BGP Flowspec to YANG/YAML ACL

We were looking for some way to implement BGP Flowspec filtering (just the basic permit/deny) using L3 switches in an automated way.

Searching a bit we found https://github.com/ios-xr/bgpfs2acl

It is almost what we are looking for!
But it is focused on Cisco devices.

We even considered forking it for our specific vendor.
But before reinventing the wheel, I decided to ask colleagues if anybody knows of some tool that converts BGP Flowspec ACLs into YAML or even YANG.

If that exists, with Ansible/NETCONF/RESTCONF (or some similar tool), it would be easy to delegate to switches the basic filtering that only more expensive routers can do for now.

P.S.: This idea does not include (at first) the more complex Flowspec features like Redirect or Rate-Limit.

Any suggestions or ideas?

Just a complementary demonstration of a scenario where this “bgpfs2acl” is being used.
https://youtu.be/8pNZJUHlRPk

In order to use YANG you need a device that can speak NETCONF/RESTCONF and understands YANG.

There’s no such thing as “The YANG ACL” - there’s the IETF YANG model for ACLs, there’s the OpenConfig one, and your switch vendor might have another YANG model for representing ACLs.

Whichever model provides sufficient coverage for your use case (i.e. you can use the model to specify SRC/DST/MASK/DENY/ACCEPT) and is supported natively by your device (you can send the ACL config in this format to the device and it knows what to do) is the right one for you.

If your devices do not support NETCONF/RESTCONF nor understand YANG, you can still push the ACL changes via CLI scraping (Ansible).

Now in either case (NETCONF/YANG or Ansible), what you’re better off with is a tool that allows the operator to enter the details of the ACL line to be added (details of the flow), just takes that input and inserts it into a pre-defined/prepared template (YANG/Ansible template), and then the script just prompts the resulting config to be pushed onto the device (devices).

adam
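To make the point above concrete, here is an added example (not code from the thread, nor from bgpfs2acl) that renders basic permit/deny Flowspec rules as a JSON body for the IETF ACL model (RFC 8519, ietf-access-control-list), the kind of thing you would push over RESTCONF. It assumes the RFC 8519 JSON layout as I remember it (validate against the YANG your switch actually loads), IPv4 only, and a constructed FlowspecRule input type that is not any real tool's format.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import product

IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}  # IANA protocol numbers

@dataclass
class FlowspecRule:
    """Constructed input: subset of a Flowspec NLRI (RFC 5575) handled here."""
    name: str
    dst_prefix: str | None = None                        # component type 1
    src_prefix: str | None = None                        # component type 2
    protocol: str | None = None                          # type 3, by name
    dst_ports: list[int] = field(default_factory=list)   # type 5
    src_ports: list[int] = field(default_factory=list)   # type 6
    discard: bool = False                                # traffic-rate 0 => deny

def rule_to_aces(rule: FlowspecRule) -> list[dict]:
    """Flowspec port components list alternatives (OR); an IETF ACL port match
    holds one operator/port, so emit one ACE per (src port, dst port) pair."""
    if (rule.dst_ports or rule.src_ports) and rule.protocol not in ("tcp", "udp"):
        raise ValueError("port match needs protocol tcp or udp")
    ipv4 = {}
    if rule.dst_prefix:
        ipv4["destination-ipv4-network"] = rule.dst_prefix
    if rule.src_prefix:
        ipv4["source-ipv4-network"] = rule.src_prefix
    if rule.protocol:
        ipv4["protocol"] = IP_PROTO[rule.protocol]
    aces = []
    pairs = product(rule.src_ports or [None], rule.dst_ports or [None])
    for i, (sp, dp) in enumerate(pairs):
        matches, l4 = {"ipv4": dict(ipv4)}, {}
        if sp is not None:
            l4["source-port"] = {"operator": "eq", "port": sp}
        if dp is not None:
            l4["destination-port"] = {"operator": "eq", "port": dp}
        if l4:
            matches[rule.protocol] = l4  # the "tcp" or "udp" container
        aces.append({"name": f"{rule.name}-{i}", "matches": matches,
                     "actions": {"forwarding": "drop" if rule.discard else "accept"}})
    return aces

def flowspec_to_ietf_acl(acl_name: str, rules: list[FlowspecRule]) -> dict:
    """RESTCONF JSON body for one ietf-access-control-list ACL (RFC 8519)."""
    aces = [ace for r in rules for ace in rule_to_aces(r)]
    # Flowspec has no implicit deny but most ACLs do: end with permit-any so
    # traffic that no Flowspec rule names keeps flowing as it did before.
    aces.append({"name": "permit-any", "actions": {"forwarding": "accept"}})
    return {"ietf-access-control-list:acls": {"acl": [
        {"name": acl_name, "type": "ipv4-acl-type", "aces": {"ace": aces}}]}}
```

The two things the converter has to get right, port-list expansion and the trailing permit-any, are exactly where a naive Flowspec-to-ACL translation silently changes what traffic is dropped.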

Use ExaBGP to insert the routes? (https://github.com/Exa-Networks/exabgp)

This is some old Perl that generates the older ExaBGP 2.0 style entries, but it uses Template Toolkit, which means you can easily change the output format:

https://paste.somuch.fail/?744af55b8bea1414#WlXYkcfATNRxpRcr4NGOtxw4cqzStbCpApxmIevRPDk=

There’s a lot more you could do to make this even more flexible. You don’t need YANG or to modify any config; just build something that accepts what you’re after and sends it as Flowspec routes from ExaBGP to the routers you care about.