Skip to Content.
Sympa Menu

rare-dev - [rare-dev] about the current flowspec state

Subject: Rare project developers

List archive

[rare-dev] about the current flowspec state


Chronological Thread 
    < Chronological >      < Thread >
  • From: mc36 <>
  • To: , "" <>
  • Subject: [rare-dev] about the current flowspec state
  • Date: Fri, 27 Jan 2023 12:06:48 +0100
hi,

so flowspec things are pretty well there for a long ago...

we can do tons of crazy stuff like unicast to flowspec rewrite if you have a
simpler detector:
https://github.com/rare-freertr/freeRtr/blob/master/src/net/freertr/rtr/rtrUni2flow.java

but still, the main worker is around to encode and decode the afi properly:
https://github.com/rare-freertr/freeRtr/blob/master/src/net/freertr/rtr/rtrBgpFlow.java

it interworks fine in our nren for years now with our cisco asr9ks fine:

sniffer.vh#show cdp neighbor
interface hostname iface ipv4
ipv6
ethernet1 rtr1.vh.hbone.hu GigabitEthernet100/0/0/8 195.111.100.85
null
ethernet2 rtr2.vh.hbone.hu GigabitEthernet101/0/0/13 195.111.100.89
null
access1108347795 p4deb access1662428157 10.21.127.124
2001:db8:217f::111b
access2066320167 p4deb access1671675027 10.21.127.185
2001:db8:217f::114f
access337731963 nrpe.wdcvhpc access740763194 10.21.127.208
2001:db8:217f::116e
access666045082 nrpe.wdcvhpc access1529960395 10.21.127.159
2001:db8:217f::1172

sniffer.vh#show ipv4 bgp 1955 flowspec database
prefix hop metric aspath
601:1dc3:c74b:6800::#:: 0:0 195.111.97.179 200/100/2/0
601:1dc3:c77a:2000::#:: 0:0 195.111.97.179 200/100/2/0
601:1dc3:c7b6:5000::#:: 0:0 195.111.97.179 200/100/2/0
601:1dc3:c7c0:c800::#:: 0:0 195.111.97.179 200/100/2/0
601:1dc3:c7de:f000::#:: 0:0 195.111.97.179 200/100/2/0
601:2054:ce32:ee00::#:: 0:0 195.111.97.179 200/100/2/0
601:2054:ce32:ef00::#:: 0:0 195.111.97.179 200/100/2/0
601:2054:ce32:f000::#:: 0:0 195.111.97.179 200/100/2/0
601:2054:ce7f:4d00::#:: 0:0 195.111.97.179 200/100/2/0
601:2054:ce7f:4e00::#:: 0:0 195.111.97.179 200/100/2/0
601:2054:ce82:f900::#:: 0:0 195.111.97.179 200/100/2/0
601:20c1:e0a3:1d00::#:: 0:0 195.111.97.179 200/100/2/0
601:20c1:e10e:8d00::#:: 0:0 195.111.97.179 200/100/2/0
602:2058:da11:2100::#:: 0:0 195.111.97.92 200/100/0/0
602:2058:da11:2100::#:: 0:0 195.111.97.93 200/100/0/0
602:2058:da11:2100::#:: 0:0 195.111.97.179 200/100/0/0
602:209c:e63f:4600::#:: 0:0 195.111.97.92 200/100/0/0
602:209c:e63f:4600::#:: 0:0 195.111.97.93 200/100/0/0
602:209c:e63f:4600::#:: 0:0 195.111.97.179 200/100/0/0
602:20ca:3cf5:8200::#:: 0:0 195.111.97.92 200/100/0/0
602:20ca:3cf5:8200::#:: 0:0 195.111.97.93 200/100/0/0
602:20ca:3cf5:8200::#:: 0:0 195.111.97.179 200/100/0/0

sniffer.vh#show policy-map flowspec inet ipv4
seq chld queue intrvl byt/int rxb rxp trnsmt
ace
1 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 195.199.75.104 ffff:ffff:ffff:ffff:ffff:ffff:ffff:fff8 all
2 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 195.199.122.32 ffff:ffff:ffff:ffff:ffff:ffff:ffff:fff8 all
3 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 195.199.182.80 ffff:ffff:ffff:ffff:ffff:ffff:ffff:fff8 all
4 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 195.199.192.200 ffff:ffff:ffff:ffff:ffff:ffff:ffff:fff8 all
5 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 195.199.222.240 ffff:ffff:ffff:ffff:ffff:ffff:ffff:fff8 all
6 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 84.206.50.238 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
7 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 84.206.50.239 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
8 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 84.206.50.240 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
9 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 84.206.127.77 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
10 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 84.206.127.78 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
11 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 84.206.130.249 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
12 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 193.224.163.29 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
13 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all any all 193.225.14.141 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
14 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all 88.218.17.33 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all any all
15 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all 156.230.63.70 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all any all
16 0 0/128 100 0 0 0 tx=0(0) rx=0(0) drp=0(0)
all 202.60.245.130 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all any all
17 0 0/128 100 0 252545 1843 tx=252545(1843) rx=0(0)
drp=0(0)

sniffer.vh#



these then get programmed to the dataplanes through the common api:
https://github.com/rare-freertr/freeRtr/blob/master/src/net/freertr/serv/servP4langConn.java#L3197


and then finally enforced for example in the tofino in hardware:
https://github.com/rare-freertr/freeRtr/blob/master/misc/p4bf/include/ig_ctl_flowspec.p4


there are some unit tests covering all these functionality one by one:
mc36@noti:~$ curl http://src.mchome.nop.hu/src/rtr.html| grep flowspec
</td><td>success</td><td>p4lang: transmit flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/p4lang-acl50.tst";>p4lang-acl50.tst</a></td><td>success</td><td>p4lang:
drop flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/p4lang-acl51.tst";>p4lang-acl51.tst</a></td><td>success</td><td>p4lang:
policer flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/p4lang-acl52.tst";>p4lang-acl52.tst</a></td><td>success</td><td>p4lang:
priority flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp11.tst";>qos-copp11.tst</a></td><td>success</td><td>qos
transmit flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp12.tst";>qos-copp12.tst</a></td><td>success</td><td>qos drop
flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp13.tst";>qos-copp13.tst</a></td><td>success</td><td>qos
policer flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp14.tst";>qos-copp14.tst</a></td><td>success</td><td>qos
priority flowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp15.tst";>qos-copp15.tst</a></td><td>success</td><td>qos
transmit otherflowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp16.tst";>qos-copp16.tst</a></td><td>success</td><td>qos drop
otherflowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp17.tst";>qos-copp17.tst</a></td><td>success</td><td>qos
policer otherflowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/qos-copp18.tst";>qos-copp18.tst</a></td><td>success</td><td>qos
priority otherflowspec</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp179.tst";>rout-bgp179.tst</a></td><td>success</td><td>unicast+flowspec
over bgp</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp180.tst";>rout-bgp180.tst</a></td><td>success</td><td>unicast+flowspecvpn
over bgp</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp183.tst";>rout-bgp183.tst</a></td><td>success</td><td>unicast+flowspec
over bgp with soft-reconfig</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp184.tst";>rout-bgp184.tst</a></td><td>success</td><td>unicast+flowspecvpn
over bgp with soft-reconfig</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp187.tst";>rout-bgp187.tst</a></td><td>success</td><td>unicast+flowspec
over bgp with additional path</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp188.tst";>rout-bgp188.tst</a></td><td>success</td><td>unicast+flowspecvpn
over bgp with additional path</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp270.tst";>rout-bgp270.tst</a></td><td>success</td><td>unicast+otherflowspecvpn
over bgp</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp271.tst";>rout-bgp271.tst</a></td><td>success</td><td>unicast+otherflowspecvpn
over bgp with soft-reconfig</td></tr>
<tr><td><a
href="http://sources.freertr.org/cfg/rout-bgp272.tst";>rout-bgp272.tst</a></td><td>success</td><td>unicast+otherflowspecvpn
over bgp with additional path</td></tr>

mc36@noti:~$


these are just unit tests, you really need to create a meaningful topology
first to have something interesting...
and now the fun part.... you really dont need to have a big switch to
experiment with it...
as frederic presented, you can run it on your own notebook, you can build
your own topology and so on far under 1gb/1cpu requirement:

wget freertr.org/rtr.zip
unzip rtr.zip
cd src
./c.sh
./tw.sh rout-bgp179

then you can access your routers by
telnet localhost 20001
telnet localhost 20002

and once you define a policy-map (show in qos-copp13.tst for example)
and set it to be advertised then you can see it arriving on the other...
if you set that to install, then you can check the results by pinging... :)

br,
cs

  • [rare-dev] about the current flowspec state, mc36, 01/27/2023

Archive powered by MHonArc 2.6.19.

Top of Page