BGP firewall

3 min read

If you are protecting your network from packet with spoofed source IP, it is likely that you have to update your routers ACL each time the route you learn from your customers are changing. This can be automated, but could this be done without having to generated ?

BGP firewall

WARNING

This post is kept for nostalgic reason. Please do not use this solution for anything in production as it is more than likely that it will cause issues with any serious traffic.

Always up-to-date ACL

ACL can be auto-generated from the content of the Registry Database, which is likely to be out of date, but it could also be possible to use the content of the router’s RIB to auto-generate those filters.

Juniper has a feature called SCU/DCU (which from what I can read on their side seems to be mainly used for traffic accounting) which can be (ab)used to create some kind of dynamic prefix-list based the the communities taged on your BGP route.

Configuration

The example below uses SCU to create a firewall blocking packet entering your network with invalid source IPs.

In order to do so we :

  • tag all routes with communities depending on their source (transit,customer,peer)
  • create a policy statement based on those communities
  • apply this policy statement to our RIB to create the classes
  • use those classes as filtering term of firewalls
[edit policy-options]
policy-statement community-to-class {
  term is-peering { ... }
  term is-transit { ... }
  term is-customer {
  from community [ route-customer originate-customer ];
    then {
      destination-class customer;
      source-class customer;
    }
  }
  term is-orginated-here {
    from community originate;
    then {
      destination-class originate;
      source-class originate;
    }
  }
}

Then we tell the Juniper to build the SCU from our routing table.

[edit routing-options]
forwarding-table {
  export [ community-to-class load-balancing ];
  unicast-reverse-path feasible-paths;
}

We then create a firewall saying that we intended to use this SCU as a match close.

[edit firewall]
filter external-incoming-transit {
  ...
  term originate-deny {
    from { 
      source-class originate;
    }
    then { 
      count deny-spoof-originate;
      discard;
    } 
  }
}

And finally apply it to the interface ..

[edit interface .... }
unit 123 {
  description "a peer/transit interface";
  vlan-id 123;
  family inet {
    rpf-check {
      mode loose;
    }
    no-redirects;
    filter {
      input external-incoming-transit;
    }
    address 1.2.3.4/30;
  }
}

The route will have been tagged with an import statement on your bgp peers or sourced within your network

[edit policy-options]
community originate members 30740:30740

[edit routing-options]
aggregate {
  route 82.219.0.0/16 {
    community 30740:30740;
    as-path {
      origin igp;
    }
  }
}

Finally do not forget to remove those communities from the routes you are receiving from ebgp.

BGP ACL
Avatar
Thomas Mangin
Technology Enthusiast