BGP FlowSpec (RFC 5575) route injector

Hi,

I just added some preliminary support for FlowSpec (RFC 5575) to my BGP route injector: http://bgp.exa.org.uk/ As I am not aware of any other project allowing to inject flow routes into a network, I am taking the liberty to plug it here.

You can access the SVN repository at http://svn.exa.org.uk/bgp/trunk/ ; the code is under a 3-clause BSD licence. More information about the installation is available on the wiki.

I performed basic testing by rate-limiting one of my coworkers' mail and web flows - seems to work - for the rest, it may not do what it should. If you are interested, have any questions, are missing a feature, or just find any bugs, please just let me know.

Changing the configuration and SIGHUPing the application sends the peers the correct update messages to change the peer RIB. Or just enable graceful-restart and restart the application if you do not care about the number of updates :p

More information:
- http://www.terena.org/activities/tf-ngn/tf-ngn17/uze-flowspec.pdf
- http://resources.nznog.org/2006/Friday-240306/DavidLambert-BGPFlowSpecificat...
- http://uknof.org/uknof15/Mangin-NakedBGP.pdf (another shameless self-plug - BGP overview - 3 slides on FlowSpec)

Thomas
--
Exa Networks Limited - http://www.exa-networks.co.uk/
Company No. 04922037 - VAT no. 829 1565 09
27-29 Mill Field Road, BD16 1PY, UK
Phone: +44 (0) 845 145 1234 - Fax: +44 (0) 1274 567646

---------
neighbor 82.219.123.221 {
    [....]
    flow {
        route {
            match {
                source 10.0.0.1/32;
                destination 192.168.0.1/32;
                port =80;
                destination-port =3128 >8080&<8088;
                source-port >1024;
                protocol tcp;
                # protocol [ tcp udp ];
                # packet-length >200&<300 >400&<500;
                # fragment not-a-fragment;
                # fragment [ first-fragment last-fragment ];
                # icmp-type [ unreachable echo-request echo-reply ];
                # icmp-code [ host-unreachable network-unreachable ];
                # tcp-flags [ urgent rst ];
                # dscp [ 10 20 ];
            }
            then {
                discard;
                # rate-limit 9600;
                # redirect 65500:12345;
                # redirect 1.2.3.4:5678;
            }
        }
    }
}

thomas.mangin@m7i-4.u3.tcw.uk> show configuration logical-routers trap protocols bgp
local-as 30740;
group flow {
    type external;
    multihop;
    local-preference 100;
    local-address 82.219.123.221;
    import no-export;
    export deny-all;
    peer-as 65500;
    neighbor 82.219.131.242 {
        traceoptions {
            file bgp;
            flag all;
        }
        family inet {
            unicast;
            flow {
                no-validate everything;
            }
        }
        family inet6 {
            unicast;
        }
    }
}

thomas.mangin@m7i-4.u3.tcw.uk> show configuration logical-routers trap policy-options
policy-statement everything then accept;

# env PYTHONPATH=~/source/bgp/lib/ python daemon/bgpd etc/bgp/m7i-service.txt
033 12:28:13 Supervisor/ performing reload
033 12:28:13 Supervisor/ New Peer 82.219.123.221
033 12:28:14 82.219.123.221/ 30740 -> OPEN version=4 asn=65500 hold_time=180 router_id=82.219.131.242 capabilities=[Graceful Restart Flags 0x8 Time 5 IPv4/flow-ipv4=0x80 IPv4/unicast=0x80 IPv6/unicast=0x80, Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4]
033 12:28:15 82.219.123.221/ 30740 <- OPEN version=4 asn=30740 hold_time=90 router_id=82.219.123.221 capabilities=[Cisco Route Refresh (unparsed), Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4, Route Refresh (unparsed)]
033 12:28:16 82.219.123.221/ 30740 -> KEEPALIVE
033 12:28:17 82.219.123.221/ 30740 <- KEEPALIVE
announcing IPv6 unicast 2a02:b80:0:6:50::1/128 next-hop 2a02:b80::90:0:52e:0:1 med 100
announcing IPv4 flow-ipv4 destination 192.168.0.1/32,source 10.0.0.1/32,protocol =TCP,port =80,destination-port =3128 >8080&<8088,source-port >1024 extended community [ 0x80 0x6 0x0 0x0 0x0 0x0 0x0 0x0 ]
announcing IPv4 unicast 82.219.4.100/32 next-hop 82.219.4.101 med 100
033 12:28:17 82.219.123.221/ 30740 -> UPDATE (3)
033 12:28:17 82.219.123.221/ 30740 <- KEEPALIVE

thomas.mangin@m7i-4.u3.tcw.uk> show route logical-router trap table inetflow.0 extensive

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.0.1,10.0.0.1,proto=6,port=80,dstport=3128,>8080&<8088,srcport>1024/256 (1 entry, 0 announced)
        *BGP    Preference: 170/-101
                Next hop type: Fictitious
                Next-hop reference count: 1
                State: <Active Ext>
                Peer AS: 65500
                Age: 1:13
                Task: BGP_65500_30740.82.219.131.242+32319
                AS path: 65500 I
                Communities: no-export traffic-rate:0:0
                Localpref: 100
                Router ID: 82.219.131.242
Thomas Mangin