Huawei Technologies Co., Ltd. (20240137338). BORDER GATEWAY PROTOCOL (BGP) FLOWSPEC ORIGINATION AUTHORIZATION USING ROUTE ORIGIN AUTHORIZATION (ROA) simplified abstract

From WikiPatents

BORDER GATEWAY PROTOCOL (BGP) FLOWSPEC ORIGINATION AUTHORIZATION USING ROUTE ORIGIN AUTHORIZATION (ROA)

Organization Name

Huawei Technologies Co., Ltd.

Inventor(s)

Yingzhen Qu of Addison TX (US)

Alvaro Enrique Retana of Addison TX (US)

BORDER GATEWAY PROTOCOL (BGP) FLOWSPEC ORIGINATION AUTHORIZATION USING ROUTE ORIGIN AUTHORIZATION (ROA) - A simplified explanation of the abstract

This abstract first appeared for US patent application 20240137338 titled 'BORDER GATEWAY PROTOCOL (BGP) FLOWSPEC ORIGINATION AUTHORIZATION USING ROUTE ORIGIN AUTHORIZATION (ROA)'.

Simplified Explanation

The abstract describes a method for a network node in a receiving autonomous system to verify the authorization of a sending autonomous system to issue a Border Gateway Protocol (BGP) Flow Specification (Flowspec) for a specific prefix.

  • The network node receives a BGP update message containing a Flowspec associated with a prefix from the sending AS.
  • An out-of-band Flowspec AS authorization list is obtained by the network node, indicating which ASes are authorized to issue the Flowspec for the prefix.
  • The network node checks if the sending AS is included in the out-of-band Flowspec AS authorization list for the prefix.
  • If the sending AS is not on the list, the network node rejects the Flowspec.
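The check in the steps above, sketched as an added example (not code from the patent application or from any vendor). The list format, the field names `flowspec_prefix` and `sending_as`, and the rule that a list entry applies when its prefix covers the Flowspec prefix are assumptions; all prefixes and AS numbers are constructed documentation values.

```python
import ipaddress

# Constructed out-of-band Flowspec AS authorization list (format is an assumption):
# each entry names a prefix and the ASes allowed to issue a Flowspec for it.
AUTH_LIST = [
    {"prefix": "192.0.2.0/24", "authorized_ases": [64500, 64501]},
    {"prefix": "2001:db8::/32", "authorized_ases": [64500]},
]

def load_auth_list(entries):
    """Parse list entries once into (network, frozenset of ASNs) pairs."""
    return [(ipaddress.ip_network(e["prefix"]), frozenset(e["authorized_ases"]))
            for e in entries]

def authorized_ases_for(prefix, auth_list):
    """Return the ASes authorized for `prefix`.

    Assumption: an entry applies when its prefix is equal to or covers the
    Flowspec prefix. Address families are compared first because
    subnet_of() raises TypeError on mixed IPv4/IPv6 arguments.
    """
    target = ipaddress.ip_network(prefix)
    allowed = set()
    for net, ases in auth_list:
        if net.version == target.version and target.subnet_of(net):
            allowed |= ases
    return allowed

def validate_flowspec(update, auth_list):
    """Accept the Flowspec only if the sending AS is on the list for its prefix.

    A prefix with no matching entry yields an empty set, so the sending AS
    is "not on the list" and the Flowspec is rejected (fail closed).
    """
    allowed = authorized_ases_for(update["flowspec_prefix"], auth_list)
    return "accept" if update["sending_as"] in allowed else "reject"

if __name__ == "__main__":
    table = load_auth_list(AUTH_LIST)
    # Constructed BGP update summaries; real updates carry the Flowspec in NLRI.
    updates = [
        {"sending_as": 64500, "flowspec_prefix": "192.0.2.0/25"},
        {"sending_as": 64511, "flowspec_prefix": "192.0.2.0/24"},
        {"sending_as": 64500, "flowspec_prefix": "198.51.100.0/24"},
    ]
    for u in updates:
        print(u["sending_as"], u["flowspec_prefix"], validate_flowspec(u, table))
```

Rejecting when no entry covers the prefix is a policy choice made for this sketch; the abstract only states that the Flowspec is rejected when the sending AS is not on the list.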

Potential Applications

This technology can be applied in network security systems to ensure that only authorized ASes can issue Flowspecs for specific prefixes, preventing unauthorized traffic manipulation.

Problems Solved

1. Unauthorized issuance of BGP Flow Specifications by ASes.
2. Ensuring network stability and security by restricting the authorization to issue Flowspecs.

Benefits

1. Enhanced network security.
2. Prevention of malicious traffic manipulation.
3. Improved network performance and stability.

Potential Commercial Applications

Securing network infrastructures in data centers, internet service providers, and telecommunications companies.

Possible Prior Art

Prior art may include existing methods for BGP Flow Specification authorization and verification in network systems.

Unanswered Questions

How does this technology impact network performance and efficiency?

This technology can potentially improve network performance by preventing unauthorized traffic manipulation and ensuring the stability of BGP Flow Specifications.

What are the potential challenges in implementing this technology on a large scale network infrastructure?

One challenge could be the management of the out-of-band Flowspec AS authorization list for multiple prefixes and ASes in a complex network environment. Additionally, ensuring the timely update of authorization lists to reflect changes in network configurations could be a challenge.


Original Abstract Submitted

A method performed by a network node of a receiving autonomous system (AS) for verifying that a sending AS is authorized to issue a Border Gateway Protocol (BGP) flow specification (Flowspec). The network node receives a BGP update message from a sending AS. The BGP update message includes a Flowspec associated with a prefix of an AS. The network node obtains an out-of-band Flowspec AS authorization list indicating autonomous systems (ASes) that are authorized to issue the Flowspec for the prefix of the AS. The network node determines whether the sending AS is included on the out-of-band Flowspec AS authorization list for the prefix of the AS. The network node rejects the Flowspec when the sending AS is not on the out-of-band Flowspec AS authorization list for the prefix of the AS.