Internet-Draft Packet Content Filter for BGP FlowSpec March 2024
Cui & Gao Expires 21 September 2024
Intended Status:
Y. Cui
Tsinghua University
Y. Gao
Zhongguancun Laboratory

Packet Content Filter for BGP FlowSpec


The BGP Flow Specification enables the distribution of traffic filter policies (traffic filters and actions) via BGP, facilitating DDoS traffic filtering. However, the traffic filters defined in FSv1 and FSv2 match predominantly on IP header fields, which may not adequately address newer types of DDoS attack traffic characterized by constant patterns within the packet content. This document introduces a new flow specification filter type designed for packet content filtering. Its match field consists of an offset-type, an offset-value, a content-length and a content-value, encoded in the Flowspec NLRI. The new filter aims to augment DDoS defense capabilities.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 September 2024.

Table of Contents

1. Introduction

The BGP Flow Specification describes the distribution of traffic filter policies through BGP, allowing efficient traffic management and DDoS attack mitigation. The existing versions, FSv1 and FSv2, primarily offer n-tuple matching conditions for policy enforcement, with actions such as dropping, redirecting or rate-limiting the matched packets. These filter rules can be propagated to all BGP peers at once without router configuration changes. Despite their utility, the reliance of FSv1 and FSv2 on IP header fields is increasingly inadequate for countering DDoS attacks: attacks such as application-level Challenge Collapsar (CC) attacks and ACK floods carry distinctive, constant patterns within the packet content while generating large traffic volumes.

This document delineates a new flow specification filter type that facilitates packet content filtering, leveraging offset-type, offset value, content-length, and content-value within the Flowspec NLRI to enhance DDoS defense mechanisms.

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Definitions and Acronyms

3. The Flow Specification for Packet Offset Filter

This document specifies a new flow specification filter type that is encoded in the BGP FS NLRI; for now it follows the FSv1 component definition format. The new filter is defined as follows:

Type TBD – Packet-Content

Encoding: <type (1 octet), [value]+>

The value field is encoded as offset-type, offset-value, content-length and content-value.

Encoding: <offset-type (4 bits), offset-value (2 octets), content-length (1 octet), content-value>

3.1. Offset-type and Offset-value

The offset-type and offset-value define the starting position in the packet of the content used for matching. To keep the offset independent of variable header lengths, the offset is anchored hierarchically, as in [draft-khare-idr-bgp-flowspec-payload-match-08]. The offset-type is defined as follows:

| Value | Description of Offset Type  |
| 0     | IP Header                   |
| 1     | IP Header Data              |
| 2     | Data within TCP/UDP         |

Figure 1: offset-type

Each offset-type is detailed as follows:

  • Offset-type 0 is defined as the start of the IP header.

  • Offset-type 1 is defined as the start of the IP payload, i.e. the first octet after the IP header and any IP options.

  • Offset-type 2 is defined as the start of the TCP or UDP data. Type 2 is only usable when the packet is unfragmented or is the first fragment (so that the transport header is present) and the Layer 4 protocol is TCP (6) or UDP (17). For other IP protocols, type 0 or type 1 is used instead.

The offset-value is defined as a 2-octet unsigned integer that specifies the count of bytes to be bypassed from the offset-type's starting position to match the packet content.


  • By setting offset-type 0 and an offset-value of 0, the match is configured to start precisely at the beginning of the IP header.

  • By setting offset-type 1 and an offset-value of 2, the match starts two bytes after the end of the IP header, including any IP options. In UDP (and TCP) packets this is the start of the destination port field.

  • By setting offset-type 2 and an offset-value of 10, the match starts ten bytes into the TCP or UDP payload.

3.2. Content-length and Content-value

The content-length is a one-octet unsigned integer giving the length of the content in octets. The content-value is encoded as {content, mask}; content and mask have the same length, given by content-length, so the content-value occupies twice content-length octets.

The content is the byte string to be matched. Based on information provided by equipment vendors and operators, 8 octets is usually sufficient to identify DDoS attack traffic.

The mask is a bit string of the same length as the content: a 1 bit marks a bit position that must match and a 0 bit marks a position that is ignored.

The match is evaluated bitwise: the content is ANDed with the mask to obtain the value to compare against, and the packet bytes at the computed offset are ANDed with the same mask before comparison, so that ignored bit positions cannot cause a mismatch.
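The encoding of Section 3 and the offset resolution and masked comparison of Sections 3.1 and 3.2, put together as an added example in Python. This is not code from this document or from any FlowSpec implementation, and it makes the following assumptions: the 4-bit offset-type occupies the low nibble of a single octet with the high nibble zero (the draft does not say how that field is padded), only IPv4 is handled, and the sample packets, port numbers and the "floodpat" signature are constructed for the example.

```python
"""Packet-Content flowspec component: encode/decode the value field and
evaluate it against a raw IPv4 packet (added example, not draft text)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

OFFSET_IP_HEADER = 0   # offset-type 0: start of the IP header
OFFSET_IP_PAYLOAD = 1  # offset-type 1: first octet after the IP header and options
OFFSET_L4_PAYLOAD = 2  # offset-type 2: first octet of TCP/UDP data


@dataclass(frozen=True)
class PacketContent:
    offset_type: int
    offset_value: int
    content: bytes
    mask: bytes

    def __post_init__(self) -> None:
        if self.offset_type not in (0, 1, 2):
            raise ValueError("offset-type must be 0, 1 or 2")
        if not 0 <= self.offset_value <= 0xFFFF:
            raise ValueError("offset-value must fit in 2 octets")
        if not 1 <= len(self.content) <= 0xFF or len(self.content) != len(self.mask):
            raise ValueError("content and mask need the same length, 1..255 octets")

    def encode(self) -> bytes:
        # Assumption: the 4-bit offset-type rides in the low nibble of one octet
        # and the high nibble is zero; the draft does not say how it is padded.
        hdr = bytes([self.offset_type]) + struct.pack("!HB", self.offset_value, len(self.content))
        return hdr + self.content + self.mask

    @classmethod
    def decode(cls, buf: bytes) -> tuple[PacketContent, int]:
        """Parse one value (type octet already stripped); return (component, octets used)."""
        if len(buf) < 4:
            raise ValueError("truncated packet-content value")
        offset_value, length = struct.unpack("!HB", buf[1:4])
        end = 4 + 2 * length            # content and mask are both `length` octets
        if len(buf) < end:
            raise ValueError("content/mask run past the end of the value")
        return cls(buf[0] & 0x0F, offset_value, buf[4:4 + length], buf[4 + length:end]), end


def ipv4_header_len(pkt: bytes) -> int | None:
    """Header length in octets, or None if this is not a complete IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return ihl if 20 <= ihl <= len(pkt) else None


def l4_payload_start(pkt: bytes) -> int | None:
    """Offset of TCP/UDP data; None unless this is a first fragment carrying TCP(6)/UDP(17)."""
    ihl = ipv4_header_len(pkt)
    if ihl is None or struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None                     # non-first fragment: no transport header to parse
    proto = pkt[9]
    if proto == 17:
        return ihl + 8                  # UDP header is fixed at 8 octets
    if proto == 6 and len(pkt) >= ihl + 13:
        return ihl + (pkt[ihl + 12] >> 4) * 4   # TCP data offset, in 32-bit words
    return None


def matches(rule: PacketContent, pkt: bytes) -> bool:
    """(packet & mask) == (content & mask) over content-length octets at the resolved offset."""
    if rule.offset_type == OFFSET_IP_HEADER:
        base = 0 if ipv4_header_len(pkt) is not None else None
    elif rule.offset_type == OFFSET_IP_PAYLOAD:
        base = ipv4_header_len(pkt)
    else:
        base = l4_payload_start(pkt)
    if base is None:
        return False
    start = base + rule.offset_value
    window = pkt[start:start + len(rule.content)]
    if len(window) != len(rule.content):
        return False                    # packet ends before the window: no match
    return all((p & m) == (c & m) for p, c, m in zip(window, rule.content, rule.mask))


# --- constructed sample packets (not real captures); checksums left zero ---
def build_ipv4(proto: int, l4: bytes, frag_offset: int = 0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, frag_offset & 0x1FFF,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + l4


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # data offset 6 (24 octets) with 4 octets of NOP options, to exercise the offset math
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x10, 65535, 0, 0) + b"\x01" * 4 + payload


# Case-insensitive 8-octet signature: mask 0xDF clears the ASCII case bit (0x20).
FLOOD_RULE = PacketContent(OFFSET_L4_PAYLOAD, 0, b"floodpat", bytes([0xDF]) * 8)
# Section 3.1's example: offset-type 1, offset 2 lands on the UDP destination port.
DNS_PORT_RULE = PacketContent(OFFSET_IP_PAYLOAD, 2, b"\x00\x35", b"\xff\xff")

if __name__ == "__main__":
    pkt = build_ipv4(17, build_udp(40000, 53, b"FLOODPATTERN-0001"))
    print(matches(FLOOD_RULE, pkt), matches(DNS_PORT_RULE, pkt))
    print(PacketContent.decode(FLOOD_RULE.encode())[0] == FLOOD_RULE)
```

The mask does more than pad: with 0xDF in every octet the same 8-octet rule matches "FLOODPAT" and "floodpat", and a rule using offset-type 2 silently declines to match a non-first fragment or a non-TCP/UDP packet rather than reading header bytes as payload, which is the failure mode the offset-type 2 restriction in Section 3.1 exists to prevent.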

4. IANA Considerations

In accordance with the procedures outlined for managing the "Flow Spec Component Types" registry, IANA is hereby requested to assign a new Type Value. This assignment is sought from the First Come First Served range, as detailed below:

| Type Value | Name                      | Reference     |
| TBD        | Packet Content filter     | this document |

The introduction of the "Packet Content filter" Type Value is purposed to expand the capability of BGP FSv1 by enabling more granular control over traffic filtering.

This is especially pertinent for complex patterns within packet content that are characteristic of Distributed Denial of Service (DDoS) attacks and other security threats. The proposed Packet Content filter facilitates the specification of detailed traffic matching criteria, including content inspection at specific packet offsets. A future revision of this document will add the FSv2 definition.

5. Security Considerations

This specification introduces no new security issues to the BGP protocol. The security considerations of [RFC8955] and [RFC8956] apply to the new component type as they do to the existing ones.

6. Normative References

[RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. Bacher, "Dissemination of Flow Specification Rules", RFC 8955, DOI 10.17487/RFC8955.
[RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., "Dissemination of Flow Specification Rules for IPv6", RFC 8956, DOI 10.17487/RFC8956.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174.


We wish to thank Susan Hares, Jeffery Hass and Li Yang for their valuable comments and suggestions on this document.

Authors' Addresses

Yong Cui
Tsinghua University
Beijing, 100084
Yujia Gao
Zhongguancun Laboratory
Beijing, 100094