FlowSpec (Rules, Collectors, and Observations)

Spectops supports both:

• Outbound FlowSpec rules: you create rules and bind them to one or more BGP sessions to enforce traffic filtering.
• Inbound FlowSpec observation: one or more collector sessions ingest FlowSpec rules from external peers and store observations for analysis (and optional collective workflows).

If you only need BGP blackhole nullification (RTBH), you can ignore FlowSpec entirely.

Outbound FlowSpec rules are managed through the UI and API, then injected to the adapter for announcement. Keep your rule set conservative and prefer explicit destinations over overly broad prefixes.

If a peer does not negotiate FlowSpec capabilities, the platform will surface session issues rather than silently “succeed”.

To ingest FlowSpec observations, create a BGP session that is explicitly marked as a FlowSpec collector. The platform uses collector sessions for reading a peer’s FlowSpec RIB and storing observations.

• Collector ingest is only enabled when a session is configured as a collector and has FlowSpec enabled.
• Observations are deduplicated by peer + AFI + match components, and withdrawals are detected with a short grace period.

See also: Collector Plane.

FlowSpec Listener sources let you point at a peer (by neighbor IP) and periodically poll for inbound FlowSpec rules. The system extracts destination prefixes and turns them into standard source snapshots so they flow through the same export/announcement pipeline as other sources.

• This is useful when an upstream provides FlowSpec signals but your downstream enforcement uses BGP blackhole routing (RTBH).
• Optional action filters can restrict which FlowSpec actions are accepted (for example, only discard).

Implementation details are documented in docs/FLOWSPEC_LISTENER.md in the repository.