]> Huawei Technologies

Beijing China gengnan@huawei.com

Huawei Technologies

Beijing China tanzhen6@huawei.com

Huawei Technologies

Beijing China liumingxing7@huawei.com

Routing IDR Internet-Draft Many source address validation (SAV) mechanisms have been proposed for preventing source address spoofing. However, existing SAV mechanisms are faced with the problems of inaccurate validation or high operational overhead in some cases. This paper proposes BGP SAVNET by extending BGP protocol for SAV. This protocol can propagate SAV-related information through BGP messages. The propagated information will help routers automatically generate accurate SAV rules which are for checking the validity of data packets.

Introduction Source address validation (SAV) is essential for preventing source address spoofing attacks (e.g., DDoS based on source address spoofing ) and tracing back network attackers. For a network, SAV mechanisms can be deployed on edge routers or aggregation routers for validating the packets from the connected subnets or neighboring ASes . ACL-based ingress filtering can be used for SAV, which, however, has high operational overhead problems in dynamic networks and also has limited capacity of rules. Many SAV mechanisms, such as strict uRPF, loose uRPF, and EFP-uRPF , leverage routing information to automatically generate SAV rules. The rules indicate the wanted incoming directions of source addresses. The packets with specified source addresses but from unwanted directions will be considered invalid . However, there may be inaccurate validation problems under asymmetric routing . This is because these uRPF mechanisms are "single-point" designs. They leverage the local FIB or local RIB table to determine the incoming interfaces for source addresses, which may not match the real incoming directions. That is, purely relying on the original IGP or BGP protocols to obtain routing information for SAV rule generation cannot well meet the requirement of accurate validation. This document proposes an extension of BGP protocol for SAV, i.e., BGP SAVNET. Unlike existing "single-point" mechanisms, BGP SAVNET allows coordination between the routers within the network or the ASes outside the network by propagating SAV-related information through extended BGP messages. The propagated information can provide more accurate source address information and incoming direction information than the local FIB and RIB tables. The routers with BGP SAVNET can automatically generate accurate SAV rules without introducing much overhead. The BGP SAVNET protocol is suitable to generating SAV rules for both IPv4 and IPv6 addresses. The SAV rules can be used for validating any native IP packets or IP-encapsulated packets.

Terminology SAV: Source address validation, an approach to preventing source address spoofing. SAV Rule: The rule that indicates the valid incoming interfaces for a specific source prefix. SAV Table: The table or data structure that implements the SAV rules and is used for source address validation in the data plane. SPA: Source prefix advertisement, i.e., the process for advertising the origin source addresses/prefixes of a router or an AS. SPD: Source path discovery, i.e., the process for discovering the real incoming directions of particular source addresses/prefixes.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

BGP Protocol Relationship The BGP extensions for BGP SAVNET follow a backward compatible manner without impacting existing BGP functions. New BGP SAVNET subsequent address families will be introduced under the IPv4 address family and the IPv6 address family, respectively. The BGP UPDATE message (specifically the MP_REACH_NLRI and the MP_UNREACH_NLRI attributes) and the BGP Refresh message will be extended. AFI and SAFI can be used for distinguishing the BGP SAVNET messages from other messages. A few existing path attributes such as Originator_ID and Clister_list or new defined path attributes MAY be used for BGP SAVNET. Actually, most existing path attributes are not necessarily required for BGP SAVNET. However, if the unnecessary path attributes are carried in BGP updates, they will be accepted, validated, and propagated consistent with the BGP protocol.

BGP SAVNET Solution

Application Scenarios BGP SAVNET aims to generate accurate SAV rules for most use cases including asymmetric routing. An SAV rule indicates the valid incoming interfaces for a specific source address/prefix. A router with BGP SVANET will locally maintain a SAV table storing the SAV rules. The SAV table can be used for validating data packets. shows the application scenarios where BGP SAVNET will enabling SAV in data plane:

• SAV within an AS
  • Edge routers connecting subnets: BGP SAVNET can be deployed at '*' for checking the validity of the packets from subnets.
  • Aggregation routers: Aggregation routers can do validation at 'x' for any arrival packets.
• SAV between ASes
  • Border routers connecting other ASes: BGP SAVNET can be deployed at '#' for checking the validity of the packets from other ASes.

BGP SAVNET application scenarios

SAV Solution within an AS The solution consists of two main processes: Source Address Advertisement (SPA) and Source Path Discovery (SPD). Edge routers can generate SAV rules through SPA on the interfaces connecting subnets. SPA and SPD can help aggregation routers generate SAV rules on the interfaces connecting other routers.

Solution for Edge Routers Edge routers aims to generate SAV rules, i.e., the source prefix allowlist at each interface connecting to a subnet. If the subnet is single-homed, the allowlist can be generated through local RIB. When the subnet is multi-homed to edge routers, asymmetric routing may exist. SPA will help the routers get accurate allowlist. Specifically, edge routers can propagate its source prefixes learned from an interface connecting to a subnet. The source prefixes with a tag will be carried in the SPA message. Other routers will receive the message. The interfaces configured with the same tag value on other routers will include the tagged source prefixes in the corresponding allowlist. More details can be found in the version-00 of .

Solution for Aggregation Routers Aggregation routers are to generate SAV rules for checking the validity of recorded source prefixes and ignore the validation of unrecorded source prefixes. Each edge router can first send SPA messages for propagating its router-id and its source prefixes that need to be validated. Aggregation routers will record the mapping from router-id to source prefixes. Then, each edge router will send an SPD messages to each neighbor router. The message carries the source router-id of the edge router and the destination router-ids whose mapped source prefixes take the neighbor router as the next forwarding hop. The neighbor router (e.g., aggregation router) receiving the message will record the incoming interface of the message, and SAV rules will be generated locally by binding the source router-id's source prefixes to the recorded incoming interface. Then neighbor router will remove its own router-id from the destination router-id list and relay the message to its neighbors according to local forwarding rules. The routers receiving the message will repeat the above process until the destination router-id list is empty. More details can be found in the version-00 of .

SAV Solution between ASes

Solution for Border Routers The solution consists of two main processes: SPA and SPD. Border routers can generate SAV rules at interfaces connecting to other ASes through SPA and SPD. Let AS X be the local AS which acts as a validation AS and generates SAV rules for other ASes. Let AS Y be one of the ASes deploying BGP SAVNET, which is named as source AS. Validation AS X will generate SAV rules for protecting the source prefixes of source AS Y. AS Y first advertise its own AS number and its own source prefixes to AS X through SPA messages. SPA is necessary because AS Y cannot learn the complete set of source prefixes of AS Y purely through BGP updates. Some hidden source prefixes that do not appear can be advertised to AS X through SPA messages. After SPA, AS Y can send SPD messages for notifying its preferred AS paths from AS Y to AS X. AS X will learn the incoming direction of AS Y's packets. Then, SAV rules can be generated. SPD can help AS X for discovering the real forwarding paths that do not match the control plane paths learned by AS X. More details can be found in the version-00 of . Note that, the SAV solutions either within an AS or between ASes are under working on. The BGP SAVNET will be updated if the solutions are revised.

BGP SAVNET Peering Models Several BGP SAVNET solutions are introduced that can be applied in different scenarios. Depending on the solution's feature, different peering models need to be taken.

Full-mesh IBGP Peering This peering model is required by the SAV solution within an AS so that the edge routers can generate SAV rules. In this model, routers enabling BGP SAVNET MUST establish full-mesh iBGP sessions either through direct iBGP sessions or route-reflector. The BGP SAVNET sessions can be established only when the BGP SAVNET address family has been successfully negotiated. SPA messages within an AS can be advertised through the full-mesh BGP SAVNET sessions. The extensions of BGP messages for carrying SPA messages will be introduced in .

Singe-hop IBGP Peering between Directly Connected Routers This peering model meets the requirement of the SAV solution within an AS so that the aggregation routers can generate SAV rules. In this model, routers enabling BGP SAVNET MUST establish single-hop iBGP sessions through direct point-to-point links. For each link, a single-hop iBGP session needs to be established, and the messages transmitted over the session MUST be carried by the corresponding link. SPD messages within an AS can be advertised through these sessions. The extensions of BGP messages for carrying SPD messages will be introduced in .

EBGP Peering between ASes The SAV solution between ASes requires eBGP sessions which can be single-hop or multi-hop. In this model, for the AS enabling BGP SAVNET, at least one border router in the AS MUST establish the BGP SAVNET sessions with other border routers in the neighboring or remote ASes. SPA and SPD messages between ASes will be advertised through these sessions. The extensions of BGP messages for carrying SPA and SPD messages will be introduced in .

BGP SAVNET Protocol Extension

BGP SAVNET SAFI In order to transmitting and exchanging data needed to generate an independent SAV table, the document introduces the BGP SAVNET SAFI. The value is TBD and requires IANA registration as specified in . In order for two BGP SAVNET speakers to exchange BGP SAVNET NLRI (SPA message), they MUST establish a BGP SAVNET peer and MUST exchange the Multiprotocol Extensions Capability to ensure that they are both capable of processing such NLRI properly. Two BGP SAVNET speakers MUST exchange Route Refresh Capability to ensure that they are both capable of processing the SPD message carried in the BGP Refresh message.

BGP SAVNET NLRI The BGP SAVNET NLRI is used to transmit Source Prefix (either IPv4 or IPv6) information to form a uniform Source Prefix list within a deployment domain. The BGP SAVNET NLRI TLVs are carried in BGP UPDATE messages as (1) route advertisement carried within Multiprotocol Reachable NLRI (MP_REACH_NLRI) , and (2) route withdraw carried within Multiprotocol Unreachable NLRI (MP_UNREACH_NLRI). While encoding an MP_REACH_NLRI attribute containing BGP SAVNET NLRI TLVs, the "Length of Next Hop Network Address" field SHOULD be set to 0 upon the sender. The "Network Address of Next Hop" field should not be encoded upon the sender, because it has a 0 length and MUST be ignored upon the receiver.

SPA TLVs within an AS The BGP SAVNET NLRI TLV each carries a Source Prefix and related information, therefore it is called an SPA TLV. This type of TLVs are used in SPA process within an AS. The format is shown below:

SPA TLV format

The meaning of these fields are as follows:

• Type: Type of the BGP SAVNET NLRI TLV, the value is 1 for SPA TLV within an AS.
• Length: The length of the BGP SAVNET NLRI value, the Type and Length fields are excluded.
• Origin router-id: The router ID of the originating node of the source prefix in the deployment domain.
• MaskLen: The mask length in bits, which also indicates the valid bits of the IP Prefix field.
• IP Prefix: IP address. The length ranges from 1 to 16 bytes. Format is consistent with BGP IPv4/IPv6 unicast address.
• Tag: Interface Tag.

SPA TLVs between ASes This type of TLVs are used in SPA process between ASes. Type value is 2 for SPA TLV between ASes. The details are TBD.

BGP SAVNET Refresh The SPD TLV is carried in a BGP Refresh message after the BGP Refresh message body, as follows:

BGP-REFRESH with SPD TLV format

By carrying an SPD TLV, a BGP SAVNET Refresh message MUST NOT be processed as a Route-Refresh (as a re-advertisement request) and SHOULD only be used in the SPD process. A BGP SAVNET Refresh message without an SPD TLV SHOULD be processed as a Route-Refresh as defined in Route Refresh Capability .

The SPD TLVs within an AS The SPD TLV carries the information that the Source Path Discovery process needed. This type of TLVs are used in SPD process within an AS. The format is shown below:

SPD TLV format

The meaning of these fields are as follows:

• Type: TLV Type, the value is 2 for SPD TLV.
• SubType: TLV Sub-Type, value is 1 for SPD TLV within an AS.
• Length: The length of the SPD TLV value, the Type, SubType and Length fields are excluded.
• Sequence Number: Indicates the sequence of Source Path Discovery process. The initial value is 0 and the value increases monotonically.
• Origin router-id: The router ID of the originating node of the Source Path Discovery process.
• Optional Data Length: The length of the optional data field in bytes. The value can be 0 when there is no optional data.
• Optional Data: In Sub-TLV format, see Section 5.3.2 for details.
• Dest List: List of destination router-ids, using 4-bytes route-id, indicates the destinations of this Source Path Discovery process.

The SPD TLVs between ASes This type of TLVs are used in SPD process between ASes. SubType value is 2 for SPD TLV between ASes. The details are TBD.

The SPD Optional Data Sub-TLVs Information in the Optional Data field of the SPD TLV is encoded in Sub-TLV format. The format is shown below and applies to all types of Sub-TLVs. Each type of Sub-TLV SHOULD appear no more than once in an SPD TLV.

SPD Optional Data Sub-TLV format

The meaning of these fields are as follows:

• Type: Sub-TLV Type. The value 1 and 2 have been taken. The sequence of values is TBD and requires IANA registration as specified in Section 9.
• Length: The length of the Sub-TLV value, the Type and Length fields are excluded.

Sub-TLV Type 1: Origin Router-id List List of agent original router-ids, using 4-bytes route-id. This information is used in the SPD convergence process and can carry a maximum of 254 router-ids.

Sub-TLV Type 2: Path Router-id List List of path router-ids, using 4-bytes route-id, record all the router-id of the routers that the SPD process has passed through. This information is used to prevent loops and can carry a maximum of 254 router-ids.

Decision Process with BGP SAVNET The Decision Process described in works to determines a degree of preference among routes with the same prefix. The Decision Process involves many BGP Path attributes, which are not necessary for BGP SAVNET SPA and SPD process, such as next-hop attributes and IGP-metric attributes. Therefore, this document introduces a simplified Decision Process for SAVNET SAFI. The purpose of SPA is to maintain a uniform Source Prefix list, which is the mapping from original router-id to IP addresses, across all routers in the deploy domain. To ensure this, it is RECOMMENDED that all routers deploy no ingress or egress route-policies.

BGP SAVNET NLRI Selection The Decision Process described in no longer apply, and the Decision Process for BGP SAVNET NLRI are as follows:

1. The locally imported route is preferred over the route received from a peer.
2. The route received from a peer with the numerically larger originator is preferred.
3. The route received from a peer with the numerically larger Peer IP Address is preferred.

Self-Originated NLRI BGP SAVNET NLRI with origin router-id matching the local router-id is considered self-originated. All locally imported routes should be considered self-originated by default. Since the origin router-id is part of the NLRI key, it is very unlikely that a self-originated NLRI would be received from a peer. Unless a router-id conflict occurs due to incorrect configuration. In this case, the self-originated NLRI MUST be discarded upon the receiver, and appropriate error logging is RECOMMENDED. On the other hand, besides the route learn from peers, a BGP SAVNET speaker MUST NOT advertise NLRI which is not self-originated.

Error Handling

Process of BGP SAVNET NLRIs When a BGP SAVNET speaker receives a BGP Update containing a malformed MP_REACH_NLRI or MP_UNREACH_NLRI, it MUST ignore the received TLV and MUST NOT pass it to other BGP peers. When discarding a malformed TLV, a BGP SAVNET speaker MAY log a specific error. If duplicate NLRIs exist in a MP_REACH_NLRI or MP_UNREACH_NLRI attribute, only the last one SHOULD be used.

Process of BGP SAVNET SPA TLVs When a BGP SAVNET speaker receives an SPA TLV with an undefined type, it MUST be considered malformed. When a BGP SAVNET speaker receives an SPA TLV with a 0 origin router-id, or the origin router-id is the same as the local router-id, it MUST be considered malformed. When a BGP SAVNET speaker receives an SPA TLV with an invalid MaskLen field, which is out of the range 1~32 for IPv4 and 1~128 for IPv6, it MUST be considered malformed. When a BGP SAVNET speaker receives an SPA TLV with an address field, whose length in bytes do not match with the remaining data, it MUST be considered malformed. When a BGP SAVNET speaker receives a malformed SPA TLV, it MUST ignore the received TLV and MUST NOT pass it to other BGP peers. When discarding a malformed TLV, a BGP SAVNET speaker MAY log a specific error.

Process of BGP SAVNET Refresh Each BGP Refresh message MUST contain at most one SPD TLV. When a BGP SAVNET speaker receives a BGP Refresh packet with multiple SPD TLVs, only the first one SHOULD be processed.

Process of BGP SAVNET SPD TLVs When a BGP SAVNET speaker receives an SPD TLV with an undefined type or subtype, it MUST be considered malformed. When a BGP SAVNET speaker receives an SPD TLV with a 0 origin router-id, or the origin router-id is the same as the local router-id, it MUST be considered malformed. When a BGP SAVNET speaker receives an SPD TLV with an optional data sub-TLV that is an undefined type, it MUST be considered malformed. When a BGP SAVNET speaker receives an SPD TLV with a DestList field that is not a multiple of 4 in length, it MUST be considered malformed. When a BGP SAVNET speaker receives a Refresh message with a malformed SPD TLV, it MUST ignore the received message. When discarding a malformed message, a BGP SAVNET speaker MAY log a specific error. When a BGP SAVNET speaker receives an SPD TLV with a sequence number that does not match the local recorded sequence number:

• If the newly received sequence number is numerically larger, the local recorded sequence number SHOULD be updated to the newly received sequence number.
• If the newly received sequence number is numerically smaller, the local recorded sequence number SHOULD NOT be updated, and the BGP SAVNET speaker SHOULD log a specific error.

Management Considerations TBD

IANA Considerations The BGP SAVNET SAFIs under the IPv4 address family and the IPv6 address family need to be allocated by IANA.

Security Considerations This document does not introduce any new security considerations.

References Normative References This document defines a new Border Gateway Protocol (BGP) capability termed 'Route Refresh Capability', which would allow the dynamic exchange of route refresh request between BGP speakers and subsequent re-advertisement of the respective Adj-RIB-Out. [STANDARDS-TRACK] This document defines extensions to BGP-4 to enable it to carry routing information for multiple Network Layer protocols (e.g., IPv6, IPX, L3VPN, etc.). The extensions are backward compatible - a router that supports the extensions can interoperate with a router that doesn't support the extensions. [STANDARDS-TRACK] This document defines an Optional Parameter, called Capabilities, that is expected to facilitate the introduction of new capabilities in the Border Gateway Protocol (BGP) by providing graceful capability advertisement without requiring that BGP peering be terminated. This document obsoletes RFC 3392. [STANDARDS-TRACK] Tsinghua University Tsinghua University Huawei Zhongguancun Laboratory Huawei Tsinghua University Zhongguancun Laboratory Intra-domain source address validation (SAV) plays an important role in defending against source address spoofing attacks in intra-domain networks. This document proposes an intra-domain source address validation (intra-domain SAVNET) architecture. Under the architecture, a router can automatically generate accurate SAV rules based on the SAV-related information from multiple information sources. This document does not specify protocols or protocol extensions, instead focusing on architectural components and their functionalities in an intra-domain SAVNET deployment. Tsinghua University Tsinghua University Huawei Zhongguancun Laboratory Huawei Zhongguancun Laboratory Tsinghua University Source address validation (SAV) is critical to preventing attacks based on source IP address spoofing. The proposed inter-domain SAVNET architecture enables an AS to generate SAV rules based on SAV- related information from multiple sources. This architecture integrates existing SAV mechanisms and offers ample design space for new SAV mechanisms. The document focuses on architectural components and SAV-related information in an inter-domain SAVNET deployment, without specifying any protocols or protocol extensions. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document discusses the Border Gateway Protocol (BGP), which is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses. This information is sufficient for constructing a graph of AS connectivity for this reachability from which routing loops may be pruned, and, at the AS level, some policy decisions may be enforced. BGP-4 provides a set of mechanisms for supporting Classless Inter-Domain Routing (CIDR). These mechanisms include support for advertising a set of destinations as an IP prefix, and eliminating the concept of network "class" within BGP. BGP-4 also introduces mechanisms that allow aggregation of routes, including aggregation of AS paths. This document obsoletes RFC 1771. [STANDARDS-TRACK] The Source Address Validation Improvement (SAVI) effort aims to complement ingress filtering with finer-grained, standardized IP source address validation. This document describes threats enabled by IP source address spoofing both in the global and finer-grained context, describes currently available solutions and challenges, and provides a starting point analysis for finer-grained (host granularity) anti-spoofing work. BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704. Tsinghua University Tsinghua University Tsinghua University Huawei Huawei This document provides the gap analysis of existing intra-domain source address validation mechanisms, describes the fundamental problems, and defines the requirements for technical improvements. Tsinghua University Tsinghua University Zhongguancun Laboratory Huawei Huawei This document provides the gap analysis of existing inter-domain source address validation mechanisms, describes the fundamental problems, and defines the requirements for technical improvements. Huawei China Mobile Tsinghua University Huawei Huawei Zhongguancun Laboratory Source address validation (SAV) table consists of SAV rules that are manually configured or automatically generated. The table will take effect in data plane for checking the validity of source addresses. SAV mechanisms may enable SAV tables in data plane using different methods (e.g., ACL or FIB), and these tables are suitable for different application scenarios. This document aims to provide a systematic view of existing SAV tables, which makes it convenient for engineers or operators to improve existing SAV mechanisms or properly apply SAV on routers. The document first examines existing forms of SAV tables and provides a unified abstraction. Then, three validation modes are concluded as well as suggestions for application scenarios. Finally, diversified actions for each validity state are introduced for compliance of different operation requirements.

Acknowledgements TBD