]> BGP Link-State Extensions for Source Address Validation Networks (SAVNET) China Unicom
tongt5@chinaunicom.cn
China Unicom
pangran@chinaunicom.cn
Huawei
gengnan@huawei.com
Huawei
liumingxing7@huawei.com
Routing Intra Domain Routing Internet-Draft BGP Link-state uses the BGP protocol to collect and report network topology to the network controller. This document defines a new type of BGP-LS NLRI for reporting source address validation-related information to the controller. The reported information can be used to generate SAV rules centrally. About This Document Status information for this document may be found at . Discussion of this document takes place on the Intra Domain Routing Working Group mailing list (), which is archived at . Subscribe at .
Introduction Source address spoofing-based attacks is one of the main sources of network threats. Source address validation (SAV) is an effective method to prevent source address spoofing-based attacks . Many network operators have deployed network controllers in their networks. Network controllers can be used to generate SAV rules based on the network topology information. The generated SAV rules can be then disseminated to network devices for SAV. BGP Link-State (BGP-LS) protocol is a convenient tool for collecting network topology information . It aggregates the topology information collected by IGP protocol and sends the information to the upper controller. BGP-LS can help controllers collect topology information. However, to generate accurate SAV rules, the currently supported information in BGP-LS is not enough. Controllers need to know which interface is connected to a specific subnet and which source prefixes the interface can reach. The information that is useful for SAV rule generation is called SAV-related information in this document. This document defines a new type of BGP-LS NLRI for reporting source address validation-related information to the controller. The reported information can be used to generate SAV rules centrally.
Terminology
  • SAV: Source address validation
  • SAV Rule: The rule that indicates the valid/invalid incoming interfaces of a specific source IP address or source IP prefix.
  • AS: Autonomous System
BGP Link-State for SAVNET This section introduces the SAV rules, SAV-related information, and BGP Link-State for SAV.
SAV Rules SAV rules can be used for checking the validity of source addresses of incoming packets. The rules are usually in the format of <source prefix, incoming interface set>. The source prefix is for matching specific packets. Interface set represents a set of physical interfaces from which the packets should arrive. For example, the rule <P1, [intf1, intf2]> means the source prefix P1 must arrive the router at interface Intf1 or Intf2, otherwise, P1 is invalid. For invalid source prefixes, the filtering actions, such as block, rate-limit, and redirect, can be taken on the packets .
SAV-related information SAV-related information is the relevant information required by the controller to generate SAV rules, including:
  • Protocol-ID: same as Table 2 in .
  • Multi-instance identifier: Identifier of the IGP domain used to identify different protocol instances when running IS-IS, OSPF multi-instance, and OSPFv3 multi-instance.
  • Subnet identifier: Identifier of the customer subnet that identifies different customer subnets.
  • Subnet prefix: Describes the prefix information of the customer subnet.
  • Access interface: Identifies the interface of the device from which the customer subnet is accessed.
BGP Link-State for SAVNET BGP Link-State protocol is a new way to collect network topology and summarize the topology information collected by the IGP protocol to be uploaded to the upper layer controller, which normalizes the topology uploading protocol and reduces the requirement on the computational power of the upper layer controller. In the SDN controller-based intra-domain SAV capability enhancement scheme, SAV-related information can be uploaded to the network controller via BGP-LS. As shown in , the controller establishes BGP connections with routers in the AS domain, including both SAV-enabled and SAV-disabled devices, to upload SAV-related information.
Collection of Link-State for SAV-related Information
BGP Link-State Extensions for SAVNET A new BGP-LS NLRI type (TBD1) called SAVNET NLRI is defined in this section. The value field part of the NLRI contains the SAV-related information described in and is encoded as follows: The format of Protocol-ID, Multiple instance identifier, Local Node Descriptors TLV, Prefix Descriptors TLVs, and Link Descriptors TLVs in the above figure is defined same as that in . The meaning of fields:
  • Type (TBD2): This field indicates a subnet interface identification.
  • Length: This field indicates the total length of the prefix TLV.
  • Subnet identifier: This field indicates the access subnet and needs to be configured locally.
Security Considerations No new security issues are introduced.
IANA Considerations IANA is required to allocate a new BGP-LS NLRI type (TBD1) and a new Descriptor TLV type (TBD2) for the extensions proposed in this document.
References Normative References Distribution of Link-State and Traffic Engineering Information Using BGP In many environments, a component external to a network is called upon to perform computations based on the network topology and the current state of the connections within the network, including Traffic Engineering (TE) information. This is information typically distributed by IGP routing protocols within the network. This document describes a mechanism by which link-state and TE information can be collected from networks and shared with external components using the BGP routing protocol. This is achieved using a BGP Network Layer Reachability Information (NLRI) encoding format. The mechanism applies to physical and virtual (e.g., tunnel) IGP links. The mechanism described is subject to policy control. Applications of this technique include Application-Layer Traffic Optimization (ALTO) servers and Path Computation Elements (PCEs). This document obsoletes RFC 7752 by completely replacing that document. It makes some small changes and clarifications to the previous specification. This document also obsoletes RFC 9029 by incorporating the updates that it made to RFC 7752. Informative References Intra-domain Source Address Validation (SAVNET) Architecture Tsinghua University Tsinghua University Tsinghua University Huawei Zhongguancun Laboratory Huawei Zhongguancun Laboratory This document proposes the intra-domain SAVNET architecture, which achieves accurate source address validation (SAV) in an intra-domain network by an automatic way. Compared with uRPF-like SAV mechanisms that only depend on routers' local routing information, SAVNET routers generate SAV rules by using both local routing information and SAV-specific information exchanged among routers, resulting in more accurate SAV validation in asymmetric routing scenarios. Compared with ACL rules that require manual efforts to accommodate to network dynamics, SAVNET routers learn the SAV rules automatically in a distributed way. Inter-domain Source Address Validation (SAVNET) Architecture Tsinghua University Tsinghua University Huawei Zhongguancun Laboratory Huawei Zhongguancun Laboratory Tsinghua University This document introduces an inter-domain SAVNET architecture for performing AS-level SAV and provides a comprehensive framework for guiding the design of inter-domain SAV mechanisms. The proposed architecture empowers ASes to generate SAV rules by sharing SAV- specific information between themselves, which can be used to generate more accurate and trustworthy SAV rules in a timely manner compared to the general information. During the incremental or partial deployment of SAV-specific information, it can rely on general information to generate SAV rules, if an AS's SAV-specific information is unavailable. Rather than delving into protocol extensions or implementations, this document primarily concentrates on proposing SAV-specific and general information and guiding how to utilize them to generate SAV rules. It also defines the architectural components and their relations. General Source Address Validation Capabilities China Mobile Tsinghua University Huawei Technologies Huawei Technologies Zhongguancun Laboratory New H3C Technologies The SAV rules of existing source address validation (SAV) mechanisms, are derived from other core data structures, e.g., FIB-based uRPF, which are not dedicatedly designed for source filtering. Therefore there are some limitations related to deployable scenarios and traffic handling policies. To overcome these limitations, this document introduces the general SAV capabilities from data plane perspective. How to implement the capabilities and how to generate SAV rules are not in the scope of this document. BGP Extensions for Source Address Validation Networks (BGP SAVNET) Huawei Technologies Huawei Technologies Huawei Technologies Huawei Technologies Tsinghua University Zhongguancun Laboratory Many source address validation (SAV) mechanisms have been proposed for preventing source address spoofing. However, existing SAV mechanisms are faced with the problems of inaccurate validation or high operational overhead in some scenarios. This document proposes BGP SAVNET by extending BGP protocol for SAV. This protocol can propagate SAV-related information through BGP messages. The propagated information will help edge/border routers automatically generate accurate SAV rules. These rules construct a validation boundary for the network and help check the validity of source addresses of arrival data packets.
Acknowledgments The authors would like to acknowledge the contributions from Wenxiang Lv and Jing Zhao.