Source Address Validation Table Abstraction and Application

Introduction Source address validation (SAV) can detect and prevent source address spoofing on the SAV-enabled routers. When a packet arrives at an interface of the router, the source address of the packet will be validated. For the packets with unwanted source addresses or arriving at unwanted interfaces, will be considered invalid and usually be conducted elimination actions on. There have been many source address validation (SAV) mechanisms such as ACL-based filtering (), uRPF-like mechanisms (, ), etc. ACL rules can act as SAV rules for filtering unwanted source addresses (possibly spoofed source addresses) at specific interfaces. Strict uRPF and loose uRPF conducts reverse looking up in FIB for validating source addresses. Therefore, FIB entries can somehow be considered as SAV rules. It can be found that existing SAV mechanisms have their own core data structures which are coupled with the corresponding underlying implementation. The coupling induces three problems. First, it is not easy to perform analysis across different SAV mechanisms because the SAV rule generation process and the validation process depends on the underlying implementation. Second, the accuracy of SAV varies under different application conditions. With diversified data structure of SAV rules, we cannot easily express or agree on important questions such as which kind of SAV tables can be generated and enabled in the data plane. Third, SAV mechanisms usually take either "permit" action or "block" action on the validated packets. It is sometimes not flexible enough for diversified operation requirements in practice. This document abstracts the data structure for storing SAV rules as a unified SAV table. The SAV table is a logical description and not coupled with underlying implementation. After defining the SAV table, the document introduces the validation process, validation modes, and elimination actions. All the descriptions are not bound to specific implementations, but real implementations must have the equivalent effects to the abstracted descriptions. The SAV table abstraction and application introductions can:

Help engineers easily clarify the design goals of SAV mechanisms.
Help operators easily learn how to apply SAV in different scenarios.

How to generate the SAV rules in the SAV table is not the focus of this document.

Terminology SAV rule: The entry specifying the valid incoming interfaces of specific source addresses or source prefixes. SAV table: The abstracted data structure that stores SAV rules. Validation mode: The definition that describes the typical applications of SAV table. Different modes take effect in different scales and treat the default prefix differently. Elimination action: The action taken on the invalid packets that fail to pass SAV process.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

SAV Table Abstraction The basic idea of SAV is to check whether a source prefix arrives from a valid interface of the router. So, there are two dimensions in a logic SAV table, i.e., source prefix and interface. shows the abstraction of SAV table. The prefixes, i.e., Prefix1, Prefix2, Prefix3, ..., Prefixn, mean the prefixes that the SAV mechanisms have learned or aim to validate. The interfaces, i.e., Intf. 1, Intf. 2, Intf. 3 ..., are the router's interfaces that enable validation. Each cell in the table indicates the validity state of the corresponding source prefix and interface. For example, suppose a packet with source address P1 arrives at interface Intf1. The validity state for the packet is "state_11" after taking SAV. For the source prefix of "default" in , it means all zero IP address for IPv4 or IPv6, i.e., unrecorded source addresses. The packets with unrecorded source addresses will match the default source prefix. There are two kinds of validity states: "valid" and "invalid". If the state is "valid", the packet is considered legitimate. If the state is "invalid", the packet is considered as carrying a spoofed source address. There may be some cases where SAV mechanisms fail to get enough information for SAV table generation and cannot determine the validity states of some cells. In these cases, the cells are suggested to be filled with "valid" instead of "invalid" or a particularly defined "unknown" state, so that the forwarding of legitimate packets will not be impacted (e.g., blocked) by mistake.

SAV table abstraction

Validation Process The validation process is shown in . Suppose the router has learned the SAV table by SAV mechanisms and implemented it in the data plane. When a packet arrives at the router, the router will take the source address and the incoming interface of the packet as the input and look up the table. The validity state that is either "valid" or "invalid" will be returned after the process.

Validation process | implemented |--------> validity incoming intf.) | SAV table | state +-------------+ ]]>

Validation Modes This section defines validation modes which describes the typical applications of SAV table. These modes take effect in different scales and treat the default prefix differently. By choosing modes in different scenarios appropriately, the network can be protected as much as possible while not impacting the forwarding of legitimate packets. Validation modes also describe the goal of SAV table generation. The modes can be set before generating the table. By specifying validation modes, operators can take appropriate SAV mechanisms matching the modes, and engineers can design new SAV mechanisms to achieve the goal in challenging scenarios. Note that, validation modes do not put restrictions to product implementations, but the implementation should have the equivalent effect to the description.

Mode 1: Interface-based prefix allowlist Mode 1 is an interface-scale mode, i.e., it takes effect on a configured interface. The interface enabling Mode 1 is maintaining an interface-based prefix allowlist. Only the source prefixes recorded in the list will be considered valid, otherwise invalid. For the interface enabling Mode 1, the corresponding column in the generated SAV table can be equivalently mapped to a prefix allowlist. In the column, the prefixes recorded as valid will be put into the allowlist. Particularly, the default prefix is deterministic to be "invalid" in the column. Applying Mode 1 on an interface requires the complete knowledge of legitimate prefixes connected to the interface. Mode 1 is suitable to the interfaces connecting to a subnet, a stub AS, or a customer cone. Such a mode can efficiently prevent the connected network from spoofing source prefixes of other networks. In some cases, it may be difficult for an interface getting all the legitimate source prefixes. If not all legitimate prefixes are included in the allowlist, packets with legitimate source addresses arriving at the interface may be improperly blocked. For example, the interface with a default route or the interface connecting to the Internet through a provider AS can hardly promise to know all the legitimate source prefixes.

Mode 2: Interface-based prefix blocklist Mode 2 is also an interface-scale mode, i.e., it takes effect on a configured interface. An interface cannot enable Mode 1 and Mode 2 at the same time. The interface enabling Mode 2 is maintaining an interface-based prefix blocklist. The source prefixes recorded in the list will be considered invalid, otherwise valid. For the interface enabling Mode 2, the corresponding column in the generated SAV table can be equivalently mapped to a prefix blocklist. In the column, the prefixes recorded as invalid will be put into the blocklist. Particularly, the default prefix is deterministic to be "valid" in the column. This mode does not require the complete blocklist. If the packets with the specific source addresses need to be discarded, Mode 2 can be taken. Mode 2 is suitable for proactive filtering and reactive filtering. Usually the source prefixes that are sure to be invalid will be put into the blocklist, which is proactive filtering. Reactive filtering rules are usually installed in DDoS elimination for dropping specific packets.

Mode 3: Prefix-based interface allowlist Mode 3 is a router-scale mode, i.e., it takes effect on all the SAV-enabled interfaces except those enabling Mode 1 or Mode 2. The router enabling Mode 3 is maintaining a specific set of source prefixes (Notes: usually not include the default prefix) and an interface allowlist (i.e., a list of legitimate incoming interfaces) for each of the source prefixes. The packets whose source addresses are covered by no recorded source prefix will be considered valid. A packet will also be considered valid, if 1) its source address is covered by a recorded source prefix and 2) the incoming interface is also included in the corresponding interface allowlist of the source prefix. If the source address is covered by a recorded source prefix but the incoming interface is not included, the validation result will be "invalid". Mode 3 focuses on validating/protecting the interested source prefixes. If some source prefixes are important but there is no condition to enable Mode 1, Mode 3 can be enabled to provide some extent of protection. Note that, Mode 1 and Mode 2 are configured on an interface, while Mode 3 is for the whole router. Thus, there can be multiple modes configured on the same router. For interfaces configured with Mode 1 or Mode 2, Mode 3 will not be conducted for the packets arriving at the interface. shows a comparison of different validation modes.

A comparison of different validation modes

Elimination Actions After doing validation, the router should update the local validation statistics. For the packet with invalid state, elimination actions should be taken on the packet. Simply dropping the packets may not well satisfy the requirements of operators in different scenarios. This section suggests to provide flexible actions to invalid packet just like FlowSpec (, ). One of the followings elimination actions will be taken:

"Permit": Forward packets normally though the packets are considered invalid. This action is useful when operators only want to monitor the status of source address spoofing in the network. The "Permit" action can be taken together with the "Sample" action.
"Block": Drop packets directly, which is the common choose of existing SAV mechanisms.
"Rate limit": Enforce an upper bound of traffic rate (e.g., bps or pps) for mitigation of source address spoofing attacks.
"Traffic redirect": Redirect the packets to the specified points (e.g., scrubbing centers) in the network for attack elimination.

The following action is optional:

"Sample": Capture the packets with a configurable sampling rate and reports them to remote servers (e.g., security analysis center). The sampled packets can be used for threat awareness and further analysis . "Sample" can be taken together with any one of the above elimination actions. Note that, existing techniques like NetStream or NetFlow can be used for "Sample".

Security Considerations This document focuses on the organization of the core data structure of SAV and device-local SAV operation. The generation of SAV table is not discussed. There may be some security considerations for SAV generation, but it is not in the scope of this document. The "Sample" action pushes data to remote servers. This function can be achieved by existing techniques like NetStream or NetFlow. The "Sample" action may induce same security considerations as these techniques, and the corresponding documents have discussed them.

IANA Considerations This document includes no request to IANA.