]> Zhongguancun Laboratory

Beijing China huangmq@zgclab.edu.cn

China Mobile

Beijing China chengweiqiang@chinamobile.com

Tsinghua University

Beijing China tolidan@tsinghua.edu.cn

Huawei Technologies

Beijing China gengnan@huawei.com

Zhongguancun Laboratory

Beijing China lichen@zgclab.edu.cn

Routing savnet Internet-Draft The SAV rules of existing source address validation (SAV) mechanisms, are derived from other core data structures, e.g., FIB-based uRPF, which are not dedicatedly designed for source filtering. Therefore there are some limitations related to deployable scenarios and traffic handling policies. To overcome these limitations, this document introduces the general SAV capabilities from data plane perspective. How to implement the capabilities and how to generate SAV rules are not in the scope of this document.

Introduction Source address validation (SAV) can detect and prevent source address spoofing on the SAV-enabled routers. When a packet arrives at an interface of the router, the source address of the packet will be validated. The packets with unwanted source addresses or arriving at unwanted interfaces, will be considered invalid and usually be conducted elimination actions on. Only validated packets will continue to be handled or forwarded. From the perspective of data plane validation, the SAV capabilities of existing mechanisms have two main limitations. One of them is the deployable scenario limitation. ACL rules can be configured for filtering unwanted source addresses at specific interfaces (). However, ACL is not dedicatedly designed for source prefix filtering. There exist performance and scalability issues due to long-key based searching, and usually expert maintenance efforts are required. Strict uRPF and loose uRPF are two typical FIB-based SAV mechanisms () and are supported by most commercial routers/switches. FIB-based validation brings many benefits compared to ACL-based filtering but also induces some limitations. Strict uRPF is not applicable for asymmetric routing (), which exists in various scenarios such as intra-domain multi-homing access, inter-domain interconnection, etc. Under asymmetric routing, a source prefix may have a different incoming interface from the next-hop interface of the matched entry, or the source prefix does not exist in the FIB at all. Loose mode can only block unannounced prefix, which results in massive false negatives. Overall, existing ACL-based or FIB-based SAVs can only be applied to specific scenarios and cannot be adaptive to various scenarios (e.g., symmetric vs asymmetric). The other limitation is inflexible traffic handling policy. The current common practice is just to silently drop the spoofed packets. We don't know who benefits from this and who is the source. Further more, the clues of attacks are ignored, which could be very helpful for dealing with DDoS attacks etc. The root cause of the above two limitations is that there is no tool specifically designed for source address filtering. That is, the capabilities of current tools are derived from other functions, e.g., FIB or ACL. This document describes the general SAV capabilities that the data plane of SAV-enabled devices should have. Two kinds of capabilities will be introduced: validation mode and traffic handling policy. Validation modes describe how to apply validation in different scenarios. Traffic handling policies are the policies applied on the validated packets. By implementing the general SAV capabilities, the above two limitations of existing mechanisms can be overcome. To achieve accurate and scalable source address validation, dedicated SAV rules are needed instead of just using those derived from other functions, e.g., FIB or ACL. Note that the general SAV capabilities described in this document are decoupled with vendor implementation. Conforming implementations of this specification may differ, but the SAV outcomes SHOULD be equivalent to the described SAV capabilities. And also how to generate SAV rules is not the focus of this document.

Terminology Validation mode: The mode that describes the typical applications of SAV in a specific kind of scenarios. Different modes take effect in different scales and treat the validated packets differently. SAV rule: The entry specifying the incoming interfaces of specific source addresses or source prefixes. The SAV rule expression might be slightly diffrent between validation modes. Traffic handling policy: The policy taken on the 'invalid' packets validated by SAV.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Validation Modes This section describes four validation modes (Mode1 in , Mode2 in , Mode3 in , Mode4 in ). These modes take effect in different scales and need corresponding SAV rules to validate spoofing packets. By choosing modes in different scenarios appropriately, the network can be protected as much as possible while not impacting the forwarding of legitimate packets.

Mode 1: Interface-based prefix allowlist Mode 1 is an interface-scale mode, which means it takes effect on a specific interface. The interface enabling Mode 1 is maintaining an interface-based prefix allowlist--SAV rule 1. Only the source prefixes recorded in the list will be considered valid, otherwise invalid. Applying Mode 1 on an interface requires the complete knowledge of legitimate source prefixes connected to the interface. Mode 1 is suitable to the closed-connected interfaces such as those connecting to a subnet, a stub AS, or a customer cone. Such a mode can efficiently prevent the connected network from spoofing source prefixes of other networks. Strict uRPF based on FIB belongs to this mode. However, to overcome the limitation of asymmetric routing, additional native source prefix-based SAV rule expression is suggested. This is essential for new SAV mechanisms or architectures such as EFP-uRPF , BAR-SAV , Intra-domain/Inter-domain SAVNET (, ), etc. Mode 1 is the most efficient one if applicable, it is mutual exclusive with other modes. However, in some cases, it may be difficult for an interface getting all the legitimate source prefixes. If any legitimate prefix is not included in the allowlist, packets with this source addresses arriving at the interface may be improperly blocked. For example, the interface with a default route or the interface connecting to the Internet through a provider AS can hardly promise to know all the legitimate source prefixes. We need more modes to cover those scenarios.

Mode 2: Interface-based prefix blocklist Mode 2 is also an interface-scale mode, which means it takes effect on a configured interface. An interface cannot enable Mode 1 and Mode 2 at the same time. The interface enabling Mode 2 is maintaining an interface-based prefix blocklist--SAV rule 2. The source prefixes recorded in the list will be considered invalid, otherwise valid. This mode does not require the complete knowledge of the illegitimate source prefixes on the interface, however some of them can be learned. Mode 2 is suitable for proactive filtering and reactive filtering. Usually the source prefixes that are sure to be invalid will be put into the blocklist, which is proactive filtering. Reactive filtering rules are usually installed in DDoS elimination for dropping packets with specific source addresses. The prefix blocklist can be generated automatically, e.g., one of Intra-domain SAVNET architecture cases, blocking the incoming traffic with internal source prefixes on WAN interface. Or operators can configure the specific source prefixes to block from the interface. This is similar to ACL-based filtering, but more native SAV rule expression with better performance and scalability.

Mode 3: Prefix-based interface allowlist Mode 3 is a router-scale mode, which means it can validate traffic arriving at the router from all directions. The router enabling Mode 3 will record the protected source prefixes and maintain an interface allowlist for each source prefix--SAV rule 3. If a source prefix has an interface allowlist, the packet with this source prefix is considered valid only when its incoming interface is in the interface allowlist. Otherwise, the packet is considered invalid. Applying Mode 3 in a router requires the complete knowledge of legitimate incoming interfaces for a specific source prefix. Mode 3 focuses on validating/protecting the interested source prefixes, it is applicable to the scenario where multiple interfaces are availalbe to provide potential connection to a(or a group) specific source prefix(es) , e.g. WAN-side open connected interfaces. Mode 3 provides a convenient and effective way to control which interface(s) is allowed to accept the specific source prefix, rather than to achieve similar effect by configuring Mode 2 on all other interfaces to block this source prefix. Operators can configure the interface allowlist for a specific source prefix, to prevent DDoS attack related to this source prefix. Or the interface list for specific prefixes can be generated automatically, e.g., one capability defined by Inter-domain SAVNET architectures.

Mode 4: Prefix-based interface blocklist Mode 4 is also a router-scale mode, which means it can validate traffic arriving at the router from all directions. The router enabling Mode 4 will maintain an interface blocklist for a specific source prefix--SAV rule 4. If a source prefix has an interface blocklist, the packet with this source prefix is considered invalid when its incoming interface is in the interface blocklist. Otherwise, the packet is considered valid. Applying Mode 4 in a router does not requires the complete knowledge of illegitimate incoming interfaces for a specific source prefix. Mode 4 focuses on prevent specific source prefix spoofing from specific directions, it is applicable to the scenario where multiple interfaces are facing specific source prefix spoofing attack, e.g. traffic coming in a network from open connected interfaces with its internal prefix as source address. Mode 4 provides a convenient and effective way to control which interface(s) should not accept the specific source prefix, rather than to achieve similar effect by configuring Mode 2 on each interface to block this source prefix, or Mode 4 for the specific source prefix but with a very long interface allowlist. Operators can configure the interface blocklist for a specific source prefix, to prevent DDoS attack related to this source prefix. Or the interface list for specific prefixes can be generated automatically, e.g., one capability defined by Intra-domain SAVNET architectures.

Validation Procedure Mode 1 and Mode 2 are working on interface-level, they should not be enabled on same interface at same time. If they are enabled on same interface, Mode 2 must be ignored. Mode 3 and Mode 4 are working on router-level, they are also mutual exclusive with each othter, that is, they should not be enabled for a specific source prefix at same time. If so, Mode 4 must be ignored. Fruther more, Mode 1 are most preferred mode, which means while an interface has enabled Mode 1, the traffic for this interface don't need go through all other modes (Mode 2, Mode 3 or Mode 4) no matter whether they are configured. While the validation result on interface-level for Mode 2 is valid, the traffic still need go through Mode 3 or Mode 4 if applicable. shows a comparison of different validation modes for dealing with source address validation.

A comparison of different validation modes

The general validation procedure is listed as below. The final validity state, either "valid" or "invalid", will be returned after the procedure. 1) A packet arrives at the router, the source address and the incoming interface of the packet will be copied as the input for following validation process, and the initial validity state is set as 'valid'. 2) If Mode 1 is enabled on the incoming interface, the packet will be only validated based on SAV rule 1 (interface-base prefix allowlist), procedure returns with corresponding validity state. Otherwise--Mode 1 is not enabled on the incoming interface, perform following validation process. 3) If Mode 2 is enabled on the incoming interface, the packet will be validated based on SAV rule 2 (interface-base prefix blocklist). If validation result is invalid, precedure returns. If the validation result is valid or Mode 2 is not enabled, go through router-level validation procedures as below. 4) Similarly, if applicable, Mode 3 and Mode 4 validation procedure will be gone through based on SAV rule 3 (prefix-based interface allowlist) and SAV rule 4 (prefix-based interface blocklist) respectively, in which the precedure will return in case the validation result is invalid. For a specific source prefix, there should be only one router-level mode enabled.

Traffic Handling Policies After doing validation, the router gets the validity state of the incoming packet. For the packet with invalid state, traffic handling policies should be taken on the packet. Simply forwarding or silently dropping may not well satisfy the requirements of operators in different scenarios. This section suggests to provide flexible traffic handling policies to validated packets just like FlowSpec (, ). The followings are the traffic control policies that can be taken. One and only one of the policies will be chosen for an "invalid" validation result.

• "Permit": Forward packets normally though the packets are considered invalid. This policy is useful when operators only want to monitor the status of source address spoofing in the network. The "Permit" policy can be taken together with the "Sample" policy.
• "Discard": Drop packets directly, which is the common choose of existing SAV mechanisms.
• "Rate limit": Enforce an upper bound of traffic rate (e.g., bps or pps) for mitigation of source address spoofing attacks. This policy is helpful while operators want do tentative filtering.
• "Traffic redirect": Redirect the packets to the specified points (e.g., scrubbing centers) in the network for attack elimination.

There are also traffic monitor policies that are optional. One of the useful traffic monitor policies is:

• "Sample": Capture the packets with a configurable sampling rate and reports them to remote servers (e.g., security analysis center). The sampled packets can be used for threat awareness and further analysis. "Sample" can be taken together with any one of the above policies. Note that, existing techniques like NetStream or NetFlow can be used for "Sample".

Security Considerations This document focuses on the general SAV capabilities. The generation of SAV rules is not discussed. There may be some security considerations for SAV generation, but it is not in the scope of this document. The "Sample" policy pushes data to remote servers. This function can be achieved by existing techniques like NetStream or NetFlow. The "Sample" policy may induce same security considerations as these techniques, and the corresponding documents have discussed them.

IANA Considerations This document includes no request to IANA.

Acknowledgements The authors appreciate the valuable comments from all members of the IETF SAVNET Working Group. We extend a special thanks to Aijun Wang for his guidance and suggestion. We extend a special thanks to Mingxing Liu and Changwang Lin for their feedback and contributions from vendor implemention point of view.

Contributors - Mingxing Liu Huawei Technologies China Email: liumingxing7@huawei.com - Changwang Lin New H3C Technologies China email: linchangwang.04414@h3c.com

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704. This document defines a Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) encoding format that can be used to distribute (intra-domain and inter-domain) traffic Flow Specifications for IPv4 unicast and IPv4 BGP/MPLS VPN services. This allows the routing system to propagate information regarding more specific components of the traffic aggregate defined by an IP destination prefix. It also specifies BGP Extended Community encoding formats, which can be used to propagate Traffic Filtering Actions along with the Flow Specification NLRI. Those Traffic Filtering Actions encode actions a routing system can take if the packet matches the Flow Specification. This document obsoletes both RFC 5575 and RFC 7674. "Dissemination of Flow Specification Rules" (RFC 8955) provides a Border Gateway Protocol (BGP) extension for the propagation of traffic flow information for the purpose of rate limiting or filtering IPv4 protocol data packets. This document extends RFC 8955 with IPv6 functionality. It also updates RFC 8955 by changing the IANA Flow Spec Component Types registry. USA National Institute of Standards and Technology Akamai Technologies USA National Institute of Standards and Technology Designing an efficient source address validation (SAV) filter requires minimizing false positives (i.e., avoiding blocking legitimate traffic) while maintaining directionality (see RFC8704). This document advances the technology for SAV filter design through a method that makes use of BGP UPDATE messages, Autonomous System Provider Authorization (ASPA), and Route Origin Authorization (ROA). The proposed method's name is abbreviated as BAR-SAV. BAR-SAV can be used by network operators to derive more robust SAV filters and thus improve network resilience. This document updates RFC8704. Tsinghua University Tsinghua University Zhongguancun Laboratory Huawei Zhongguancun Laboratory This document proposes the intra-domain SAVNET architecture, which achieves accurate source address validation (SAV) in an intra-domain network by an automatic way. Compared with uRPF-like SAV mechanisms [RFC3704] that only depend on routers' local routing information, SAVNET routers generate SAV rules by using both local routing information and SAV-specific information exchanged among routers, resulting in more accurate SAV validation in asymmetric routing scenarios. Compared with ACL-based ingress filtering [RFC2827] that entirely requires manual efforts to accommodate to network dynamics, SAVNET routers learn SAV rules automatically in a distributed way. This document introduces an inter-domain SAVNET architecture for performing AS-level SAV and provides a comprehensive framework for guiding the design of inter-domain SAV mechanisms. The proposed architecture empowers ASes to generate SAV rules by sharing SAV- specific information between themselves, which can be used to generate more accurate and trustworthy SAV rules in a timely manner compared to the general information. During the incremental or partial deployment of SAV-specific information, it can utilize general information to generate SAV rules, if an AS's SAV-specific information is unavailable. Rather than delving into protocol extensions or implementations, this document primarily concentrates on proposing SAV-specific and general information and guiding how to utilize them to generate SAV rules. To this end, it also defines some architectural components and their relations.