IGP-based Source Address Validation in Intra-domain Networks (Intra-domain SAVNET)

Introduction The purpose of intra-domain SAV is to prevent outgoing data packets from an intra-domain subnet (e.g., a host network or a customer network) from forging source addresses of other intra-domain subnets or other ASes, and to prevent incoming data packets from external ASes from forging source addresses of the local AS. To this end, intra-domain SAV should focus on SAV on host-facing routers, customer-facing routers, and AS border routers (see ). Specifically, host-facing routers or customer-facing routers should block data packets from the connected host network or customer network with a spoofed source IP address not belonging to that network. AS border routers should block data packets from other ASes with a spoofed source IP address belonging to the local AS. However, existing intra-domain SAV solutions (e.g., BCP38 and BCP84 ) have problems of high operational overhead or inaccurate validation (see ). ACL-based ingress filtering requires manual operations to configure and update the SAV rules, while uRPF-based solutions may improperly block legitimate data packets in the scenario of routing asymmetry. To address these problems and guide the design of new intra-domain SAV solutions, proposes the architecture of intra-domain SAVNET and introduces the use of SAV-specific information in intra-domain networks. Following the intra-domain SAVNET architecture, this document proposes a new IGP-based intra-domain SAV solution, called IGP-SAVNET, which improves the accuracy upon current intra-domain SAV solutions. It allows host-facing routers, customer-facing routers, and AS border routers to communicate SAV-specific information using the intra-domain routing protocol or an extension to the intra-domain routing protocol. By using SAV-specific information, these routers can generate and update accurate SAV rules in an automatic way. The reader is encouraged to be familiar with and .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology SAV Rule: The rule in a router that describes the mapping relationship between a source address (prefix) and the valid incoming interface(s). It is used by a router to make SAV decisions and is inferred from the SAV Information Base. Host-facing Router: An intra-domain router of an AS which is connected to an intra-domain host network (i.e., a layer-2 network). Customer-facing Router: An intra-domain router of an AS which is connected to an intra-domain customer network running the routing protocol (i.e., a layer-3 network). AS Border Router: An intra-domain router of an AS which is connected to other ASes.

Goals of Intra-domain SAV Goal 1: The host-facing router or customer-facing router should identify source prefixes belonging to its host network or customer network and block data packets from its host network or customer network using source addresses not belonging to the network. For example, in , Routers A and B should generate SAV rules at the interface '#' and block data packets from Network 1 using source addresses not belonging to Network 1. Router C should generate SAV rules at interfaces '#' and block data packets from Network 2 using source addresses not belonging to Network 2. Goal 2: The AS border router should identify source prefixes belonging to the local AS and block data packets from other ASes using source addresses belonging to the local AS. For example, in , Routers D and E should generate SAV rules at interface '#' and block data packets from other ASes using source addresses belonging to the local AS.

Goals of Intra-domain SAV

Description of the Method To achieve the above two goals, IGP-SAVNET allows host-facing routers, customer-facing routers, and AS border routers to communicate SAV-specific information between each other through IGP. These routers will not communicate SAV-specific information with routers/devices in host networks, customer networks, and other ASes. In the following, this document describes how IGP-SAVNET works to meet the goals.

SAV procedure on customer-facing or host-facing routers SAV on a customer-facing (or host-facing) router aims to identify source prefixes belonging to the customer (or host) network. After that, the customer-facing (or host-facing) router can perform accurate SAV filtering by only accepting data packets from its customer (or host) network with source addresses belonging to that network. If the customer (or host) network is single-homed, the customer-facing (or host-facing) router can directly identify source prefixes through its local routes to that network. If the customer (or host) network is multi-homed, the customer-facing (or host-facing) router may fail to identify all source prefixes of that network through its local routes to that network in the scenario of routing asymmetry (see ). For example, in , due to traffic engineering, Router A only learns the route to sub prefix 10.1.0.0/16 from Network N, while Router B only learns the route to the other sub prefix 10.0.0.0/16 from Network N. In this case, as described in , strict uRPF on Router A will block data packets from the customer (or host) network with legitimate source addresses in prefix 10.0.0.0/16, and strict uRPF on Router B will block data packets from the customer (or host) network with legitimate source addresses in prefix 10.1.0.0/16. To achieve accurate SAV on routers facing the multi-homed customer (or host) network, IGP-SAVNET allows routers facing the same customer (or host) network to identify source prefixes of the network through SAV-specific information communication.

SAV-specific information communication between Routers A and B +----------+ | | | Router A | SAV-specific info | Router B | | | +-------#--+ <---------------------+ +--#-------+ | | | [10.0.0.0/16]+[tag n] | | | | | | | | | | | | +--------------------+ | | | | | Customer or Host | | | | +----| Network N |-----+ | | +--------------------+ | | (10.0.0.0/15 ) | +-----------------------------------------------------+ ]]> A detailed description of SAV procedure is as follows:

Tag Assignment: Each single-homed or multi-homed customer (or host) network is assigned a unique tag value. For example, in , Network N is assigned tag n. The tag value for can be configured and updated manually.
SAV-specific Information Communication: Each customer-facing (or host-facing) router provides its SAV-specific information of its customer (or host) networks to other intra-domain routers. The SAV-specific information of a customer (or host) network contains the prefixes learned through the router's local routes to the network and the tag value of the network. For example, Router A can provide its SAV-specific information, which contains prefix 10.1.0.0/16 and tag n, to other intra-domain routers. This procedure can be implemented by using IGP or extensions to IGP, which will be elaborated in .
SAV-specific Information Processing: When a router receives SAV-specific information containing the same tag value as its customer (or host) network, it considers that the prefixes contained in the SAV-specific information also belong to its customer (or host) network. For example, Router B will identify prefix 10.1.0.0/16 as a source prefix of Network N after receiving the SAV-specific information provided by Router A.
Source Prefix Identification: By integrating prefixes learned through SAV-specific information provided by other routers with prefixes learned through its local routes, the customer-facing (or host-facing) router can identify complete source prefixes of its customer (or host) network. For example, Router B will identify that both prefix 10.1.0.0/16 and prefix 10.0.0.0/16 belong to Network N after processing SAV-specific information provided by Router A. Similarly, Router A will also identify complete source prefixes of Network N after processing SAV-specific information provided by Router B.
SAV Rule Generation: Each customer-facing (or host-facing) router generates an allowlist containing source prefixes of its customer (or host) network at the interface facing that network. Only data packets using source addresses covered in the allowlist will be accepted at this interface.

SAV procedure on AS border routers SAV on an AS border router aims to identify source prefixes belonging to the local AS. After receiving SAV-specific information or routing information originating from host-facing and customer-facing routers through IGP, AS border routers can identify source prefixes of the local AS accordingly and generate a blocklist containing these source prefixes. After that, data packets arriving from other ASes with source addresses belonging to the local AS will be blocked on the AS border router.

SAV-specific Information Communication Using IGP The key idea is to add the tag value into the prefix information when the customer-facing (or host-facing) router distributes the prefix information of its customer (or host) network. As shown in , the SAVNET Agent of a Sender Router provides its SAV-specific information to other SAVNET routers via IGP. After receiving SAV-specific information from other SAVNET routers, the SAVNET Agent of the Receiver Router generates SAV rules by using SAV-specific information from other SAVNET routers and/or its own SAV-specific information. The Sender Router can be a customer-facing router or a host-facing router. The Receiver Router can be a customer-facing router, a host-facing router, or an AS border router.

Overview of SAV-specific information communication + IGP LSDB | | | +-----^------+ | | +-----+------+ | | | | | | | | +-------+---------+ | | +--------v--------+ | | | SAVNET Agent | | | | SAVNET Agent | | | | +-------------+ | | | | +-------------+ | | | | | Information | | | | | | Information | | | | | | Provider | | | | | | Receiver | | | | | +-------------+ | | | | +-------------+ | | | +-----------------+ | | +-----------------+ | | | | | +---------------------+ +---------------------+ ]]> The overall procedure of SAV-specific information communication is as follows:

At the Sender Router: Carry its SAV-specific information (e.g., the tag information of the customer or host network) through the Link State Database (LSDB) of IGP. The IGP will synchronize the LSDB, including node information, link information, prefix information, and tag information.
At the Receiver Router: After receiving SAV-specific information carried in the LSDB, its SAVNET Agent extracts SAV-specific information from the LSDB of IGP and then generates SAV rules as described in .

In the following, this document presents two approaches to implement SAV-specific information communication among intra-domain routers.

Approach #1: Using the existing Administrative Tag Sub-TLV When a router distributes IP prefix information of the customer or host network, it can carry the tag of that network in the Administrative Tag Sub-TLV. When a router receives IP prefix information, it checks if there is a locally configured interface with the same tag as the Administrative Tag information carried in the prefix. If such an interface exists, SAVNET rules will be added, with the prefix being the received prefix and the interface being the locally configured interface with this tag. As shown in , assume Network N is assigned tag n. In the prefix information of 10.1.0.0/16 published by Router A, tag n is carried via the Administrative Tag Sub-TLV. Similarly, in the prefix information of 10.0.0.0/16 published by Router B, tag n is carried via the Administrative Tag Sub-TLV. When Router A receives the prefix information of 10.0.0.0/16, it checks that the carried tag n matches the tag of Network N, and thus determines that prefix 10.0.0.0/16 also belongs to Network N. Similarly, Router B determines that prefix 10.1.0.0/16 also belongs to Network N using the same process.

Administrative Tag Sub-TLV of IS-IS For routers running IS-IS, they can carry the tag in the Administrative Tag Sub-TLV (defined in ), which can be included in: Extended IP Reachability TLV (135), Multi-Topology Reachable IPv4 Prefixes TLV (235), IPv6 Reachability TLV (236), Multi-Topology Reachable IPv6 Prefixes TLV (237).

Administrative Tag Sub-TLV of OSPF For routers running OSPF, they can carry the tag in the Administrative Tag Sub-TLV within the OSPF Extended Prefix TLV Sub-TLV .

Administrative Tag Sub-TLV of OSPFv3 For routers running OSPFv3, they can include the tag in the Administrative Tag Sub-TLV within the OSPFv3 Intra-Area-Prefix TLV, Inter-Area-Prefix TLV, and External-Prefix TLV .

Considerations of using Administrative Tag Sub-TLV In practice, intra-domain routers may also use the Administrative Tag Sub-TLV for other purposes (e.g., route filtering), and multiple Administrative Tag Sub-TLVs may be carried in the IP prefix information simultaneously. Therefore, using the existing Administrative Tag Sub-TLV for SAV-specific information communication may conflict with other routing policies that also use Administrative Tags as filtering criteria. To address this issue, this document proposes Approach #2 in the following.

Approach #2: Defining a new SAVNET Tag Sub-TLV To avoid possible conflicts and facilitate operation and management, it is more recommended to define and use a dedicated SAVNET Tag Sub-TLV to tranmit SAV-specific information.

SAVNET Tag Sub-TLV of IS-IS shows the structure of SAVNET Tag Sub-TLV of IS-IS. It can be included in the following TLVs: Extended IP Reachability TLV (135), Multi-Topology Reachable IPv4 Prefixes TLV (235), IPv6 Reachability TLV (236), Multi-Topology Reachable IPv6 Prefixes TLV (237).

SAVNET Tag Sub-TLV of IS-IS

SAVNET Tag Sub-TLV of OSPF and OSPFv3 shows the structure of SAVNET Tag Sub-TLV of OSPF and OSPFv3. The SAVNET Tag Sub-TLV of OSPF specified herein will be valid as a sub-TLV of the following TLVs specified in :

Extended Prefix TLV advertised in the OSPFv2 Extended Prefix LSA

The SAVNET Tag Sub-TLV of OSPFv3 specified herein will be valid as a sub-TLV of the following TLVs specified in :

Inter-Area-Prefix TLV advertised in the E-Inter-Area-Prefix-LSA.
Intra-Area-Prefix TLV advertised in the E-Intra-Area-Prefix-LSA.
External-Prefix TLV advertised in the E-AS-External-LSA and the E-NSSA-LSA.

SAVNET Tag Sub-TLV of OSPF and OSPFv3

Security Considerations The security considerations described in and also applies to this document.

IANA Considerations TBD.