Bicone Source Address Validation

Introduction Source address spoofing is one of the most serious security threats to today's Internet. It serves as a main attack vector for large-scale Distributed Denial of Service (DDoS) attacks and is commonly used in reflective DDoS attacks. To mitigate source address spoofing, many source address validation (SAV) solutions (e.g., BCP38 and BCP84 ) have been proposed. The primary design goal of SAV solutions is avoiding improper block (i.e., blocking legitimate traffic) while maintaining directionality (see and ). Existing advanced SAV solutions (e.g., EFP-uRPF ) typically generate ingress SAV allowlist filters on interfaces facing a customer or lateral peer AS by using information related to the customer cone of that AS. When adopting SAV based on the allowlist, the interface only allows incoming data packets using source addresses that are covered in the allowlist. Therefore, the allowlist must contain all prefixes belonging to the corresponding customer cone. Otherwise, if the allowlist is incomplete, it will improperly block legitimate traffic from the corresponding customer cone. This document analyzes the potential improper block problems when using an allowlist. To avoid improper blocks, this document proposes a new SAV solution by generating an ingress SAV blocklist filter which contains prefixes exclusively belonging to the provider cone. The blocklist is not required to be complete, but it should contain as many prefixes exclusively belonging to the provider cone as possible. When adopting SAV based on the blocklist, the interface blocks incoming data packets using source addresses that are covered in the blocklist. In practice, network operators can flexibly decide to use a blocklist or an allowlist according to their requirements and actual conditions. The reader is encouraged to be familiar with , , , , , and .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology Improper Block: The validation results that the packets with legitimate source addresses are blocked improperly due to inaccurate SAV filters. Provider Cone: The set of ASes an AS can reach by using only Customer-to-Provider (C2P) links.

Improper Block When the Allowlist is Incomplete The basic idea of existing allowlist-based SAV solutions is generating an allowlist by using information related to the customer cone of a customer or lateral peer AS. Specifically, they identify prefixes belonging to the corresponding customer cone and only allows data packets using source addresses in these prefixes on the interface facing that customer or lateral peer AS. This is because data packets received from a customer or lateral peer AS should use source addresses belonging to the customer cone of that AS unless there is a route leak . Limited propagation of prefixes or the existence of hidden prefixes can result in an incomplete allowlist, which may in turn lead to improper block problems (see ).

An example of limited propagation of prefixes in the customer cone illustrates an example of limited propagation of prefixes in the customer cone of AS4. Arrows in the figure indicate propagation direction of BGP announcements as well as AS relationship (i.e., Provider-to-Customer (P2C), Customer-to-Provider (C2P), or Peer-to-Peer (P2P)) from sending AS to receiving AS. AS1 announces the route for prefixes P1 and P2 to its two provider ASes, i.e., AS2 and AS3. Since AS1 attaches NO_EXPORT in the BGP UPDATE message sent to AS2, AS2 will not propagate the route to AS4. As a result, AS4 only receives the route to prefixes P1 and P2 from its lateral peer or provider AS5. If AS4 uses EFP-uRPF (including Algorithm A and Algorithm B) to generate an allowlist on AS4-AS2 interface, the allowlist will not contain prefixes P1 and P2, and thus will improperly block data packets using source addresses in prefixes P1 or P2.

An example of hidden prefixes in the customer cone illustrates an example of hidden prefixes in the Content Delivery Networks (CDN) and Direct Server Return (DSR) scenario. AS6 (where the anycast server is located) announces the route to anycast prefix P3. Although AS1 (where the edge server is located) is not authorized to announce the route to prefix P3, it will send legitimate data packets using source addresses in prefix P3 due to the DSR technology. If AS4 applies an allowlist on interface AS4-AS2, the allowlist will not contain prefix P3. Therefore, the allowlist filter on interface AS4-AS2 will improperly block data packets using source addresses in prefix P3. More recent SAV solutions (e.g., BAR-SAV ) additionally use Autonomous System Provider Authorization (ASPA) and Route Origin Authorization (ROA) related to the customer cone to generate a more robust allowlist. Traffic Origin Authorization (TOA) can be used to further improve the completeness of the allowlist in the hidden prefixes scenario. Since registering ASPAs, ROAs, and TOAs is optional for network operators, ASPAs, ROAs, and TOAs would be partially deployed for a long time. When some ASes in the customer cone do not have ASPAs, ROAs, or TOAs, the generated allowlist may still be incomplete. In summary, considering the complexity of inter-domain routing, existing SAV solutions which use allowlist filters on interfaces facing a customer or lateral peer AS may fail to identify all prefixes belonging to the corresponding customer cone. In this case, the incomplete allowlist will have improper blocks.

Goals of Bicone SAV Bicone SAV aims to achieve more robust ingress SAV filtering on interfaces facing a customer or lateral peer AS by flexibly using allowlist or blocklist filters. It has two main goals:

Avoiding improper blocks. Bicone SAV aims to avoid blocking legitimate data packets received from a customer or lateral peer AS. As described in , if the allowlist is incomplete, it will improperly block legitimate data packets. In this case, it is recommended to use a blocklist to avoid improper blocks.
Maintaining directionality. Unlike Loose uRPF which completely loses directionality, Bicone SAV aims to identify more source-spoofed data packets by maintaining directionality. In general, the allowlist filter has stricter directionality than the blocklist filter, so using an allowlist will have less improper admits.

Blocklist Generation This section introduces how to generate a blocklist by using BGP updates, ASPAs, and TOAs related to the provider cone.

Key Idea The provider cone of an AS is defined as the set of ASes an AS can reach by using only Customer-to-Provider (C2P) links. Considering prefixes only associated with ASes in the provider cone should not be used as source addresses in data packets received from any customer or lateral peer AS unless there is a route leak . The blocklist can contain prefixes only belonging to the provider cone. When using the blocklist on an interface facing a customer or lateral peer AS, it will block data packets received from that interface using any source address in the blocklist. To generate such a blocklist, an AS can first identify ASes in its provider cone by using ASPAs and AS-PATH in BGP UPDATE messages. Then, it can discover prefixes belonging to these ASes by using Traffic Origin Authorizations (TOAs) . Subsequently, it must remove prefixes that also belong to its customer cone. Given the uncertainty in determining whether a prefix belongs to its customer cone (as analyzed in ), a conservative strategy is to retain prefixes exclusively belonging to the provider cone. This blocklist SAV filter can address the improper block problems of existing allowlist SAV filters, while maintaining directionality.

Generation Procedure A detailed description of blocklist generation procedure is as follows:

Create the set of all directly connected Provider ASNs. Call it AS-set Z(1).
Create the set of all unique AS_PATHs in Adj-RIBs-In of all interfaces facing Providers.
For each unique AS_PATH with N (N>1) ASNs, i.e., [ASN_{1}, ASN_{2}, ..., ASN_{i}, ASN_{i+1}, ..., ASN_{N}] where ASN_{i} is the ith ASN in AS_PATH and the first ASN (i.e., ASN_{1}) is a directly connected Provider ASN. If all unique AS_PATHs have been processed, go to Step 8.
Let i = N
Decrement i to i-1.
If ASN_{i} authorizes ASN_{i+1} as a Provider in ASN_{i}'s ASPA, ASNs from ASN_{1} to ASN_{i+1} (i.e., ASN_{1}, ASN_{2}, ..., ASN_{i}, and ASN_{i+1}) are included in AS-set Z(1) and go to Step 3.
If i == 1, go to Step 3. Else, go to Step 5.
Let k = 1.
Increment k to k+1.
Create AS-set Z(k) of ASNs that are not in AS-set Z(k-1) but are authorized as Providers in ASPAs of any ASN in AS-set Z(k-1).
If AS-set Z(k) is null, then set k_max = k-1 and go to Step 12. Else, form the union of AS-set Z(k) and AS-set Z(k-1) as AS-set Z(k) and go to Step 9.
Select all TOAs in which the authorized origin ASN is in AS-set Z(k_max). Form the union of the sets of prefixes in the selected TOAs. Call it Prefix-set S.
For each unique Prefix P in Prefix-set S, check origin ASNs of Prefix P by using all TOAs. If all unique Prefixes in Prefix-set S have been processed, go to Step 15.
For each prefix of Prefix P and its sub prefixes, if the prefix has at least one origin ASN not in AS-set Z(k_max), remove the prefix from Prefix-set S. Go to Step 13.
Apply Prefix-set S as a blocklist on interfaces facing a customer or lateral peer AS.

Incremental and Partial Deployment of ASPAs Note that it is difficult for an AS to identify all ASes in its provider cone when some ASes in the provider cone do not register ASPAs. Therefore, the generated blocklist may not include all prefixes in the provider cone under incremental and partial deployment of ASPAs. The main advantage of blocklist over allowlist is that, when the blocklist is incomplete, the blocklist will not improperly block legitimate data packets and will still block source-spoofed data packets using source addresses in the blocklist, providing immediate incremental benefits to adopters.

Implementation and Operations Considerations Network operators are advised to flexibly use either allowlist or blocklist on interfaces facing different customer or lateral peer ASes according to their requirements and actual conditions.

Meeting the Goals Avoiding improper blocks is more important because discarding legitimate traffic will cause serious traffic interruption. On the basis of avoiding improper blocks, the less improper admits of SAV, the better. If the allowlist on an interface is complete, it will have no improper block and no improper admit. But if the allowlist is incomplete due to hidden prefixes (e.g., prefixes P1 and P2 in ) in the customer cone and lack of necessary ASPAs, the allowlist will have improper blocks, thus failing to meet the goal. For a blocklist, it will not improperly block legitimate data packets whether the blocklist is complete or not. If the allowlist on an interface is complete, network operators are advised to use the allowlist. Otherwise, network operators are advised to use the blocklist. For small ISPs with a smaller customer cone size, it is easier to determine whether an allowlist is complete because there are fewer ASes in the customer cone and the routing should be relative simple. For example, they can ask a customer or lateral peer AS whether all ASes in its customer cone have deployed ASPAs. But for large ISPs with a larger customer cone size, it is more challenging. If network operators cannot determine the integrity of the allowlist, the blocklist is recommended to avoid possible improper blocks.

Storage Overhead Additional memory (i.e., ternary content-addressable memory (TCAM)) is required to store the allowlist or blocklist in line cards. Network operators need to take storage overhead into consideration when deploying allowlists or blocklists. Generally, a small ISP will generate a smaller allowlist and a larger blocklist, while a large ISP will generate a larger allowlist and a smaller blocklist. A possible way to save memory is to store the original list in the control plane, with only the aggregated list stored in memory. For example, if the original list contains prefixes P1 and P2 and prefix P1 is a less-specific prefix of prefix P2, then only prefix P1 is stored in memory.

Implementation and Operations Recommendations For an interface facing a customer or lateral peer AS:

If the network operator can determine that the allowlist covers all prefixes of the facing customer cone, it is recommended to use an allowlist on the interface because the complete allowlist would have neither improper blocks nor improper admits.
If the network operator cannot determine the integrity of the allowlist, it is recommended to use a blocklist filter to avoid improper blocks. It is highly recommended to use Loose uRPF and the blocklist together to block more spoofing data packets than solely using Loose uRPF or the blocklist. Loose uRPF is used to block data packets using unallocated or unrouteable source addresses. The blocklist is used to block data packets using source addresses that only belong to the provider cone. Network operators are allowed to manually modify or configure the blocklist according to their local knowledge. For example, to improve the use of blocklist, they can add special purpose prefixes that will not be used as source addresses of data packets, e.g., IANA IPv4 Special-Purpose Address Registry .

Security Considerations The security considerations described in , , , , and also applies to this document.

IANA Considerations This document has no IANA requirements.

Acknowledgements The authors would like to thank Ben Maddison, Kotikalapudi Sriram, Nan Geng, Aijun Wang, Shengnan Yue, Siyuan Teng, Igor Lubashev, Job Snijders, and many other members of the SIDROPS and SAVNET working groups for comments and discussion.