]> Tsinghua University

Beijing China xuke@tsinghua.edu.cn

Tsinghua University

Beijing China jianping@cernet.edu.cn

Tsinghua University

Beijing China wangxiaoliang0623@foxmail.com

Zhongguancun Laboratory

Beijing China guoyangfei@zgclab.edu.cn

China Telecom

Beijing China donggz@chinatelecom.cn

Security Area Network Working Group Internet-Draft Packet forwarding on Internet typically takes no place with inspection of the source address. Thus malicious attacks or abnormal behavior have been launched with the spoofed source addresses. This document describes an inter-domain source address validation with RPKI (Resource Public Key Infrastructure) and IPsec (IP Security), including the motivation, tech framework, main interactive process, and optional extensions.

Introduction IP spoofing has been a long-recognized threat to Internet security for decades. Inter-domain source address validation (SAV) has long served as the primary defense mechanism due to its better cost-effectiveness. However, over years of effort, inter-domain source address validation deployment is still not optimistic. An important reason for this is the difficulty of balancing the clear security benefits of partial deployments with the scalability of large-scale deployments. uRPF , for example, is a routing-based scheme to filter spoofed traffic, which may result in a lack of security benefits due to the dynamic nature of routing or incomplete information caused by partial deployments. RPKI architecture represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers. IPsec security architecture is used to secure the IP packet in host-to-host, host-to-network, and network-to-network modes. This document defines using present technologies to reinforce the security of source address in the inter-domain layer. This document describes an inter-domain source address validation with RPKI and IPsec, including the motivation, tech framework, main interactive process, and extensions.

Terms and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Commonly used terms in this document are described below.

AH:

IPsec Authentication Header, which is used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays.

ASBR:

AS border router, which is at the boundary of an AS.

CA:

Certification authority.

EE:

End entity.

IKE:

Internet Key Exchange, which is used in IPsec to negotiate IKE SA and IPsec SA.

NIR:

National Internet registry, which is a special case for RIR.

RIR:

Regional Internet registry, which is a governing body that is responsible for the administration of Internet addresses in a specific geographic region.

RPKI:

Resource Public Key Infrastructure, which is a special PKI.

Tag:

The authentic identification of the source address of a packet and placed at the AH's ICV field.

Desgin Objectives Source Address Validation (SAV) aims at preventing the source address from being spoofed. It should work at the network layer and provide a veritable IP source address. When a packet is sent to the network, for saving network bandwidth and computation resources, the router forwards the packet using the destination address and without any inspection of the source address. The packet may come from a forger or impostor of the source address so that the destination end becomes a latent victim. The design goals of ERISAV includes follows:

1. Extensible current protocols. With the bindings and extensions of the current protocols, it would extremely reduce the cost of updating software, firmware, and hardware. And more importantly, it would be compatible with the current network. In ERISAV, it chooses the RPKI, IKE, and IPsec AH.
2. Flatten end-to-end mode. Flatten mode, following the end-to-end design principle, ensures that the undeployed router has no perception of this mechanism. And it can be processed and deployed incrementally.
3. Cryptography-based lightweight labels. A cryptographic packet-by-packet signature could guarantee that the reverse computation is infeasible and when it is cracked, the label has been changed to another. And this packet signature could efficiently be verified and resist to label-based replay attacks.
4. Inter-domain collaboration trustness. Build an inter-domain trust alliance and complete source address validation via inter-domain collaboration.

Overview ERISAV is a cryptography-based end-to-end inter-domain source address validation method that guarantees security benefits at partial deployment. ERISAV combines three existing mechanisms. It uses the RPKI trust chain for the ASN-IP Prefix binding relationship, IKE for tag/key negotiation and delivery, and IPsec AH for carrying the identification of the source address in data transmission. A typical workflow of ERISAV is shown in .

RISAV workflow example.

Interactive Process ERISAV mainly contains 3 steps.

1. IANA issues a Certification Authority (CA) certificate to each Regional Internet Registry (RIR). RIR uses its root CA to issue a CA certificate for LIR or NIR which will issue a CA certificate for one AS. The AS issues a new End Entity (EE) certificate to enable verification of signatures on RPKI signed objects. This builds the trust chain using RPKI to guarantee the Internet number resource including AS number and IP prefix are correctly announced. Moreover, the public key of AS will be seated at the CA certificate, which will be used for communication with each other following.
2. IPsec IKE negotiates the tag tagged in the packet. IKE also negotiates the authentication algorithm, authentication key, and others specified by SA. These will be stored in the SAD and SPD described in . IPsec AH is the authentication header of the IPsec Security Architecture. It authenticates the whole packet for integrity. However, source address validation does not require such strong authentication. It just needs to protect the source address from being spoofed. So it needs a new authentication process. This new authentication process will only take a few changeless fields as input. And the original tag will be seen as the authentication key. The result of this process will produce a new label called the packet signature that will be filled in the packet properly. And this label or the SA MUST send to all the ASBR for communication.
3. Data transmission uses the IPsec AH header extension to the packet. IPsec AH carries the tag in its field. The tag represents the authenticity of the source address. When the source ASBR forwards a packet originating from the ASBR's located AS, the ASBR will check the destination of the packet. If it is forwarded to the ERISAV protection area, the ASBR will add the IPsec AH header extension with the related tag filled. If the destination ASBR receives a packet coming from the ERISAV protection area, the ASBR will compare the tag with its local tag. If they are matched, the source address of this packet will be seemd as not tampered. Otherwise, the packet will be discarded because the source address is a spoofing address.

Related Extensions As discussed before, there are almost negligible changes to current protocols. ERISAV just needs one new IPsec SA for the requirements of source address validation. It just requires requesting a new attribute for storing and transporting the tag information. The tag will be used as the key during the authentication process. The process of AH also needs some changes. It takes a few unchangeable fields as input to generate a signature replacing the original tag for security consideration.

Security Consideration TBD.

IANA Consideration TBD.

Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK] This document describes an updated version of the IP Authentication Header (AH), which is designed to provide authentication services in IPv4 and IPv6. This document obsoletes RFC 2402 (November 1998). [STANDARDS-TRACK] Remote Triggered Black Hole (RTBH) filtering is a popular and effective technique for the mitigation of denial-of-service attacks. This document expands upon destination-based RTBH filtering by outlining a method to enable filtering by source address as well. This memo provides information for the Internet community. This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.