]> IGP-based Source Address Validation in Intra-domain Networks (Intra-domain SAVNET) Tsinghua University
Beijing China tolidan@tsinghua.edu.cn
Tsinghua University
Beijing China qlc19@mails.tsinghua.edu.cn
ZTE Corporation
Nanjing China song.xueyan2@zte.com.cn
New H3C Technologies
Beijing China linchangwang.04414@h3c.com
Routing lsr SAV This document proposes a new IGP-based intra-domain source address validation (SAV) solution, called IGP-SAVNET, which improves the accuracy upon current intra-domain SAV solutions. It allows intra-domain routers to communicate SAV-specific information using the intra-domain routing protocol or an extension to the intra-domain routing protocol. By using SAV-specific information, intra-domain routers can generate and update accurate SAV rules in an automatic way.
Introduction The purpose of intra-domain SAV is to prevent outgoing data packets from an intra-domain subnet (e.g., a host network or a customer network) from forging source addresses of other intra-domain subnets or other ASes, and to prevent incoming data packets from external ASes from forging source addresses of the local AS. To this end, intra-domain SAV should focus on SAV on host-facing routers, customer-facing routers, and AS border routers (see ). Specifically, host-facing routers or customer-facing routers should block data packets from the connected host network or customer network with a spoofed source IP address not belonging to that network. AS border routers should block data packets from other ASes with a spoofed source IP address belonging to the local AS. However, existing intra-domain SAV solutions (e.g., BCP38 and BCP84 ) have problems of high operational overhead or inaccurate validation (see ). ACL-based ingress filtering requires manual operations to configure and update the SAV rules, while uRPF-based solutions may improperly block legitimate data packets in the scenario of routing asymmetry. To address these problems and guide the design of new intra-domain SAV solutions, proposes the architecture of intra-domain SAVNET and introduces the use of SAV-specific information in intra-domain networks. Following the intra-domain SAVNET architecture, this document proposes a new IGP-based intra-domain SAV solution, called IGP-SAVNET, which improves the accuracy upon current intra-domain SAV solutions. It allows host-facing routers, customer-facing routers, and AS border routers to communicate SAV-specific information using the intra-domain routing protocol or an extension to the intra-domain routing protocol. By using SAV-specific information, these routers can generate and update accurate SAV rules in an automatic way. The reader is encouraged to be familiar with and .
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Terminology SAV Rule: The rule in a router that describes the mapping relationship between a source address (prefix) and the valid incoming interface(s). It is used by a router to make SAV decisions and is inferred from the SAV Information Base. Host-facing Router: An intra-domain router of an AS which is connected to an intra-domain host network (i.e., a layer-2 network). Customer-facing Router: An intra-domain router of an AS which is connected to an intra-domain customer network running the routing protocol (i.e., a layer-3 network). AS Border Router: An intra-domain router of an AS which is connected to other ASes.
Goals of Intra-domain SAV Goal 1: The host-facing router or customer-facing router should identify source prefixes belonging to its host network or customer network and block data packets from its host network or customer network using source addresses not belonging to the network. For example, in , Routers A and B should generate SAV rules at the interface '#' and block data packets from Network 1 using source addresses not belonging to Network 1. Router C should generate SAV rules at interfaces '#' and block data packets from Network 2 using source addresses not belonging to Network 2. Goal 2: The AS border router should identify source prefixes belonging to the local AS and block data packets from other ASes using source addresses belonging to the local AS. For example, in , Routers D and E should generate SAV rules at interface '#' and block data packets from other ASes using source addresses belonging to the local AS.
Goals of Intra-domain SAV
Description of the Method To achieve the above two goals, IGP-SAVNET allows host-facing routers, customer-facing routers, and AS border routers to communicate SAV-specific information between each other through IGP. These routers will not communicate SAV-specific information with routers/devices in host networks, customer networks, and other ASes. In the following, this document describes how IGP-SAVNET works to meet the goals.
SAV procedure on customer-facing or host-facing routers SAV on a customer-facing (or host-facing) router aims to identify source prefixes belonging to the customer (or host) network. After that, the customer-facing (or host-facing) router can perform accurate SAV filtering by only accepting data packets from its customer (or host) network with source addresses belonging to that network. If the customer (or host) network is single-homed, the customer-facing (or host-facing) router can directly identify source prefixes through its local routes to that network. If the customer (or host) network is multi-homed, the customer-facing (or host-facing) router may fail to identify all source prefixes of that network through its local routes to that network in the scenario of routing asymmetry (see ). For example, in , due to traffic engineering, Router A only learns the route to sub prefix 10.1.0.0/16 from Network N, while Router B only learns the route to the other sub prefix 10.0.0.0/16 from Network N. In this case, as described in , strict uRPF on Router A will block data packets from the customer (or host) network with legitimate source addresses in prefix 10.0.0.0/16, and strict uRPF on Router B will block data packets from the customer (or host) network with legitimate source addresses in prefix 10.1.0.0/16. To achieve accurate SAV on routers facing the multi-homed customer (or host) network, IGP-SAVNET allows routers facing the same customer (or host) network to identify source prefixes of the network through SAV-specific information communication.
SAV-specific information communication between Routers A and B +----------+ | | | Router A | SAV-specific info | Router B | | | +-------#--+ <---------------------+ +--#-------+ | | | [10.0.0.0/16]+[tag n] | | | | | | | | | | | | +--------------------+ | | | | | Customer or Host | | | | +----| Network N |-----+ | | +--------------------+ | | (10.0.0.0/15 ) | +-----------------------------------------------------+ ]]>
A detailed description of SAV procedure is as follows:
  1. Tag Assignment: Each single-homed or multi-homed customer (or host) network is assigned a unique tag value. For example, in , Network N is assigned tag n. The tag value for can be configured and updated manually.
  2. SAV-specific Information Communication: Each customer-facing (or host-facing) router provides its SAV-specific information of its customer (or host) networks to other intra-domain routers. The SAV-specific information of a customer (or host) network contains the prefixes learned through the router's local routes to the network and the tag value of the network. For example, Router A can provide its SAV-specific information, which contains prefix 10.1.0.0/16 and tag n, to other intra-domain routers. This procedure can be implemented by using IGP or extensions to IGP, which will be elaborated in .
  3. SAV-specific Information Processing: When a router receives SAV-specific information containing the same tag value as its customer (or host) network, it considers that the prefixes contained in the SAV-specific information also belong to its customer (or host) network. For example, Router B will identify prefix 10.1.0.0/16 as a source prefix of Network N after receiving the SAV-specific information provided by Router A.
  4. Source Prefix Identification: By integrating prefixes learned through SAV-specific information provided by other routers with prefixes learned through its local routes, the customer-facing (or host-facing) router can identify complete source prefixes of its customer (or host) network. For example, Router B will identify that both prefix 10.1.0.0/16 and prefix 10.0.0.0/16 belong to Network N after processing SAV-specific information provided by Router A. Similarly, Router A will also identify complete source prefixes of Network N after processing SAV-specific information provided by Router B.
  5. SAV Rule Generation: Each customer-facing (or host-facing) router generates an allowlist containing source prefixes of its customer (or host) network at the interface facing that network. Only data packets using source addresses covered in the allowlist will be accepted at this interface.
SAV procedure on AS border routers SAV on an AS border router aims to identify source prefixes belonging to the local AS. After receiving SAV-specific information or routing information originating from host-facing and customer-facing routers through IGP, AS border routers can identify source prefixes of the local AS accordingly and generate a blocklist containing these source prefixes. After that, data packets arriving from other ASes with source addresses belonging to the local AS will be blocked on the AS border router.
SAV-specific Information Communication Using IGP The key idea is to add the tag value into the prefix information when the customer-facing (or host-facing) router distributes the prefix information of its customer (or host) network. As shown in , the SAVNET Agent of a Sender Router provides its SAV-specific information to other SAVNET routers via IGP. After receiving SAV-specific information from other SAVNET routers, the SAVNET Agent of the Receiver Router generates SAV rules by using SAV-specific information from other SAVNET routers and/or its own SAV-specific information. The Sender Router can be a customer-facing router or a host-facing router. The Receiver Router can be a customer-facing router, a host-facing router, or an AS border router.
Overview of SAV-specific information communication + IGP LSDB | | | +-----^------+ | | +-----+------+ | | | | | | | | +-------+---------+ | | +--------v--------+ | | | SAVNET Agent | | | | SAVNET Agent | | | | +-------------+ | | | | +-------------+ | | | | | Information | | | | | | Information | | | | | | Provider | | | | | | Receiver | | | | | +-------------+ | | | | +-------------+ | | | +-----------------+ | | +-----------------+ | | | | | +---------------------+ +---------------------+ ]]>
The overall procedure of SAV-specific information communication is as follows:
  • At the Sender Router: Carry its SAV-specific information (e.g., the tag information of the customer or host network) through the Link State Database (LSDB) of IGP. The IGP will synchronize the LSDB, including node information, link information, prefix information, and tag information.
  • At the Receiver Router: After receiving SAV-specific information carried in the LSDB, its SAVNET Agent extracts SAV-specific information from the LSDB of IGP and then generates SAV rules as described in .
In the following, this document presents two approaches to implement SAV-specific information communication among intra-domain routers.
Approach #1: Using the existing Administrative Tag Sub-TLV When a router distributes IP prefix information of the customer or host network, it can carry the tag of that network in the Administrative Tag Sub-TLV. When a router receives IP prefix information, it checks if there is a locally configured interface with the same tag as the Administrative Tag information carried in the prefix. If such an interface exists, SAVNET rules will be added, with the prefix being the received prefix and the interface being the locally configured interface with this tag. As shown in , assume Network N is assigned tag n. In the prefix information of 10.1.0.0/16 published by Router A, tag n is carried via the Administrative Tag Sub-TLV. Similarly, in the prefix information of 10.0.0.0/16 published by Router B, tag n is carried via the Administrative Tag Sub-TLV. When Router A receives the prefix information of 10.0.0.0/16, it checks that the carried tag n matches the tag of Network N, and thus determines that prefix 10.0.0.0/16 also belongs to Network N. Similarly, Router B determines that prefix 10.1.0.0/16 also belongs to Network N using the same process.
Administrative Tag Sub-TLV of IS-IS For routers running IS-IS, they can carry the tag in the Administrative Tag Sub-TLV (defined in ), which can be included in: Extended IP Reachability TLV (135), Multi-Topology Reachable IPv4 Prefixes TLV (235), IPv6 Reachability TLV (236), Multi-Topology Reachable IPv6 Prefixes TLV (237).
Administrative Tag Sub-TLV of OSPF For routers running OSPF, they can carry the tag in the Administrative Tag Sub-TLV within the OSPF Extended Prefix TLV Sub-TLV .
Administrative Tag Sub-TLV of OSPFv3 For routers running OSPFv3, they can include the tag in the Administrative Tag Sub-TLV within the OSPFv3 Intra-Area-Prefix TLV, Inter-Area-Prefix TLV, and External-Prefix TLV .
Considerations of using Administrative Tag Sub-TLV In practice, intra-domain routers may also use the Administrative Tag Sub-TLV for other purposes (e.g., route filtering), and multiple Administrative Tag Sub-TLVs may be carried in the IP prefix information simultaneously. Therefore, using the existing Administrative Tag Sub-TLV for SAV-specific information communication may conflict with other routing policies that also use Administrative Tags as filtering criteria. To address this issue, this document proposes Approach #2 in the following.
Approach #2: Defining a new SAVNET Tag Sub-TLV To avoid possible conflicts and facilitate operation and management, it is more recommended to define and use a dedicated SAVNET Tag Sub-TLV to tranmit SAV-specific information.
SAVNET Tag Sub-TLV of IS-IS shows the structure of SAVNET Tag Sub-TLV of IS-IS. It can be included in the following TLVs: Extended IP Reachability TLV (135), Multi-Topology Reachable IPv4 Prefixes TLV (235), IPv6 Reachability TLV (236), Multi-Topology Reachable IPv6 Prefixes TLV (237).
SAVNET Tag Sub-TLV of IS-IS
SAVNET Tag Sub-TLV of OSPF and OSPFv3 shows the structure of SAVNET Tag Sub-TLV of OSPF and OSPFv3. The SAVNET Tag Sub-TLV of OSPF specified herein will be valid as a sub-TLV of the following TLVs specified in :
  1. Extended Prefix TLV advertised in the OSPFv2 Extended Prefix LSA
The SAVNET Tag Sub-TLV of OSPFv3 specified herein will be valid as a sub-TLV of the following TLVs specified in :
  1. Inter-Area-Prefix TLV advertised in the E-Inter-Area-Prefix-LSA.
  2. Intra-Area-Prefix TLV advertised in the E-Intra-Area-Prefix-LSA.
  3. External-Prefix TLV advertised in the E-AS-External-LSA and the E-NSSA-LSA.
SAVNET Tag Sub-TLV of OSPF and OSPFv3
Security Considerations The security considerations described in and also applies to this document.
IANA Considerations This document has no IANA requirements.
References Normative References Source Address Validation in Intra-domain Networks Gap Analysis, Problem Statement, and Requirements Tsinghua University Tsinghua University Tsinghua University Huawei Huawei This document provides the gap analysis of existing intra-domain source address validation mechanisms, describes the fundamental problems, and defines the requirements for technical improvements. Intra-domain Source Address Validation (SAVNET) Architecture Tsinghua University Tsinghua University Tsinghua University Huawei Zhongguancun Laboratory This document proposes the intra-domain SAVNET architecture, which achieves accurate source address validation (SAV) in an intra-domain network by an automatic way. Compared with uRPF-like SAV mechanisms that only depend on routers' local routing information, SAVNET routers generate SAV rules by using both local routing information and SAV-specific information exchanged among routers, resulting in more accurate SAV validation in asymmetric routing scenarios. Compared with ACL rules that require manual efforts to accommodate to network dynamics, SAVNET routers learn the SAV rules automatically in a distributed way. Extensions to OSPF for Advertising Prefix Administrative Tags LabN Consulting, L.L.C. Cisco Systems Futurewei Technologies It is useful for routers in OSPFv2 and OSPFv3 routing domains to be able to associate tags with prefixes. Previously, OSPFv2 and OSPFv3 were relegated to a single tag and only for AS External and Not-So- Stubby-Area (NSSA) prefixes. With the flexible encodings provided by OSPFv2 Prefix/Link Attribute Advertisement and OSPFv3 Extended LSAs, multiple administrative tags may be advertised for all types of prefixes. These administrative tags can be used for many applications including route redistribution policy, selective prefix prioritization, selective IP Fast-ReRoute (IPFRR) prefix protection, and many others. The ISIS protocol supports a similar mechanism that is described in RFC 5130. A Policy Control Mechanism in IS-IS Using Administrative Tags This document describes an extension to the IS-IS protocol to add operational capabilities that allow for ease of management and control over IP prefix distribution within an IS-IS domain. This document enhances the IS-IS protocol by extending the information that an Intermediate System (IS) router can place in Link State Protocol (LSP) Data Units for policy use. This extension will provide operators with a mechanism to control IP prefix distribution throughout multi-level IS-IS domains. [STANDARDS-TRACK] OSPFv2 Prefix/Link Attribute Advertisement OSPFv2 requires functional extension beyond what can readily be done with the fixed-format Link State Advertisements (LSAs) as described in RFC 2328. This document defines OSPFv2 Opaque LSAs based on Type-Length-Value (TLV) tuples that can be used to associate additional attributes with prefixes or links. Depending on the application, these prefixes and links may or may not be advertised in the fixed-format LSAs. The OSPFv2 Opaque LSAs are optional and fully backward compatible. OSPFv3 Link State Advertisement (LSA) Extensibility OSPFv3 requires functional extension beyond what can readily be done with the fixed-format Link State Advertisement (LSA) as described in RFC 5340. Without LSA extension, attributes associated with OSPFv3 links and advertised IPv6 prefixes must be advertised in separate LSAs and correlated to the fixed-format LSAs. This document extends the LSA format by encoding the existing OSPFv3 LSA information in Type-Length-Value (TLV) tuples and allowing advertisement of additional information with additional TLVs. Backward-compatibility mechanisms are also described. This document updates RFC 5340, "OSPF for IPv6", and RFC 5838, "Support of Address Families in OSPFv3", by providing TLV-based encodings for the base OSPFv3 unicast support and OSPFv3 address family support. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS (Denial of Service) attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ingress Filtering for Multihomed Networks BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.