Internet DRAFT - draft-cheng-savnet-intra-domain-sav-bgp

draft-cheng-savnet-intra-domain-sav-bgp



SAVNET                                                         W. Cheng
Internet-Draft                                             China Mobile
Intended status: Standards Track                                 C. Lin
Expires: September 3, 2024                         New H3C Technologies
                                                                 S. Yue
                                                           China Mobile
                                                          March 4, 2024



                     Intra-domain SAV Support via BGP
                draft-cheng-savnet-intra-domain-sav-bgp-00


Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on September 3, 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in



Cheng, et al.          Expires September, 2024                [Page 1]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Abstract

   This document describes a method for publishing source prefixes via
   the BGP protocol, iterating through the SAVNET table entries based
   on intra-domain next hop SAVNET rules. The generation of intra-
   domain next hop SAVNET rules is implemented by the intra-domain IGP
   protocol, and the BGP protocol inherits the source interface list
   from its next hop SAVNET rules to generate the SAVNET rule table for
   source prefixes.

Table of Contents


   1. Introduction...................................................3
   2. Terminology....................................................3
   3. Solution.......................................................4
      3.1. Overview..................................................4
      3.2. Procedure.................................................6
   4. Example........................................................7
   5. Deployment Considerations......................................7
   6. IANA Considerations............................................8
   7. Security Considerations........................................8
   8. References.....................................................8
      8.1. Normative References......................................8
      8.2. Informative References....................................9
   Acknowledgments...................................................9
   Authors' Addresses................................................9



















Cheng, et al.          Expires September, 2024                [Page 2]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   1. Introduction

   As shown in Figure 1, the existing network has the following
   scenario: within the intra-domain network, topology information is
   disseminated via the IGP protocol, while prefix information is
   distributed via iBGP neighbors. All iBGP nodes establish iBGP
   neighbor relationships with Route Reflectors (RRs) and exchange
   source prefix information. The IGP protocol contains network
   topology information but lacks source prefix information, while the
   BGP protocol holds source prefix information but does not include
   network topology information. In this scenario, it is necessary to
   combine the network topology information from IGP with the source
   prefix information from the BGP protocol in order to compute the
   source prefix's associated source port information and generate SAV
   rules.

   +---------------------------------------------------------+
   |                                                   AS    |
   |                                                         |
   |      iBGP ===========  RR  =========== iBGP             |
   |   +---------+    (           )      +---------+         |
   |   |iBGP Node|---( IGP Network )-----|iBGP Node|         |
   |   +---------+    (           )      +---------+         |
   +---------------------------------------------------------+

                Figure 1: The case of the SAVNET Procedure



   The scenario described in [draft-cheng-savnet-intra-domain-sav-IGP-
   00] and [I-D.lin-Intra-domain-savnet-method] involves the
   publication of SAVNET source prefix by the IGP protocol, and the
   generation of SAVNET rules based on the connectivity calculation
   using the IGP's topology information. However, for the scenario
   described in this document, where the source prefix information is
   published by the BGP protocol, it is unable to generate the required
   SAV rules.

   This document describes how to generate SAV rules using the topology
   information from the IGP protocol and the source prefix information
   from the BGP protocol in this network scenario.



   2. Terminology

   The following terminologies are used in this document.


Cheng, et al.          Expires September, 2024                [Page 3]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   SAV Rule: The rule that indicates the source validity of a specific
   IP address or an IP prefix.

   SAV Table: The table or data structure that implements the SAV rules
   and is used for source address validation in the data plane.

   IGP: Interior Gateway Protocol.

   BGP: Border Gateway Protocol.

   Source prefix: The source prefixes are used to validate source
   addresses in the data plane.

   3. Solution

   3.1. Overview

   This section introduces a new method for computing and generating
   SAV rules based on BGP source prefix and IGP topology information in
   an intra-domain scenario. This method relies on two fundamental
   pieces of information: the source prefix information and
   reachability information. The source prefix information can be
   transmitted through static configuration or the BGP protocol. This
   document addresses the scenario where source prefix information is
   transmitted via the BGP protocol.

   The source prefix information consists of the source prefix and the
   next-hop information for the prefix publication.

   The IGP's topology information includes the connectivity details
   between nodes and the IGP prefix information published by each node.

   As depicted in Figure 2, source prefix information is disseminated
   via the BGP protocol, where Router C advertises the source prefix
   Prefix1 with a next hop of Router 2, Router D advertises the source
   prefix Prefix2 with a next hop of Router 3, and Router E advertises
   the source prefix Prefix3 with a next hop of Router 4. Router B,
   serving as the BGP Route Reflector, is responsible for collecting
   and reflecting all BGP source prefix information.

   Based on the IGP's topology information, the interface list
   corresponding to the IGP prefix can be calculated. The specific
   calculation process can be found in [draft-cheng-savnet-intra-
   domain-sav-BGP-00]. The first-level NextHop SAV rule table is
   generated based on this information in the form of (IGP-Prefix, if).




Cheng, et al.          Expires September, 2024                [Page 4]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   The calculation of the next-hop SAV rule is not limited to IGP and
   can involve other new extended protocols not described in this
   document.

   Subsequently, using the source prefix information distributed via
   the iBGP protocol, a match is made against the first-level SAV rule
   table based on the source prefix information. Once a match is found,
   the interface list "if" is inherited to produce the second-level SAV
   rule table (BGP-Prefix, if). This document relies on the generation
   of SAVNET rules based on the next hop derived from the IGP protocol.
   The relationships of the generated SAVNET rule table are illustrated
   in Figure 3.

   +---------------------------------------------------------+
   |                                                   AS    |
   |                    iBGP Router1                          |
   | SAV Rule:          +--------3-+                         |
   | (Prefix1, A-1)     | Router A |                         |
   | (Prefix2, A-1)     +1--------2+                         |
   | (Prefix3, A-2)      /\       /\                         |
   |                     /         \                         |
   |                    /           \                        |
   |                   /            \
   |                  /              \
   |   RR       +----------+      +----------+               |
   |iBGP Router5| Router B |      | Router E | iBGP Router6  |
   |            +1--------2+      +---------1+               |
   |             /\       /\                /\               |
   |             /         \                 \               |
   |            /           \                 \              |
   |      +----------+   +----------+      +----------+      |
   |      | Router C |   | Router D |      | Router F |      |
   |      +----------+   +----------+      +----------+      |
   |          |               |                  |           |
   |   iBGP Router2      iBGP Router3      iBGP Router4      |
   |    Prefix1           Prefix2           Prefix3          |
   +---------------------------------------------------------+
               Figure 2:  Example 1 of Topology Calculation


   This approach enables automatic adjustment of SAV table entries
   based on topological changes, thereby achieving secure protection
   for source addresses within the domain.






Cheng, et al.          Expires September, 2024                [Page 5]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


        +----------+                 +----------+
        | BGP Route|                 | IGP LSDB |
        +----------+                 +----------+
         |      |                         |
         |      |                         V
         |      V                    +------------+
         |  NextHop  <- - - - ->     |NextHop SAVA|
         |      |                    +------------+
         |      |
         V      V
       Source  NextHop
       Prefix  If
             |
             V
       +------------+
       | BGP SAVA   |
       +------------+
               Figure 3:  Example 1 of Topology Calculation


   3.2. Procedure

   The calculation process for intra-domain SAVNET rules based on BGP
   is as follows:

   Step 1: Perform calculation based on the LSDB of the IGP protocol
   and generate first-level SAV rules using the prefix information
   published by the IGP nodes. The generated SAVNET rule takes the
   form: (IGP-Prefix, if). This also forms the next-hop SAVNET table
   required for BGP.

   Step 2: Iterate through all source prefix information distributed by
   the BGP protocol. For each source prefix, match it with the
   corresponding next-hop information of the publisher. Then, search
   and match this next-hop address in the SAV rules generated in Step
   1. Obtain and utilize the inherited interface list from the first-
   level SAV rules to generate second-level SAV rules. The generated
   rules take the form: (BGP-Prefix, if).

   Step 3: If there are changes in the topological information of the
   IGP protocol, repeat the calculation in Step 1. If there are changes
   in the SAV rules generated in Step 1, the BGP protocol refreshes the
   (BGP-Prefix, if) rule table based on the next-hop associated SAVNET
   table, thus skipping Step 2.

   Step 4: If there are changes in the source prefix information
   distributed by the BGP protocol, skip Step 1 and proceed with the


Cheng, et al.          Expires September, 2024                [Page 6]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   calculation according to Step 2, refreshing the rule list generated
   by BGP.

   4. Example

   +---------------------------------------------------------+
   |                                                   AS    |
   |                   iBGP 11.11.11.11                      |
   | SAV Rule:          +--------3-+                         |
   | (10.0.0.0/24, A-1) | Router A |                         |
   | (20.0.0.0/24, A-1) +1--------2+                         |
   | (30.0.0.0/24, A-2)  /\       /\                         |
   |                     /         \                         |
   |                    /           \                        |
   |                   /            \
   |                  /              \
   |   RR       +----------+      +----------+               |
   |iBGP        | Router B |      | Router E | iBGP          |
   |55.55.55.55 +1--------2+      +---------1+ 66.66.66.66   |
   |             /\       /\                /\               |
   |             /         \                 \               |
   |            /           \                 \              |
   |      +----------+   +----------+      +----------+      |
   |      | Router C |   | Router D |      | Router F |      |
   |      +----------+   +----------+      +----------+      |
   |          |               |                  |           |
   |   iBGP 22.22.22.22  iBGP 33.33.33.33  iBGP 44.44.44.44  |
   |    P: 10.0.0.0/24   P: 20.0.0.0/24    P:30.0.0.0/24     |
   +---------------------------------------------------------+
               Figure 4:  Example 3 of Topology Calculation


   After conducting internal IGP calculations, on router A, it is
   determined that BGP neighbors reachable via A-1 are 22.22.22.22 and
   33.33.33.33. BGP neighbor 44.44.44.44 is reachable via A-2.

   Following the source prefix calculation in BGP, inheriting the
   outgoing interface information from the connectivity calculation,
   router A can compute the following savnet table entries:
   (10.0.0.0/24, A-1) obtained from BGP neighbor 22.22.22.22,
   (20.0.0.0/24, A-1) obtained from BGP neighbor 33.33.33.33, and
   (30.0.0.0/24, A-2) obtained from BGP neighbor 44.44.44.44.

   5. Deployment Considerations

   If the network topology information and source prefix information
   within the domain are both conveyed by the IGP protocol, SAVNET
   rules can be automatically generated following the calculation

Cheng, et al.          Expires September, 2024                [Page 7]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   method described in [draft-cheng-savnet-intra-domain-sav-IGP-00] or
   [I-D.lin-Intra-domain-savnet-method].

   If in the network, the intra-domain network topology information is
   conveyed by the IGP protocol, while the intra-domain source prefix
   information is transmitted via the BGP protocol, this SAVNET
   calculation method can be deployed to generate SAVNET rules for
   preventing source address attacks in outbound and inbound traffic.

   If the intra-domain source prefixes are transmitted via BGP, while
   network connectivity information is conveyed by protocols other than
   IGP, this deployment can still be used to calculate SAVNET rules.
   The BGP protocol simply inherits the interfaces from the topological
   calculation into the final generated SAVNET rules, based on the
   next-hop information in the source prefixes.

   Furthermore, it is also possible to plan a separate BGP domain
   within the intra-domain, using BGP RR to reflect and propagate all
   intra-domain source prefixes. First, through IGP or other extended
   technologies, the savnet table entries corresponding to the next
   hops of BGP source prefixes are calculated. Finally, through the
   next hop of BGP, the savnet table entries of the next hops are
   obtained to generate the BGP-published source prefix SAVNET table
   entries, ultimately achieving BGP calculation SAVNET functionality
   within the intra-domain.

   6. IANA Considerations

   This document does not involve IANA.

   7. Security Considerations

   TBD

   8. References

   8.1. Normative References

   [I-D.li-savnet-intra-domain-architecture]
             Li, D., Wu, J., Huang, M., Chen, L., Geng, N., Qin, L.,
             and F. Gao, "Intra-domain Source Address Validation
             (SAVNET) Architecture", Work in Progress, Internet-Draft,
             draft-li-savnet-intra-domain-architecture-03, 25 July
             2023, <https://datatracker.ietf.org/doc/html/draft-li-
             savnet-intra-domain-architecture-06>.




Cheng, et al.          Expires September, 2024                [Page 8]

Internet-Draft    Intra-domain SAV Support via BGP          March 2024


   [I-D.lin-Intra-domain-savnet-method] D. Li,"Intra-domain SAVNET
             method", Work in Progress,
             <https://www.ietf.org/archive/id/draft-lin-savnet-lsr-
             intra-domain-method-03.txt>



   8.2. Informative References

    [I-D.ietf-savnet-intra-domain-problem-statement]

             Li, D., Wu, J., Qin, L., Huang, M., and N. Geng, "Source
             Address Validation in Intra-domain Networks Gap Analysis,
             Problem Statement, and Requirements", Work in Progress,
             Internet-Draft, draft-ietf-savnet-intra-domain-problem-
             statement-02, 17 August 2023,
             <https://datatracker.ietf.org/doc/html/draft-ietf-savnet-
             intra-domain-problem-statement-02>.

   Acknowledgments

   TBD

   Authors' Addresses

   Weiqiang Cheng
   China Mobile
   China

   Email: chengweiqiang@chinamobile.com


   Changwang Lin
   New H3C Technologies
   China

   Email: linchangwang.04414@h3c.com



   Shengnan Yue
   China Mobile
   China
   yueshengnan@chinamobile.com





Cheng, et al.          Expires September, 2024                [Page 9]