Internet DRAFT - draft-cheng-savnet-intra-domain-sav-bgp
draft-cheng-savnet-intra-domain-sav-bgp
SAVNET W. Cheng
Internet-Draft China Mobile
Intended status: Standards Track C. Lin
Expires: September 3, 2024 New H3C Technologies
S. Yue
China Mobile
March 4, 2024
Intra-domain SAV Support via BGP
draft-cheng-savnet-intra-domain-sav-bgp-00
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on September 3, 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Cheng, et al. Expires September, 2024 [Page 1]
Internet-Draft Intra-domain SAV Support via BGP March 2024
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Abstract
This document describes a method for generating SAV rules for source
prefixes published via BGP. The intra-domain IGP first computes
next-hop SAVNET rules of the form (IGP-Prefix, interface list) from
its topology information. BGP then looks up the next hop of each
source prefix in that next-hop SAVNET table and inherits its source
interface list, producing the SAVNET rule table for the BGP-published
source prefixes.
Table of Contents
1. Introduction
2. Terminology
3. Solution
   3.1. Overview
   3.2. Procedure
4. Example
5. Deployment Considerations
6. IANA Considerations
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Acknowledgments
Authors' Addresses
1. Introduction
As shown in Figure 1, the existing network has the following
scenario: within the intra-domain network, topology information is
disseminated via the IGP, while prefix information is distributed
via iBGP. All iBGP nodes establish iBGP neighbor relationships with
Route Reflectors (RRs) and exchange source prefix information through
them. The IGP carries network topology information but no source
prefix information, while BGP carries source prefix information but
no network topology information. In this scenario, the network
topology information from the IGP must be combined with the source
prefix information from BGP in order to compute, for each source
prefix, the set of interfaces on which traffic from that prefix can
legitimately arrive, and to generate SAV rules from it.
+---------------------------------------------------------+
| AS |
| |
| iBGP =========== RR =========== iBGP |
| +---------+ ( ) +---------+ |
| |iBGP Node|---( IGP Network )-----|iBGP Node| |
| +---------+ ( ) +---------+ |
+---------------------------------------------------------+
Figure 1: The case of the SAVNET Procedure
The scenarios described in [draft-cheng-savnet-intra-domain-sav-IGP-
00] and [I-D.lin-Intra-domain-savnet-method] involve publication of
the SAVNET source prefixes by the IGP, with SAVNET rules generated
from a connectivity calculation over the IGP's topology information.
In the scenario described in this document the source prefix
information is published by BGP instead, and those methods alone
cannot generate the required SAV rules, because BGP carries no
topology information.
This document describes how to generate SAV rules using the topology
information from the IGP protocol and the source prefix information
from the BGP protocol in this network scenario.
2. Terminology
The following terminologies are used in this document.
SAV Rule: The rule that indicates the source validity of a specific
IP address or an IP prefix.
SAV Table: The table or data structure that implements the SAV rules
and is used for source address validation in the data plane.
IGP: Interior Gateway Protocol.
BGP: Border Gateway Protocol.
Source prefix: An IP prefix advertised as a legitimate source of
traffic. Source prefixes are used to validate source addresses in the
data plane.
3. Solution
3.1. Overview
This section introduces a new method for computing and generating
SAV rules based on BGP source prefix and IGP topology information in
an intra-domain scenario. This method relies on two fundamental
pieces of information: the source prefix information and
reachability information. The source prefix information can be
transmitted through static configuration or the BGP protocol. This
document addresses the scenario where source prefix information is
transmitted via the BGP protocol.
The source prefix information consists of the source prefix and the
next-hop information for the prefix publication.
The IGP's topology information includes the connectivity details
between nodes and the IGP prefix information published by each node.
As depicted in Figure 2, source prefix information is disseminated
via BGP: Router C advertises the source prefix Prefix1 with a next
hop of Router 2, Router D advertises the source prefix Prefix2 with a
next hop of Router 3, and Router F advertises the source prefix
Prefix3 with a next hop of Router 4. Router B, serving as the BGP
Route Reflector, is responsible for collecting and reflecting all BGP
source prefix information.
Based on the IGP's topology information, the interface list
corresponding to each IGP prefix can be calculated. The specific
calculation process can be found in [draft-cheng-savnet-intra-
domain-sav-IGP-00]. The first-level NextHop SAV rule table is
generated from this information in the form (IGP-Prefix, if).
The calculation of the next-hop SAV rule is not limited to IGP and
can involve other new extended protocols not described in this
document.
Subsequently, each source prefix distributed via iBGP is matched,
through its next hop, against the first-level SAV rule table. Once a
match is found, the interface list "if" is inherited to produce the
second-level SAV rule table (BGP-Prefix, if). This document relies on
the generation of the next-hop SAVNET rules by the IGP. The
relationships of the generated SAVNET rule tables are illustrated in
Figure 3.
+---------------------------------------------------------+
| AS |
| iBGP Router1 |
| SAV Rule: +--------3-+ |
| (Prefix1, A-1) | Router A | |
| (Prefix2, A-1) +1--------2+ |
| (Prefix3, A-2) /\ /\ |
| / \ |
| / \ |
| / \
| / \
| RR +----------+ +----------+ |
|iBGP Router5| Router B | | Router E | iBGP Router6 |
| +1--------2+ +---------1+ |
| /\ /\ /\ |
| / \ \ |
| / \ \ |
| +----------+ +----------+ +----------+ |
| | Router C | | Router D | | Router F | |
| +----------+ +----------+ +----------+ |
| | | | |
| iBGP Router2 iBGP Router3 iBGP Router4 |
| Prefix1 Prefix2 Prefix3 |
+---------------------------------------------------------+
Figure 2: Example 1 of Topology Calculation
This approach lets the SAV table entries adjust automatically to
topological changes, so that source address protection within the
domain tracks the current topology rather than a static
configuration.
+----------+ +----------+
| BGP Route| | IGP LSDB |
+----------+ +----------+
| | |
| | V
| V +------------+
| NextHop <- - - - -> |NextHop SAVA|
| | +------------+
| |
V V
Source NextHop
Prefix If
|
V
+------------+
| BGP SAVA |
+------------+
Figure 3: Relationships of the generated SAVNET rule tables
3.2. Procedure
The calculation process for intra-domain SAVNET rules based on BGP
is as follows:
Step 1: Perform the connectivity calculation based on the LSDB of
the IGP and generate first-level SAV rules for the prefix information
published by the IGP nodes. The generated SAVNET rules take the form
(IGP-Prefix, if). This table also serves as the next-hop SAVNET table
required by BGP.
Step 2: Iterate through all source prefix information distributed by
BGP. For each source prefix, take the next-hop address with which its
publisher advertised it, and look that next-hop address up in the SAV
rules generated in Step 1. Inherit the interface list of the matching
first-level SAV rule to generate the second-level SAV rule. The
generated rules take the form (BGP-Prefix, if).
Step 3: If the topology information of the IGP changes, repeat the
calculation of Step 1. If the first-level SAV rules produced by Step 1
change, BGP refreshes the (BGP-Prefix, if) rule table by re-inheriting
the interface lists from the updated next-hop SAVNET table; the BGP
prefix-to-next-hop mapping itself is unchanged, so the source
prefixes do not need to be re-matched to their next hops as in Step
2.
Step 4: If the source prefix information distributed by BGP changes,
Step 1 is skipped and the calculation proceeds from Step 2,
refreshing the rule list generated by BGP.
4. Example
+---------------------------------------------------------+
| AS |
| iBGP 11.11.11.11 |
| SAV Rule: +--------3-+ |
| (10.0.0.0/24, A-1) | Router A | |
| (20.0.0.0/24, A-1) +1--------2+ |
| (30.0.0.0/24, A-2) /\ /\ |
| / \ |
| / \ |
| / \
| / \
| RR +----------+ +----------+ |
|iBGP | Router B | | Router E | iBGP |
|55.55.55.55 +1--------2+ +---------1+ 66.66.66.66 |
| /\ /\ /\ |
| / \ \ |
| / \ \ |
| +----------+ +----------+ +----------+ |
| | Router C | | Router D | | Router F | |
| +----------+ +----------+ +----------+ |
| | | | |
| iBGP 22.22.22.22 iBGP 33.33.33.33 iBGP 44.44.44.44 |
| P: 10.0.0.0/24 P: 20.0.0.0/24 P:30.0.0.0/24 |
+---------------------------------------------------------+
Figure 4: Example of Topology Calculation
After the IGP calculation on Router A, the iBGP neighbors
22.22.22.22 and 33.33.33.33 are determined to be reachable via
interface A-1, and neighbor 44.44.44.44 via interface A-2. The BGP
source prefix calculation then inherits the outgoing interface from
this connectivity calculation according to each prefix's next hop, so
Router A computes the following SAVNET table entries:
(10.0.0.0/24, A-1) obtained from BGP neighbor 22.22.22.22,
(20.0.0.0/24, A-1) obtained from BGP neighbor 33.33.33.33, and
(30.0.0.0/24, A-2) obtained from BGP neighbor 44.44.44.44.
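The following Python program is added here as a worked example of the
procedure in Section 3.2 applied to the Figure 4 topology; it is not
code from the draft. It models the IGP LSDB as a link-state graph seen
from Router A, runs the connectivity calculation (Step 1) to build the
(IGP-Prefix, if) table, derives the (BGP-Prefix, if) table from the
iBGP next hops (Step 2), and shows the two refresh paths (Steps 3 and
4). Assumptions not in the draft: all link costs are equal, the
IGP-published prefixes are the iBGP speakers' /32 loopbacks, the
next-hop lookup is a longest-prefix match, equal-cost paths keep
every interface they use, interface A-3 exists on Router A for a
topology-change case, and a source matching no rule is passed
(default-permit).

```python
"""Intra-domain SAV rule generation from iBGP source prefixes and IGP topology,
as seen from Router A in the Section 4 figure (added example, not draft code).
Link costs, interface A-3, and the default action for unmatched sources are
assumptions made for illustration."""
from collections import defaultdict
import heapq
import ipaddress

# Constructed IGP LSDB for the Section 4 topology: (node, neighbor, cost),
# links bidirectional, all costs assumed equal.
LINKS = [("A", "B", 1), ("A", "E", 1), ("B", "C", 1), ("B", "D", 1), ("E", "F", 1)]
# Router A's local interface toward each directly connected neighbor.
LOCAL_IF = {"B": "A-1", "E": "A-2"}
# IGP prefixes published by each node (assumed: the iBGP speakers' loopbacks).
IGP_PREFIXES = {"A": ["11.11.11.11/32"], "B": ["55.55.55.55/32"],
                "C": ["22.22.22.22/32"], "D": ["33.33.33.33/32"],
                "E": ["66.66.66.66/32"], "F": ["44.44.44.44/32"]}
# iBGP source prefixes reflected by the RR: (prefix, BGP next hop).
BGP_ROUTES = [("10.0.0.0/24", "22.22.22.22"),
              ("20.0.0.0/24", "33.33.33.33"),
              ("30.0.0.0/24", "44.44.44.44")]


def shortest_path_ifaces(links, local, root="A"):
    """Connectivity calculation (Step 1): Dijkstra from the local node. Returns,
    per remote node, the set of local interfaces on which a shortest path to
    that node leaves; equal-cost paths keep every interface (ECMP)."""
    graph = defaultdict(list)
    for a, b, cost in links:
        graph[a].append((b, cost))
        graph[b].append((a, cost))
    dist, via, heap = {root: 0}, defaultdict(set), [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in graph[u]:
            nd = d + cost
            ifs = {local[v]} if u == root else via[u]
            if nd < dist.get(v, float("inf")):
                dist[v], via[v] = nd, set(ifs)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                via[v] |= ifs  # equal-cost path: add its interface(s)
    return via


def build_nexthop_sav(links, local, igp_prefixes, root="A"):
    """Step 1: first-level table (IGP-Prefix, if), keyed by prefix string."""
    via = shortest_path_ifaces(links, local, root)
    return {p: frozenset(via[node]) for node, prefixes in igp_prefixes.items()
            if node != root for p in prefixes}


def _lpm(table, addr):
    """Longest-prefix match of addr against a string-keyed prefix table."""
    a, best = ipaddress.ip_address(addr), None
    for key in table:
        n = ipaddress.ip_network(key)
        if a in n and (best is None or n.prefixlen > best.prefixlen):
            best = n
    return str(best) if best else None


def build_bgp_sav(nexthop_table, bgp_routes):
    """Step 2: look up each source prefix's BGP next hop in the first-level
    table and inherit its interface list, giving (BGP-Prefix, if). A next hop
    with no first-level entry yields no rule; it is reported, not made permissive."""
    rules, unresolved = {}, []
    for prefix, nh in bgp_routes:
        hit = _lpm(nexthop_table, nh)
        if hit is None:
            unresolved.append(prefix)
        else:
            rules[prefix] = nexthop_table[hit]
    return rules, unresolved


def on_igp_change(links, local, igp_prefixes, bgp_routes):
    """Step 3: topology changed, so rebuild the first-level table and refresh
    the inherited interface lists of every BGP rule."""
    nh = build_nexthop_sav(links, local, igp_prefixes)
    return nh, build_bgp_sav(nh, bgp_routes)[0]


def on_bgp_change(nexthop_table, bgp_routes):
    """Step 4: only BGP source prefixes changed; reuse the first-level table."""
    return build_bgp_sav(nexthop_table, bgp_routes)[0]


def validate(rules, src, ingress_if):
    """Data-plane SAV check: a source covered by a rule is accepted only on the
    interfaces in that rule; uncovered sources pass (assumed default-permit)."""
    hit = _lpm(rules, src)
    return True if hit is None else ingress_if in rules[hit]


if __name__ == "__main__":
    nh_table = build_nexthop_sav(LINKS, LOCAL_IF, IGP_PREFIXES)
    rules, _ = build_bgp_sav(nh_table, BGP_ROUTES)
    for prefix, ifs in rules.items():
        print(f"({prefix}, {sorted(ifs)})")   # (10.0.0.0/24, ['A-1']) ...
    print(validate(rules, "10.0.0.5", "A-2"))  # False: 10.0.0.0/24 only via A-1
```

Running the script reproduces the three entries of Section 4. Adding a
link ("A", "F") on A-3 and calling on_igp_change moves 44.44.44.44/32
and, by inheritance, 30.0.0.0/24 to A-3 without touching the BGP
prefix-to-next-hop mapping, which is the Step 3 path; adding a second
path B-F makes Router F reachable at equal cost via A-1 and A-2 and
the rule keeps both interfaces. A BGP prefix whose next hop has no
first-level entry is left without a rule rather than being accepted
on every interface.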
5. Deployment Considerations
If both the network topology information and the source prefix
information within the domain are conveyed by the IGP, SAVNET rules
can be generated automatically following the calculation method
described in [draft-cheng-savnet-intra-domain-sav-IGP-00] or
[I-D.lin-Intra-domain-savnet-method].
If the intra-domain topology information is conveyed by the IGP while
the intra-domain source prefix information is transmitted via BGP,
the SAVNET calculation method described here can be deployed to
generate SAVNET rules for filtering spoofed source addresses in
inbound and outbound traffic.
If the intra-domain source prefixes are transmitted via BGP while
network connectivity information is conveyed by protocols other than
an IGP, this method can still be used to calculate SAVNET rules: BGP
simply inherits, according to the next-hop information of each source
prefix, the interfaces produced by the topology calculation into the
final SAVNET rules.
Furthermore, it is also possible to plan a separate BGP domain within
the intra-domain network, using BGP RRs to reflect and propagate all
intra-domain source prefixes. First, through the IGP or other
extended technologies, the SAVNET table entries corresponding to the
next hops of the BGP source prefixes are calculated. Then, through
each BGP next hop, the SAVNET entry of that next hop is looked up to
generate the SAVNET table entries for the BGP-published source
prefixes, achieving BGP-based SAVNET calculation within the
intra-domain network.
6. IANA Considerations
This document has no IANA actions.
7. Security Considerations
TBD
8. References
8.1. Normative References
[I-D.li-savnet-intra-domain-architecture]
Li, D., Wu, J., Huang, M., Chen, L., Geng, N., Qin, L.,
and F. Gao, "Intra-domain Source Address Validation
(SAVNET) Architecture", Work in Progress, Internet-Draft,
draft-li-savnet-intra-domain-architecture-03, 25 July
2023, <https://datatracker.ietf.org/doc/html/draft-li-
savnet-intra-domain-architecture-06>.
[I-D.lin-Intra-domain-savnet-method]
Li, D., "Intra-domain SAVNET method", Work in Progress,
Internet-Draft, draft-lin-savnet-lsr-intra-domain-method-03,
<https://www.ietf.org/archive/id/draft-lin-savnet-lsr-
intra-domain-method-03.txt>.
8.2. Informative References
[I-D.ietf-savnet-intra-domain-problem-statement]
Li, D., Wu, J., Qin, L., Huang, M., and N. Geng, "Source
Address Validation in Intra-domain Networks Gap Analysis,
Problem Statement, and Requirements", Work in Progress,
Internet-Draft, draft-ietf-savnet-intra-domain-problem-
statement-02, 17 August 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-savnet-
intra-domain-problem-statement-02>.
Acknowledgments
TBD
Authors' Addresses
Weiqiang Cheng
China Mobile
China
Email: chengweiqiang@chinamobile.com
Changwang Lin
New H3C Technologies
China
Email: linchangwang.04414@h3c.com
Shengnan Yue
China Mobile
China
Email: yueshengnan@chinamobile.com