Internet DRAFT - draft-li-dsav-framework

draft-li-dsav-framework







Network Working Group                                              D. Li
Internet-Draft                                                     J. Wu
Intended status: Informational                       Tsinghua University
Expires: 15 July 2022                                           M. Huang
                                                                  Huawei
                                                                  L. Qin
                                                     Tsinghua University
                                                                 N. Geng
                                                                  Huawei
                                                         11 January 2022


         Distributed Source Address Validation (DSAV) Framework
                       draft-li-dsav-framework-01

Abstract

   This document provides an overall framework of Distributed Source
   Address Validation (DSAV) including both intra-domain and inter-
   domain levels.  It also describes related considerations.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 8174 [RFC8174].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 15 July 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.



Li, et al.                Expires 15 July 2022                  [Page 1]

Internet-Draft               DSAV Framework                 January 2022


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  DSAV Framework  . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Separate Source Information Advertisement . . . . . . . .   5
     3.2.  Destination Information Identifier  . . . . . . . . . . .   6
   4.  Accuracy  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Consistency . . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Deployability . . . . . . . . . . . . . . . . . . . . . . . .   8
   7.  Security  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction


   Source address validation (SAV) is important to mitigate source
   address spoofing and contribute to the Internet security.  However,
   existing SAV mechanisms have limitations in accuracy.  Specifically,
   intra-domain SAV mechanisms (e.g. strict uRPF[RFC3704]) usually
   improperly block legitimate traffic in the case of routing asymmetry,
   while inter-domain SAV mechanisms (e.g. loose uRPF[RFC3704] and EFP-
   uRPF[RFC8704]) provide overly loose SAV rules which can improperly
   permit spoofed traffic.  The root cause of their limitations is that
   they all achieve SAV based on local forwarding information base (FIB)
   or routing information base (RIB), which may not match the real
   forwarding direction from the source.  In order to guarantee the
   accuracy, SAV should follow the real data-plane forwarding path.

   This document provides a framework to generate accurate SAV rules on
   routers at both intra-domain and inter-domain levels.  In Distributed
   Source Address Validation (DSAV) framework, each router or AS
   originates individual protocol messages to its neighbors, carrying
   local source information and corresponding destination information
   which takes the neighbor as the next hop.  Upon receiving a protocol
   message, the router or AS identifies a valid incoming interface for
   the related source addresses.  After that, it decides whether to
   terminate the message or further relay new protocol messages to its



Li, et al.                Expires 15 July 2022                  [Page 2]

Internet-Draft               DSAV Framework                 January 2022


   neighbors based on the destination information of the received
   message.  In this way, the source information will propogate through
   all possible forwarding paths originated from the source.

   This document also describes basic considerations related to DSAV,
   including accuracy, consistency, deployability, and security.


2.  Terminology


   Some definitions during a propagation process:

   *  Node: A router or AS in this document.

   *  Initial node: The node generating original protocol messages.

   *  Terminal node: The node terminating the received protocol message
      from a neighbor node.

3.  DSAV Framework


   DSAV provides a framework for distributedly generating SAV rules on
   nodes at both intra-domain and inter-domain levels.  Intra-domain SAV
   avoids source address spoofing within the same AS.  Inter-domain SAV
   prevents source address spoofing among ASes.  Despite of different
   application scenarios and protocol details, DSAVs at the two levels
   hold the same key idea.  The core workflow of DSAV is briefly
   described as follows:

   a.  An initial node A generates an original message for each neighbor
       node, carrying the source prefixes originated locally and the
       destination prefixes which take the neighbor node as the next
       hop.

   b.  When node B receives a protocol message at interface I, it
       determines interface I as a valid incoming interface for the
       source prefixes of the received message.  In other words, it
       generates the SAV rule <source prefixes of A, interface I>.











Li, et al.                Expires 15 July 2022                  [Page 3]

Internet-Draft               DSAV Framework                 January 2022


   c.  After that, node B checks the destination prefixes of the
       received message against its local FIB/RIB.  If the next hop of
       all the destination prefixes point to its local subnets/networks,
       the message is terminated; otherwise, node B relays new messages.
       It groups all destination prefixes according to their next-hop
       node.  For each next-hop node C, node B generates a new message
       destined to C, with the corresponding destination prefixes taking
       node C as the next hop.  The source prefixes in each relayed
       message should keep the same.

   d.  In DSAV, with the exception of some special cases, such as
       multipath routing, nodes usually receive only one message
       originated from each source.

   e.  The above steps can be executed periodically or when any of
       source prefixes, destination information, or forwarding paths
       change.  The updated message should add updated SAV rules or
       delete outdated SAV rules for the affected Nodes.  Particularly,
       to reduce the communication overhead, only the changed
       information should be propagated again when dynamic updating.

   Figure 1 illustrates the workflow of DSAV.  The network runs some
   routing protocols such as OSPF, IS-IS, or BGP among the four nodes.
   Each node owns a unique source prefix ( e.g.  P1 for Node 1).  Let's
   consider the propagation process where Node 1 is the initial node.
   Node 1 sends an original message to the neighbor Node 2, carrying its
   source prefix (i.e., P1) and destination prefixes whose next-hop node
   in FIB is Node 2 (i.e., P2, P3, P4).  When Node 2 receives the
   message, it specifies interface '#' as the valid incoming interface
   for prefix P1.  Then, Node 2 checks the destination prefixes
   according to its local FIB.  Since P3 and P4 are not Node 2's source
   prefixes, it should relay messages to the corresponding next-hop
   nodes, i.e. Node 3 and Node 4.  The message destined to Node 3
   carries the destination prefix P3, while the message destined to Node
   4 carries the destination prefix P4.  The source prefix in each
   relayed message keeps the same.  When Node 3 or Node 4 receives the
   message from Node 2, it also learns and enables the SAV rule <P1,
   interface '#'> but terminates the message.













Li, et al.                Expires 15 July 2022                  [Page 4]

Internet-Draft               DSAV Framework                 January 2022


                                      +----------+
                                      |  Node 1  +---+P1
                                      +----+-----+
                                           | pkt:src_v=[P1],
                                           | dst_v=[P2,P3,P4]
                        pkt:src_v=[P1],    |
            +----------+  dst_v=[P4] +-----#-----+
            |  Node 4  #-------------+  Node 2   |---+P2
            +-----+----+             +-----+-----+
                  |                        | pkt:src_v=[P1],
                  +                        | dst_v=[P3]
                  P4                       |
                                     +-----#-----+
                                     |  Node 3   +---+P3
                                     +-----------+

             - P1, P2, P3, and P4 are prefixes belonging to
                Node 1, 2, 3, and 4, respectively.
             - Node 1 is the initial node, and Node 3 and Node 4
                are the terminate nodes in this propagation process.
             - '#' means the legitimate interface for the
                data-plane packets with source addresses of P1.

            Figure 1: The workflow of DSAV

3.1.  Separate Source Information Advertisement

   Containing source prefixes and destination prefixes in a message
   sometimes induces much unnecessary overhead.  For example, a change
   on a destination prefix or forwarding path will make the initial node
   advertise its source prefixes again even though no changes happen on
   its local source prefixes at all.  A separate source information
   advertisement is taken to tackle the above problem.

   Particularly, a node can be represented by a node ID (e.g., the
   router-ID for a router or the ASN for an AS).  For each initial node,
   its source prefixes together with its node ID can be advertised to
   other nodes through broadcast or existing underlay routing protocols
   (such as OSPF, IS-IS, and BGP).  Then, other nodes will know the
   mapping from a node ID to a list of source prefixes.  Now, the
   protocol message does not need to carry a long list of source
   prefixes whose field can be replaced with just one source node ID.









Li, et al.                Expires 15 July 2022                  [Page 5]

Internet-Draft               DSAV Framework                 January 2022


3.2.  Destination Information Identifier

   Although separate source information advertisement help reduce
   communication overhead, including destination prefixes in messages
   can still be costly, especially in inter-domain scenarios with a
   large number of destination prefixes.

   Similarly, a list of destination prefixes can also be replaced with a
   destination node IDs (e.g., the router-ID for a router or the ASN for
   an AS).  Considering that a node may have hundreds of different
   prefixes, this can significantly reduce overhead.  However, the
   replacement of destination prefixes may result in accuracy problems
   in some scenarios where the destination prefixes belonging to a same
   destination node have different forwarding paths.  Some additional
   mechanisms need to be imported into these scenarios.

4.  Accuracy


   The goal of DSAV is to achieve high accuracy, i.e., avoid improper
   block problems and try best to reduce improper permit problems.  The
   improper block problem means legitimate traffic is mistakenly
   dropped.  The improper permit problem means spoofed traffic is
   mistakenly passed.

   The accuracy of DSAV is determined by the accuracy of source
   information advertisement and propagation process.  The
   incompleteness of received source information can compromise the
   accuracy of SAV.  So, each initial node should discover and advertise
   local source information carefully with the help of either automatic
   programs or manual configurations.  In the case of incomplete source
   information, the node can take a remedy method at the data plane,
   i.e., only drop packets with known source addresses but coming from
   invalid interfaces.  Packets with unknown source addresses should be
   accepted by default.  More details will be described in Section 6.

   The key of DSAV is to generate SAV rules strictly following the real
   data-plane forwarding paths.  Any factor that can affect forwarding
   should be considered.  Here are three kinds of common forwarding
   cases:

   *  Only FIBs affect forwarding.









Li, et al.                Expires 15 July 2022                  [Page 6]

Internet-Draft               DSAV Framework                 January 2022


   *  ECMP (Equal-cost multi-path routing) or UCMP (Unequal-cost multi-
      path routing).  To achieve multi-path routing, hashing functions
      are usually taken, which map packet header field values (e.g.,
      source/destination IP address, source/destination port number,
      protocol number) to candidate next hops.  Packets with the same
      destination IP address may be forwarded to different next hops.

   *  ACL redirection.  An ACL rule can have multiple match fields, and
      the match field of destination IP addresses can be included or not
      in an ACL rule.  So, similar to ECMP/UCMP, the packets with the
      same destination IP address may have different next-hop
      interfaces.

   As described in Section3, DSAV can work well in the first case.  To
   ensure accuracy in arbitrary routing scenarios, the last two cases
   should also be considered.

5.  Consistency


   The factors influencing the accuracy of DSAV may change with time.
   Such changes will lower the performance of SAV and lead to improper
   block or improper permit problems.  The SAV rules generated through
   DSAV should be updated in time so as to keep consistent with routing
   states.  The consistency of DSAV is important for the SAV framework
   working well in real networks.

   A simple method is to send updated messages periodically.  An aging
   mechanism can also be used for SAV rules.  That is, SAV rules will
   expire after a period of time.  However, these solutions may take
   much time before eliminating improper block and improper permit
   problems.  Some quick convergence mechanisms are necessary to achieve
   consistency of DSAV in time.  Here are some preliminary ideas for
   different cases:

   *  Source information changes.  A node sends new source information
      advertisements immediately upon discovering its local source
      prefixes change.

   *  Routing state changes.  When route configuration or topology
      changes, the forwarding path to a destination prefix may change.
      These changes can trigger the initial node to generate updated
      messages for the changed forwarding paths.  Then, new SAV rules
      can be added and outdated SAV rules can be withdrawn at other
      nodes quickly.  For the scenarios where fast reroute (FRR) is
      deployed, the initial node can send message to the backup
      forwarding paths in advance, and the backup SAV rules can be
      installed for fast convergence under failures.



Li, et al.                Expires 15 July 2022                  [Page 7]

Internet-Draft               DSAV Framework                 January 2022


6.  Deployability

   It is difficult to ensure that all nodes deploy DSAV simultaneously,
   especially at inter-domain level.  In this case, each node only
   learns partial source address information or incomplete legitimate
   incoming interfaces for a source prefix, which can lead to improper
   block problems.  Therefore, DSAV should support incremental and
   partial deployment.

   When deployed incrementally or partially, nodes should still aviod
   improper block problems and minimize improper permit problems based
   on incomplete SAV tables.  The process of data-plane SAV is as
   follows:

   *  For the source address whose source address information and
      incoming interface information are fully learned, nodes can
      strictly validate the authenticity by querying <source prefix,
      interface> in SAV tables.

   *  For the source address whose source address information or
      incoming interface information is only partially learned or even
      not learned, nodes should pass those packets by default to avoid
      improper block problems, since it is hard to identify the
      authenticity with incomplete information.

   Since inter-domain topology is greatly complex and ASes are managed
   by individual network operators, determining whether the incoming
   interface information for a source prefix is learned completely is a
   real challenge.  Besides, in DSAV framework, neighboring (next-hop)
   node plays an important role in the propagation of probing packets,
   namely, a node cannot send or receive any probing packet if its
   neighboring nodes don't support DSAV.  Hence, at inter-domain level,
   DSAV recommends incremental deployment by customer cones.  This
   deployment pattern ensures that each AS learns complete source
   address information and incoming interface information for other ASes
   within the same customer cone.  With the merger of different customer
   cones where DSAV is deployed, the deployment scope of DSAV will
   gradually expand, and the defense capability against source address
   spoofing will gradually increase.

7.  Security

   TBD

8.  Normative References






Li, et al.                Expires 15 July 2022                  [Page 8]

Internet-Draft               DSAV Framework                 January 2022


   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
              May 2000, <https://www.rfc-editor.org/info/rfc2827>.

   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
              Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March
              2004, <https://www.rfc-editor.org/info/rfc3704>.

   [RFC5210]  Wu, J., Bi, J., Li, X., Ren, G., Xu, K., and M. Williams,
              "A Source Address Validation Architecture (SAVA) Testbed
              and Deployment Experience", RFC 5210,
              DOI 10.17487/RFC5210, June 2008,
              <https://www.rfc-editor.org/info/rfc5210>.

   [RFC7039]  Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
              "Source Address Validation Improvement (SAVI) Framework",
              RFC 7039, DOI 10.17487/RFC7039, October 2013,
              <https://www.rfc-editor.org/info/rfc7039>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8704]  Sriram, K., Montgomery, D., and J. Haas, "Enhanced
              Feasible-Path Unicast Reverse Path Forwarding", BCP 84,
              RFC 8704, DOI 10.17487/RFC8704, February 2020,
              <https://www.rfc-editor.org/info/rfc8704>.

Authors' Addresses

   Dan Li
   Tsinghua University
   Beijing
   China

   Email: tolidan@tsinghua.edu.cn


   Jianping Wu
   Tsinghua University
   Beijing
   China

   Email: jianping@cernet.edu.cn






Li, et al.                Expires 15 July 2022                  [Page 9]

Internet-Draft               DSAV Framework                 January 2022


   Mingqing Huang
   Huawei
   Beijing
   China

   Email: huangmingqing@huawei.com


   Lancheng Qin
   Tsinghua University
   Beijing
   China

   Email: qlc19@mails.tsinghua.edu.cn


   Nan Geng
   Huawei
   Beijing
   China

   Email: gengnan@huawei.com





























Li, et al.                Expires 15 July 2022                 [Page 10]