Internet DRAFT - draft-tong-idr-bgp-ls-savnet

draft-tong-idr-bgp-ls-savnet







Intra Domain Routing                                             T. Tong
Internet-Draft                                                   R. Pang
Intended status: Standards Track                            China Unicom
Expires: 5 September 2024                                        N. Geng
                                                                  M. liu
                                                                  Huawei
                                                            4 March 2024


    BGP Link-State Extensions for Source Address Validation Networks
                                (SAVNET)
                    draft-tong-idr-bgp-ls-savnet-00

Abstract

   BGP Link-state uses the BGP protocol to collect and report network
   topology to the network controller.  This document defines a new type
   of BGP-LS NLRI for reporting source address validation-related
   information to the controller.  The reported information can be used
   to generate SAV rules centrally.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-tong-idr-bgp-ls-savnet/.

   Discussion of this document takes place on the Intra Domain Routing
   Working Group mailing list (mailto:idr@ietf.org), which is archived
   at https://mailarchive.ietf.org/arch/browse/idr/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/idr/.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."




Tong, et al.            Expires 5 September 2024                [Page 1]

Internet-Draft        BGP-LS Extensions for SAVNET            March 2024


   This Internet-Draft will expire on 5 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  BGP Link-State for SAVNET . . . . . . . . . . . . . . . . . .   3
     2.1.  SAV Rules . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  SAV-related information . . . . . . . . . . . . . . . . .   3
     2.3.  BGP Link-State for SAVNET . . . . . . . . . . . . . . . .   4
   3.  BGP Link-State Extensions for SAVNET  . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Source address spoofing-based attacks is one of the main sources of
   network threats.  Source address validation (SAV) is an effective
   method to prevent source address spoofing-based attacks
   [I-D.li-savnet-intra-domain-architecture]
   [I-D.wu-savnet-inter-domain-architecture].

   Many network operators have deployed network controllers in their
   networks.  Network controllers can be used to generate SAV rules
   based on the network topology information.  The generated SAV rules
   can be then disseminated to network devices for SAV.






Tong, et al.            Expires 5 September 2024                [Page 2]

Internet-Draft        BGP-LS Extensions for SAVNET            March 2024


   BGP Link-State (BGP-LS) protocol is a convenient tool for collecting
   network topology information [RFC9552].  It aggregates the topology
   information collected by IGP protocol and sends the information to
   the upper controller.  BGP-LS can help controllers collect topology
   information.  However, to generate accurate SAV rules, the currently
   supported information in BGP-LS is not enough.  Controllers need to
   know which interface is connected to a specific subnet and which
   source prefixes the interface can reach.  The information that is
   useful for SAV rule generation is called SAV-related information in
   this document.

   This document defines a new type of BGP-LS NLRI for reporting source
   address validation-related information to the controller.  The
   reported information can be used to generate SAV rules centrally.

1.1.  Terminology

   *  SAV: Source address validation

   *  SAV Rule: The rule that indicates the valid/invalid incoming
      interfaces of a specific source IP address or source IP prefix.

   *  AS: Autonomous System

2.  BGP Link-State for SAVNET

   This section introduces the SAV rules, SAV-related information, and
   BGP Link-State for SAV.

2.1.  SAV Rules

   SAV rules can be used for checking the validity of source addresses
   of incoming packets.  The rules are usually in the format of <source
   prefix, incoming interface set>.  The source prefix is for matching
   specific packets.  Interface set represents a set of physical
   interfaces from which the packets should arrive.  For example, the
   rule <P1, [intf1, intf2]> means the source prefix P1 must arrive the
   router at interface Intf1 or Intf2, otherwise, P1 is invalid.  For
   invalid source prefixes, the filtering actions, such as block, rate-
   limit, and redirect, can be taken on the packets
   [I-D.huang-savnet-sav-table].

2.2.  SAV-related information

   SAV-related information is the relevant information required by the
   controller to generate SAV rules, including:

   *  Protocol-ID: same as Table 2 in [RFC9552].



Tong, et al.            Expires 5 September 2024                [Page 3]

Internet-Draft        BGP-LS Extensions for SAVNET            March 2024


   *  Multi-instance identifier: Identifier of the IGP domain used to
      identify different protocol instances when running IS-IS, OSPF
      multi-instance, and OSPFv3 multi-instance.

   *  Subnet identifier: Identifier of the customer subnet that
      identifies different customer subnets.

   *  Subnet prefix: Describes the prefix information of the customer
      subnet.

   *  Access interface: Identifies the interface of the device from
      which the customer subnet is accessed.

2.3.  BGP Link-State for SAVNET

   BGP Link-State protocol is a new way to collect network topology and
   summarize the topology information collected by the IGP protocol to
   be uploaded to the upper layer controller, which normalizes the
   topology uploading protocol and reduces the requirement on the
   computational power of the upper layer controller.  In the SDN
   controller-based intra-domain SAV capability enhancement scheme, SAV-
   related information can be uploaded to the network controller via
   BGP-LS.  As shown in Figure 1, the controller establishes BGP
   connections with routers in the AS domain, including both SAV-enabled
   and SAV-disabled devices, to upload SAV-related information.

                      +--------------+
                      |  Controller  |
                      +--------------+
                        /     |     \
               BGP-LS  /      |      \ BGP-LS
                      /       |BGP-LS \
                     /        |        \
               +--------+ +--------+ +--------+
               | router | | router | | router |
               +--------+ +--------+ +--------+
                   |           |          |
               +--------+ +--------+ +----------+
               | subnet | | subnet | | other AS |
               +--------+ +--------+ +----------+

       Figure 1: Collection of Link-State for SAV-related Information

3.  BGP Link-State Extensions for SAVNET

   A new BGP-LS NLRI type (TBD1) called SAVNET NLRI is defined in this
   section.  The value field part of the NLRI contains the SAV-related
   information described in Section 2.2 and is encoded as follows:



Tong, et al.            Expires 5 September 2024                [Page 4]

Internet-Draft        BGP-LS Extensions for SAVNET            March 2024


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+
       |  Protocol-ID  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                  Multiple instance identifier                 |
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       //                Local Node Descriptors TLV (variable)        //
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       //                Prefix Descriptors TLVs (variable)           //
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       //                Link Descriptors TLVs (variable)             //
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       //                Subnet Descriptors TLV (variable)            //
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The format of Protocol-ID, Multiple instance identifier, Local Node
   Descriptors TLV, Prefix Descriptors TLVs, and Link Descriptors TLVs
   in the above figure is defined same as that in [RFC9552].

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          Type                 |            Length             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                        Subnet identifier                      |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The meaning of fields:

   *  Type (TBD2): This field indicates a subnet interface
      identification.

   *  Length: This field indicates the total length of the prefix TLV.

   *  Subnet identifier: This field indicates the access subnet and
      needs to be configured locally.[I-D.geng-idr-bgp-savnet]

4.  Security Considerations

   No new security issues are introduced.

5.  IANA Considerations

   IANA is required to allocate a new BGP-LS NLRI type (TBD1) and a new
   Descriptor TLV type (TBD2) for the extensions proposed in this
   document.



Tong, et al.            Expires 5 September 2024                [Page 5]

Internet-Draft        BGP-LS Extensions for SAVNET            March 2024


6.  References

6.1.  Normative References

   [RFC9552]  Talaulikar, K., Ed., "Distribution of Link-State and
              Traffic Engineering Information Using BGP", RFC 9552,
              DOI 10.17487/RFC9552, December 2023,
              <https://www.rfc-editor.org/rfc/rfc9552>.

6.2.  Informative References

   [I-D.geng-idr-bgp-savnet]
              Geng, N., Li, Z., Tan, Z., Liu, Li, D., and F. Gao, "BGP
              Extensions for Source Address Validation Networks (BGP
              SAVNET)", Work in Progress, Internet-Draft, draft-geng-
              idr-bgp-savnet-03, 22 November 2023,
              <https://datatracker.ietf.org/doc/html/draft-geng-idr-bgp-
              savnet-03>.

   [I-D.huang-savnet-sav-table]
              Huang, M., Cheng, W., Li, D., Geng, N., Liu, Chen, L., and
              C. Lin, "General Source Address Validation Capabilities",
              Work in Progress, Internet-Draft, draft-huang-savnet-sav-
              table-05, 3 March 2024,
              <https://datatracker.ietf.org/doc/html/draft-huang-savnet-
              sav-table-05>.

   [I-D.li-savnet-intra-domain-architecture]
              Li, D., Wu, J., Qin, L., Geng, N., Chen, L., Huang, M.,
              and F. Gao, "Intra-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-li-savnet-intra-domain-architecture-06, 21 January
              2024, <https://datatracker.ietf.org/doc/html/draft-li-
              savnet-intra-domain-architecture-06>.

   [I-D.wu-savnet-inter-domain-architecture]
              Wu, J., Li, D., Huang, M., Chen, L., Geng, N., Liu, L.,
              and L. Qin, "Inter-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-wu-savnet-inter-domain-architecture-06, 5 February
              2024, <https://datatracker.ietf.org/doc/html/draft-wu-
              savnet-inter-domain-architecture-06>.

Acknowledgments

   The authors would like to acknowledge the contributions from Wenxiang
   Lv and Jing Zhao.




Tong, et al.            Expires 5 September 2024                [Page 6]

Internet-Draft        BGP-LS Extensions for SAVNET            March 2024


Authors' Addresses

   Tian Tong
   China Unicom
   Email: tongt5@chinaunicom.cn


   Ran Pang
   China Unicom
   Email: pangran@chinaunicom.cn


   Nan Geng
   Huawei
   Email: gengnan@huawei.com


   Mingxing Liu
   Huawei
   Email: liumingxing7@huawei.com































Tong, et al.            Expires 5 September 2024                [Page 7]