Intra Domain Routing                                             T. Tong
Internet-Draft                                                   R. Pang
Intended status: Standards Track                            China Unicom
Expires: 5 September 2024                                        N. Geng
                                                                  M. Liu
                                                                  Huawei
                                                            4 March 2024
BGP Link-State Extensions for Source Address Validation Networks
(SAVNET)
draft-tong-idr-bgp-ls-savnet-00
Abstract
BGP Link-state uses the BGP protocol to collect and report network
topology to the network controller. This document defines a new type
of BGP-LS NLRI for reporting source address validation-related
information to the controller. The reported information can be used
to generate SAV rules centrally.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-tong-idr-bgp-ls-savnet/.
Discussion of this document takes place on the Intra Domain Routing
Working Group mailing list (mailto:idr@ietf.org), which is archived
at https://mailarchive.ietf.org/arch/browse/idr/. Subscribe at
https://www.ietf.org/mailman/listinfo/idr/.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Tong, et al. Expires 5 September 2024 [Page 1]
Internet-Draft BGP-LS Extensions for SAVNET March 2024
This Internet-Draft will expire on 5 September 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. BGP Link-State for SAVNET . . . . . . . . . . . . . . . . . . 3
2.1. SAV Rules . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. SAV-related information . . . . . . . . . . . . . . . . . 3
2.3. BGP Link-State for SAVNET . . . . . . . . . . . . . . . . 4
3. BGP Link-State Extensions for SAVNET . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 6
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Attacks based on source address spoofing are one of the main sources of
network threats. Source address validation (SAV) is an effective
method to prevent such attacks
[I-D.li-savnet-intra-domain-architecture]
[I-D.wu-savnet-inter-domain-architecture].
Many network operators have deployed network controllers in their
networks. A network controller can generate SAV rules from network
topology information, and the generated SAV rules can then be
disseminated to network devices for SAV.
The BGP Link-State (BGP-LS) protocol is a convenient tool for collecting
network topology information [RFC9552]. It aggregates the topology
information collected by the IGP and sends it to the upper-layer
controller. However, the information currently carried in BGP-LS is
not sufficient to generate accurate SAV rules. The controller also
needs to know which interface is connected to a specific subnet and
which source prefixes are reachable through that interface. The
information that is useful for SAV rule generation is called
SAV-related information in this document.
This document defines a new type of BGP-LS NLRI for reporting source
address validation-related information to the controller. The
reported information can be used to generate SAV rules centrally.
1.1. Terminology
* SAV: Source address validation
* SAV Rule: The rule that indicates the valid/invalid incoming
interfaces of a specific source IP address or source IP prefix.
* AS: Autonomous System
2. BGP Link-State for SAVNET
This section introduces the SAV rules, SAV-related information, and
BGP Link-State for SAV.
2.1. SAV Rules
SAV rules are used to check the validity of the source addresses of
incoming packets. A rule is usually in the format <source prefix,
incoming interface set>. The source prefix matches specific packets,
and the interface set is the set of physical interfaces on which those
packets are expected to arrive. For example, the rule
<P1, [intf1, intf2]> means that packets with source prefix P1 must
arrive at the router on interface intf1 or intf2; otherwise, the
packets are considered invalid. For invalid source prefixes, filtering
actions such as block, rate-limit, and redirect can be applied to the
packets [I-D.huang-savnet-sav-table].
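As an added example (not code from the draft), the rule form above implemented as a lookup: a constructed SAV table keyed by source prefix, with a longest-prefix match so that a more specific rule overrides a broader one. The draft does not say how a source with no covering rule is treated, so that case is returned as a separate verdict here (an assumption, left to the caller's policy).

```python
from ipaddress import ip_address, ip_network

# Constructed SAV table in the <source prefix, incoming interface set> form
# of Section 2.1. Prefixes and interface names are sample values only.
SAV_RULES = {
    ip_network("192.0.2.0/24"):    {"intf1", "intf2"},
    ip_network("192.0.2.128/25"):  {"intf2"},          # more specific: intf2 only
    ip_network("198.51.100.0/24"): {"intf3"},
}

def matching_rule(src, rules=SAV_RULES):
    """Return the most specific rule prefix covering src, or None."""
    addr = ip_address(src)
    best = None
    for prefix in rules:
        if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return best

def validate_source(src, ingress, rules=SAV_RULES):
    """Classify a packet by its source address and the interface it arrived on.

    'valid'   - the ingress interface is in the matching rule's interface set
    'invalid' - a rule covers the source but the ingress is not in its set
    'no-rule' - no rule covers the source (assumption: the draft does not
                specify this case, so the caller decides the policy)
    """
    prefix = matching_rule(src, rules)
    if prefix is None:
        return "no-rule"
    return "valid" if ingress in rules[prefix] else "invalid"
```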
2.2. SAV-related information
SAV-related information is the information the controller requires to
generate SAV rules, including:
* Protocol-ID: as defined in Table 2 of [RFC9552].
* Multi-instance identifier: Identifier of the IGP domain, used to
distinguish protocol instances when running IS-IS, OSPF
multi-instance, or OSPFv3 multi-instance.
* Subnet identifier: Identifier that distinguishes different customer
subnets.
* Subnet prefix: The prefix information of the customer subnet.
* Access interface: The interface of the device through which the
customer subnet is accessed.
2.3. BGP Link-State for SAVNET
The BGP Link-State protocol is a new way to collect network topology:
it summarizes the topology information collected by the IGP and
uploads it to the upper-layer controller, which standardizes the
topology-upload protocol and reduces the computational power required
of the controller. In the SDN-controller-based intra-domain SAV
capability enhancement scheme, SAV-related information can be uploaded
to the network controller via BGP-LS. As shown in Figure 1, the
controller establishes BGP sessions with the routers in the AS,
including both SAV-enabled and SAV-disabled devices, so that they can
upload SAV-related information.
                         +--------------+
                         |  Controller  |
                         +--------------+
                          /     |     \
                  BGP-LS /      |      \ BGP-LS
                        /       |BGP-LS \
                       /        |        \
              +--------+   +--------+   +--------+
              | router |   | router |   | router |
              +--------+   +--------+   +--------+
                  |            |            |
              +--------+   +--------+   +----------+
              | subnet |   | subnet |   | other AS |
              +--------+   +--------+   +----------+

     Figure 1: Collection of Link-State for SAV-related Information
3. BGP Link-State Extensions for SAVNET
A new BGP-LS NLRI type (TBD1), called the SAVNET NLRI, is defined in
this section. The value field of the NLRI carries the SAV-related
information described in Section 2.2 and is encoded as follows:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+
    |  Protocol-ID  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 Multiple instance identifier                  |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //            Local Node Descriptors TLV (variable)            //
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //             Prefix Descriptors TLVs (variable)              //
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //              Link Descriptors TLVs (variable)               //
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //              Subnet Descriptors TLV (variable)              //
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The formats of the Protocol-ID, Multiple instance identifier, Local
Node Descriptors TLV, Prefix Descriptors TLVs, and Link Descriptors
TLVs in the above figure are the same as those defined in [RFC9552].
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |             Type              |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Subnet identifier                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields are defined as follows:
* Type (TBD2): This field indicates the Subnet Descriptor TLV, which
carries the subnet interface identification.
* Length: This field indicates the total length of the TLV.
* Subnet identifier: This field indicates the access subnet and
needs to be configured locally [I-D.geng-idr-bgp-savnet].
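As an added worked example (not code from the draft or its authors), the following Python encodes and parses the SAVNET NLRI value field laid out above: a 1-octet Protocol-ID, the 8-octet identifier, then TLVs with 2-octet type and length. It uses the RFC 9552 codes for the Local Node Descriptors TLV (256), the IP Reachability Information TLV (265) and the Autonomous System node sub-TLV (512), and an obviously unassigned placeholder for the TBD2 Subnet Descriptor type; the AS number, prefix and subnet identifier are constructed sample values. The decoder checks every length against the buffer, which is what a controller needs before trusting NLRI received from a peer.

```python
import struct
from ipaddress import ip_network

# TLV type codes. 256 (Local Node Descriptors), 265 (IP Reachability
# Information) and node sub-TLV 512 (Autonomous System) are registered by
# RFC 9552. The Subnet Descriptor type is still TBD2 in the draft, so an
# obviously unassigned placeholder value is used here.
LOCAL_NODE_DESCRIPTORS = 256
IP_REACHABILITY_INFO = 265
NODE_AS_NUMBER = 512
SUBNET_DESCRIPTOR_TBD2 = 0xFFFF   # placeholder, not an assigned code

def tlv(type_code, value):
    """Encode one TLV: 2-octet type, 2-octet length, then the value."""
    return struct.pack("!HH", type_code, len(value)) + value

def encode_savnet_nlri(protocol_id, identifier, asn, prefix, subnet_id):
    """Build the SAVNET NLRI value field in the order shown in Section 3."""
    net = ip_network(prefix)
    octets = (net.prefixlen + 7) // 8   # RFC 9552 prefix: length + minimal octets
    reach = struct.pack("!B", net.prefixlen) + net.network_address.packed[:octets]
    node = tlv(NODE_AS_NUMBER, struct.pack("!I", asn))
    return (struct.pack("!BQ", protocol_id, identifier)   # 1-octet ID + 8-octet identifier
            + tlv(LOCAL_NODE_DESCRIPTORS, node)
            + tlv(IP_REACHABILITY_INFO, reach)
            + tlv(SUBNET_DESCRIPTOR_TBD2, struct.pack("!I", subnet_id)))

def decode_savnet_nlri(data):
    """Parse the value field into (protocol_id, identifier, [(type, value), ...]).

    Every length is checked against the buffer so that a truncated or
    malformed NLRI raises ValueError instead of being silently over-read.
    """
    if len(data) < 9:
        raise ValueError("NLRI shorter than the fixed 9-octet header")
    protocol_id, identifier = struct.unpack("!BQ", data[:9])
    tlvs, off = [], 9
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        t, length = struct.unpack("!HH", data[off:off + 4])
        if off + 4 + length > len(data):
            raise ValueError("TLV length %d overruns NLRI at offset %d" % (length, off))
        tlvs.append((t, data[off + 4:off + 4 + length]))
        off += 4 + length
    return protocol_id, identifier, tlvs
```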
4. Security Considerations
No new security issues are introduced.
5. IANA Considerations
IANA is requested to allocate a new BGP-LS NLRI type (TBD1) and a new
Descriptor TLV type (TBD2) for the extensions proposed in this
document.
6. References
6.1. Normative References
[RFC9552] Talaulikar, K., Ed., "Distribution of Link-State and
Traffic Engineering Information Using BGP", RFC 9552,
DOI 10.17487/RFC9552, December 2023,
<https://www.rfc-editor.org/rfc/rfc9552>.
6.2. Informative References
[I-D.geng-idr-bgp-savnet]
Geng, N., Li, Z., Tan, Z., Liu, Li, D., and F. Gao, "BGP
Extensions for Source Address Validation Networks (BGP
SAVNET)", Work in Progress, Internet-Draft, draft-geng-
idr-bgp-savnet-03, 22 November 2023,
<https://datatracker.ietf.org/doc/html/draft-geng-idr-bgp-
savnet-03>.
[I-D.huang-savnet-sav-table]
Huang, M., Cheng, W., Li, D., Geng, N., Liu, Chen, L., and
C. Lin, "General Source Address Validation Capabilities",
Work in Progress, Internet-Draft, draft-huang-savnet-sav-
table-05, 3 March 2024,
<https://datatracker.ietf.org/doc/html/draft-huang-savnet-
sav-table-05>.
[I-D.li-savnet-intra-domain-architecture]
Li, D., Wu, J., Qin, L., Geng, N., Chen, L., Huang, M.,
and F. Gao, "Intra-domain Source Address Validation
(SAVNET) Architecture", Work in Progress, Internet-Draft,
draft-li-savnet-intra-domain-architecture-06, 21 January
2024, <https://datatracker.ietf.org/doc/html/draft-li-
savnet-intra-domain-architecture-06>.
[I-D.wu-savnet-inter-domain-architecture]
Wu, J., Li, D., Huang, M., Chen, L., Geng, N., Liu, L.,
and L. Qin, "Inter-domain Source Address Validation
(SAVNET) Architecture", Work in Progress, Internet-Draft,
draft-wu-savnet-inter-domain-architecture-06, 5 February
2024, <https://datatracker.ietf.org/doc/html/draft-wu-
savnet-inter-domain-architecture-06>.
Acknowledgments
The authors would like to acknowledge the contributions from Wenxiang
Lv and Jing Zhao.
Authors' Addresses
Tian Tong
China Unicom
Email: tongt5@chinaunicom.cn
Ran Pang
China Unicom
Email: pangran@chinaunicom.cn
Nan Geng
Huawei
Email: gengnan@huawei.com
Mingxing Liu
Huawei
Email: liumingxing7@huawei.com