IDR                                                            N. Geng
Internet-Draft                                                M. Huang
Intended status: Standards Track                                Huawei
Expires: 21 April 2024                                           D. Li
                                                   Tsinghua University
                                                                W. Gao
                                                                 CAICT
                                                       19 October 2023


          BGP Flow Specification for Source Address Validation
                      draft-geng-idr-flowspec-sav-00

Abstract

   BGP FlowSpec reuses the BGP route distribution infrastructure and
   propagates traffic flow information together with filtering actions.
   This document specifies a new BGP extended community named Source
   Address Validation (SAV) Interface-set to disseminate SAV rules
   through BGP FlowSpec.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 April 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Geng, et al.              Expires 21 April 2024                 [Page 1]

Internet-Draft            BGP FlowSpec for SAV              October 2023

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Requirements Language
   2.  Flow Specifications for SAV
     2.1.  SAV Rules
     2.2.  BGP FlowSpec for SAV
   3.  Extended Community for SAV
     3.1.  SAV Interface-set Extended Community
     3.2.  Examples
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   Source Address Validation (SAV) is an efficient method for preventing
   attacks based on source address spoofing.  SAV rules indicate the
   valid/invalid incoming interfaces of a specific source IP address or
   source IP prefix.  The rules can be deployed on edge routers, border
   routers, or aggregation routers for checking the validity of intra-
   domain and inter-domain packets.  For invalid packets, filtering
   actions such as block, rate-limit, and redirect can be taken.

   Many mechanisms can generate SAV rules on routers ([RFC2827],
   [RFC3704], [RFC5210], [RFC8704], and [manrs-antispoofing]).  However,
   accurate validation and operation remain challenging in asymmetric
   routing scenarios or dynamic networks
   [I-D.ietf-savnet-intra-domain-problem-statement]
   [I-D.ietf-savnet-inter-domain-problem-statement].  To facilitate SAV
   management, an additional means of SAV rule dissemination is needed
   [I-D.li-savnet-intra-domain-architecture]
   [I-D.wu-savnet-inter-domain-architecture].

   BGP FlowSpec is a convenient and flexible tool for traffic filtering
   and control ([RFC8955], [RFC8956]).  It propagates traffic flow
   information for different traffic control purposes through a BGP
   protocol extension.  The existing BGP FlowSpec design supports source
   prefix matching and various traffic filtering actions but does not
   support binding valid/invalid incoming interfaces to source prefixes.
   With a minor extension, BGP FlowSpec can be used for SAV rule
   dissemination.

   This document specifies a new BGP extended community named the SAV
   Interface-set extended community.  SAV rules can be disseminated
   through BGP FlowSpec by combining the new extended community with the
   source prefix component and filtering actions of existing BGP
   FlowSpec.  The new extension can be used on its own to configure SAV
   rules on remote routers.  It can also help existing SAV mechanisms
   generate accurate SAV rules (i.e., as a supplement to those SAV
   mechanisms).

1.1.  Terminology

   SAV: Source address validation

   SAV Rule: The rule that indicates the valid/invalid incoming
   interfaces of a specific source IP address or source IP prefix.

   AS: Autonomous System

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Flow Specifications for SAV

2.1.  SAV Rules

   SAV rules can be used for checking the validity of the source
   addresses of incoming packets.  A rule usually has the format
   <source prefix, interface set, validity>.  The source prefix is for
   matching specific packets.  The interface set represents a set of
   physical interfaces from which the packets arrive.  Validity
   indicates whether the packets matching the source prefix and arrival
   interface are valid or invalid, so validity has a value of either
   valid or invalid.  For example, the rule <P1, {Intf1, Intf2}, valid>
   means that packets with source prefix P1 must arrive at the router
   on interface Intf1 or Intf2; otherwise, P1 is invalid.  For invalid
   source prefixes, filtering actions such as block, rate-limit, and
   redirect can be taken on the packets [I-D.huang-savnet-sav-table].

   In real networks, the interfaces in SAV rules can usually be grouped.
   For example, the interfaces can be grouped as:

   *  Subnet interface set that contains the interfaces connecting a
      target subnet

   *  All customer AS interfaces set, or the customer AS interfaces set
      of a particular customer AS

   *  All lateral peer AS interfaces set, or the lateral peer AS
      interfaces set of a particular lateral peer AS

   *  All transit provider AS interfaces set, or the transit provider AS
      interfaces set of a particular transit provider AS

   These interface sets can be identified by a group id for easy
   management.

2.2.  BGP FlowSpec for SAV

   SAV rules can be disseminated to edge, border, or aggregation routers
   through BGP FlowSpec, as shown in the figure below.  The controller
   sets up BGP sessions with the routers in a SAV-deployed AS or domain.
   Note that SAV rules disseminated by BGP FlowSpec can take effect
   alone or act as a management tool for other SAV mechanisms (e.g.,
   [RFC8704]).

                            +------------+
                            | Controller |
                            +------------+
                           /      |      \
                       FS /    FS |       \ FS
                         /        |        \
         +-------------+   +--------------+   +---------+
         | Provider or |   | SAV-deployed |   |         |
         | Customer or |---# AS/Domain    #---| Subnets |
         | Peer AS     |   |              |   |         |
         +-------------+   +--------------+   +---------+

3.  Extended Community for SAV

   Existing BGP FlowSpec supports the component for matching the source
   prefix and various filtering actions.  This document defines a new
   extended community called the SAV Interface-set extended community,
   which is similar to [I-D.ietf-idr-flowspec-interfaceset].  SAV rules
   can be disseminated through BGP FlowSpec by combining the new
   extended community with the source prefix component and filtering
   actions of existing BGP FlowSpec ([RFC8955], [RFC8956]).

3.1.  SAV Interface-set Extended Community

   The newly defined SAV Interface-set extended community is encoded as
   follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    SubType    |          AS Number            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      AS Number (cont.)        |U|V|     Group Identifier      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The meaning of the fields:

   *  Type (1 octet): 0x07 or 0x47.  The value 0x07 is for FlowSpec
      Transitive Extended Communities, and 0x47 represents FlowSpec
      Non-Transitive Extended Communities.  The two values have been
      allocated by IANA [I-D.ietf-idr-flowspec-interfaceset].

   *  SubType (1 octet): TBD.  The SubType field indicates the SAV
      Interface-set extended community.

   *  AS Number (4 octets): Four-octet AS number.  This field indicates
      the target AS where the SAV rule takes effect.

   *  Group Identifier (14 bits): A 14-bit number with a value in the
      range 0..16383.  The group identifier is a local property and
      identifies a set of interfaces for the source prefix carried in
      the NLRI.  The meaning of a group identifier depends on the
      configuration of the network administrator.  An interface may be
      associated with one or more group identifiers.

   *  Flag V (1 bit): 1 means the identified interface set is valid for
      the source prefix, while 0 means the interface set is invalid for
      the source prefix.

   *  Flag U (1 bit): 1 means the remaining interfaces on the local
      router (those not included in the interface set) are unknown for
      the source prefix.  0 means the remaining interfaces on the local
      router are invalid (when V=1) or valid (when V=0) for the source
      prefix.

   In a BGP update, there may be more than one instance of the SAV
   Interface-set extended community.  The final interface set for the
   corresponding source prefix MUST be the union of these instances.

   Multiple source prefixes can be put in multiple BGP FlowSpec NLRIs of
   one BGP update.  In such a case, these source prefixes MUST share the
   same SAV Interface-set extended communities.

3.2.  Examples

   Example 1: Configure source prefix P1 as valid at AS1's interfaces
   (Group Identifier=ID1) connecting a multi-homed subnet.

   Encoding description: The NLRI carries source prefix P1 following
   existing BGP FlowSpec.  The SAV Interface-set community with
   Type=0x07 and SubType=TBD carries ID1 with AS number=AS1, flag V=1,
   and U=1.

   Example 2: Block source prefix P2 at AS2's interfaces (Group
   Identifier=ID2) connecting to transit providers.

   Encoding description: The NLRI carries source prefix P2, and a BGP
   extended community carries the drop action (e.g., set
   traffic-rate-bytes to zero).  The SAV Interface-set community with
   Type=0x07 and SubType=TBD carries ID2 with AS number=AS2, flag V=0,
   and U=1.

4.  IANA Considerations

   This document requests a new sub-type (suggested value 0x03) within
   the FlowSpec Transitive Extended Communities (0x07) and FlowSpec Non-
   Transitive Extended Communities (0x47).  This sub-type shall be named
   "SAV Interface-set", with a reference to this document.

   +=======+======================+===============+
   | Value | Name                 | Reference     |
   +=======+======================+===============+
   | TBD   | SAV Interface-set    | This document |
   +-------+----------------------+---------------+

5.  Security Considerations

   No new security issues are introduced.
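   As an added example (not code from the draft), the following Python
   encodes and decodes the 8-octet SAV Interface-set extended community
   of Section 3.1 and derives the verdict a router would reach for a
   packet that matched the NLRI source prefix, covering the U/V flag
   semantics and the union of several instances in one update.  The
   names SavInterfaceSet and classify are the example's own; the SubType
   value 0x03 stands in for the draft's TBD, and the handling of
   contradictory instances (rejected) is an assumption the draft does
   not specify.

```python
"""SAV Interface-set extended community (draft-geng-idr-flowspec-sav-00):
encoder/decoder for the 8-octet wire format and a rule evaluator.
Added example, not code from the draft."""
import struct
from dataclasses import dataclass

TYPE_TRANSITIVE, TYPE_NON_TRANSITIVE = 0x07, 0x47
SUBTYPE_SAV = 0x03  # placeholder: the draft lists the SubType as TBD (0x03 suggested)
GROUP_ID_MASK = 0x3FFF  # Group Identifier is 14 bits: 0..16383


@dataclass(frozen=True)
class SavInterfaceSet:
    as_number: int      # 4-octet target AS where the rule takes effect
    group_id: int       # local interface-group identifier (14 bits)
    valid: bool         # flag V: the identified set is valid for the prefix
    rest_unknown: bool  # flag U: interfaces outside the set are unknown
    transitive: bool = True

    def encode(self) -> bytes:
        if not 0 <= self.group_id <= GROUP_ID_MASK:
            raise ValueError("Group Identifier must fit in 14 bits")
        # Last 16 bits of the community: U is the MSB, then V, then the group id.
        flags = (self.rest_unknown << 15) | (self.valid << 14) | self.group_id
        typ = TYPE_TRANSITIVE if self.transitive else TYPE_NON_TRANSITIVE
        return struct.pack("!BBIH", typ, SUBTYPE_SAV, self.as_number, flags)

    @classmethod
    def decode(cls, data: bytes) -> "SavInterfaceSet":
        if len(data) != 8:
            raise ValueError("an extended community is exactly 8 octets")
        typ, sub, asn, flags = struct.unpack("!BBIH", data)
        if typ not in (TYPE_TRANSITIVE, TYPE_NON_TRANSITIVE) or sub != SUBTYPE_SAV:
            raise ValueError("not a SAV Interface-set extended community")
        return cls(asn, flags & GROUP_ID_MASK, bool(flags >> 14 & 1),
                   bool(flags >> 15 & 1), typ == TYPE_TRANSITIVE)


def classify(arrival_groups, rules):
    """Verdict ("valid", "invalid" or "unknown") for a packet that matched the
    NLRI source prefix and arrived on an interface tagged with `arrival_groups`.
    Instances in one update are unioned (Section 3.1).  Assumption: a definite
    U=0 verdict outranks "unknown", and contradictory instances are rejected."""
    hit = {"valid" if r.valid else "invalid" for r in rules if r.group_id in arrival_groups}
    if not hit:  # outside every set: flag U of each instance decides the rest
        hit = {"invalid" if r.valid else "valid" for r in rules if not r.rest_unknown}
    if len(hit) > 1:
        raise ValueError("contradictory SAV Interface-set instances")
    return hit.pop() if hit else "unknown"
```

   With Example 1 (V=1, U=1) a packet from P1 on an ID1 interface is
   valid and on any other interface unknown; with Example 2 (V=0, U=1)
   a packet on an ID2 interface is invalid and elsewhere unknown.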
6.  Acknowledgements

   TBD.

7.  References

7.1.  Normative References

   [I-D.ietf-idr-flowspec-interfaceset]
              Litkowski, S., Simpson, A., Patel, K., Haas, J., and L.
              Yong, "Applying BGP flowspec rules on a specific interface
              set", Work in Progress, Internet-Draft, draft-ietf-idr-
              flowspec-interfaceset-05, 18 November 2019.

   [RFC8955]  Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
              Bacher, "Dissemination of Flow Specification Rules",
              RFC 8955, DOI 10.17487/RFC8955, December 2020.

   [RFC8956]  Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed.,
              "Dissemination of Flow Specification Rules for IPv6",
              RFC 8956, DOI 10.17487/RFC8956, December 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

7.2.  Informative References

   [I-D.ietf-savnet-intra-domain-problem-statement]
              Li, D., Wu, J., Qin, L., Huang, M., and N. Geng, "Source
              Address Validation in Intra-domain Networks Gap Analysis,
              Problem Statement, and Requirements", Work in Progress,
              Internet-Draft, draft-ietf-savnet-intra-domain-problem-
              statement-02, 17 August 2023.

   [I-D.ietf-savnet-inter-domain-problem-statement]
              Wu, J., Li, D., Liu, L., Huang, M., and K. Sriram, "Source
              Address Validation in Inter-domain Networks Gap Analysis,
              Problem Statement, and Requirements", Work in Progress,
              Internet-Draft, draft-ietf-savnet-inter-domain-problem-
              statement-02, 22 August 2023.

   [I-D.li-savnet-intra-domain-architecture]
              Li, D., Wu, J., Huang, M., Chen, L., Geng, N., Qin, L.,
              and F. Gao, "Intra-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-li-savnet-intra-domain-architecture-03, 25 July
              2023.

   [I-D.wu-savnet-inter-domain-architecture]
              Wu, J., Li, D., Huang, M., Chen, L., Geng, N., Liu, L.,
              and L. Qin, "Inter-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-wu-savnet-inter-domain-architecture-04, 30 September
              2023.

   [I-D.huang-savnet-sav-table]
              Huang, M., Cheng, W., Li, D., Geng, N., Liu, and L. Chen,
              "Source Address Validation Table Abstraction and
              Application", Work in Progress, Internet-Draft, draft-
              huang-savnet-sav-table-01, 6 March 2023.

   [manrs-antispoofing]
              "MANRS Implementation Guide", January 2023.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
              May 2000.

   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
              Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March
              2004.

   [RFC5210]  Wu, J., Bi, J., Li, X., Ren, G., Xu, K., and M. Williams,
              "A Source Address Validation Architecture (SAVA) Testbed
              and Deployment Experience", RFC 5210,
              DOI 10.17487/RFC5210, June 2008.

   [RFC8704]  Sriram, K., Montgomery, D., and J. Haas, "Enhanced
              Feasible-Path Unicast Reverse Path Forwarding", BCP 84,
              RFC 8704, DOI 10.17487/RFC8704, February 2020.

Authors' Addresses

   Nan Geng
   Huawei
   Beijing
   China
   Email: gengnan@huawei.com


   Mingqing Huang
   Huawei
   Beijing
   China
   Email: huangmingqing@huawei.com


   Dan Li
   Tsinghua University
   Beijing
   China
   Email: tolidan@tsinghua.edu.cn


   Wei Gao
   CAICT
   Beijing
   China
   Email: gaowei@caict.ac.cn