Intra Domain Routing                                              T. Tong
Internet-Draft                                                    R. Pang
Intended status: Standards Track                             China Unicom
Expires: 5 September 2024                                         N. Geng
                                                                   M. Liu
                                                                   Huawei
                                                             4 March 2024


     BGP Link-State Extensions for Source Address Validation Networks
                                (SAVNET)
                     draft-tong-idr-bgp-ls-savnet-00

Abstract

   BGP Link-State (BGP-LS) uses the BGP protocol to collect network
   topology and report it to a network controller.  This document
   defines a new type of BGP-LS NLRI for reporting source address
   validation (SAV)-related information to the controller.  The
   reported information can be used to generate SAV rules centrally.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-tong-idr-bgp-ls-savnet/.

   Discussion of this document takes place on the Intra Domain Routing
   Working Group mailing list (mailto:idr@ietf.org), which is archived
   at https://mailarchive.ietf.org/arch/browse/idr/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/idr/.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Tong, et al.            Expires 5 September 2024                [Page 1]

Internet-Draft           BGP-LS Extensions for SAVNET          March 2024

   This Internet-Draft will expire on 5 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  BGP Link-State for SAVNET
     2.1.  SAV Rules
     2.2.  SAV-related information
     2.3.  BGP Link-State for SAVNET
   3.  BGP Link-State Extensions for SAVNET
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   Attacks based on source address spoofing are among the main sources
   of network threats.  Source address validation (SAV) is an effective
   method to prevent such attacks
   [I-D.li-savnet-intra-domain-architecture]
   [I-D.wu-savnet-inter-domain-architecture].

   Many network operators have deployed network controllers in their
   networks.  A network controller can generate SAV rules from the
   network topology information it holds.
   The generated SAV rules can then be disseminated to the network
   devices that perform SAV.

   The BGP Link-State (BGP-LS) protocol is a convenient tool for
   collecting network topology information [RFC9552].  It aggregates the
   topology information collected by the IGP and sends it to the
   controller above.  BGP-LS therefore helps controllers collect
   topology, but the information BGP-LS currently carries is not enough
   to generate accurate SAV rules.  The controller also needs to know
   which interface of a router is connected to a given customer subnet,
   and which source prefixes can legitimately arrive on that interface.
   The information that is useful for SAV rule generation is called
   SAV-related information in this document.

   This document defines a new type of BGP-LS NLRI for reporting
   SAV-related information to the controller.  The reported information
   can be used to generate SAV rules centrally.

1.1.  Terminology

   *  SAV: Source address validation

   *  SAV Rule: A rule that indicates the valid and invalid incoming
      interfaces for a specific source IP address or source IP prefix.

   *  AS: Autonomous System

2.  BGP Link-State for SAVNET

   This section introduces SAV rules, SAV-related information, and the
   use of BGP Link-State for SAV.

2.1.  SAV Rules

   SAV rules are used to check the validity of the source addresses of
   incoming packets.  A rule is usually of the form <source prefix,
   interface set>.  The source prefix selects the packets the rule
   applies to, and the interface set is the set of physical interfaces
   on which such packets are expected to arrive.  For example, the rule
   <P1, {Intf1, Intf2}> means that packets with a source address in
   prefix P1 must arrive at the router on interface Intf1 or Intf2; a
   packet from P1 arriving on any other interface is treated as having
   an invalid source address.  For invalid source prefixes, filtering
   actions such as block, rate-limit, and redirect can be applied to
   the packets [I-D.huang-savnet-sav-table].

2.2.  SAV-related information

   SAV-related information is the information the controller needs in
   order to generate SAV rules.  It consists of:

   *  Protocol-ID: as in Table 2 of [RFC9552].

   *  Multi-instance identifier: identifier of the IGP domain, used to
      distinguish protocol instances when running IS-IS, OSPF
      multi-instance, or OSPFv3 multi-instance.

   *  Subnet identifier: identifier that distinguishes the different
      customer subnets.

   *  Subnet prefix: the prefix of the customer subnet.

   *  Access interface: the interface of the device through which the
      customer subnet is reached.

2.3.  BGP Link-State for SAVNET

   BGP Link-State summarizes the topology information collected by the
   IGP and uploads it to the controller above.  This gives operators a
   single, normalized protocol for uploading topology and reduces the
   computational work the controller must do itself.  In the
   SDN-controller-based intra-domain SAV scheme, SAV-related
   information can be uploaded to the network controller over BGP-LS in
   the same way.  As shown in Figure 1, the controller establishes BGP
   sessions with the routers in the AS, including both SAV-enabled and
   SAV-disabled devices, and the routers upload SAV-related information
   over those sessions.

                          +--------------+
                          |  Controller  |
                          +--------------+
                           /      |      \
                   BGP-LS /       |       \ BGP-LS
                         /        |BGP-LS  \
                        /         |         \
                 +--------+  +--------+  +--------+
                 | router |  | router |  | router |
                 +--------+  +--------+  +--------+
                     |           |           |
                 +--------+  +--------+  +----------+
                 | subnet |  | subnet |  | other AS |
                 +--------+  +--------+  +----------+

     Figure 1: Collection of Link-State for SAV-related Information

3.  BGP Link-State Extensions for SAVNET

   A new BGP-LS NLRI type (TBD1), called the SAVNET NLRI, is defined in
   this section.  The value field of the NLRI carries the SAV-related
   information described in Section 2.2 and is encoded as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+
   |  Protocol-ID  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Multiple instance identifier                  |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   //            Local Node Descriptors TLV (variable)            //
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   //             Prefix Descriptors TLVs (variable)              //
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   //              Link Descriptors TLVs (variable)               //
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   //             Subnet Descriptors TLV (variable)               //
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Protocol-ID (1 octet), the Multiple instance identifier (the
   8-octet Identifier field of [RFC9552]), the Local Node Descriptors
   TLV, the Prefix Descriptors TLVs, and the Link Descriptors TLVs are
   formatted as defined in [RFC9552].  The Subnet Descriptors TLV is
   new and is encoded as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Type             |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Subnet identifier                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The meaning of the fields:

   *  Type (TBD2): identifies this TLV as a Subnet Descriptors TLV.

   *  Length: the length of the value field in octets, as for the other
      BGP-LS TLVs [RFC9552]; it is 4 for the 32-bit Subnet identifier
      shown above.

   *  Subnet identifier: identifies the access subnet.  It is configured
      locally on the router, as in [I-D.geng-idr-bgp-savnet].

4.  Security Considerations

   This document defines a new NLRI type and a new Descriptor TLV for
   BGP-LS; it does not change how BGP-LS sessions are established or
   protected, and the security considerations of [RFC9552] apply.
   Because the controller derives SAV rules directly from the reported
   Subnet identifier, Subnet prefix, and Access interface, a router
   that reports inaccurate information, whether through
   misconfiguration or compromise, can cause the controller to generate
   rules that drop legitimate traffic or admit spoofed traffic.
   Operators should therefore accept SAVNET NLRI only over BGP-LS
   sessions with routers in their own AS that they trust, and treat
   malformed NLRI (for example, a Subnet Descriptors TLV whose Length
   does not match its value) according to the error handling of
   [RFC9552] rather than acting on it.

5.  IANA Considerations

   IANA is requested to allocate a new BGP-LS NLRI type (TBD1) from the
   "BGP-LS NLRI Types" registry and a new Descriptor TLV type (TBD2)
   from the "BGP-LS Node Descriptor, Link Descriptor, Prefix Descriptor,
   and Attribute TLVs" registry for the extensions defined in this
   document.
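   The following Python is an added worked example and is not part of
   the draft or of any SAVNET implementation.  It encodes and decodes
   the SAVNET NLRI value field of Section 3, derives <source prefix,
   interface set> rules (Section 2.1) from the decoded SAV-related
   information (Section 2.2) on the controller side, and checks sample
   packets against those rules on the router side.  Assumptions: TBD2
   is stood in for by the placeholder TLV type 0xFFF0; the access
   interface is carried as the Link Local Identifier (ifIndex) of the
   RFC 9552 Link Local/Remote Identifiers TLV (258) with the remote
   identifier set to 0; the router is identified by an IPv4 IGP
   Router-ID sub-TLV (515) inside Local Node Descriptors (256); the
   subnet prefix uses the IP Reachability Information TLV (265); the
   Identifier is 0; and all sample NLRIs are constructed inline.

```python
import ipaddress
import struct
from collections import defaultdict

# Code points from RFC 9552.  TLV_SUBNET_DESCRIPTOR is a placeholder for
# TBD2 (assumption: the real value will be assigned by IANA).
PROTOCOL_ID_OSPFV2 = 3
TLV_LOCAL_NODE_DESCRIPTORS = 256
TLV_LINK_LOCAL_REMOTE_ID = 258
TLV_IP_REACHABILITY = 265
TLV_IGP_ROUTER_ID = 515
TLV_SUBNET_DESCRIPTOR = 0xFFF0


def tlv(tlv_type, value):
    """BGP-LS TLV: 2-octet Type, 2-octet Length of the value, then the value."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def parse_tlvs(buf):
    """Yield (type, value); a truncated or over-long TLV raises instead of being
    silently accepted, since the controller turns this data into filter rules."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("TLV length exceeds buffer")
        yield t, buf[off:off + length]
        off += length


def encode_savnet_nlri(protocol_id, identifier, router_id, subnet, ifindex, subnet_id):
    """SAVNET NLRI value field (Section 3): Protocol-ID, 8-octet Identifier,
    Local Node Descriptors, Prefix Descriptors, Link Descriptors, Subnet TLV."""
    net = ipaddress.ip_network(subnet)
    plen = net.prefixlen
    prefix_octets = net.network_address.packed[:(plen + 7) // 8]
    node = tlv(TLV_LOCAL_NODE_DESCRIPTORS,
               tlv(TLV_IGP_ROUTER_ID, ipaddress.ip_address(router_id).packed))
    prefix = tlv(TLV_IP_REACHABILITY, bytes([plen]) + prefix_octets)
    # Assumption: access interface = Link Local Identifier (ifIndex), remote = 0.
    link = tlv(TLV_LINK_LOCAL_REMOTE_ID, struct.pack("!II", ifindex, 0))
    subnet_tlv = tlv(TLV_SUBNET_DESCRIPTOR, struct.pack("!I", subnet_id))
    return struct.pack("!BQ", protocol_id, identifier) + node + prefix + link + subnet_tlv


def decode_savnet_nlri(buf):
    """Inverse of encode_savnet_nlri: the SAV-related information as a dict."""
    protocol_id, identifier = struct.unpack_from("!BQ", buf, 0)
    info = {"protocol_id": protocol_id, "identifier": identifier}
    for t, v in parse_tlvs(buf[9:]):
        if t == TLV_LOCAL_NODE_DESCRIPTORS:
            for st, sv in parse_tlvs(v):
                if st == TLV_IGP_ROUTER_ID and len(sv) == 4:
                    info["router_id"] = str(ipaddress.IPv4Address(sv))
        elif t == TLV_IP_REACHABILITY:
            plen, addr = v[0], v[1:].ljust(4, b"\x00")  # IPv4, zero-padded
            info["subnet_prefix"] = str(ipaddress.ip_network((addr, plen), strict=False))
        elif t == TLV_LINK_LOCAL_REMOTE_ID:
            info["access_interface"] = struct.unpack("!II", v)[0]
        elif t == TLV_SUBNET_DESCRIPTOR:
            if len(v) != 4:  # Length must match the 32-bit identifier
                raise ValueError("Subnet Descriptors TLV must carry 4 octets")
            info["subnet_id"] = struct.unpack("!I", v)[0]
    return info


def generate_sav_rules(nlris):
    """Controller side: merge reported (router, subnet prefix, access interface)
    into <source prefix, interface set> rules, keyed by router."""
    rules = defaultdict(lambda: defaultdict(set))
    for raw in nlris:
        info = decode_savnet_nlri(raw)
        rules[info["router_id"]][info["subnet_prefix"]].add(info["access_interface"])
    return {router: dict(table) for router, table in rules.items()}


def check_source(rules_for_router, src_ip, in_ifindex):
    """Router side (Section 2.1): longest-prefix match on the source address.
    'valid' if the packet arrived on one of the rule's interfaces, 'invalid'
    otherwise, 'unknown' when no rule covers the source (operator decides)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, intfs in rules_for_router.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intfs)
    if best is None:
        return "unknown"
    return "valid" if in_ifindex in best[1] else "invalid"


# Constructed sample input: router 10.0.0.1 reports a multi-homed customer
# subnet on interfaces 1 and 2, and a second subnet on interface 3.
SAMPLE_NLRIS = [
    encode_savnet_nlri(PROTOCOL_ID_OSPFV2, 0, "10.0.0.1", "192.0.2.0/24", 1, 100),
    encode_savnet_nlri(PROTOCOL_ID_OSPFV2, 0, "10.0.0.1", "192.0.2.0/24", 2, 100),
    encode_savnet_nlri(PROTOCOL_ID_OSPFV2, 0, "10.0.0.1", "198.51.100.0/25", 3, 101),
]
```

   Running generate_sav_rules(SAMPLE_NLRIS) yields, for router
   10.0.0.1, the rules <192.0.2.0/24, {1, 2}> and <198.51.100.0/25,
   {3}>; check_source then reports a packet from 192.0.2.7 as valid on
   interface 2 and invalid on interface 3.  Two design choices matter
   in practice: the parser refuses TLVs whose Length does not fit the
   buffer instead of reading past it, and sources that match no rule
   are reported as unknown rather than dropped, so that a partially
   populated rule table does not black-hole prefixes the controller has
   not learned yet.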
6.  References

6.1.  Normative References

   [RFC9552]  Talaulikar, K., Ed., "Distribution of Link-State and
              Traffic Engineering Information Using BGP", RFC 9552,
              DOI 10.17487/RFC9552, December 2023.

6.2.  Informative References

   [I-D.geng-idr-bgp-savnet]
              Geng, N., Li, Z., Tan, Z., Liu, Li, D., and F. Gao, "BGP
              Extensions for Source Address Validation Networks (BGP
              SAVNET)", Work in Progress, Internet-Draft,
              draft-geng-idr-bgp-savnet-03, 22 November 2023.

   [I-D.huang-savnet-sav-table]
              Huang, M., Cheng, W., Li, D., Geng, N., Liu, Chen, L., and
              C. Lin, "General Source Address Validation Capabilities",
              Work in Progress, Internet-Draft,
              draft-huang-savnet-sav-table-05, 3 March 2024.

   [I-D.li-savnet-intra-domain-architecture]
              Li, D., Wu, J., Qin, L., Geng, N., Chen, L., Huang, M.,
              and F. Gao, "Intra-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-li-savnet-intra-domain-architecture-06, 21 January
              2024.

   [I-D.wu-savnet-inter-domain-architecture]
              Wu, J., Li, D., Huang, M., Chen, L., Geng, N., Liu, L.,
              and L. Qin, "Inter-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-wu-savnet-inter-domain-architecture-06, 5 February
              2024.

Acknowledgments

   The authors would like to acknowledge the contributions from Wenxiang
   Lv and Jing Zhao.

Authors' Addresses

   Tian Tong
   China Unicom
   Email: tongt5@chinaunicom.cn

   Ran Pang
   China Unicom
   Email: pangran@chinaunicom.cn

   Nan Geng
   Huawei
   Email: gengnan@huawei.com

   Mingxing Liu
   Huawei
   Email: liumingxing7@huawei.com