savnet M. Huang Internet-Draft Huawei Technologies Intended status: Standards Track W. Cheng Expires: 22 April 2024 China Mobile D. Li Tsinghua University N. Geng M. Liu Huawei Technologies L. Chen Zhongguancun Laboratory C. Lin New H3C Technologies 20 October 2023 Source Address Validation Table Abstraction and Application draft-huang-savnet-sav-table-02 Abstract Existing source address validation (SAV) mechanisms have their own core data structures for SAV rules which are coupled with the corresponding underlying implementation. This document defines a unified abstraction named SAV table that stores all the SAV rules. The abstraction makes it convenient for engineers or operators to improve existing SAV mechanisms or properly apply SAV on routers. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 22 April 2024. Huang, et al. Expires 22 April 2024 [Page 1] Internet-Draft SAV Table October 2023 Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 4 2. SAV Table Abstraction . . . . . . . . . . . . . . . . . . . . 4 2.1. Validation Process . . . . . . . . . . . . . . . . . . . 5 2.2. Validation Modes . . . . . . . . . . . . . . . . . . . . 5 2.2.1. Mode 1: Interface-based prefix allowlist . . . . . . 6 2.2.2. Mode 2: Interface-based prefix blocklist . . . . . . 6 2.2.3. Mode 3: Prefix-based interface allowlist . . . . . . 7 3. Elimination Actions . . . . . . . . . . . . . . . . . . . . . 8 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 6.1. Normative References . . . . . . . . . . . . . . . . . . 9 6.2. Informative References . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction Source address validation (SAV) can detect and prevent source address spoofing on the SAV-enabled routers. When a packet arrives at an interface of the router, the source address of the packet will be validated. For the packets with unwanted source addresses or arriving at unwanted interfaces, will be considered invalid and usually be conducted elimination actions on. Huang, et al. Expires 22 April 2024 [Page 2] Internet-Draft SAV Table October 2023 There have been many source address validation (SAV) mechanisms such as ACL-based filtering ([RFC3704]), uRPF-like mechanisms ([RFC3704], [RFC8704]), etc. ACL rules can act as SAV rules for filtering unwanted source addresses (possibly spoofed source addresses) at specific interfaces. Strict uRPF and loose uRPF conducts reverse looking up in FIB for validating source addresses. Therefore, FIB entries can somehow be considered as SAV rules. It can be found that existing SAV mechanisms have their own core data structures which are coupled with the corresponding underlying implementation. The coupling induces three problems. First, it is not easy to perform analysis across different SAV mechanisms because the SAV rule generation process and the validation process depends on the underlying implementation. Second, the accuracy of SAV varies under different application conditions. With diversified data structure of SAV rules, we cannot easily express or agree on important questions such as which kind of SAV tables can be generated and enabled in the data plane. Third, SAV mechanisms usually take either "permit" action or "block" action on the validated packets. It is sometimes not flexible enough for diversified operation requirements in practice. This document abstracts the data structure for storing SAV rules as a unified SAV table. The SAV table is a logical description and not coupled with underlying implementation. After defining the SAV table, the document introduces the validation process, validation modes, and elimination actions. All the descriptions are not bound to specific implementations, but real implementations must have the equivalent effects to the abstracted descriptions. The SAV table abstraction and application introductions can: * Help engineers easily clarify the design goals of SAV mechanisms. * Help operators easily learn how to apply SAV in different scenarios. How to generate the SAV rules in the SAV table is not the focus of this document. 1.1. Terminology SAV rule: The entry specifying the valid incoming interfaces of specific source addresses or source prefixes. SAV table: The abstracted data structure that stores SAV rules. Huang, et al. Expires 22 April 2024 [Page 3] Internet-Draft SAV Table October 2023 Validation mode: The definition that describes the typical applications of SAV table. Different modes take effect in different scales and treat the default prefix differently. Elimination action: The action taken on the invalid packets that fail to pass SAV process. 1.2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. SAV Table Abstraction The basic idea of SAV is to check whether a source prefix arrives from a valid interface of the router. So, there are two dimensions in a logic SAV table, i.e., source prefix and interface. Section 2 shows the abstraction of SAV table. The prefixes, i.e., Prefix1, Prefix2, Prefix3, ..., Prefixn, mean the prefixes that the SAV mechanisms have learned or aim to validate. The interfaces, i.e., Intf. 1, Intf. 2, Intf. 3 ..., are the router's interfaces that enable validation. Each cell in the table indicates the validity state of the corresponding source prefix and interface. For example, suppose a packet with source address P1 arrives at interface Intf1. The validity state for the packet is "state_11" after taking SAV. For the source prefix of "default" in Section 2, it means all zero IP address for IPv4 or IPv6, i.e., unrecorded source addresses. The packets with unrecorded source addresses will match the default source prefix. There are two kinds of validity states: "valid" and "invalid". If the state is "valid", the packet is considered legitimate. If the state is "invalid", the packet is considered as carrying a spoofed source address. There may be some cases where SAV mechanisms fail to get enough information for SAV table generation and cannot determine the validity states of some cells. In these cases, the cells are suggested to be filled with "valid" instead of "invalid" or a particularly defined "unknown" state, so that the forwarding of legitimate packets will not be impacted (e.g., blocked) by mistake. Huang, et al. Expires 22 April 2024 [Page 4] Internet-Draft SAV Table October 2023 +-------------------------------------------------+ + | Intf 1 | Intf 2 | Intf 3 | ... + +-------------------------------------------------+ + Prefix1 | state_11 | state_12 | state_13 | ... + + Prefix2 | state_21 | state_22 | state_23 | ... + + Prefix3 | state_31 | state_32 | state_33 | ... + + ... | ... | ... | ... | ... + + Prefixn | state_n1 | state_n2 | state_n3 | ... + + default | state_*1 | state_*2 | state_*3 | ... + +-------------------------------------------------+ *state: valid or invalid *default: all zero IP address for IPv4 or IPv6 Figure 1: SAV table abstraction 2.1. Validation Process The validation process is shown in Figure 2. Suppose the router has learned the SAV table by SAV mechanisms and implemented it in the data plane. When a packet arrives at the router, the router will take the source address and the incoming interface of the packet as the input and look up the table. The validity state that is either "valid" or "invalid" will be returned after the process. SAV-enabled Router +-------------+ packet | look up the | (src address ---->| implemented |--------> validity incoming intf.) | SAV table | state +-------------+ Figure 2: Validation process 2.2. Validation Modes This section defines validation modes which describes the typical applications of SAV table. These modes take effect in different scales and treat the default prefix differently. By choosing modes in different scenarios appropriately, the network can be protected as much as possible while not impacting the forwarding of legitimate packets. Validation modes also describe the goal of SAV table generation. The modes can be set before generating the table. By specifying validation modes, operators can take appropriate SAV mechanisms matching the modes, and engineers can design new SAV mechanisms to achieve the goal in challenging scenarios. Huang, et al. Expires 22 April 2024 [Page 5] Internet-Draft SAV Table October 2023 Note that, validation modes do not put restrictions to product implementations, but the implementation should have the equivalent effect to the description. 2.2.1. Mode 1: Interface-based prefix allowlist Mode 1 is an interface-scale mode, i.e., it takes effect on a configured interface. The interface enabling Mode 1 is maintaining an interface-based prefix allowlist. Only the source prefixes recorded in the list will be considered valid, otherwise invalid. For the interface enabling Mode 1, the corresponding column in the generated SAV table can be equivalently mapped to a prefix allowlist. In the column, the prefixes recorded as valid will be put into the allowlist. Particularly, the default prefix is deterministic to be "invalid" in the column. Applying Mode 1 on an interface requires the complete knowledge of legitimate prefixes connected to the interface. Mode 1 is suitable to the interfaces connecting to a subnet, a stub AS, or a customer cone. Such a mode can efficiently prevent the connected network from spoofing source prefixes of other networks. In some cases, it may be difficult for an interface getting all the legitimate source prefixes. If not all legitimate prefixes are included in the allowlist, packets with legitimate source addresses arriving at the interface may be improperly blocked. For example, the interface with a default route or the interface connecting to the Internet through a provider AS can hardly promise to know all the legitimate source prefixes. 2.2.2. Mode 2: Interface-based prefix blocklist Mode 2 is also an interface-scale mode, i.e., it takes effect on a configured interface. An interface cannot enable Mode 1 and Mode 2 at the same time. The interface enabling Mode 2 is maintaining an interface-based prefix blocklist. The source prefixes recorded in the list will be considered invalid, otherwise valid. For the interface enabling Mode 2, the corresponding column in the generated SAV table can be equivalently mapped to a prefix blocklist. In the column, the prefixes recorded as invalid will be put into the blocklist. Particularly, the default prefix is deterministic to be "valid" in the column. Huang, et al. Expires 22 April 2024 [Page 6] Internet-Draft SAV Table October 2023 This mode does not require the complete blocklist. If the packets with the specific source addresses need to be discarded, Mode 2 can be taken. Mode 2 is suitable for proactive filtering and reactive filtering. Usually the source prefixes that are sure to be invalid will be put into the blocklist, which is proactive filtering. Reactive filtering rules are usually installed in DDoS elimination for dropping specific packets. 2.2.3. Mode 3: Prefix-based interface allowlist Mode 3 is a router-scale mode, i.e., it takes effect on all the SAV- enabled interfaces except those enabling Mode 1 or Mode 2. The router enabling Mode 3 is maintaining a specific set of source prefixes (Notes: usually not include the default prefix) and an interface allowlist (i.e., a list of legitimate incoming interfaces) for each of the source prefixes. The packets whose source addresses are covered by no recorded source prefix will be considered valid. A packet will also be considered valid, if 1) its source address is covered by a recorded source prefix and 2) the incoming interface is also included in the corresponding interface allowlist of the source prefix. If the source address is covered by a recorded source prefix but the incoming interface is not included, the validation result will be "invalid". Mode 3 focuses on validating/protecting the interested source prefixes. If some source prefixes are important but there is no condition to enable Mode 1, Mode 3 can be enabled to provide some extent of protection. Note that, Mode 1 and Mode 2 are configured on an interface, while Mode 3 is for the whole router. Thus, there can be multiple modes configured on the same router. For interfaces configured with Mode 1 or Mode 2, Mode 3 will not be conducted for the packets arriving at the interface. Figure 3 shows a comparison of different validation modes. +-----------------------------------------------------+ + Mode | Scale | Treatment of the default prefix + +-----------------------------------------------------+ + 1 | interface | invalid + + 2 | interface | valid + + 3 | router | check its incoming interface + +-----------------------------------------------------+ Figure 3: A comparison of different validation modes Huang, et al. Expires 22 April 2024 [Page 7] Internet-Draft SAV Table October 2023 3. Elimination Actions After doing validation, the router should update the local validation statistics. For the packet with invalid state, elimination actions should be taken on the packet. Simply dropping the packets may not well satisfy the requirements of operators in different scenarios. This section suggests to provide flexible actions to invalid packet just like FlowSpec ([RFC8955], [RFC8956]). One of the followings elimination actions will be taken: * "Permit": Forward packets normally though the packets are considered invalid. This action is useful when operators only want to monitor the status of source address spoofing in the network. The "Permit" action can be taken together with the "Sample" action. * "Block": Drop packets directly, which is the common choose of existing SAV mechanisms. * "Rate limit": Enforce an upper bound of traffic rate (e.g., bps or pps) for mitigation of source address spoofing attacks. * "Traffic redirect": Redirect the packets to the specified points (e.g., scrubbing centers) in the network for attack elimination. The following action is optional: * "Sample": Capture the packets with a configurable sampling rate and reports them to remote servers (e.g., security analysis center). The sampled packets can be used for threat awareness and further analysis [I-D.cheng-savnet-proactive-defense-network]. "Sample" can be taken together with any one of the above elimination actions. Note that, existing techniques like NetStream or NetFlow can be used for "Sample". 4. Security Considerations This document focuses on the organization of the core data structure of SAV and device-local SAV operation. The generation of SAV table is not discussed. There may be some security considerations for SAV generation, but it is not in the scope of this document. The "Sample" action pushes data to remote servers. This function can be achieved by existing techniques like NetStream or NetFlow. The "Sample" action may induce same security considerations as these techniques, and the corresponding documents have discussed them. Huang, et al. Expires 22 April 2024 [Page 8] Internet-Draft SAV Table October 2023 5. IANA Considerations This document includes no request to IANA. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 6.2. Informative References [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March 2004, . [RFC8704] Sriram, K., Montgomery, D., and J. Haas, "Enhanced Feasible-Path Unicast Reverse Path Forwarding", BCP 84, RFC 8704, DOI 10.17487/RFC8704, February 2020, . [RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. Bacher, "Dissemination of Flow Specification Rules", RFC 8955, DOI 10.17487/RFC8955, December 2020, . [RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., "Dissemination of Flow Specification Rules for IPv6", RFC 8956, DOI 10.17487/RFC8956, December 2020, . [I-D.cheng-savnet-proactive-defense-network] Cheng, W., Geng, N., Li, D., and S. Yue, "Network Proactive Defense based on Source Address Validation", Work in Progress, Internet-Draft, draft-cheng-savnet- proactive-defense-network-01, 19 October 2023, . Authors' Addresses Huang, et al. Expires 22 April 2024 [Page 9] Internet-Draft SAV Table October 2023 Mingqing Huang Huawei Technologies Beijing China Email: huangmingqing@huawei.com Weiqiang Cheng China Mobile Beijing China Email: chengweiqiang@chinamobile.com Dan Li Tsinghua University Beijing China Email: tolidan@tsinghua.edu.cn Nan Geng Huawei Technologies Beijing China Email: gengnan@huawei.com Mingxing Liu Huawei Technologies Beijing China Email: liumingxing7@huawei.com Li Chen Zhongguancun Laboratory Beijing China Email: lichen@zgclab.edu.cn Changwang Lin New H3C Technologies Beijing China Email: linchangwang.04414@h3c.com Huang, et al. Expires 22 April 2024 [Page 10]