| Internet-Draft | Intra-domain SAVNET Architecture | May 2023 |
| Li, et al. | Expires 6 November 2023 | [Page] |
This document proposes an intra-domain source address validation (intra-domain SAVNET) architecture. Devices can communicate with each other and share more SAV-related information other than routing information, which allows SAV rules to be automatically and accurately generated.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 November 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Source address validation (SAV) is important for mitigating source address spoofing and contributing to the Internet security. Source Address Validation Architecture (SAVA) [RFC5210] divides SAV into three checking levels, i.e., access-network SAV, intra-domain SAV, and inter-domain SAV. When an access network does not deploy SAV (such as SAVI [RFC7039][RFC7513], Cable Source Verify [cable-verify], and IP Source Guard [IPSG]), intra-domain SAV helps block spoofed packets as close to the source as possible. The concept of intra-domain SAV in this document keeps consistent with that in [I-D.li-savnet-intra-domain-problem-statement].¶
The main task of SAV mechanisms is to generate SAV rules for checking the validity of incoming packets. The information of source addresses/prefixes and their incoming directions makes up the SAV rules. How to efficiently and accurately learn the information is the core challenge for SAV mechanisms.¶
There are some intra-domain SAV mechanisms available [I-D.li-savnet-intra-domain-problem-statement]. Many of them such as strict uRPF [RFC3704] and loose uRPF [RFC3704] conduct SAV based on routing information (i.e., FIB). However, they may have false positive problems under asymmetric routing. Some SAV-tailored information, a complementary of routing information, is required for accurate validation. Manually configuring SAV-tailored information or directly configuring/modifying SAV rules (e.g., ACL-based filtering [RFC2827]) on routers is not practical for complex and dynamic networks, since operational overhead can be unacceptable.¶
This document proposes an intra-domain source address validation (intra-domain SAVNET) architecture. Under the architecture, devices can communicate with others for sharing SAV-related information (including routing information, SAV-tailored information, etc.). SAV rules can be generated accurately and automatically based on the shared SAV-related information. The proposed architecture aims to satisfy the requirements of automatic update and accurate validation described in [I-D.li-savnet-intra-domain-problem-statement]. Besides, the document presents some considerations of partial deployment, security, manageability, and privacy.¶
This architecture shows the high-level designs for future intra-domain SAV mechanisms. The protocols or protocol extensions for implementing the architecture are not in the scope of the document.¶
SAV Rule: The rule that indicates the validity of a specific source IP address or source IP prefix.¶
SAV Table: The table or data structure that implements the SAV rules and is used for source address validation in the data plane.¶
False Positive: The validation results that the packets with legitimate source addresses are considered invalid improperly due to inaccurate SAV rules.¶
False Negative: The validation results that the packets with spoofed source addresses are considered valid improperly due to inaccurate SAV rules.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The proposed architecture is shown in Figure 1. In the architecture, there is a communication channel connecting two entities, i.e., Source Entity and Validation Entity. Source Entity is the information source. It has some SAV-related information that can be useful for Validation Entity to generate SAV rules. The SAV-related information is transmitted through the channel between the two entities.¶
An entity can be a router, a server or some other SAV-equipped devices. A device can act as a Source Entity, a Validation Entity, or both of them.¶
+-------------------+ +-------------------+
| Source Entity |Communication| Validation Entity |
| +---------------+ | Channel | +---------------+ |
| | Source +-----------------+ Validation | |
| | Speaker | | | | Speaker | |
| +-------+-------+ | | +-------+-------+ |
| | | | | |
| | | | | |
| +-------+-------+ | | +-------+-------+ |
| | SAV-related | | | | SAV | |
| | Information | | | | Agent | |
| +---------------+ | | +---------------+ |
+-------------------+ +-------------------+
As shown in Figure 1, Source Speaker resides in Source Entity, and Validation Speaker is in Validation Entity. Either Source Speaker or Validation Speaker is an abstracted speaker which represents a union of multiple protocol speakers as illustrated in Figure 2. These protocol speakers can advertise and receive the messages carrying SAV-related information. The followings are some kinds of the protocol speakers:¶
These kinds of protocol speakers are NOT REQUIRED to be supported in one SAV mechanism following the architecture. For example, a SAV mechanism can only support YANG speaker and one SAV protocol speaker for getting SAV-related information.¶
+--------------------+
| Source/Validation |
| Speaker |
| +----------------+ |
| | Configuration <------------
| | Speaker | | |
| +----------------+ | |
| +----------------+ | ---> Interact
| |Routing Protocol<--------------> with other
| |Speaker | | ---> speakers
| +----------------+ | |
| +----------------+ | |
| | SAV Protocol <------------
| | Speaker | |
| +----------------+ |
+--------------------+
The communication channel is constructed between the Source Speaker and Validation Speaker. The primary purpose of the channel is for Source Entity to advertise SAV-related information to Validation Entity. In the channel, there can be multiple sessions maintained by the speakers belonging to configuration speakers, routing protocol speakers, and/or SAV protocol speakers. The concrete manner of constructing a session depends on the actual protocol speakers, but the following requirements SHOULD be satisfied:¶
Figure 3 shows SAV Agent. SAV Information Manager in SAV Agent parses the messages received by Validation Speaker. The SAV-related information carried in the messages will be stored in SAV Information Base. The information of Source Speaker, protocol speaker, timestamp, and other useful things will also be recorded together. The recorded information will be disseminated to SAV Rule Generator. SAV rules (e.g., tuples like <prefix, interface set, validity state>) will be generated and stored in SAV Table [I-D.huang-savnet-sav-table]. Besides rule generation, SAV Information Base also provides the support of diagnosis. Operators can look up the information in the base for protocol monitoring or troubleshooting.¶
Messages from
Validation Speaker
|
+---------------|---------------+
| SAV Agent | |
| +-------------\/------------+ |
| | SAV Information Manager | |
| | +-----------------------+ | |
| | | SAV Information Base | | |
| | +-----------------------+ | |
| +-------------+-------------+ |
| | |
| SAV-related | information |
| | |
| +-------------\/------------+ |
| | SAV Rule Generator | |
| | +-----------------------+ | |
| | | SAV Table | | |
| | +-----------------------+ | |
| +---------------------------+ |
+-------------------------------+
It can be noticed that SAV Information Base stores SAV-related information from different Source Entities and different protocol speakers. When SAV Rule Generator generates rules based on the stored information, rule conflicts may appear. For example, for a given prefix, the information from different entities or speakers may indicate a different list of valid incoming interfaces.¶
To solve the problem of rule conflicts, each Source Entity or protocol speaker can be set with a priority. So, the SAV-related information from the entity or protocol speaker is also tagged with a priority. When rule conflicts exist, the rule based on the information with a higher priority will override that based on the information with a lower priority. If two conflicted rules are based on the information with the same priority, they can be merged to one rule (i.e., taking a union set). When the settings of priority change, the affected information MUST be reprocessed for updating rules.¶
Consider that one Validation Entity receives the information about prefix P1 from one Source Entity through two protocol speakers. Based on the information from speaker 1, the rule is <P1, {intf1}, valid>. While based on the information from speaker 2, the rule is <P1, {intf2}, valid>. Next, consider two cases of priority settings. In case 1, speaker 1 has a higher priority than speaker 2. Then, the rule of <P1, {intf1}, valid> will be finally stored in SAV Table. In case 2, two speakers have the same priority. Then, <P1, {intf1, intf2}, valid> is the output rule.¶
It should be noted that priority is OPTIONAL and not a mandatory requirement. It is one possible method to deal with rule conflicts.¶
This section presents some examples of connectivity models of the architecture.¶
One Validation Entity can collect SAV-related information from multiple Source Entities as shown in Figure 4. For each Source Entity, Validation Entity maintains a communication channel for receiving messages.¶
+-----------------+
| Source Entity 1 |---------
+-----------------+ \
\
+-----------------+ \ +-------------------+
| Source Entity 2 |-------------| Validation Entity |
+-----------------+ / +-------------------+
... /
+-----------------+ /
| Source Entity n |---------
+-----------------+
One Source Entity can provide information for multiple Validation Entities as shown in Figure 5. Source Entity will maintain a communication channel with each Validation Entity.¶
By combining Example 1 and Example 2, it can be seen that the connectivity model can also be "multiple Source Entities to multiple Validation Entities".¶
+---------------------+
----------| Validation Entity 1 |
/ +---------------------+
/
+---------------+/ +---------------------+
| Source Entity |-------------| Validation Entity 2 |
+---------------+\ +---------------------+
\ ...
\ +---------------------+
----------| Validation Entity n |
+---------------------+
As mentioned previously, a device can be both Source and Validation Entity. In Figure 6, the middle entity is such a device. It can receive information messages from the top Source Entity and can advertise information messages to the bottom Validation Entity. The middle entity can also relay the messages from the top Source Entity to the bottom Validation Entity, which is just like routing information spreading.¶
+-------------------+
| Source Entity |
+-------------------+
|
+-------------------+
| Source&Validation |
| Entity |
+-------------------+
|
+-------------------+
| Validation Entity |
+-------------------+
Network topologies may change sometimes and result in the change of SAV-related information. Convergence of the architecture is needed. Source Entity MUST advertise the updates of SAV-related information to Validation Entity in time. Then, Validation Entity MUST update local SAV rules immediately. Even so, there will still be delay of message delivery (sometimes re-transmission delay due to packet loss) and information processing. Therefore, during the convergence process, the SAV rules for checking packets are possibly inaccurate, which may result in severes false positive or too much false negative.¶
Existing routing information-based SAV mechanisms like strict uRPF is also faced with convergence problem. Inaccurate validation may appear during the convergence of routing, which is inevitable in practice. However, the proposed architecture involves SAV protocols that are especially for SAV. The convergence process can be slowed down due to the existence of SAV protocols.¶
The protocol for implementing the architecture MUST carefully consider the convergence problems, so that normal packet forwarding won't be impacted too much. There are some potential work directions for dealing with convergence problems:¶
Although an intra-domain network mostly has one administration, partial deployment may still exist due to phased deployment or the limitations coming from multi-vendor supplement. Under partial deployment, routing information usually can be easily obtained by Validation Entity. The main challenge is that Validation Entity may not be able to get enough SAV-tailored information for generating accurate SAV rules. False positive problems may appear under inaccurate rules.¶
The implementation of Validation Entity is RECOMMENDED to support flexible validation modes such as interface-based prefix allowlist, interface-based prefix blocklist, and prefix-based interface allowlist [I-D.huang-savnet-sav-table]. The first two modes are interface-scale, and the last one is device-scale. Under partial deployment, the device of Validation Entity SHOULD take on the proper validation mode according to the deploying of Source Entities. For example, if Validation Entity is able to get the complete set of legitimate source prefixes arriving at a given interface, interface-based prefix allowlist can be enabled at the given interface, and false positive will not exist.¶
Another approach to deal with partial deployment is to take conservative actions on the validated data packets. That is to say, the packet with an invalid result will not be dropped directly. Instead, they can be conducted rate-limiting action, redirecting action, or sampling action for supporting further analysis. These conservative actions will not result in serious consequences under false positive validation results, while still providing protection for the network.¶
In an extreme case, no SAV-tailored information can be obtained by Validation Entity. Then, the existing mechanisms that purely rely on routing information for SAV can be used. The operators SHOULD fully understand the limitations of existing mechanisms.¶
In many cases, an intra-domain network can be considered as a trusted domain. There will be no threats within the domain.¶
However, in some other cases, devices within the domain do not trust each other. Operators SHOULD be aware of potential threats involved in deploying the architecture. Typically, the potential threats and solutions are as follows:¶
Entity impersonation.¶
Message blocking.¶
Message alteration.¶
Message replay.¶
When implementing the architecture in an extended protocol, the existing security mechanisms of the protocol can be taken.¶
The architecture provides a general design for collecting SAV-related information and generating accurate SAV rules. Protocol-independent mechanisms SHOULD be provided for operating and managing SAV-related configurations. For example, a YANG data model for SAV configuration and operation is necessary for the ease of management.¶
SAV may affect the normal forwarding of data packets. The diagnosis approach and necessary logging information SHOULD be provided. SAV Information Base SHOULD store some information that may not be useful for rule generation but is helpful for management.¶
Messages carrying SAV-related information come from different protocol speakers. Each corresponding protocol SHOULD have monitoring and troubleshooting mechanisms, which is necessary for efficiently operating the architecture.¶
The advertised SAV-related information mainly indicates the incoming directions of source prefixes. Devices under the architecture will learn more forwarding information of data packets.¶
An intra-domain network is mostly operated by a single organization or company, and the advertised information is only used within the network. Therefore, the architecture does not import critical privacy issues in usual cases.¶
The architecture makes the forwarding information in the network clearer, which can be helpful for network management such as fault diagnosis and traffic visualization.¶
This document has no IANA requirements.¶
Many thanks to the valuable comments from: Igor Lubashev, Alvaro Retana, Aijun Wang, Joel Halpern, Jared Mauch, Kotikalapudi Sriram, Rüdiger Volk, Jeffrey Haas, etc.¶