Internet-Draft | BGP FlowSpec for SAV | March 2024 |
Geng & Li | Expires 4 September 2024 | [Page] |
BGP FlowSpec reuses BGP route to distribute infrastructure and propogates traffic flow information with filtering actions. This document specifies a new flow specification called Incoming-Interface-Set. Incoming-Interface-Set can be used together with the Source Prefix component to disseminate SAV rules.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 September 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Source Address Validation (SAV) is an efficient method for preventing source address spoofing-based attacks. SAV rules indicate the valid/invalid incoming interfaces of a specific source IP address or source IP prefix. The rules can be deployed on edge routers, border routers, or aggregation routers for checking the validity of intra-domain and inter-domain packets. For invalid packets, filtering actions can be taken such as block, rate-limit, redirect, and sampling [I-D.huang-savnet-sav-table].¶
There are many mechanisms that can distributely generate SAV rules on routers ([RFC2827], [RFC3704], [RFC5210], [RFC8704], and [manrs-antispoofing]). To facilitate flexible SAV management and improve validation accuracy, centralized SAV rule dissemination is also needed [I-D.li-savnet-intra-domain-architecture][I-D.wu-savnet-inter-domain-architecture], which can be a complementary to existing distributed SAV mechanisms.¶
BGP FlowSpec is a convenient and flexible tool for traffic filtering/controling ([RFC8955], [RFC8956]). It propogates traffic flow information for different traffic control purposes through the BGP protocol extension. Existing BGP FlowSpec has supported source prefix matching and various traffic filtering actions but does not support binding valid/invalid incoming interfaces to source prefixes. With a minor extension, BGP FlowSpec can be used for SAV rule dissemination.¶
This document specifies a new flow specification component named Incoming-Interface-Set. SAV rules can be disseminated through BGP FlowSpec by carrying the new flow specification component together with Source Prefix component. Traffic filtering actions of existing BGP FlowSpec can also be carried to specify the actions for the packets failing source address validation.¶
The new extension can be used to configure SAV rules on remote routers. It can also act as a supplement of existing SAV mechanisms and help improve SAV accuracy.¶
SAV: Source address validation¶
SAV Rule: The rule that indicates the valid/invalid incoming interfaces of a specific source IP address or source IP prefix.¶
Group Identifier: An ID value that indentifies a set of interfaces on the target routers (e.g., all the interfaces connected to customer ASes).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
SAV rules can be used for checking the validity of source addresses of incoming packets. A rule usually has a format of <source prefix, interface set, validity indicator>. Source prefix is for matching specific packets. Interface set represents a set of physical interfaces from which the packets arrive. Validity indicator indicates whether the packets matching the source prefix and arrival interface are valid or invalid. So, validity indicator has a value of either valid or invalid.¶
For example, the rule <P1, [intf1, intf2], valid> means the source prefix P1 must arrive the router at interface Intf1 or Intf2, otherwise, P1 is invalid. For the packets with invalid source addresses/prefixes, the filtering actions, such as block, rate-limit, and redirect, can be taken [I-D.huang-savnet-sav-table].¶
In real networks, the interface set in SAV rules usually can be grouped. For example, the interfaces can be grouped as:¶
Subnet interface set that contains the interfaces connecting a target subnet.¶
All customer AS interfaces set or the customer AS interfaces set of a customer AS.¶
All lateral peer AS interfaces set or the lateral peer AS interfaces set of a lateral peer AS.¶
All transit provider AS interfaces set or the transit provider AS interfaces set of a transit provider AS.¶
These interface set can be indentified by a Group Identifier for easy management. Group Identifier is a local interface property on the target routers, and the meaning of it depneds on the configurations of network administrator. Any interface may be associated with one or more Group Identifiers.¶
SAV can be disseminated to Edge/Border/Aggragation routers (i.e., target routers) through BGP FlowSpec, as shown in the figure below. The controller is used to set up BGP connection with the routers in a SAV-deployed AS or domain. Note that, SAV rules disseminated by BGP FlowSpec can take effect alone or acts as a management tool of other SAV mechanisms (e.g., [RFC8704]).¶
+------------+ | Controller | +------------+ / | \ / FS | FS \ FS / | \ +-------------+ +--------------+ +---------+ | Provider or | | SAV-deployed | | | | Customer or |------# AS/Domain #------| Subnets | | Peer AS | | | | | +-------------+ +--------------+ +---------+¶
Existing BGP FlowSpec has supported source prefix matching and various traffic filtering actions. To dissenimate SAV rules (<source prefix, interface set, validity indicator>), a new flow specification component is needed to carry the information of interface set and validity indicator.¶
The new flow specification component is encoded in the BGP Flowspec NLRI. It SHOULD appear together with Source Prefix component.¶
The following new component type is defined:¶
The new component contains a set of {numeric_op, value} pairs that are used to match the Incoming-Interface-Set (i.e., the valid or invalid interfaces of a specific source prefix).¶
The numeric operator (numeric_op) is encoded as (see RFC8955 sec. 4.2.1.1):¶
0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | len | 0 |lt |gt |eq | +---+---+---+---+---+---+---+---+¶
The value field is encoded as:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |V|U| Group Identifier (variable, 6, 14, 30, or 62 bits) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
The length of the value field can be 1, 2, 4, or 8 octets, which depends on the len in numeric_op. Partiularly, the most two significant bits in the value field are two flags:¶
Flag V (1 bit): The most significant bit in the value field. If set, the identified interface set is valid for the source prefix. If unset, it means the interface set is invalid for the source prefix.¶
Flag U (1 bit): The second most significant bit in the value field. If set, it is unknown for the source prefix whether the rest of interfaces (not included in the interface set) on the target router are valid or invalid. If unset, it means the rest of interfaces on the target router are invalid (when V is set) or valid (when V is unset) for the source prefix.¶
The bits lt, gt, and eq can be combined to match a specific Group Identifier or a range of Group Identifiers (e.g., greater than Group ID1 and less than Group ID2).¶
If a receiving BGP speaker cannot support this new flow specification component type, it MUST discard the NLRI value field that contains such unknown components (section 10 of [RFC8955]). A NLRI value field MUST only contain a Source Prefix component and a Incoming-Interface-Set component. If the NLRI value does not satisfy this principle, the receiving BGP speaker SHOULD discard the NLRI value field (see Section Section 3.3). Since the NLRI field encoding (Section 4 of [RFC8955]) is defined in the form of a 2-tuple <length, NLRI value>, message decoding can skip over the unknown NLRI value and continue with subsequent remaining NLRIs.¶
Example 1: Configure soucre prefix P1 as valid at AS1's interfaces (Group Identifier=ID1) connecting a multi-homed subnet.¶
Encoding description: NLRI carries a P1 in a Source Prefix componentand a Incoming-Interface-set component with V=1, U=1, Group Identifier=ID1.¶
Example 2: Configure soucre prefix P2 as invalid at AS2's interfaces (Group Identifier=ID2) connecting to transit providers and as valid for any other interfaces.¶
Encoding description: NLRI carries a P2 in a Source Prefix componentand a Incoming-Interface-set component with V=0, U=0, Group Identifier=ID2.¶
The Incoming-Interface-Set component can be used as a general flow specification instead of SAV-specific component. Other components can be conbined with the new component for matching specific traffic.¶
This document requests a new entry in "Flow Spec component types registry" with the following values:¶
+=======+========================+===============+ | Type | IPv4/IPv6 Name | Reference | +=======+========================+===============+ | TBD1 | Incoming-Interface-set | This document | +-------+------------------------+---------------+¶
Many thanks to the comments from Shunwan Zhuang, Susan Hares, Jeffrey Haas, Mingqing Huang etc.¶