Internet-Draft | BGP-LS Extensions for SAVNET | March 2024 |
Tong, et al. | Expires 5 September 2024 | [Page] |
BGP Link-state uses the BGP protocol to collect and report network topology to the network controller. This document defines a new type of BGP-LS NLRI for reporting source address validation-related information to the controller. The reported information can be used to generate SAV rules centrally.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-tong-idr-bgp-ls-savnet/.¶
Discussion of this document takes place on the Intra Domain Routing Working Group mailing list (mailto:idr@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/idr/. Subscribe at https://www.ietf.org/mailman/listinfo/idr/.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 September 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Source address spoofing-based attacks are one of the main sources of network threats. Source address validation (SAV) is an effective method to prevent such attacks [I-D.li-savnet-intra-domain-architecture] [I-D.wu-savnet-inter-domain-architecture].¶
Many network operators have deployed network controllers in their networks. A network controller can generate SAV rules from network topology information, and the generated SAV rules can then be disseminated to the network devices that enforce SAV.¶
The BGP Link-State (BGP-LS) protocol is a convenient tool for collecting network topology information [RFC9552]. It aggregates the topology information learned by the IGP and sends it to the controller above it. However, the information BGP-LS currently carries is not enough to generate accurate SAV rules: the controller also needs to know which interface of a device connects to a specific customer subnet and which source prefixes can legitimately arrive on that interface. This document calls the information needed for SAV rule generation SAV-related information.¶
This document defines a new type of BGP-LS NLRI for reporting source address validation-related information to the controller. The reported information can be used to generate SAV rules centrally.¶
This section introduces the SAV rules, SAV-related information, and BGP Link-State for SAV.¶
SAV rules are used to check the validity of the source addresses of incoming packets. A rule is usually of the form <source prefix, incoming interface set>. The source prefix selects the packets the rule applies to; the interface set is the set of physical interfaces on which those packets are expected to arrive. For example, the rule <P1, [intf1, intf2]> means that a packet whose source address is in P1 must arrive at the router on intf1 or intf2; a packet from P1 arriving on any other interface has an invalid source address. For packets with invalid source addresses, filtering actions such as block, rate-limit, and redirect can be applied [I-D.huang-savnet-sav-table].¶
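As an added example (not code from the draft), the following Python implements the <source prefix, incoming interface set> rule format above as a longest-prefix-match SAV table and applies the draft's filtering actions to packets that arrive on the wrong interface. The sample rules (the draft's <P1, [intf1, intf2]> plus a more specific carve-out and an IPv6 rule) are constructed for the example, and the choice to treat a source covered by no rule as "unknown" rather than invalid is an assumption of the example, not something the draft specifies.

```python
"""Added example, not part of the draft: a SAV table keyed by
<source prefix, incoming interface set> with longest-prefix match."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """Filtering actions the draft lists for invalid sources."""
    BLOCK = "block"
    RATE_LIMIT = "rate-limit"
    REDIRECT = "redirect"


@dataclass(frozen=True)
class SavRule:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    interfaces: frozenset[str]      # interfaces the prefix may legitimately arrive on
    action: Action = Action.BLOCK   # applied when a packet from prefix arrives elsewhere


class SavTable:
    """Longest-prefix-match SAV table. A source covered by no rule is reported
    as 'unknown' (assumption of this example; the draft does not say)."""

    def __init__(self) -> None:
        self._rules: list[SavRule] = []

    def add(self, prefix: str, interfaces, action: Action = Action.BLOCK) -> None:
        net = ipaddress.ip_network(prefix, strict=True)   # reject host bits set
        self._rules.append(SavRule(net, frozenset(interfaces), action))

    def match(self, src: str) -> SavRule | None:
        """Most specific rule whose prefix contains src, or None."""
        addr = ipaddress.ip_address(src)
        best = None
        for rule in self._rules:
            if rule.prefix.version != addr.version or addr not in rule.prefix:
                continue
            if best is None or rule.prefix.prefixlen > best.prefix.prefixlen:
                best = rule
        return best

    def check(self, src: str, ingress: str) -> tuple[str, Action | None]:
        """Return ('valid', None), ('invalid', action) or ('unknown', None)."""
        rule = self.match(src)
        if rule is None:
            return ("unknown", None)
        if ingress in rule.interfaces:
            return ("valid", None)
        return ("invalid", rule.action)


def build_example_table() -> SavTable:
    """Constructed sample rules; P1 = 192.0.2.0/24 as in the draft's example."""
    t = SavTable()
    t.add("192.0.2.0/24", ["intf1", "intf2"])                # <P1, [intf1, intf2]>
    t.add("192.0.2.128/25", ["intf3"], Action.RATE_LIMIT)    # more specific carve-out
    t.add("2001:db8::/32", ["intf1"], Action.REDIRECT)
    return t


if __name__ == "__main__":
    table = build_example_table()
    for src, intf in [("192.0.2.10", "intf1"), ("192.0.2.10", "intf3"),
                      ("192.0.2.200", "intf3"), ("192.0.2.200", "intf1"),
                      ("198.51.100.1", "intf9"), ("2001:db8::1", "intf2")]:
        print(f"{src:14} on {intf}: {table.check(src, intf)}")
```

The /25 carve-out shows why the lookup must be longest-prefix rather than first-match: 192.0.2.200 belongs to P1 but is only legitimate on intf3, so a first-match implementation keyed on the /24 would accept it on intf1.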
SAV-related information is the information the controller needs in order to generate SAV rules. It consists of:¶
Multi-instance identifier: identifier of the IGP domain, used to distinguish protocol instances when running IS-IS, OSPF multi-instance, or OSPFv3 multi-instance.¶
Subnet identifier: identifier that distinguishes one customer subnet from another.¶
Subnet prefix: the prefix of the customer subnet.¶
Access interface: the interface of the device through which the customer subnet is attached, i.e., the interface on which packets sourced from that subnet arrive.¶
BGP-LS is a newer way to collect network topology: it summarizes the topology information learned by the IGP and uploads it to the upper-layer controller, which standardizes the topology upload protocol and reduces the computational demand on the controller. In the SDN-controller-based intra-domain SAV enhancement scheme, SAV-related information is uploaded to the network controller via BGP-LS. As shown in Figure 1, the controller establishes BGP sessions with the routers in the AS, including both SAV-enabled and SAV-disabled devices, and receives SAV-related information over those sessions.¶
A new BGP-LS NLRI type (TBD1), the SAVNET NLRI, is defined in this section. The value field of the NLRI carries the SAV-related information described in Section 2.2 and is encoded as follows:¶
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
|  Protocol-ID  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Multiple instance identifier                  |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//            Local Node Descriptors TLV (variable)            //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//             Prefix Descriptors TLVs (variable)              //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//              Link Descriptors TLVs (variable)               //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//              Subnet Descriptors TLV (variable)              //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
The Protocol-ID, Multiple instance identifier (the 8-octet Identifier field of [RFC9552]), Local Node Descriptors TLV, Prefix Descriptors TLVs, and Link Descriptors TLVs in the figure above have the same format as defined in [RFC9552]. The Subnet Descriptors TLV is new and is encoded as follows:¶
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             Type              |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Subnet identifier                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
The meaning of the fields:¶
Type (TBD2): identifies this TLV as a Subnet Descriptor TLV.¶
Length: the length in octets of the value field that follows (the Subnet identifier), following the TLV format of [RFC9552].¶
Subnet identifier: identifies the access subnet. It is configured locally on the device [I-D.geng-idr-bgp-savnet].¶
This document introduces no security issues beyond those of BGP-LS [RFC9552]. Because SAV rules are generated from the reported information, the precautions of [RFC9552] apply to it in full: the Subnet identifier is configured locally on each device, so a misconfigured or falsely advertised Subnet Descriptor would cause the controller to generate incorrect SAV rules, and SAVNET NLRI should be advertised only to trusted controllers over protected BGP sessions.¶
IANA is requested to allocate a new BGP-LS NLRI type (TBD1) and a new Descriptor TLV type (TBD2) for the extensions defined in this document.¶
The authors would like to acknowledge the contributions from Wenxiang Lv and Jing Zhao.¶