Internet-Draft BGP-LS Extensions for SAVNET March 2024
Tong, et al. Expires 5 September 2024
Workgroup: Intra Domain Routing
Internet-Draft: draft-tong-idr-bgp-ls-savnet-00
Published:
Intended Status: Standards Track
Expires: 5 September 2024
Authors:
T. Tong, China Unicom
R. Pang, China Unicom
N. Geng, Huawei
M. Liu, Huawei

BGP Link-State Extensions for Source Address Validation Networks (SAVNET)

Abstract

BGP Link-State (BGP-LS) uses BGP to collect network topology information and report it to a network controller. This document defines a new type of BGP-LS NLRI for reporting source address validation (SAV)-related information to the controller. The reported information can be used to generate SAV rules centrally.

About This Document

This note is to be removed before publishing as an RFC.

Status information for this document may be found at https://datatracker.ietf.org/doc/draft-tong-idr-bgp-ls-savnet/.

Discussion of this document takes place on the Intra Domain Routing Working Group mailing list (mailto:idr@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/idr/. Subscribe at https://www.ietf.org/mailman/listinfo/idr/.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 5 September 2024.

1. Introduction

Attacks based on source address spoofing are one of the main sources of network threats. Source address validation (SAV) is an effective method to prevent such attacks [I-D.li-savnet-intra-domain-architecture] [I-D.wu-savnet-inter-domain-architecture].

Many network operators have deployed network controllers in their networks. A controller can generate SAV rules from the network topology information it collects and then disseminate the generated rules to the network devices that enforce them.

The BGP Link-State (BGP-LS) protocol is a convenient tool for collecting network topology information [RFC9552]. It carries the link-state information learned by the IGP and delivers it to the controller. However, the information BGP-LS carries today is not enough to generate accurate SAV rules: the controller also needs to know which interface of a router a given subnet is attached to, and which source prefixes are reachable through each interface. Information of this kind, useful for SAV rule generation, is called SAV-related information in this document.

This document defines a new type of BGP-LS NLRI for reporting source address validation-related information to the controller. The reported information can be used to generate SAV rules centrally.

1.1. Terminology

  • SAV: Source address validation

  • SAV Rule: The rule that indicates the valid/invalid incoming interfaces of a specific source IP address or source IP prefix.

  • AS: Autonomous System
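The draft leaves rule generation to the controller and does not specify an algorithm for it (the NLRI encoding itself is in the sections not reproduced here). The following is an added example, not code from this draft or its authors, showing what the controller does with the SAV-related information once it has it: for every router and source prefix it derives the valid incoming interfaces, i.e. the SAV Rule defined in Section 1.1, and a data-plane check then applies those rules. The algorithm used here is an assumption: a prefix's valid ingress interfaces on a router are the interfaces toward that router's predecessors in the shortest-path DAG rooted at the router the prefix is attached to, keeping all equal-cost paths. The topology, link metrics, interface names and prefixes are constructed. The strict-uRPF comparison shows why the reverse-path view a router has on its own can differ from the forward-path view the controller computes.

```python
"""Central SAV rule generation from IGP topology plus subnet attachment.

Added illustration; the rule-generation algorithm and all data are assumptions,
not taken from draft-tong-idr-bgp-ls-savnet.
"""
import heapq
import ipaddress
from collections import defaultdict

# Constructed topology. Entry: (router_a, iface_a, router_b, iface_b,
# cost_a_to_b, cost_b_to_a). R1<->R3 has asymmetric metrics on purpose, and
# R1->R4->R3 costs the same as R1->R3, so that forward and reverse paths differ
# and one prefix has two equal-cost arrival interfaces on R3.
LINKS = [
    ("R1", "eth1", "R2", "eth1", 10, 10),
    ("R2", "eth2", "R3", "eth2", 10, 10),
    ("R1", "eth3", "R3", "eth3", 10, 100),
    ("R1", "eth4", "R4", "eth1", 5, 5),
    ("R4", "eth2", "R3", "eth4", 5, 5),
]

# Constructed SAV-related information (the kind of data the draft proposes to
# report via BGP-LS): source prefix -> (attachment router, attachment iface).
ATTACHMENTS = {
    "10.0.1.0/24": ("R1", "eth9"),
    "10.0.2.0/24": ("R2", "eth9"),
}


def build_graph(links):
    """Directed adjacency: adj[a] -> [(b, iface_on_a, iface_on_b, cost_a_to_b)]."""
    adj = defaultdict(list)
    for a, ia, b, ib, c_ab, c_ba in links:
        adj[a].append((b, ia, ib, c_ab))
        adj[b].append((a, ib, ia, c_ba))
    return adj


def shortest_path_dag(adj, src):
    """Dijkstra from src that keeps every predecessor on an equal-cost path.

    Returns (dist, preds) with preds[v] = {(u, egress_iface_on_u, ingress_iface_on_v)}:
    the links over which traffic originating at src arrives at v.
    """
    dist = {src: 0}
    preds = defaultdict(set)
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, iface_u, iface_v, cost in adj[u]:
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = {(u, iface_u, iface_v)}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add((u, iface_u, iface_v))  # ECMP: keep all equal-cost paths
    return dist, preds


def generate_sav_rules(links, attachments):
    """Controller side (assumed algorithm): rules[router][prefix] = valid ingress ifaces."""
    adj = build_graph(links)
    rules = defaultdict(dict)
    for prefix, (origin, attach_iface) in attachments.items():
        rules[origin][prefix] = {attach_iface}  # at the origin, only the customer-facing iface
        _, preds = shortest_path_dag(adj, origin)
        for router, entries in preds.items():
            rules[router][prefix] = {ingress for _, _, ingress in entries}
    return rules


def strict_urpf_ifaces(links, router, prefix, attachments):
    """Interfaces a strict-uRPF check on `router` would accept `prefix` on:
    the router's own next-hop interface(s) toward the prefix (reverse path)."""
    adj = build_graph(links)
    origin, attach_iface = attachments[prefix]
    if router == origin:
        return {attach_iface}
    _, preds = shortest_path_dag(adj, router)
    first_hops, stack, seen = set(), [origin], set()
    while stack:  # walk back from origin to router; record router's egress ifaces
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for pred, egress_on_pred, _ in preds[node]:
            if pred == router:
                first_hops.add(egress_on_pred)
            else:
                stack.append(pred)
    return first_hops


def validate(rules, router, src_ip, ingress, default_permit=True):
    """Data-plane SAV check on `router`: longest-prefix match on the source, then
    check the ingress interface. Unmatched sources fall back to default_permit
    (an assumption; the draft does not fix the default policy)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, ifaces in rules.get(router, {}).items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return default_permit if best is None else ingress in best[1]


RULES = generate_sav_rules(LINKS, ATTACHMENTS)

if __name__ == "__main__":
    for router in sorted(RULES):
        for prefix, ifaces in sorted(RULES[router].items()):
            print(f"{router}: source {prefix} valid on {sorted(ifaces)}")
    print("strict uRPF on R3 for 10.0.1.0/24:",
          sorted(strict_urpf_ifaces(LINKS, "R3", "10.0.1.0/24", ATTACHMENTS)))
```

On R3 the controller accepts 10.0.1.0/24 on both eth3 (direct from R1) and eth4 (via R4), because forward traffic from R1 is split over the two equal-cost paths. R3's own reverse-path view, which is all strict uRPF has, reaches R1 only via R4 (the direct link costs 100 in that direction), so it would accept the prefix on eth4 alone and drop legitimate packets arriving on eth3. The topology from the IGP is what makes the forward-path computation possible; the attachment information (which interface of R1 the subnet sits behind) is what BGP-LS does not carry today and what this draft adds.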

4. Security Considerations

This document defines a new BGP-LS NLRI type and does not change the BGP-LS protocol itself; the security considerations of [RFC9552] apply. Because the reported SAV-related information is used to generate SAV rules centrally, the accuracy and integrity of what the controller receives determine the accuracy of the resulting rules, so the BGP-LS session between the reporting devices and the controller should be protected as described in [RFC9552]. No new security issues are introduced.

5. IANA Considerations

IANA is requested to allocate a new BGP-LS NLRI type (TBD1) and a new Descriptor TLV type (TBD2) for the extensions proposed in this document.

6. References

6.1. Normative References

[RFC9552]
Talaulikar, K., Ed., "Distribution of Link-State and Traffic Engineering Information Using BGP", RFC 9552, DOI 10.17487/RFC9552, <https://www.rfc-editor.org/rfc/rfc9552>.

6.2. Informative References

[I-D.geng-idr-bgp-savnet]
Geng, N., Li, Z., Tan, Z., Liu, Li, D., and F. Gao, "BGP Extensions for Source Address Validation Networks (BGP SAVNET)", Work in Progress, Internet-Draft, draft-geng-idr-bgp-savnet-03, <https://datatracker.ietf.org/doc/html/draft-geng-idr-bgp-savnet-03>.
[I-D.huang-savnet-sav-table]
Huang, M., Cheng, W., Li, D., Geng, N., Liu, Chen, L., and C. Lin, "General Source Address Validation Capabilities", Work in Progress, Internet-Draft, draft-huang-savnet-sav-table-05, <https://datatracker.ietf.org/doc/html/draft-huang-savnet-sav-table-05>.
[I-D.li-savnet-intra-domain-architecture]
Li, D., Wu, J., Qin, L., Geng, N., Chen, L., Huang, M., and F. Gao, "Intra-domain Source Address Validation (SAVNET) Architecture", Work in Progress, Internet-Draft, draft-li-savnet-intra-domain-architecture-06, <https://datatracker.ietf.org/doc/html/draft-li-savnet-intra-domain-architecture-06>.
[I-D.wu-savnet-inter-domain-architecture]
Wu, J., Li, D., Huang, M., Chen, L., Geng, N., Liu, L., and L. Qin, "Inter-domain Source Address Validation (SAVNET) Architecture", Work in Progress, Internet-Draft, draft-wu-savnet-inter-domain-architecture-06, <https://datatracker.ietf.org/doc/html/draft-wu-savnet-inter-domain-architecture-06>.

Acknowledgments

The authors would like to acknowledge the contributions from Wenxiang Lv and Jing Zhao.

Authors' Addresses

Tian Tong
China Unicom
Ran Pang
China Unicom
Nan Geng
Huawei
Mingxing Liu
Huawei