SAVNET                                                     W. Cheng
Internet-Draft                                         China Mobile
Intended status: Standards Track                             C. Lin
Expires: September 3, 2024                     New H3C Technologies
                                                             S. Yue
                                                       China Mobile
                                                      March 4, 2024

                   Intra-domain SAV Support via BGP
               draft-cheng-savnet-intra-domain-sav-bgp-00

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on September 3, 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Cheng, et al.              Expires September, 2024              [Page 1]

Internet-Draft      Intra-domain SAV Support via BGP          March 2024
Abstract

   This document describes a method for publishing source prefixes via
   the BGP protocol and deriving SAVNET table entries for them from the
   intra-domain next-hop SAVNET rules.  The intra-domain next-hop SAVNET
   rules are generated by the intra-domain IGP protocol; the BGP
   protocol inherits the source interface list from the SAVNET rule of
   each prefix's next hop to generate the SAVNET rule table for its
   source prefixes.

Table of Contents

   1. Introduction...................................................3
   2. Terminology....................................................3
   3. Solution.......................................................4
      3.1. Overview..................................................4
      3.2. Procedure.................................................6
   4. Example........................................................7
   5. Deployment Considerations......................................7
   6. IANA Considerations............................................8
   7. Security Considerations........................................8
   8. References.....................................................8
      8.1. Normative References......................................8
      8.2. Informative References....................................9
   Acknowledgments...................................................9
   Authors' Addresses................................................9

1. Introduction

   As shown in Figure 1, the existing network has the following
   scenario: within the intra-domain network, topology information is
   disseminated via the IGP protocol, while prefix information is
   distributed via iBGP neighbors.  All iBGP nodes establish iBGP
   neighbor relationships with Route Reflectors (RRs) and exchange
   source prefix information.
   The IGP protocol contains network topology information but lacks
   source prefix information, while the BGP protocol holds source prefix
   information but does not include network topology information.  In
   this scenario, the network topology information from the IGP must be
   combined with the source prefix information from the BGP protocol in
   order to compute the source interface (port) information associated
   with each source prefix and generate SAV rules.

   +---------------------------------------------------------+
   | AS                                                      |
   |                                                         |
   |     iBGP ============ RR ============   iBGP            |
   |  +---------+   (                 )   +---------+        |
   |  |iBGP Node|---(   IGP Network   )---|iBGP Node|        |
   |  +---------+   (                 )   +---------+        |
   +---------------------------------------------------------+

               Figure 1: The case of the SAVNET Procedure

   The scenario described in [draft-cheng-savnet-intra-domain-sav-IGP-00]
   and [I-D.lin-Intra-domain-savnet-method] involves the publication of
   SAVNET source prefixes by the IGP protocol and the generation of
   SAVNET rules based on the connectivity calculation using the IGP's
   topology information.  However, in the scenario described in this
   document, where the source prefix information is published by the BGP
   protocol, that method cannot generate the required SAV rules.  This
   document describes how to generate SAV rules in this network scenario
   using the topology information from the IGP protocol and the source
   prefix information from the BGP protocol.

2. Terminology

   The following terminologies are used in this document.

   SAV Rule:  The rule that indicates the source validity of a specific
      IP address or an IP prefix.

   SAV Table:  The table or data structure that implements the SAV rules
      and is used for source address validation in the data plane.

   IGP:  Interior Gateway Protocol.

   BGP:  Border Gateway Protocol.

   Source prefix:  The source prefixes are used to validate source
      addresses in the data plane.

3. Solution

3.1. Overview

   This section introduces a new method for computing and generating SAV
   rules based on BGP source prefix and IGP topology information in an
   intra-domain scenario.  The method relies on two fundamental pieces
   of information: the source prefix information and the reachability
   information.  The source prefix information can be transmitted
   through static configuration or the BGP protocol; this document
   addresses the scenario where it is transmitted via the BGP protocol.
   The source prefix information consists of the source prefix and the
   next-hop information with which the prefix is published.  The IGP's
   topology information includes the connectivity details between nodes
   and the IGP prefix information published by each node.

   As depicted in Figure 2, source prefix information is disseminated
   via the BGP protocol: Router C advertises the source prefix Prefix1
   with a next hop of Router 2, Router D advertises the source prefix
   Prefix2 with a next hop of Router 3, and Router E advertises the
   source prefix Prefix3 with a next hop of Router 4.  Router B, serving
   as the BGP Route Reflector, collects and reflects all BGP source
   prefix information.

   Based on the IGP's topology information, the interface list
   corresponding to each IGP prefix can be calculated.  The specific
   calculation process can be found in
   [draft-cheng-savnet-intra-domain-sav-BGP-00].  The first-level
   NextHop SAV rule table is generated from this information in the form
   (IGP-Prefix, if).

   The calculation of the next-hop SAV rule is not limited to the IGP
   and can involve other new extended protocols not described in this
   document.  Subsequently, using the source prefix information
   distributed via the iBGP protocol, the next hop of each source prefix
   is matched against the first-level SAV rule table.
   Once a match is found, the interface list "if" is inherited to
   produce the second-level SAV rule table (BGP-Prefix, if).  This
   document relies on the generation of SAVNET rules based on the next
   hop derived from the IGP protocol.  The relationships of the
   generated SAVNET rule tables are illustrated in Figure 3.

   +---------------------------------------------------------+
   | AS                                                      |
   |                      iBGP Router1                       |
   |  SAV Rule:          +--------3-+                        |
   |  (Prefix1, A-1)     | Router A |                        |
   |  (Prefix2, A-1)     +1--------2+                        |
   |  (Prefix3, A-2)     /\        /\                        |
   |                    /            \                       |
   |                   /              \                      |
   |                  /                \                     |
   |                 /                  \                    |
   |   RR        +----------+        +----------+            |
   |  iBGP       | Router B |        | Router E | iBGP       |
   |  Router5    +1--------2+        +---------1+ Router6    |
   |             /\       /\                  /\             |
   |            /           \                   \            |
   |           /             \                   \           |
   |     +----------+  +----------+         +----------+     |
   |     | Router C |  | Router D |         | Router F |     |
   |     +----------+  +----------+         +----------+     |
   |     iBGP Router2  iBGP Router3         iBGP Router4     |
   |     Prefix1       Prefix2              Prefix3          |
   +---------------------------------------------------------+

              Figure 2: Example 1 of Topology Calculation

   This approach enables automatic adjustment of SAV table entries based
   on topological changes, thereby achieving secure protection for
   source addresses within the domain.

        +----------+              +----------+
        | BGP Route|              | IGP LSDB |
        +----------+              +----------+
             |                          |
             |                          V
             |                    +------------+
             | NextHop <- - - - ->|NextHop SAVA|
             |                    +------------+
             |                          |
             V                          V
           Source                    NextHop
           Prefix                      If
             |                          |
             +------------+-------------+
                          |
                          V
                    +------------+
                    |  BGP SAVA  |
                    +------------+

              Figure 3: Example 1 of Topology Calculation

3.2. Procedure

   The calculation process for intra-domain SAVNET rules based on BGP is
   as follows:

   Step 1: Perform the calculation based on the LSDB of the IGP protocol
   and generate first-level SAV rules using the prefix information
   published by the IGP nodes.  The generated SAVNET rule takes the form
   (IGP-Prefix, if).  This also forms the next-hop SAVNET table required
   for BGP.
   Step 2: Iterate through all source prefix information distributed by
   the BGP protocol.  For each source prefix, take the next-hop
   information of its publisher and look that next-hop address up in
   the SAV rules generated in Step 1.  Inherit the interface list of the
   matching first-level SAV rule to generate the second-level SAV rule.
   The generated rules take the form (BGP-Prefix, if).

   Step 3: If the topology information of the IGP protocol changes,
   repeat the calculation in Step 1.  If the SAV rules generated in
   Step 1 change, the BGP protocol refreshes the (BGP-Prefix, if) rule
   table from the next-hop SAVNET table, thus skipping Step 2.

   Step 4: If the source prefix information distributed by the BGP
   protocol changes, skip Step 1 and proceed with the calculation
   according to Step 2, refreshing the rule list generated by BGP.

4. Example

   +---------------------------------------------------------+
   | AS                                                      |
   |                      iBGP 11.11.11.11                   |
   |  SAV Rule:          +--------3-+                        |
   |  (10.0.0.0/24, A-1) | Router A |                        |
   |  (20.0.0.0/24, A-1) +1--------2+                        |
   |  (30.0.0.0/24, A-2) /\        /\                        |
   |                    /            \                       |
   |                   /              \                      |
   |                  /                \                     |
   |                 /                  \                    |
   |   RR        +----------+        +----------+            |
   |  iBGP       | Router B |        | Router E | iBGP       |
   |  55.55.55.55+1--------2+        +---------1+ 66.66.66.66|
   |             /\       /\                  /\             |
   |            /           \                   \            |
   |           /             \                   \           |
   |     +----------+  +----------+         +----------+     |
   |     | Router C |  | Router D |         | Router F |     |
   |     +----------+  +----------+         +----------+     |
   |   iBGP 22.22.22.22  iBGP 33.33.33.33   iBGP 44.44.44.44 |
   |   P: 10.0.0.0/24    P: 20.0.0.0/24     P: 30.0.0.0/24   |
   +---------------------------------------------------------+

              Figure 4: Example 3 of Topology Calculation

   After the internal IGP calculation, router A determines that the BGP
   neighbors reachable via A-1 are 22.22.22.22 and 33.33.33.33, and that
   BGP neighbor 44.44.44.44 is reachable via A-2.
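   The two-level calculation of Section 3.2, applied to the Figure 4
   data above, as an added Python example; it is an illustration added
   here, not code from the draft.  The function and class names
   (build_next_hop_table, derive_bgp_rules, validate_source,
   SavCalculator), the representation of interfaces as the strings
   "A-1" and "A-2", and the treatment of a source address that no rule
   covers are assumptions of the example; the sample input is
   constructed from Figure 4.

```python
"""Two-level SAV rule calculation of Section 3.2 applied to Figure 4.

Added example, not code from the draft.  The names used here
(build_next_hop_table, derive_bgp_rules, validate_source, SavCalculator)
and the handling of sources that no rule covers are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
# Both levels share one shape: prefix -> interfaces on which it is a valid
# source.  First level: (IGP-Prefix, if); second level: (BGP-Prefix, if).
SavTable = Dict[Net, FrozenSet[str]]


@dataclass(frozen=True)
class BgpSourcePrefix:
    """A source prefix received over iBGP with the next hop it was published with."""
    prefix: str
    next_hop: str


def build_next_hop_table(igp_rules: Iterable[Tuple[str, Iterable[str]]]) -> SavTable:
    """Step 1: the (IGP-Prefix, if) rules.  The IGP connectivity calculation
    that decides which interfaces reach each IGP prefix is outside this
    example; its result is taken as input."""
    table: SavTable = {}
    for prefix, ifaces in igp_rules:
        net = Net(prefix)
        table[net] = table.get(net, frozenset()) | frozenset(ifaces)
    return table


def longest_match(table: SavTable, addr: Addr) -> Optional[FrozenSet[str]]:
    """Interface list of the most specific rule covering addr, or None."""
    best: Optional[Net] = None
    for net in table:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else table[best]


def derive_bgp_rules(next_hop_table: SavTable,
                     bgp_prefixes: Iterable[BgpSourcePrefix]
                     ) -> Tuple[SavTable, List[BgpSourcePrefix]]:
    """Step 2: look each prefix's next hop up in the first-level table and
    inherit its interface list.  Prefixes whose next hop matches no
    first-level rule get no (BGP-Prefix, if) rule and are reported."""
    rules: SavTable = {}
    unresolved: List[BgpSourcePrefix] = []
    for sp in bgp_prefixes:
        ifaces = longest_match(next_hop_table, Addr(sp.next_hop))
        if ifaces is None:
            unresolved.append(sp)
            continue
        net = Net(sp.prefix)
        # The same prefix may be published by several nodes; each publisher's
        # interface list is valid for it, so the lists are merged.
        rules[net] = rules.get(net, frozenset()) | ifaces
    return rules, unresolved


def interfaces_for(table: SavTable, prefix: str) -> List[str]:
    """Sorted interface list of one rule; empty when the prefix has none."""
    return sorted(table.get(Net(prefix), frozenset()))


def validate_source(rules: SavTable, src_ip: str, ingress_if: str) -> str:
    """Data-plane check against the (BGP-Prefix, if) table: "valid" if the
    covering rule allows the ingress interface, "invalid" if it excludes
    it, "unknown" if no rule covers the source (not defined by the draft;
    treating that case is local policy)."""
    ifaces = longest_match(rules, Addr(src_ip))
    if ifaces is None:
        return "unknown"
    return "valid" if ingress_if in ifaces else "invalid"


class SavCalculator:
    """Holds both tables and refreshes them as Steps 3 and 4 prescribe."""

    def __init__(self, igp_rules, bgp_prefixes):
        self.bgp_prefixes = list(bgp_prefixes)
        self.next_hop_table = build_next_hop_table(igp_rules)
        self.bgp_table, self.unresolved = derive_bgp_rules(
            self.next_hop_table, self.bgp_prefixes)

    def on_igp_change(self, igp_rules) -> bool:
        """Step 3: recompute the first-level table; only if it changed do
        the BGP rules re-inherit their interface lists from it."""
        new_table = build_next_hop_table(igp_rules)
        if new_table == self.next_hop_table:
            return False
        self.next_hop_table = new_table
        self.bgp_table, self.unresolved = derive_bgp_rules(
            new_table, self.bgp_prefixes)
        return True

    def on_bgp_change(self, bgp_prefixes) -> None:
        """Step 4: source prefixes changed; Step 1 is skipped, Step 2 reruns."""
        self.bgp_prefixes = list(bgp_prefixes)
        self.bgp_table, self.unresolved = derive_bgp_rules(
            self.next_hop_table, self.bgp_prefixes)


# Constructed sample input mirroring Figure 4: on router A the IGP reaches
# 22.22.22.22 and 33.33.33.33 via A-1 and 44.44.44.44 via A-2.
FIGURE4_IGP_RULES = [("22.22.22.22/32", ["A-1"]),
                     ("33.33.33.33/32", ["A-1"]),
                     ("44.44.44.44/32", ["A-2"])]
FIGURE4_BGP_PREFIXES = [BgpSourcePrefix("10.0.0.0/24", "22.22.22.22"),
                        BgpSourcePrefix("20.0.0.0/24", "33.33.33.33"),
                        BgpSourcePrefix("30.0.0.0/24", "44.44.44.44")]
```

   Running SavCalculator(FIGURE4_IGP_RULES, FIGURE4_BGP_PREFIXES) yields
   the three entries listed for router A in this section.  The next-hop
   lookup is a longest-prefix match, so the first-level table may carry
   IGP prefixes wider than /32; a source prefix whose next hop matches
   no first-level rule produces no entry and is reported separately,
   which is the case a deployment should alarm on rather than silently
   permit or drop.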
   Following the source prefix calculation in BGP, inheriting the
   outgoing interface information from the connectivity calculation,
   router A computes the following SAVNET table entries:
   (10.0.0.0/24, A-1) obtained from BGP neighbor 22.22.22.22,
   (20.0.0.0/24, A-1) obtained from BGP neighbor 33.33.33.33, and
   (30.0.0.0/24, A-2) obtained from BGP neighbor 44.44.44.44.

5. Deployment Considerations

   If the network topology information and the source prefix
   information within the domain are both conveyed by the IGP protocol,
   SAVNET rules can be generated automatically following the
   calculation method described in
   [draft-cheng-savnet-intra-domain-sav-IGP-00] or
   [I-D.lin-Intra-domain-savnet-method].

   If the intra-domain network topology information is conveyed by the
   IGP protocol while the intra-domain source prefix information is
   transmitted via the BGP protocol, the SAVNET calculation method of
   this document can be deployed to generate SAVNET rules for preventing
   source address attacks in outbound and inbound traffic.

   If the intra-domain source prefixes are transmitted via BGP while the
   network connectivity information is conveyed by protocols other than
   the IGP, this deployment can still be used to calculate SAVNET rules:
   the BGP protocol simply inherits the interfaces from the topological
   calculation into the final SAVNET rules, based on the next-hop
   information of the source prefixes.

   Furthermore, it is also possible to plan a separate BGP domain within
   the intra-domain network, using a BGP RR to reflect and propagate all
   intra-domain source prefixes.  First, through the IGP or other
   extended technologies, the SAVNET table entries corresponding to the
   next hops of the BGP source prefixes are calculated.
   Finally, through the next hop of BGP, the SAVNET table entries of the
   next hops are obtained to generate the SAVNET table entries of the
   BGP-published source prefixes, ultimately achieving the BGP
   calculation of SAVNET functionality within the intra-domain network.

6. IANA Considerations

   This document does not involve IANA.

7. Security Considerations

   TBD

8. References

8.1. Normative References

   [I-D.li-savnet-intra-domain-architecture]
              Li, D., Wu, J., Huang, M., Chen, L., Geng, N., Qin, L.,
              and F. Gao, "Intra-domain Source Address Validation
              (SAVNET) Architecture", Work in Progress, Internet-Draft,
              draft-li-savnet-intra-domain-architecture-03, 25 July
              2023.

   [I-D.lin-Intra-domain-savnet-method]
              Li, D., "Intra-domain SAVNET method", Work in Progress.

8.2. Informative References

   [I-D.ietf-savnet-intra-domain-problem-statement]
              Li, D., Wu, J., Qin, L., Huang, M., and N. Geng, "Source
              Address Validation in Intra-domain Networks Gap Analysis,
              Problem Statement, and Requirements", Work in Progress,
              Internet-Draft,
              draft-ietf-savnet-intra-domain-problem-statement-02,
              17 August 2023.

Acknowledgments

   TBD

Authors' Addresses

   Weiqiang Cheng
   China Mobile
   China

   Email: chengweiqiang@chinamobile.com

   Changwang Lin
   New H3C Technologies
   China

   Email: linchangwang.04414@h3c.com

   Shengnan Yue
   China Mobile
   China

   Email: yueshengnan@chinamobile.com