idr T. Tong
Internet-Draft China Unicom
Intended status: Standards Track D. Li
Expires: 24 April 2025 Tsinghua University
N. Geng
Huawei
N. Wang
China Unicom
S. Zhuang
Huawei
21 October 2024
Advertisement of Multi-Sourced SAV Rules using BGP Link-State
draft-tong-idr-bgp-ls-sav-rule-00
Abstract
This document describes the protocol extensions of BGP Link-State to
collect source address validation (SAV) rules generated by different
protocols/mechanisms, to facilitate multi-sourced SAV rule monitoring
and management.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 24 April 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Tong, et al. Expires 24 April 2025 [Page 1]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. BGP-LS NLRI Advertisement for SAV Rules . . . . . . . . . . . 3
2.1. SAV Rule NLRIs . . . . . . . . . . . . . . . . . . . . . 3
2.2. SAV Rule Descriptors TLVs . . . . . . . . . . . . . . . . 4
2.2.1. Interface Name TLV . . . . . . . . . . . . . . . . . 5
2.2.2. Interface Group TLV . . . . . . . . . . . . . . . . . 5
2.2.3. SAV Prefix TLV . . . . . . . . . . . . . . . . . . . 6
3. BGP-LS Attribute for SAV Mode . . . . . . . . . . . . . . . . 7
4. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Manageability Considerations . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6.1. "BGP-LS NLRI-Types" registry . . . . . . . . . . . . . . 7
6.2. "BGP-LS SAV Rule Descriptors TLVs" registry . . . . . . . 8
6.3. "BGP-LS SAV Mode Attribute TLV" registry . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
Source Address Validation (SAV) can efficiently prevent source
address spoofing-based attacks. SAV rules, which indicate the valid/
invalid incoming interfaces of a specific source IP address or source
IP prefix, are installed on routers for checking the source addresses
of received packets.
SAV rules can be generated by static configuration, management tools,
or based on different routing protocols such as OSPFv2, OSPFv3, IS-
IS, BGP, or their extensions [I-D.li-savnet-intra-domain-architecture
][I-D.wu-savnet-inter-domain-architecture]. Due to the requirements
of application scenarios, a router may use more than one tool at the
same time to get the SAV rules. Therefore, the rules on the router
will be multi-sourced, which complicates management. What is more
challenging is that there may exist conflicts of these multi-sourced
rules and the rules can be dynamic.
Tong, et al. Expires 24 April 2025 [Page 2]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
To facilitate SAV rule monitoring and management, this document
proposes to extend BGP-LS ([RFC9552]) for advertising SAV rules on
routers to a centralized server. The centralized server can
effectively collect multi-sourced SAV rules from routers. For the
purpose of advertising SAV rules within BGP-LS advertisements, two
new NLRIs called SAV Rule NLRIs are proposed for IPv4 and IPv6,
respectively.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. BGP-LS NLRI Advertisement for SAV Rules
The "Link-State NLRI" defined in [RFC9552] is extended to carry the
SAV rule information. The format of "Link-State NLRI" is defined in
[RFC9552] as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NLRI Type | Total NLRI Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Link-State NLRI (variable) //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Link-State NLRI
This document defines two new "NLRI Type" known as SAV Rule NLRIs
(values are TBD) for the advertisement of SAV rule Information.
2.1. SAV Rule NLRIs
This document defines SAV Rule NLRI Types with their common format as
shown in the following figure:
Tong, et al. Expires 24 April 2025 [Page 3]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
| Protocol-ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier |
+ (8 octets) +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Local Node Descriptors TLV (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// SAV Rule Descriptors TLVs (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: BGP-LS SAV Rule NLRI
The fields are defined as follows:
* Protocol-ID: Protocol-ID field specifies the source of the SAV
rules in this NLRI. Protocol-ID values defined in RFC9552
[RFC9086] can be reused.
* Identifier: An 8 octet value defined in [RFC9552].
* Local Node Descriptors TLV: It contains Node Descriptors for the
node storing SAV rules. This is a mandatory TLV in SAV Rule
NLRIs. The Type is 256. The length of this TLV is variable. The
value contains one or more Node Descriptor sub-TLVs defined in
[RFC9552].
* SAV Rule Descriptors TLVs: There can be one or more SAV Rule
Descriptors TLVs for carring SAV rules.
2.2. SAV Rule Descriptors TLVs
The SAV Rule Descriptor field is a set of TLV triplets. SAV Rule
Descriptors TLVs identify a set of SAV rule having the same set of
valid interfaces as defined in [I-D.huang-savnet-sav-table]. The
following TLVs are valid as SAV Rule Descriptors in the SAV Rule
NLRI:
Tong, et al. Expires 24 April 2025 [Page 4]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
+-------------+---------------------+----------+
| TLV Code | Description | Length |
| Point | | |
+-------------+---------------------+----------+
| TBD | Interface Name | variable |
| TBD | Interface Group | 4 |
| TBD | SAV Prefix | variable |
+-------------+---------------------+----------+
Figure 3: SAV Rule Descriptor TLVs
2.2.1. Interface Name TLV
A Interface Name TLV is to identify one valid interface of the source
prefixes carried in SAV Prefix TLVs. The format of Interface Name
TLV is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Interface Name (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Interface Name TLV
There can be zero, one or more Interface Name TLVs in the SAV Rule
Descriptor field.
2.2.2. Interface Group TLV
A Interface Group TLV is to identify a group of valid interfaces of
the source prefixes carried in SAV Prefix TLVs. The format of
Interface Group TLV is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Interface Group (4 octets) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Interface Group TLV
Tong, et al. Expires 24 April 2025 [Page 5]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
The Interface Group value can have either local meaning or global
meaning. On the one hand, it can be a local interface property on
the target routers, and the meaning of it depends on the
configurations of network administrator
[I-D.ietf-idr-flowspec-interfaceset]. On the other hand, a global
meaning Group Identifier field carries AS number, which represents
all the interfaces connected to the neighboring AS with the AS
number. [I-D.geng-idr-flowspec-sav]
Interface Group value can also be an Interface ID for identifying a
specific interface.
There can be zero, one or more Interface Group TLVs in the SAV Rule
Descriptor field. Interface Group TLVs can be used together with
Interface Name TLVs.
When there is neither an Interface Name TLV nor an Interface Group
TLV, the source prefixes carried in SAV Prefix TLVs are considered
valid for all the interfaces on the router.
2.2.3. SAV Prefix TLV
A SAV Prefix TLV carries one IP address prefix (IPv4 or IPv6). The
format of SAV Prefix TLV is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix Length | IP Prefix (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: SAV Prefix TLV
There can be one or more SAV Prefix TLVs in the SAV Rule Descriptor
field. The IPv4 SAV Prefix TLVs will only appear in the IPv4 SAV
Rule NLRI, and The IPv6 SAV Prefix TLVs are only for the IPv6 SAV
Rule NLRI
There can be more than one SAV mechanisms based on the same source
(identified by Protocol-ID). In order to distinguish the different
sources of rules in a more fine-grained manner, the Type field needs
to be allocated for multiple values, and each value identifies a
specific SAV mechanism based on the same source identified by
Protocol-ID.
Tong, et al. Expires 24 April 2025 [Page 6]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
3. BGP-LS Attribute for SAV Mode
The BGP-LS Attribute, an optional and non-transitive BGP Attribute,
is used to carry the validation mode information of SAV rules
[I-D.huang-savnet-sav-table]. The following SAV Mode Attribute TLV
is defined for the BGP-LS Attribute associated with a SAV Rule NLRI:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M| Reserved |
+-+-+-+-+-+-+-+-+
Figure 7: SAV Mode TLV
The SAV Mode TLV carries a Mode Flag (M flag shown in the figure)
describing the validation mode attribute.
* When M flag is unset, the mode is blocklist mode. The NLRI
carries the source prefixes included in the specified interfaces'
blocklists.
* When M flag is set, the mode is allowlist mode. The NLRI carries
the source prefixes included in the specified interfaces'
allowlists.
4. Procedures
The BGP-LS advertisements for the SAV Rule NLRI type are generally
originated by the node running SAV mechanisms/protocols.
5. Manageability Considerations
The Existing BGP operational and management procedures apply to this
document. No new procedures are defined in this document. The
considerations as specified in [RFC9552] apply to this document.
6. IANA Considerations
This section describes the code point allocation by IANA for this
document.
6.1. "BGP-LS NLRI-Types" registry
This document requests assigning code-points from the registry for
SAV Rule NLRIs:
Tong, et al. Expires 24 April 2025 [Page 7]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
+------+---------------------------+
| Type | NLRI Type |
+------+---------------------------+
| TBD | IPv4 SAV Rule NLRI |
| TBD | IPv6 SAV Rule NLRI |
+------+---------------------------+
6.2. "BGP-LS SAV Rule Descriptors TLVs" registry
This document requests assigning code-points from the registry for
BGP-LS SAV Rule Descriptors TLVs based on Figure 3.
6.3. "BGP-LS SAV Mode Attribute TLV" registry
This document requests assigning a code-point from the registry for
the BGP-LS SAV Mode attribute TLV.
7. Security Considerations
Procedures and protocol extensions defined in this document do not
affect the base BGP security model. See [RFC6952] for details. The
security considerations of the base BGP-LS specification as described
in [RFC9552] also apply.
8. References
8.1. Normative References
[RFC9552] Talaulikar, K., Ed., "Distribution of Link-State and
Traffic Engineering Information Using BGP", RFC 9552,
DOI 10.17487/RFC9552, December 2023,
<https://www.rfc-editor.org/info/rfc9552>.
[RFC9086] Previdi, S., Talaulikar, K., Ed., Filsfils, C., Patel, K.,
Ray, S., and J. Dong, "Border Gateway Protocol - Link
State (BGP-LS) Extensions for Segment Routing BGP Egress
Peer Engineering", RFC 9086, DOI 10.17487/RFC9086, August
2021, <https://www.rfc-editor.org/info/rfc9086>.
[I-D.huang-savnet-sav-table]
Huang, M., Cheng, W., Li, D., Geng, N., Liu, Chen, L., and
C. Lin, "General Source Address Validation Capabilities",
Work in Progress, Internet-Draft, draft-huang-savnet-sav-
table-07, 25 August 2024,
<https://datatracker.ietf.org/doc/html/draft-huang-savnet-
sav-table-07>.
Tong, et al. Expires 24 April 2025 [Page 8]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References
[I-D.li-savnet-intra-domain-architecture]
Li, D., Wu, J., Qin, L., Geng, N., Chen, L., Huang, M.,
and F. Gao, "Intra-domain Source Address Validation
(SAVNET) Architecture", Work in Progress, Internet-Draft,
draft-li-savnet-intra-domain-architecture-07, 16 March
2024, <https://datatracker.ietf.org/doc/html/draft-li-
savnet-intra-domain-architecture-07>.
[I-D.wu-savnet-inter-domain-architecture]
Li, D., Wu, J., Huang, M., Chen, L., Geng, N., Liu, L.,
and L. Qin, "Inter-domain Source Address Validation
(SAVNET) Architecture", Work in Progress, Internet-Draft,
draft-wu-savnet-inter-domain-architecture-11, 6 August
2024, <https://datatracker.ietf.org/doc/html/draft-wu-
savnet-inter-domain-architecture-11>.
[I-D.ietf-idr-flowspec-interfaceset]
Litkowski, S., Simpson, A., Patel, K., Haas, J., and L.
Yong, "Applying BGP flowspec rules on a specific interface
set", Work in Progress, Internet-Draft, draft-ietf-idr-
flowspec-interfaceset-05, 18 November 2019,
<https://datatracker.ietf.org/doc/html/draft-ietf-idr-
flowspec-interfaceset-05>.
[I-D.geng-idr-flowspec-sav]
Geng, N., Li, D., tongtian124, and M. Huang, "BGP Flow
Specification for Source Address Validation", Work in
Progress, Internet-Draft, draft-geng-idr-flowspec-sav-04,
12 October 2024, <https://datatracker.ietf.org/doc/html/
draft-geng-idr-flowspec-sav-04>.
Authors' Addresses
Tian Tong
China Unicom
Beijing
China
Tong, et al. Expires 24 April 2025 [Page 9]
�
Internet-Draft BGP-LS for Advertising SAV Rules October 2024
Email: tongt5@chinaunicom.cn
Dan Li
Tsinghua University
Beijing
China
Email: tolidan@tsinghua.edu.cn
Nan Geng
Huawei
Beijing
China
Email: gengnan@huawei.com
Nan Wang
China Unicom
Beijing
China
Email: wangn161@chinaunicom.cn
Shunwan Zhuang
Huawei
Beijing
China
Email: zhuangshunwan@huawei.com
Tong, et al. Expires 24 April 2025 [Page 10]