SAV for intra- and inter-domain networks
bofreq-li-sav-for-intra-and-inter-domain-networks-03
| Document | |
|---|---|
| Type | Approved BOF request |
| Title | SAV for intra- and inter-domain networks |
| Last updated | 2022-02-10 |
| State | Approved |
| Editor | Dan Li |
| Responsible leadership | Éric Vyncke |
| Send notices to | (None) |
Name: Source Address Validation in Intra-domain and Inter-domain Networks (SAVNET)
Description
Source address validation (SAV) is important for mitigating source address spoofing attacks and for accurately tracing traffic back to the attackers. In the past few years, SAV has attracted much attention from both academia and industry. Recently, the Mutually Agreed Norms for Routing Security (MANRS) initiative has been calling on network operators to implement SAV to prevent source address spoofing.
Following the way the Internet is operated, RFC 5210 describes a source address validation architecture (SAVA) that carries out SAV at three checking levels: access network, intra-domain, and inter-domain. Each level provides a different granularity of source IP address authenticity. The SAVI working group focused on SAV in access networks, aiming to refine prefix-level SAV into address-level SAV. Nevertheless, SAVI is fully effective only when deployed by all access networks. Where SAVI cannot be deployed simultaneously at all access networks, it is necessary to implement intra-domain and inter-domain SAV at ISPs so that spoofed traffic is dropped as close to its source as possible (this is also what MANRS calls for). However, existing intra-domain and inter-domain SAV mechanisms such as the uRPF family of techniques [RFC 3704, RFC 8704] may improperly permit spoofed traffic or improperly block legitimate traffic. Both cases can have serious consequences.
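To make the two failure modes concrete, here is an added illustration that is not part of the BoF request or of the referenced drafts: a constructed single-router FIB and a few constructed packets, evaluated under strict and loose uRPF as defined in RFC 3704. It shows strict mode improperly blocking a genuine source that arrives on an interface other than the one the best route points at (asymmetric routing), and loose mode improperly permitting a source spoofed from any routable prefix. All prefixes, interface names and packets are assumptions made up for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB of one router: destination prefix -> outgoing interface.
# 203.0.113.0/24 is a multi-homed customer whose best route from this router
# points at peerA, although some of its traffic legitimately arrives via peerB.
FIB = {
    ip_network("198.51.100.0/24"): "cust",
    ip_network("203.0.113.0/24"): "peerA",
    ip_network("192.0.2.0/24"): "peerB",
}

def best_route(src):
    """Longest-prefix match for a source address; None if no route exists."""
    matches = [p for p in FIB if src in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None

def strict_urpf(src, in_if):
    # Strict mode (RFC 3704): accept only if the best route to the source
    # points back out of the interface the packet arrived on.
    p = best_route(ip_address(src))
    return p is not None and FIB[p] == in_if

def loose_urpf(src, in_if):
    # Loose mode (RFC 3704): accept if any route to the source exists at all,
    # regardless of the ingress interface.
    return best_route(ip_address(src)) is not None

# Constructed packets: (source address, ingress interface, is the source genuine?)
PACKETS = [
    ("198.51.100.7", "cust", True),   # customer sends from its own prefix
    ("203.0.113.9", "peerB", True),   # genuine, but arrives asymmetrically
    ("192.0.2.5", "cust", False),     # customer spoofs a routable prefix
    ("10.9.9.9", "peerB", False),     # spoofed, unrouted source
]

def evaluate(packets=PACKETS):
    """Per-packet verdicts and whether each uRPF mode misclassified it."""
    out = []
    for src, in_if, genuine in packets:
        s, l = strict_urpf(src, in_if), loose_urpf(src, in_if)
        out.append({
            "src": src,
            "strict_improper_block": genuine and not s,
            "loose_improper_permit": (not genuine) and l,
        })
    return out

def summary(packets=PACKETS):
    """(number of improper blocks under strict, improper permits under loose)."""
    r = evaluate(packets)
    return (sum(x["strict_improper_block"] for x in r),
            sum(x["loose_improper_permit"] for x in r))
```

Neither mode is accurate on this topology: strict uRPF drops the asymmetric customer packet and loose uRPF passes the spoofed routable source, which is exactly the improper-block/improper-permit gap the BoF sets out to close.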
To implement accurate SAV in intra-domain and inter-domain networks, a network-wide protocol should be considered.
Entirely new protocols or extensions of existing protocols are needed to meet the following requirements of SAV in intra-domain and inter-domain networks:
- High accuracy: The protocols should avoid improper block and reduce improper permit as much as possible
- High scalability: The protocols should not induce much overhead
- Incremental deployment: The protocols should support incremental deployment
- High security: The protocols should guarantee the integrity of the protocol messages
In this BoF, we are going to focus on the gap analysis of existing SAV mechanisms and a brief overview of possible protocols. The main goal of this BoF is to solicit suggestions.
Required Details
- Status: not WG Forming
- Responsible AD: Eric Vyncke
- BoF proponents: Dan Li <tolidan@tsinghua.edu.cn>, Jianping Wu <jianping@cernet.edu.cn>, Hongfang Yu <yuhf@uestc.edu.cn>, Shu Yang <yang.shu@szu.edu.cn>, Shizhong Nie <nieshzh@chinatelecom.cn>, Mingqing Huang <huangmingqing@huawei.com>, Xiangqing Chang <chang.xiangqing@h3c.com>
- BoF chairs: Joel Halpern, Job Snijders
- Number of people expected to attend: 100
- Length of session (1 or 2 hours): 2 hours
- Conflicts (whole Areas and/or WGs)
- Chair Conflicts: TBD
- Technology Overlap: opsec, intarea, rtgwg, idr
- Key Participant Conflict: TBD
Agenda
- Welcome & Preliminary Notes (10 min)
- Background & Gap Analysis (15 min)
- DSAV Framework (15 min)
- DSAV Open Discussion (20 min)
- PSAV Framework (15 min)
- PSAV Open Discussion (20 min)
- Q&A (15 min)
Links to the mailing list, draft charter if any, relevant Internet-Drafts, etc.
- Mailing List: TBD
- Draft charter: TBD
- Relevant drafts:
- Source Address Validation: Use Cases and Gap Analysis:
- Distributed Source Address Validation (DSAV) Framework
- Practical Inter-Domain Source Address Validation