SAVNET's Incentive Consideration for Defence Against Reflection Attacks
draft-qin-savnet-incentive-01
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Authors | Lancheng Qin , Dan Li , Jianping Wu , Li Chen , Fang Gao | ||
| Last updated | 2022-10-24 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-qin-savnet-incentive-01
Network Working Group L. Qin
Internet-Draft D. Li
Intended status: Informational J. Wu
Expires: 27 April 2023 Tsinghua University
L. Chen
F. Gao
Zhongguancun Laboratory
24 October 2022
SAVNET's Incentive Consideration for Defence Against Reflection Attacks
draft-qin-savnet-incentive-01
Abstract
Source address spoofing remains a significant challenge in today's
Internet. Although source address validation (SAV) mechanisms, such
as ingress filtering [RFC2827], unicast Reverse Path Forwarding
(uRPF) [RFC3704], and the Enhanced Feasible-Path Unicast Reverse Path
Forwarding (EFP-uRPF) [RFC8704], have been proposed for a long time,
none of them have been widely deployed due to their limitation in
accuracy, lack of incentive, or other cost concerns. This document
specifically explains the incentive problem of existing SAV
mechanisms and clarifies the direct incentive that SAVNET hopes to
achieve.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 8174 [RFC8174].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 27 April 2023.
Qin, et al. Expires 27 April 2023 [Page 1]
Internet-Draft SAVNET Incentive October 2022
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The Importance of Incentive for SAV Deployment . . . . . . . 4
4. Incentive Comparison Between EFP-uRPF and SAVNET . . . . . . 4
4.1. Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . 5
4.1.1. Case 1: only AS3 deploys SAV . . . . . . . . . . . . 6
4.1.2. Case 2: AS1 and AS3 deploy SAV . . . . . . . . . . . 7
4.1.3. Case 3: AS2 and AS3 deploy SAV . . . . . . . . . . . 7
4.1.4. Case 4: AS1, AS2, and AS3 deploy SAV . . . . . . . . 8
4.2. Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . 9
4.2.1. Case 1: only AS3 deploys SAV . . . . . . . . . . . . 9
4.2.2. Case 2: AS1 and AS3 deploy SAV . . . . . . . . . . . 10
4.2.3. Case 3: AS2 and AS3 deploy SAV . . . . . . . . . . . 10
4.2.4. Case 4: AS1, AS2, and AS3 deploy SAV . . . . . . . . 11
4.3. Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . 11
4.3.1. Case 1: only AS3 deploys SAV . . . . . . . . . . . . 12
4.3.2. Case 2: AS1 and AS3 deploy SAV . . . . . . . . . . . 13
4.3.3. Case 3: AS2 and AS3 deploy SAV . . . . . . . . . . . 13
4.3.4. Case 4: AS1, AS2, and AS3 deploy SAV . . . . . . . . 14
5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
7. Normative References . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
Source address spoofing is one of the most important security threats
in the Internet. By using forged source IP addresses, attackers can
well hide their real identities and carry out various malicious
attacks [RFC6959], among which reflection attack is the most common
and harmful. In the reflection attack, the attacker spoofs the
victim's source IP address and sends requests to servers with
Qin, et al. Expires 27 April 2023 [Page 2]
Internet-Draft SAVNET Incentive October 2022
reflection and amplification functions, such as DNS or NTP servers.
Upon receiving the requests, these servers will reply a large number
of responses to the victim, resulting in a large-scale Distributed
Denial of Service (DDoS) attack to the victim.
To mitigate source address spoofing, several source address
validation (SAV) mechanisms (e.g., ingress filtering [RFC2827],
unicast Reverse Path Forwarding (uRPF) [RFC3704], and the Enhanced
Feasible-Path Unicast Reverse Path Forwarding (EFP-uRPF) [RFC8704])
have been proposed to identify and reject traffic with forged source
IP addresses. However, they have not been widely deployed due to
their limitation in accuracy, lack of incentive, or other cost
concerns. Source address spoofing remains a significant challenge in
today's Internet.
To help narrow the gap of existing SAV mechanisms,
[draft-li-savnet-intra-domain-problem-statement] and
[draft-wu-savnet-inter-domain-problem-statement] summarize the
fundamental problems of existing SAV mechanisms and define the
requirements for new SAV mechanisms. This document further explains
the misaligned incentive problem of existing SAV mechanisms and
specifies the direct incentive that SAVNET hopes to achieve. The
direct incentive of SAV refers to a network deploying SAV can protect
itself against source address spoofing attacks, including the most
important reflection attack.
2. Terminology
SAV: Source Address Validation, i.e. validating the authenticity of a
packet's source IP address.
Three roles in a reflection attack:
* Attacker. A malicious host that spoofs the victim's source IP
address when sending a request to the reflector.
* Reflector. A reflective server (e.g., DNS or NTP server) that
receives the forged request and responds to the victim.
* Victim. An innocent host that receives a lot of responses from
the reflector, resulting in a DoS attack.
Two results in the incentive comparison between EFP-uRPF and SAVNET:
* "FAIL" means the victim network deploying SAV (EFP-uRPF or SAVNET)
cannot help itself prevent the reflection attack.
Qin, et al. Expires 27 April 2023 [Page 3]
Internet-Draft SAVNET Incentive October 2022
* "WORK" means the victim network deploying SAV (EFP-uRPF or SAVNET)
can help itself prevent the reflection attack.
3. The Importance of Incentive for SAV Deployment
Ingress filtering, or BCP38 [RFC2827] requires the network to
implement SAV filtering on its outgoing traffic. If all networks
deploy BCP38 and only allow outgoing traffic with legitimate source
addresses, source address spoofing can be effectively prevented.
However, although BCP38 has been proposed for more than 20 years and
is highly recommended by the Mutually Agreed Norms for Routing
Security (MANRS), it is still not widely deployed in today's
Internet. One main reason is that operators lack incentive to deploy
BCP38 in their networks. The benefits from deploying BCP38 do not
flow to the deployed network, but to the rest of the Internet.
Specifically, if a network deploys BCP38, it does not gain any
protection from the deployment and is still vulnerable to reflection
attacks from other networks. As a result, most networks are
reluctant to deploy BCP38 and prefer to wait for others to deploy.
The deployment problem faced by BCP38 tells us that a desirable SAV
mechanism must provide direct incentive/benefits to the deployed
network. If a network deploys SAV but finds that it only helps other
networks, the network will not be motivated to deploy SAV. If a
network deploys SAV and finds that sometimes it can help itself
(compared with not deploying), the network will be more motivated to
deploy SAV.
4. Incentive Comparison Between EFP-uRPF and SAVNET
Nowadays, reflection attack has become one of the most common attacks
based on source address spoofing. However, the victim network in a
reflection attack may not receive the spoofing request. If an
intermediate network deploys SAV to protect itself against source
address spoofing attacks, such as single-packet attacks, flood-based
DoS, and etc [RFC6959], it can help prevent the reflection attack
when receiving the spoofing request. Therefore, to mitigate
reflection attacks, customer or user networks are increasingly asking
their upstreaming providers to deploy SAV as close to the source as
possible and to protect their source addresses from being forged.
Considering the security requirements of customer or user networks,
network operators are willing to improve their competitiveness by
implementing SAV, so they will attract more users and gain more
profits.
More recently, RFC8704 or BCP84 [RFC8704] proposes the Enhanced
Feasible-Path Unicast Reverse Path Forwarding (EFP-uRPF) and
recommends operators to adopt EFP-uRPF at customer interfaces in most
Qin, et al. Expires 27 April 2023 [Page 4]
Internet-Draft SAVNET Incentive October 2022
inter-domain scenarios. Different from BCP38, EFP-uRPF provides
direct incentive to some extent, as it aims to prevent spoofed
packets from entering the deployed network. However, EFP-uRPF is
essentially performing ingress filtering at a higher aggregation
point (i.e., the top AS of a customer cone) and does not provide
protection against spoofing traffic from provider and peer
interfaces. Moreover, the victim network will not gain additional
protection against reflection attack even if it deploys EFP-uRPF.
Therefore, EFP-uRPF cannot perfectly meet the above security
requirements of customer or user networks.
In the following, we use reflection attack as an example to measure
the incentive that EFP-uRPF or SAVNET can provide to the victim
network. We simplify the participants in a reflection attack into
three roles (attacker network, reflector network, and victim network)
and enumerate three attack scenarios by changing the relative
positions of the three roles. In each scenario, we suppose the
victim network always deploys SAV mechanism (EFP-uRPF or SAVNET),
because only the victim can get benefit from the SAV mechanism.
Then, for any deployment case of the other two networks (i.e.,
attacker network and reflector network), we check whether the
reflection attack can be prevented. If so, the victim network has
strong motivation to deploy SAV; if not, the victim network has weak
motivation to deploy SAV.
Since there is no specific SAVNET solution yet, we assume SAVNET can
meet the "Accuracy SAV" requirement defined in
[draft-li-savnet-intra-domain-problem-statement] and
[draft-wu-savnet-inter-domain-problem-statement], i.e, learning real
incoming interfaces for source prefixes based on control-plane
information sent from the owner of the source prefixes. In the
preliminary idea of SAVNET, each deployed network notifies the valid
incoming interfaces for its source prefixes to other deployed
networks.
4.1. Scenario 1
Figure 1 shows the first reflection attack scenario where the
reflector network is located between the attacker network and the
victim network. The attacker spoofs the source address of the victim
and sends a forged request to the reflector. After receiving the
request from attacker, the reflector responds to the victim.
Qin, et al. Expires 27 April 2023 [Page 5]
Internet-Draft SAVNET Incentive October 2022
+---------+
| AS2 +-+Reflector
++/\+-----+
/ \
request / \ response
/ \
/ \
+---------+ +-+\/+----+
Attacker+-+ AS1 | | AS3 +-+ Victim
+---------+ +---------+
AS1: Attacker network
AS2: Reflector network
AS3: Victim network
Figure 1: The first reflection attack scenario.
4.1.1. Case 1: only AS3 deploys SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS2 | algorithm | algorithm | |
| and AS2 | and AS3 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
Table 1: All SAV mechanisms fail if only AS3 deploys SAV in
scenario 1
Table 1 shows the effectiveness of EFP-uRPF and SAVNET against the
reflection attack under different relationships among AS1, AS2, and
AS3. We omit combinations of relationships that violate valley-free
principle. If only the victim network deploys SAV, both EFP-uRPF and
SAVNET fail to prevent the reflection attack in scenario 1, because
the victim network does not receive the forged request at all.
Qin, et al. Expires 27 April 2023 [Page 6]
Internet-Draft SAVNET Incentive October 2022
4.1.2. Case 2: AS1 and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS2 | algorithm | algorithm | |
| and AS2 | and AS3 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
Table 2: SAVNET works best if AS1 and AS3 deploy SAV in
scenario 1
Table 2 shows that SAVNET works best when victim network and attacker
network deploy SAV. If AS1 and AS3 deploy SAVNET, AS1 learns that
traffic with victim's source address must come from outside the AS,
not inside the AS. Therefore, SAVNET in AS1 can successfully detect
the forged request and prevent the reflection attack. However, since
EFP-uRPF in AS1 does not verify outgoing traffic, EFP-uRPF fails in
this deployment case.
4.1.3. Case 3: AS2 and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS2 | algorithm | algorithm | |
| and AS2 | and AS3 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | WORK | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
Qin, et al. Expires 27 April 2023 [Page 7]
Internet-Draft SAVNET Incentive October 2022
Table 3: SAVNET works best if AS2 and AS3 deploy SAV in
scenario 1
As shown in Table 3, SAVNET works best when victim network and
reflector network deploy SAV. If AS2 and AS3 deploy SAVNET, AS2
learns that traffic with victim's source address must come from AS3,
so it will block the forged request from AS1. If AS2 and AS3 deploy
EFP-uRPF, since EFP-uRPF only work for traffic from customer
interfaces, EFP-uRPF algorithm A and algorithm B both fail when AS1
is the provider/peer of AS2. EFP-uRPF algorithm A works well when
AS1 is the customer of AS2, but EFP-uRPF algorithm B still fails when
AS1 and AS3 are both in the customer cone of AS2, because EFP-uRPF
algorithm B cannot identify source address spoofing between ASes in
customer cone.
4.1.4. Case 4: AS1, AS2, and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS2 | algorithm | algorithm | |
| and AS2 | and AS3 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | WORK | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
Table 4: SAVNET works best if AS1, AS2, and AS3 deploy SAV
in scenario 1
In scenario 1, SAVNET still works best when all three roles deploy
SAV. When they deploy SAVNET, both AS1 and AS2 can effectively
identify and block the forged request. When they deploy EFP-uRPF,
only AS2 sometimes can prevent the reflection attack, with the same
results as Section 4.1.3.
Qin, et al. Expires 27 April 2023 [Page 8]
Internet-Draft SAVNET Incentive October 2022
4.2. Scenario 2
Figure 2 shows the second reflection attack scenario. In scenario 2,
the victim network is located between the attack network and the
reflector network. When attacker sends a forged request to the
reflector, the request first arrives at the victim network and then
be forwarded to the reflector network. Subsequently, the reflector
responds to the victim.
+---------+
| AS3 +-+Victim
++/\+--+/\+
/ \ \
/ \ \
/request \ \ response
/ \ \
+---------+ + \/+-----+
Attacker+-+ AS1 | | AS2 +-+Reflector
+---------+ +---------+
AS1: Attacker network
AS2: Reflector network
AS3: Victim network
Figure 2: The second reflection attack scenario.
4.2.1. Case 1: only AS3 deploys SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS3 | algorithm | algorithm | |
| and AS3 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
Table 5: SAVNET works best if only AS3 deploys SAV in scenario 2
Qin, et al. Expires 27 April 2023 [Page 9]
Internet-Draft SAVNET Incentive October 2022
Table 5 shows the effectiveness of EFP-uRPF and SAVNET when only AS3
in scenario 2 deploys SAV. If AS3 deploys SAVNET, it can reject the
forged request when it receives the forged request. If AS3 deploys
EFP-uRPF, it only works when AS1 is the customer of AS3 because EFP-
uRPF only implements SAV filtering at customer interfaces.
We also compare EFP-uRPF and SAVNET in the following three deployment
cases. We find that if the SAV mechanism is EFP-uRPF algorithm A or
EFP-uRPF algorithm B, only the victim network in scenario 2 has the
possibility to reject the forged request by implementing SAV. Even
if attacker network or reflector network also deploys EFP-uRPF, it
does not provide additional assistance to victim network. Therefore,
on the basis that the victim network has deployed SAV, SAVNET always
works best in different deployment cases.
4.2.2. Case 2: AS1 and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS3 | algorithm | algorithm | |
| and AS3 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
Table 6: SAVNET works best if AS1 and AS3 deploy SAV in
scenario 2
4.2.3. Case 3: AS2 and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS3 | algorithm | algorithm | |
| and AS3 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
Qin, et al. Expires 27 April 2023 [Page 10]
Internet-Draft SAVNET Incentive October 2022
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
Table 7: SAVNET works best if AS2 and AS3 deploy SAV in
scenario 2
4.2.4. Case 4: AS1, AS2, and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS1 | between AS3 | algorithm | algorithm | |
| and AS3 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | WORK | WORK | WORK |
+--------------+--------------+-----------+-----------+--------+
Table 8: SAVNET works best if AS1, AS2, and AS3 deploy SAV
in scenario 2
4.3. Scenario 3
Figure 3 shows the third reflection attack scenario. The attacker
network is located between the victim network and the reflector
network. Attacker spoofs victim's source address in the request sent
to reflector. Reflector receives the request from the attacker
network and sends a response to the victim network via the attacker
network.
Below we make the incentive comparison between EFP-uRPF and SAVNET in
scenario 3. By varying SAV deployment status of attacker network and
reflector network, we find all SAV mechanisms fail in preventing the
reflection attack in this scenario. For victim network, it does not
receive the forged request. For attacker network and reflector
network, SAV in their networks cannot identify this spoofing because
Qin, et al. Expires 27 April 2023 [Page 11]
Internet-Draft SAVNET Incentive October 2022
the forged source address (i.e., victim's source address) shares the
same valid incoming interface with the actual one (i.e., attacker's
source address).
+---------+
| AS1 +-+Attacker
+----+/\+-+
/ \ \
/ \ \
/response\ \request
/ \ \
+----+\/+-+ +--+\/+---+
Victim+-+ AS3 | | AS2 +-+Reflector
+---------+ +---------+
AS1: Attacker network
AS2: Reflector network
AS3: Victim network
Figure 3: The third reflection attack scenario.
4.3.1. Case 1: only AS3 deploys SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS3 | between AS1 | algorithm | algorithm | |
| and AS1 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
Table 9: All SAV mechanisms fail if only AS3 deploys SAV in
scenario 3
Qin, et al. Expires 27 April 2023 [Page 12]
Internet-Draft SAVNET Incentive October 2022
4.3.2. Case 2: AS1 and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS3 | between AS1 | algorithm | algorithm | |
| and AS1 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
Table 10: All SAV mechanisms fail if AS1 and AS3 deploy SAV
in scenario 3
4.3.3. Case 3: AS2 and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS3 | between AS1 | algorithm | algorithm | |
| and AS1 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
Table 11: All SAV mechanisms fail if AS2 and AS3 deploy SAV
in scenario 3
Qin, et al. Expires 27 April 2023 [Page 13]
Internet-Draft SAVNET Incentive October 2022
4.3.4. Case 4: AS1, AS2, and AS3 deploy SAV
+==============+==============+===========+===========+========+
| Relationship | Relationship | EFP-uRPF | EFP-uRPF | SAVNET |
| between AS3 | between AS1 | algorithm | algorithm | |
| and AS1 | and AS2 | A | B | |
+==============+==============+===========+===========+========+
| P2C | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| P2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | C2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2P | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
| C2P | P2C | FAIL | FAIL | FAIL |
+--------------+--------------+-----------+-----------+--------+
Table 12: All SAV mechanisms fail if AS1, AS2, and AS3
deploy SAV in scenario 3
5. Summary
Overall, neither SAVNET nor EFP-uRPF completely prevents the
reflection attack. But for any attack scenario or deployment case,
we find that SAVNET is doing better or not worse than EFP-uRPF. It
is worth noting that AS1 and AS2 in above scenarios can also be
targets of reflection attacks from other networks. Therefore, a
network has more incentive to deploy SAVNET as the SAV mechanism,
because its own network will have high probability of being protected
against reflection attacks.
6. Acknowledgments
TBD
7. Normative References
[draft-li-savnet-intra-domain-problem-statement]
Li, D., Wu, J., Qin, L., Huang, M., and N. Geng, "Source
Address Validation in Intra-domain Networks (Intra-domain
SAVNET) Gap Analysis, Problem Statement and Requirements",
22 October 2022.
Qin, et al. Expires 27 April 2023 [Page 14]
Internet-Draft SAVNET Incentive October 2022
[draft-wu-savnet-inter-domain-problem-statement]
Wu, J., Li, D., Qin, L., Huang, M., and N. Geng, "Source
Address Validation in Inter-domain Networks (Inter-domain
SAVNET) Gap Analysis, Problem Statement and Requirements",
22 October 2022.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <https://www.rfc-editor.org/info/rfc2827>.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March
2004, <https://www.rfc-editor.org/info/rfc3704>.
[RFC6959] McPherson, D., Baker, F., and J. Halpern, "Source Address
Validation Improvement (SAVI) Threat Scope", RFC 6959,
DOI 10.17487/RFC6959, May 2013,
<https://www.rfc-editor.org/info/rfc6959>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8704] Sriram, K., Montgomery, D., and J. Haas, "Enhanced
Feasible-Path Unicast Reverse Path Forwarding", BCP 84,
RFC 8704, DOI 10.17487/RFC8704, February 2020,
<https://www.rfc-editor.org/info/rfc8704>.
Authors' Addresses
Lancheng Qin
Tsinghua University
Beijing
China
Email: qlc19@mails.tsinghua.edu.cn
Dan Li
Tsinghua University
Beijing
China
Email: tolidan@tsinghua.edu.cn
Qin, et al. Expires 27 April 2023 [Page 15]
Internet-Draft SAVNET Incentive October 2022
Jianping Wu
Tsinghua University
Beijing
China
Email: jianping@cernet.edu.cn
Li Chen
Zhongguancun Laboratory
Beijing
China
Email: Lichen@zgclab.edu.cn
Fang Gao
Zhongguancun Laboratory
Beijing
China
Email: gaofang@zgclab.edu.cn
Qin, et al. Expires 27 April 2023 [Page 16]