# Name: Source Address Validation in Intra-domain and Inter-domain Networks (SAVNET)

## Description

Source address validation (SAV) is important for mitigating source address spoofing attacks and for accurately tracing back to the attackers. In the past few years, SAV has attracted much attention from both academia and industry. Recently, the Mutually Agreed Norms for Routing Security (MANRS) initiative has been calling on network operators to implement SAV to prevent source address spoofing.

Following the operating characteristics of the Internet, RFC 5210 describes a source address validation architecture (SAVA) which carries out SAV at three checking levels: access network, intra-domain, and inter-domain. Different levels provide different granularities of source IP address authenticity. The SAVI working group focused on SAV at access networks, which aims to enhance the previous prefix-level SAV to address-level SAV. Nevertheless, SAVI is fully effective only when deployed by all access networks. In cases where SAVI cannot be deployed simultaneously at all access networks, it is necessary to implement intra-domain and inter-domain SAV through ISPs to block spoofed traffic as close to the source as possible (this is also what MANRS calls for).

However, existing intra-domain and inter-domain SAV mechanisms such as uRPF-related technologies [RFC 3704, RFC 8704] may improperly permit spoofed traffic or improperly block legitimate traffic. Both cases can have serious consequences. To implement accurate SAV in intra-domain and inter-domain networks, a network-wide protocol should be considered.
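The two failure modes named above can be seen in a small model. The following is an added example, not taken from the BoF proposal or the referenced drafts: it is a simplified model of strict and loose uRPF on one edge router, and the interface names (`cust`, `peer`), the FIB contents and the ground-truth table are constructed assumptions using documentation prefixes.

```python
import ipaddress

# Constructed FIB of one edge router (hypothetical): prefix -> best next-hop interface.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust",     # customer prefix, routed via customer link
    ipaddress.ip_network("198.51.100.0/24"): "peer",  # same customer's 2nd prefix, best path via peer
    ipaddress.ip_network("203.0.113.0/24"): "peer",   # unrelated third-party network
}

# Constructed ground truth: prefixes the customer behind "cust" may legitimately source from.
LEGIT = {"cust": [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]}


def lookup(src):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in FIB if addr in net]
    return FIB[max(matches, key=lambda n: n.prefixlen)] if matches else None


def strict_urpf(src, in_if):
    """Accept only if the best route back to src leaves via the arrival interface."""
    return lookup(src) == in_if


def loose_urpf(src, in_if):
    """Accept if any route to src exists, regardless of interface."""
    return lookup(src) is not None


def classify(check, src, in_if):
    """Compare a SAV decision with the ground truth for that interface."""
    legit = any(ipaddress.ip_address(src) in n for n in LEGIT.get(in_if, []))
    accepted = check(src, in_if)
    if accepted == legit:
        return "correct"
    return "improper permit" if accepted else "improper block"


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.10", "203.0.113.5"):
        for check in (strict_urpf, loose_urpf):
            print(f"{check.__name__:12} src={src:15} in=cust -> {classify(check, src, 'cust')}")
```

With asymmetric routing for the customer's second prefix, the strict check drops legitimate traffic, while the loose check accepts a source address that belongs to a third party.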

Entirely new protocols or extensions of existing protocols are needed to meet the following requirements of SAV in intra-domain and inter-domain networks:

- High accuracy: The protocols should avoid improper blocks and reduce improper permits as much as possible
- High scalability: The protocols should not induce much overhead
- Incremental deployment: The protocols should support incremental deployment
- High security: The protocols should guarantee the integrity of the protocol messages

In this BoF, we are going to focus on the gap analysis of existing SAV mechanisms and a brief overview of possible solutions (including a control-plane solution and a data-plane solution). The main goal of this BoF is to solicit suggestions.

## Required Details

- Status: not WG Forming
- Responsible AD: Eric Vyncke
- BoF proponents: Dan Li, Jianping Wu, Hongfang Yu, Shu Yang, Shizhong Nie, Mingqing Huang, Xiangqing Chang
- BoF chairs: Joel Halpern, Job Snijders
- Number of people expected to attend: 100
- Length of session (1 or 2 hours): 2 hours
- Conflicts (whole Areas and/or WGs)
  - Chair Conflicts: Jari Arkko, Zhenbin Li
  - Technology Overlap: opsec, intarea, rtgwg, idr, grow, sidrops
  - Key Participant Conflict: TBD

## Agenda

- Welcome & Preliminary Notes (10 min)
- Background & Gap Analysis: Presentation (15 min) -- https://datatracker.ietf.org/doc/draft-li-opsec-sav-gap-analysis/
- Background & Gap Analysis: Open Discussion (20 minutes)
- DSAV Framework: Presentation (15 min) -- https://datatracker.ietf.org/doc/draft-li-dsav-framework/
- DSAV Framework: Open Discussion (20 min)
- ESAV Framework: Presentation (10 min)
- ESAV Framework: Open Discussion (10 min)
- Q&A (20 min)

## Links to the mailing list, draft charter if any, relevant Internet-Drafts, etc.

- Mailing List: savnet@ietf.org
- Draft charter: N/A
- Relevant drafts:
  - Source Address Validation: Use Cases and Gap Analysis - https://datatracker.ietf.org/doc/draft-li-sav-gap-analysis/
  - Distributed Source Address Validation (DSAV) Framework - https://datatracker.ietf.org/doc/draft-li-dsav-framework/
  - Practical Inter-Domain Source Address Validation - https://datatracker.ietf.org/doc/draft-xu-psav/