IETF116 Savnet WG minutes

Chairs introduction: brief agenda review, no comments

Dan Li presenting slides on intradomain Gap analysis, problem statement and requirements.
* Xiangqing Chang asked about scaling and raised some additional problems with the current situation.
  o Too many access devices, so it is hard to fully deploy SAV at access network. Necessary to improve existing mechanism.
  o The main limitation of existing mechanisms is that they do SAV based on routing information which may not be accurate enough for SAV. This draft helps.
  o Achieving 100 percent SAV is impossible. May lead to serious vulnerabilities.
* Aijun Wang: looking for new solutions to the problem.

Libin Liu presenting inter-domain Gap analysis, problem statement and requirements.
* Addresses boundary between intra-domain and inter-domain SAV
* Kotikalapudi Sriram
  o Many possible forwarding paths. Difficult to pinpoint the real path. Real Forwarding Path, what is the definition?
* ANS: Path that traffic goes through
  o Under asymmetric routing or hidden prefix situation, difficult to get such path, could only have possible path
  o For provider interface, good/bad packets can both come, but hard to tell. For SAV at Provider interface (P22), the spoofed packets should be stopped at AS4 at provider interface, otherwise it would be hard for AS2 to identify the spoofed packets
* Libing
  o To avoid improper block/permit we need new solutions. Be careful to design the solutions.

Nan Geng presenting Intra-domain SAVNET Architecture
* Removed details which may be related to a specific solution
* Joel: Focus first on problems/gaps, not the solution. We don't standardize component level.
* Xueyan Song comment: Question about the SAV protocol extension. The extension is out of the scope of the WG. Suggest to focus on the framework and requirements. Protocol extension is about solution.
  o Nan: it's high level but not about solution details
* Rudiger Volk:
  o What is the security consideration, such as authentication of the speaker in the mechanism
* Answer: May use the mechanisms of existing protocols
  o Should think about security right at the beginning of the architecture
* Nan:
  o Entity can be server/router, speaker can use routing protocols. Three kinds of speakers.
* Jeff Haas
  o Strongly suggest that as part of your in scope discussion about eventually using routing protocols talk about the security characteristics of the information carried.
  o You don't necessarily want routers receiving information that is, for example, crypto signed.
  o A solution that wants to carry the information safely in routing means that you have a solution that potentially has difficulties being deployed. Similar to the obstacles brought by crypto-based solutions.

Lancheng Qin presenting Inter-domain SAVNET Architecture
* Removed details which may be related to a specific solution
* Kotikalapudi Sriram:
  o slide 5, terminology. BGP is also an active collaboration. Passive Acquired Information and Active Collaboration Information may not be clearly defined.
* Igor Lubashev:
  o Security concern of control flow messages taking same data path as the packets
  o Concern of delay or loss of active collaboration information, resulting in improper block
* Zhen Tan:
  o What is relationship between the Architecture draft and the other draft about SAV table?
* Xueyan Song:
  o What is relationship and difference between the inter- and intra-domain Architecture draft?
  o Components are different. Sources are different. SAV table usage, collaborative messages are different
* Rudiger Volk:
  o Network is always in convergence and never stable. Actively diagnosis/logging to address the problem. Should not only address the partially deployed situation, should also consider the convergence issue, since the internet is a consistently moving system.
  o Actively elaborate on what diagnosis and logging you would do to allow operators to address the underlying problems.
* Ben Maddison:
  o Agree that security issues should be considered in the architecture.
  o Maybe useful to address such protocols may exist but need to find a point between a detailed solution and an abstract arch.
  o Think about relative security properties of BGP sessions. How does BGPsec correlate with non-BGPsec session?

Mingqing (Michael) Huang presenting Source Address Validation Table Abstraction and Application
* No comments due to time limitation

Li Chen presenting SAV Open Playground & the Real Path Discovery Protocol
* No comments due to time limitation

Libin Liu presenting Real Path Discovery Protocol (RPDP) and the SAV Open Playground (SAVOP)
* No comments due to time limitation

Feng Yang presenting Source Address Verification for SRv6
* Chairs advice: Should be on the SPRING WG, better send an e-mail about the use of the SID information.

Xuesong Guo presenting SAV enhances its security using blockchain
* Chairs: Validation of routing protocols is out of scope of the SAVNET WG

Weiqiang Cheng presenting Proactive Defense Network based on Source Address Validation
* No comments due to time limitation

No time for presentation of SAVA-based Anti-DDoS Architecture