IETF 121 SAVNET Minutes

1. Intra-domain SAVNET architecture (Lancheng Qin)
Peter Psenak: Support the idea.
Joel: Understand the edge deployment is simpler. Concerned about the incremental deployment. Doc must be clear about this scenario.
Lancheng: Should first define full deployment, and then show incremental deployment benefits.

2. Source Prefix Advertisement for Intra-domain SAVNET (Lancheng Qin)
No question.

3. Intra-domain SAVNET Support via IGP & Intra-domain SAV Support via BGP (Shengnan Yue)
Peter: How to deal with FRR cases on intermediate routers when something fails?
Shengnan: We calculate path based on connectivity. FRR won’t affect the result.
Aijun: In your solution all the interfaces are allowed.
Peter: Take this offline.
Lancheng: Go to page 4. It’s not an asymmetric routing scenario. So it doesn’t address the problem in the PS document.
Joel: Thanks for running tests. May need more complex topology for evaluation and show how to cope with all kinds of scenarios, which are very useful.
Weiqiang: For FRR, all nodes running IGP are dynamically updating the routing information, so we have some functions. We need some extra text in the draft.
Chongfeng: How to verify the source address for SRv6 paths?
Weiqiang: Interesting point. SRv6 is HbH. We don’t support it now and it’s out of scope.
Joel: In SRv6 you are checking the tunnel address. It’s a different kind of question and we need to be careful. It’s not out of scope but we need to be careful.
Aijun: More discussion on the list.

4. General Source Address Validation Capabilities (Mingqing Huang)
XXX: Go to the comment page. Computation is also a limitation in addition to memory.
Mingqing: Right, it’s a dataplane design challenge.
Aijun: You can raise the question in the mailing list to ask for opinions.

5. Remote Measurement of Outbound Source Address Validation Deployment (Shuai Wang)
No question.

6. Inter-domain Source Address Validation (SAVNET) Architecture (Libin Liu)
Sriram: Thank you for considering the comments on the mailing list. Two main issues: Prioritization of different types of data sources (removed now); and SAV specific data and protocol. About hidden AS and security issues.
Libin: We’ll consider the details in the solution.

7. Update on the BAR-SAV draft (K. Sriram)
Aijun: Go to slide 6. Why do you get all prefixes in ROA?
Sriram: We want to be prepared for that.
Aijun: So you allow all the prefixes.
Sriram: Yes that are legitimate on the basis of GDP.
Aijun: More efficient method can be found.
Mingqing: In the short term can we get the information by local management?
Sriram: Yes. Can discuss on the mailing list.
Maria: Is that a good idea to use BGP community to send information?
Sriram: Consider security and abuse. Like to discuss with you in more detail.
Azimov: Do you propose to apply it on customer facing links?
Sriram: No.
Azimov: Two comments. The second is a general concern on the last slide. It may affect your network connectivity. May cause packet loss. So I see here the possibility of false positives.
Sriram: Talk offline.
Azimov: I would agree in the ideal situation. But not in the incremental deployment scenario.
Sriram: OK to have extra few prefixes in the allow list. Being conservative is favorable.

8. Bicone Source Address Validation (Lancheng Qin)
No question.

9. BGP Operations for Inter-domain SAVNET (Xueyan Song)
Libin: How does this address the problem in the inter-domain PS draft?
Xueyan: This draft is mainly for multi-homing scenarios.
Libin: We can discuss offline.
Aijun: You should compare with the inter-domain architecture and solutions.

10. Source Address Validation Enhanced by Network Controller (Tian Tong)
Jeffrey Haas: BGP LS distributes traffic engineering interfaces rather than IGP topology. It’s not guaranteed base case for BGP LS to carry IGP topology. Should note in your proposal.
Tian: OK.
Lancheng: You introduce a high level idea but no solution. How can this address the problem in the PS document?
Tian: Will talk offline to figure out solution.
Michael: This is a centralized control system which is challenging. What kind of information to collect and what kind of algorithm is feasible?
Tian: Now it’s overall and general solution. Will add details.

11. Segment Routing Policy-Based Source Address Validation (SAV) (Xueting Li)
Lancheng: Go to Page 4. Another use case is edge only SAV which cannot protect against malicious traffic from internal nodes. The early version of the intra-domain PS doc has a scenario about malicious internal nodes which was removed because it has not really happened.
Xueting: Internal nodes may attempt to send malicious traffic through a non-standard path set which is not detected.
Lancheng: It’s not easy to find which router is trusted or not. Suggest focusing on spoofing traffic from the host.
Xueting: OK.
Maria: If host is able to spoof some traffic, isn't that host also able to spoof the routing traffic?
Aijun: Please take the question to the mailing list.

12. A Profile of Signed SAVNET-Peering Information (SiSPI) Object for Deploying Inter-domain (Libin Liu)
No question.

Time out, cut off 3 scheduled talks.