Network Working Group W. Cheng Internet Draft China Mobile Intended status: Informational D. Li Expires: April 28, 2025 Tsinghua University C. Lin New H3C Technologies S. Yue China Mobile October 21, 2024 Inter-domain Source Address Validation (SAVNET) OAM draft-cheng-savnet-inter-domain-oam-00 Abstract This document is a framework for how Source Address Validation (SAVNET) can be applied to operations and maintenance procedures for Inter-domain network. The document is structured to outline how Operations and Management (OAM) functionality can be used to assist in fault, configuration, accounting, performance, and security management, commonly known by the acronym FCAPS. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 28, 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents lin, et al. Expire April 28, 2025 [Page 1] Internet-Draft Inter-domain SAVNET OAM October 2024 (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction...................................................2 2. Requirements Language..........................................3 3. Overview.......................................................3 4. Terminology....................................................4 5. Fault Management...............................................4 5.1. Fault Detection...........................................4 5.2. Fault Isolation...........................................5 6. Operational and Manageability Considerations...................6 6.1. OAM1: Source information from different origins...........6 6.1.1. Configuration for RPKI...............................6 6.1.2. Configuration for source information from Local Routing ............................................................7 6.1.3. Configuration for source information IRR Data........7 6.1.4. Configuration for source information from BGP Update.7 6.1.5. Configuration for source information from specific...8 6.1.6. Notification for Source information..................8 6.1.7. Count for Source information.........................9 6.2. OAM2: SAV Information Base Manager........................9 6.2.1. Organization of Base Manager.........................9 6.2.2. Notification for Base Manager........................9 6.2.3. Count for Base Manager...............................9 6.3. OAM3: SAV Rules..........................................10 6.3.1. Count for SAV Rules.................................10 6.3.2. Permit Rules and Block Rules........................11 6.3.3. Performance.........................................11 6.4. Security Management......................................12 7. Security Considerations.......................................12 8. IANA Considerations...........................................12 9. References....................................................12 9.1. Normative References.....................................12 9.2. Informational References.................................13 Authors' Addresses...............................................13 1. Introduction Source address spoofing is one of the most serious security threats to today's Internet. It serves as a main attack vector for large- Cheng, et al. Expires April 28, 2025 [Page 2] Internet-Draft Inter-domain SAVNET OAM October 2024 scale Distributed Denial of Service (DDoS) attacks and is commonly used in reflective DDoS attacks. To mitigate source address spoofing, many source address validation (SAV) solutions (e.g., BCP38 [RFC2827] and BCP84 [RFC3704] [RFC8704]) have been proposed. The primary design goal of SAV solutions is avoiding improper block (i.e., blocking legitimate traffic) while maintaining directionality, especially in partial deployment scenarios (see [I- D.ietf-savnet-inter-domain-problem-statement] and [RFC8704]). To address these issues and guide the design of new inter-domain SAV solutions, [I-D.draft-wu-savnet-inter-domain-architecture] proposes the architecture of inter-domain SAVNET and introduces the use of SAV-specific information in inter-domain networks. Based on the architecture of inter-domain SAVNET, this document provides a framework and requirements for Inter-domain SAVNET Operations, Administration, and Maintenance (OAM). The approach of this document is to outline the functionality, potential mechanisms to provide the functions, and the required applicability of inter- domain OAM functions. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Overview This document primarily explores the functions that SAV Inter-domain OAM needs to accomplish. As shown in the architecture of Figure 1, the following OAM tasks need to be addressed: OAM1: Configure for different data sources, including RPKI, Local Routing, IRR Data, BGP Update, and SAV-Specific. OAM2: Based on the source information from the different data sources in OAM1, provide the functionality to view source information by AS number. OAM3: Based on the source information from different origins, optimize to generate SAV Rules, and maintain Permit Rules and Block Rules. Cheng, et al. Expires April 28, 2025 [Page 3] Internet-Draft Inter-domain SAVNET OAM October 2024 +-----------------------------------------------------------+ | AS X | | +-------------------------------------------------------+ | | | SAVNET Agent | | ---| | +---------------------+ +--------------------------+ | | | | | | General Information | | SAV-specific Information | | | | | | +---------------------+ +--------------------------+ | | | | | | | | | OAM1 \/ \/ | | | | | +---------------------------------------------------+ | | | | | | +-----------------------------------------------+ | | | ---| | | | SAV Information Base | | | | | | | | +-----------------------------------------------+ | | | OAM2 | | SAV Information Base Manager | | | | | | +---------------------------------------------------+ | | OAM3 | |SAV Rules | | | | +-------------------------------------------------------+ | ---| | | | \/ | | +-------------------------------------------------------+ | | | SAV Table | | | +-------------------------------------------------------+ | +-----------------------------------------------------------+ Figure 1 4. Terminology * ROA: Route Origin Authorization * ASPA: Autonomous System Provider Authorizations * IRR: Internet Routing Registry * Refer to the terms defined in Section 2 of [I-D.draft-wu-savnet- inter-domain-architecture] 5. Fault Management 5.1. Fault Detection - Real-time Monitoring Network Monitoring Systems: Use protocols like SNMP, NetFlow, sFlow, etc., to monitor network traffic and device status in real- time, quickly identifying anomalies through monitoring data. Cheng, et al. Expires April 28, 2025 [Page 4] Internet-Draft Inter-domain SAVNET OAM October 2024 Log Analysis: Automated log collection and analysis to detect abnormal logs or device error messages. Performance Monitoring: Monitor network performance metrics (such as latency, packet loss rate, jitter, etc.) to identify potential issues. - Alert System Threshold Alerts: Set threshold values to automatically trigger alerts when performance metrics exceed preset ranges. Pattern Recognition: Detect abnormal traffic patterns or behaviors using machine learning and pattern recognition techniques. - Automated Diagnostic Tools Self-check Tools: Use built-in self-check tools to perform regular checks on SAVNET configurations to detect configuration errors or inconsistencies. Fault Diagnostic System: Utilize intelligent fault diagnostic systems to quickly identify and locate faults. - Routing Protocol Analysis BGP Status Monitoring: Monitor BGP protocol status changes to identify routing table anomalies. RPKI Status Monitoring: Monitor BPKI protocol status changes to identify RPKI ROA RPKI ASPA anomalies. SAVNET Table Validation: Regularly validate SAV table entries to avoid faults caused by incorrect configurations. 5.2. Fault Isolation - Interface Level Disable Interface: If the fault comes from a specific network interface, you can temporarily disable that interface to prevent the spread of abnormal traffic. Adjust Traffic Path: Modify the routing policy to reroute traffic around the faulty interface. Cheng, et al. Expires April 28, 2025 [Page 5] Internet-Draft Inter-domain SAVNET OAM October 2024 - Routing Level Adjust Routing Table: Modify the BGP routing table to avoid routing traffic through the faulty node or path. Withdraw Route Advertisements: Withdraw route advertisements for the faulty path in BGP, preventing other routers from forwarding traffic to the fault path. - Device Level Isolate Faulty Device: Temporarily isolate the faulty device from the network and activate backup devices. Device Restart: If the fault is due to a temporary issue with the device, try restarting the device to restore it to normal operation. 6. Operational and Manageability Considerations 6.1. OAM1: Source information from different origins For each type of source information, it is necessary to configure whether it is supported. and set the priority for processing this source. Generally, SAV-specific has the highest priority, followed by RPKI ROA Obj. and ASPA Obj, then Local Routing, and finally IRR Data. 6.1.1. Configuration for RPKI - Enable Enable the function to obtain prefix origin information via RPKI. - Priority The usage priority of prefix origin information obtained through RPKI. - Capacity Maximum capacity for prefix origin information via RPKI. - Cache time For source information of RPKI, its cache time Cheng, et al. Expires April 28, 2025 [Page 6] Internet-Draft Inter-domain SAVNET OAM October 2024 6.1.2. Configuration for source information from Local Routing - Enable Enable the function to obtain prefix origin information via Local Routing. - Priority The usage priority of prefix origin information obtained through Local Routing. - Capacity Maximum capacity for prefix origin information via Local Routing. - Cache time For source information of Local Routing, its cache time 6.1.3. Configuration for source information IRR Data - Enable Enable the function to obtain prefix origin information via IRR Data. - Priority The usage priority of prefix origin information obtained through IRR Data. - Capacity Maximum capacity for prefix origin information via IRR Data. - Cache time For source information of IRR Data, its cache time 6.1.4. Configuration for source information from BGP Update - Enable Cheng, et al. Expires April 28, 2025 [Page 7] Internet-Draft Inter-domain SAVNET OAM October 2024 Enable the function to obtain prefix origin information via BGP Update. - Priority The usage priority of prefix origin information obtained through BGP Update. - Capacity Maximum capacity for prefix origin information via BGP Update. - Cache time For source information of BGP Update, its cache time 6.1.5. Configuration for source information from specific - Enable Enable the function to obtain prefix origin information via SAV- specific. - Priority The usage priority of prefix origin information obtained through SAV-specific. - Capacity Maximum capacity for prefix origin information via SAV-specific. - Cache time For source information of SAV-specific, its cache time 6.1.6. Notification for Source information The maximum number of supported information entries for each type of Source Information. - When cache count exceeds specifications, a notification needs to be sent Cheng, et al. Expires April 28, 2025 [Page 8] Internet-Draft Inter-domain SAVNET OAM October 2024 - Faults detected by proactive mechanisms. - Logged security incidents pertaining to the OAM Message Channel. - Protocol errors (for example, as caused by misconfiguration). 6.1.7. Count for Source information - Source Information entry Count by type Count the SAV Source information by source type. - Source Information entry modify count Count of Source Information Table Entries Added/Deleted/Modified 6.2. OAM2: SAV Information Base Manager You can view source information based on prefixes, different source types, and source AS. Each data source's information corresponds to a different priority level 6.2.1. Organization of Base Manager - Organization source information Based on Source AS. - Organization source information based on prefix - Maintain the inbound AS list and inbound interface list for table entries. 6.2.2. Notification for Base Manager - Faults detected by proactive mechanisms. - Logged security incidents pertaining to the OAM Message Channel. - Protocol errors (for example, as caused by misconfiguration). 6.2.3. Count for Base Manager - Global Count Count the SAV Source information by type. Count the SAV Source information by Source AS. - Count of Source Information entry modified Cheng, et al. Expires April 28, 2025 [Page 9] Internet-Draft Inter-domain SAVNET OAM October 2024 Count of Base Manager Entries Added/Deleted/Modified 6.3. OAM3: SAV Rules 6.3.1. Count for SAV Rules - Global Count Count the SAV Source information by type. Count the SAV Source information by Source AS. - AS-based Statistics: Collect statistics at the AS level for traffic where the source address fails the inter-domain source address validation. Record the five-tuple information of the flows. - AS-based Statistics: Collect statistics at the AS level for traffic where the source address passes the inter-domain source address validation. Record the five-tuple information of the flows. - AS-based Statistics: Collect statistics at the AS level for traffic where the source address is not found in the inter-domain SAVNET table. Record the five-tuple information of the flows. - Per Inter-domain SAVNET Table Entry Statistics: Collect statistics for each table entry on the number of passes and drops, recording the five-tuple information of the flows. - Global Statistics: Collect global statistics for inter-domain source address checks, including the number of passes, drops, lookups not found, and blacklist hits. This aids in overall operational management. - Blacklist Statistics: Collect statistics for traffic where the source address hits the blacklist. Record the five-tuple information of the flows. - Count of SAV Rule modified Count of SAV Rule Added/Deleted/Modified Cheng, et al. Expires April 28, 2025 [Page 10] Internet-Draft Inter-domain SAVNET OAM October 2024 6.3.2. Permit Rules and Block Rules Based on the actions after matching SAV table entries, there are Permit Rules and Block Rules. The Permit Rule allows traffic matching the prefix and inbound interface entry to pass through, while the Block Rule prevents traffic matching the prefix and inbound interface entry from passing through. The Permit Rule is used when the inbound interface of the address is precisely known. The Block Rule is applied when the source address is known from some inbound interfaces, with others uncertain, ensuring that the source address does not arrive from specific interfaces where the Block Rule is generated. 6.3.3. Performance Performance management allows the measurement of the information transfer characteristics of Inter-domain SAVNET, which can then be compared against an SLA. This falls into two categories: latency (including jitter as a variation in latency) and information loss. Perform performance measurements for traffic from different sources: - Traffic entering the inter-domain from outside the inter-domain. - Traffic leaving the inter-domain. - Traffic within the inter-domain. - Memory occupied by record entries - Time Spent on Calculating Table Items The goal is to monitor performance characteristics when the inter- domain SAVNET function is enabled. The network operator can extract performance monitoring metrics based on whether one-way or two-way performance monitoring functions are performed: - For one-way performance monitoring functions, the metrics will be available at the target router. - For two-way performance monitoring functions, all metrics will be available at the source router, while a subset will be available at the target router. Specifically, metrics for both the direction from source to target and from target to source will be available at the source router. Metrics for the direction from source to target will be available at the target router. Cheng, et al. Expires April 28, 2025 [Page 11] Internet-Draft Inter-domain SAVNET OAM October 2024 6.4. Security Management TBD 7. Security Considerations The security considerations described in [I-D.draft-wu-savnet-inter- domain-architecture] also applies to this document. 8. IANA Considerations TBD 9. References 9.1. Normative References [RFC8704] Sriram, K., Montgomery, D., and J. Haas, "Enhanced Feasible-Path Unicast Reverse Path Forwarding", BCP 84, RFC 8704, DOI 10.17487/RFC8704, February 2020, . [ietf-savnet-inter-domain-problem-statement] "Source Address Validation in Inter-domain Networks Gap Analysis, Problem Statement, and Requirements", 2024, . [draft-wu-savnet-inter-domain-architecture] D. Li, J. Wu, Tsinghua University, M. Huang, L. Chen, Zhongguancun Laboratory, N. Geng, Huawei, L. Liu, Zhongguancun Laboratory, "Inter- domain Source Address Validation (SAVNET) Architecture", draft-wu-savnet-inter-domain-architecture-11, DOI 10.17487/draft-wu-savnet-inter-domain-architecture-11.txt, February 2025, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Cheng, et al. Expires April 28, 2025 [Page 12] Internet-Draft Inter-domain SAVNET OAM October 2024 9.2. Informational References [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, . [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March 2004, . Authors' Addresses Weiqiang Cheng China Mobile China Email: chengweiqiang@chinamobile.com Dan Li Tsinghua University Beijing China Email: tolidan@tsinghua.edu.cn Changwang Lin New H3C Technologies China Email: linchangwang.04414@h3c.com Shengnan Yue China Mobile China yueshengnan@chinamobile.com Cheng, et al. Expires April 28, 2025 [Page 13]