Internet-Draft SRsav September 2024
Li, et al. Expires 3 April 2025 [Page]
Workgroup:
SAVNET Working Group
Internet-Draft:
draft-li-savnet-srsav-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
X. Li
China Telecom
A. Wang
China Telecom
W. Wang
China Telecom
Y. Zhang
Zhongguancun Laboratory

Segment Routing Policy-Based Source Address Validation (SAV) Mechanism

Abstract

This draft proposes a novel mechanism for Source Address Validation (SAV) message propagation based on Segment Routing policies (SR-policy). Traditional SAV mechanisms often rely on routing tables (RIB) and Policy-Based Routing (PBR), but these methods lack the flexibility and granularity needed for some network environments. By leveraging the flexibility and control capabilities of SR-policy, the proposed mechanism ensures that SAV messages are propagated along well-defined paths, ensuring efficient, secure, and accurate source address validation.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 3 April 2025.

Table of Contents

1. Introduction

In modern network environments, Source Address Validation (SAV) [SAVNET] mechanisms are critical for ensuring that data packets have legitimate source addresses. Traditional SAV mechanisms typically rely on routing tables (RIB) to control and generate strategies for verifying source addresses. However, these methods often lack flexibility and granular control. While Policy-Based Routing (PBR) [sav-ospf] improves upon these traditional methods by allowing for more customized routing policies, it still falls short in environments where Segment Routing (SR) [RFC8402] policies are employed. This is because SR-policy [RFC8987] allows traffic to be routed along pre-defined paths that may not align with traditional SAV control mechanisms, leading to potential failures in source address validation [SAV].

To address these challenges, this document proposes a novel mechanism for SAV message propagation based on Segment Routing policies (SR-policy). By utilizing the flexibility and control capabilities of SR-policy, we can define explicit paths for SAV messages, ensuring their efficient, secure, and accurate propagation through the network.

The mechanism involves generating SR-policies that specify explicit paths using Segment Identifiers (SIDs). These policies are then disseminated to key nodes within the network. The headend router parses the SR-policy, generates the SAV message, and forwards the SAV message along the specified paths. Routers along the path verify their role using the SID list, if they are key nodes, process the SAV message and create the SAV rule , and then propagate the message to nexthop.

2. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] [RFC8174].

3. Terminology

The following terms are used in this draft:

4. The SAV Message Propagation based on SR-policy

In an SR-policy-configured network, SAV messages are propagated according to the paths defined by the SR-policy. Each router along the path uses the SID list specified in the SR-policy to forward SAV messages hop-by-hop.

Consider a network scenario where SR-policy is utilized for SAV message propagation. Take Figure 1 as an example. The network topology consists of several routers, with a source server (S1) sending traffic destined for a destination server (D1). The routers involved in the SR-policy path include R1, R2, R3, R5, and R7.

In this scenario, the SR-policy path for traffic from S1 to D1 is defined to go through R1, R2, R3, R5, and finally R7. The segment list for this SR-policy path includes the segment identifiers (SID) for each router along the path: SID1 for R1, SID2 for R2, SID3 for R3, SID5 for R5, and SID7 for R7.

When Router R1, the head-end router, receives traffic from the source prefix 10.1.1.0/24 destined for the destination prefix 10.7.0.0/16, it generates a SAV message based on the SR-policy. This SAV message includes the source router (R1), the neighbor router (R2), the source prefix (10.1.1.0/24), and the segment list [SID1, SID2, SID3, SID5, SID7].

R1 forwards the SAV message to R2. Upon receiving it, R2 processes the message and designates the interface that received it from R1 as valid for traffic from the source prefix 10.1.1.0/24, creating the SAV rules. After checking the SID list, R2 forwards the message to R3. Similarly, R3 processes the SAV message, designates the interface that received it from R2 as valid for the same source prefix, and creates the SAV rules. This process continues as R3 forwards the message to R5, with R5 designating the interface that received it from R3 as valid, creates the SAV rules.

Then R5 forwards the SAV message to R7. R7 designates the interface that received the message from R5 as valid. Finally, R7, recognizing itself as the destination router, processes the SAV message, creates the SAV rules, and designates its interface for traffic destined 10.1.1.0/24.

   +---------+        +---------+        +---------+        +---------+
   |  Source |        |         |        |         |        |         |
   |  Server |        | Router  |        | Router  |        | Router  |
   |   S1    +--------+    R1   +--------+    R2   +--------+    R3   |
   +---------+        +---------+        +---------+        +---------+
    10.1.1.0/24                                |                   |
                                               |                   |
                                         +---------+        +---------+
                                         |         |        |         |
                                         | Router  |        | Router  |
                                         |    R4   +--------+    R5   |
                                         +---------+        +---------+
                                              |                   |
                                              |                   |
                                         +---------+        +---------+
                                         |         |        |         |
                                         | Router  |        | Router  |
                                         |    R6   +--------+    R7   |
                                         +---------+        +---------+
                                                                 |
                                                                 |
                                                            +---------+
                                                            |         |
                                                            |  Dest.  |
                                                            | Server  |
                                                            |   D1    |
                                               10.7.0.0/16  +---------+
  Figure 1 An example of intra-domain network

4.1. SR-policy Generation and Distribution

  1. Controller Generation and Distribution: In an SR-policy-configured network, the controller generates SR-policy and distributes it to key nodes such as gateways, core routers, or edge routers. The controller directly delivers the SR-policy to the headend router.

  2. SR-policy Parsing: Upon receiving the SR-policy from the controller, the headend router parses the policy to extract the Segment List and associated strategy information, such as path selection and QoS parameters. The headend router parses the segment routing policy sent by the controller to obtain a target segment list; the target segment list is composed of ordered segment identifiers, the segment identifiers in the target segment list are used to represent nodes in the network, and the target segment list is used to define a forwarding path.

  3. Message Generation: The headend router generates the SAV message based on the SR-policy.

  4. Message Distribution: The headend router forwards the SAV messages according to the forwarding path.

4.2. The SAV Messages Generation and SAV Rule's Creation

The headend router generates the SAV message based on SR-policy and forwards the SAV message to other routers according to the forwarding path. Then the other routers create SAV rules at the receiving interface after receiving the SAV message, which to ensure accurate and secure traffic forwarding. The SAV rules verify the legitimacy of packet source addresses to prevent malicious or misleading information.

4.2.1. The SAV Messages Fields

The structure of the SAV message was proposed in [ID.draft-zhang-savnet-sav-ospf-00], and we have referenced it, providing the following explanations for each field. It should be noted that [ID.draft-zhang-savnet-sav-ospf-00] assigns field values based on the routing table, while this draft assigns field values based on SR policy. The SAV message includes: Message Type field, Source Router field, Neighbor Router field, Source Prefix field, and Segment List field. The SAV message further includes one or more of a Security Level field and a Quality Of Service field.

  • Message Type (MT): Used to indicates the type of message.

  • Source Router (SR): Used to identifier of the source router.

  • Neighbor Router (NR): Used to identifier of the neighbor router.

  • Source Prefix (SP): Used to identify source prefix.

  • Segment ID List (SID_list): Used to list of segment IDs defined by the SR-policy.

  • Security Level (SEC): Used to indicates security requirements.

  • Quality of Service (QoS): Used to indicates quality of service requirements.

4.2.2. Text representation of the SAV message

Based on the SR-policy, this document RECOMMENDED text representation of SAV message through following structure:

  1. <srcIP, other, SID_list>:

    • SP: srcIP

    • DR: Updated according to SID_list.

    • SID_list: Segment IDs specified by the SR-policy.

  2. <*, other, SID_list>:

    • SP: Default value, representing all source prefixes from the head-end router.

    • DR: Updated according to SID_list.

    • SID_list: Segment IDs specified by the SR-policy.

  3. Security and QoS Settings:

    • SEC: Set according to the security requirements defined in the SR-policy.

    • QoS: Set according to the QoS requirements defined in the SR-policy.

Explain and clarify the above structure:

1. When the SR-policy includes source prefixes, the Source Prefix (SP) field in the SAV message can be directly set to srcIP in the policy by the headend router. Specifically:

  • The headend router determines the value of the Source Prefix field in the SAV message based on the SR-policy.

  • The headend router sets the value of the Segment ID List field in the SAV message to the target Segment List defined by the SR-policy.

2. When the SR-policy does not include source prefixes, the Source Prefix (SP) field in the SAV message is set to the default value by the headend router according to the local traffic control policy. Specifically:

  • The headend router sets the default value for the Source Prefix field in the SAV message according to its local traffic control policy.

  • The headend router sets the value of the Segment ID List field in the SAV message to the target Segment List defined by the SR-policy.

3. The headend router determines the value of the security level field in the SAV message based on the security requirements in the SR-policy; The headend router determines the value of the quality of service field in the source address verification message based on the quality of service requirements in the SR-policy.

4.2.3. The SAV Rule's Creation

The headend router generates the SAV message and forwards it to the other forwarding routers. The forwarding routers process the SAV message, identifying the interface receiving the SAV message as a valid interface, creating the SAV rules. Then The forwarding routers forward the SAV message to the next hop based on the Segment List in the SAV message. The SAV rules are created to ensure that the data packets enter the router meet the required SAV rules. To guide routers on how to handle source address verification of actual data packets. The SAV rule includes these fields: SP field and List of valid interfaces field.

  • Source prefix (SP): The source prefix that needs to be verified.

  • List of valid interfaces: which interfaces can receive data packets from the specified source prefix.

  • Security Level (SEC): Define how to handle non compliant data packets (optional).

  • Quality of Service (QoS): Quality of Service requirements related to packet processing (optional).

4.3. The SAV Message Forwarding Decisions

1. Basic Forwarding Logic:

When a router receives an SAV message, it must forward the message along the path specified by its SR-policy rules.

The process involves several steps:

2. Interface Policies:

3. Message Forwarding:

4.4. Handling Exceptions

4.5. Mechanism Optimization

4.6. Usecase: SAV Message Propagation Based on SR-policy

Network Topology Consider a network topology with the following routers and connections: R1: Headend router R2: Intermediate router R3: Intermediate router R4: Intermediate router R5: Destination router. As shown in Figure 2.

The network connections are as follows: R1 is connected to R2 and R3. R2 is connected to R4. R3 is connected to R4. R4 is connected to R5. In this scenario, we have the following SR-policy defined:

The goal is to redirect traffic from the source IP addresses within 10.1.1.0/24 heading towards the destination prefix 10.5.0.0/16 to follow the path defined by the SR-policy: R1 -> R2 -> R4 -> R5. This ensures that all interfaces along the path create appropriate the SAV rule to validate incoming traffic.

Steps:

Control Plane: SR-policy Creation and Distribution:

R1 Control Plane: SAV Message Generation:

Data Plane: SAV Message Propagation:

The SAV message includes:

R1 forwards the SAV message to R2. At R2: R2 receives the SAV message from R1. R2 matches the SID2 from the SID_list to its local SID and recognizes itself as a key node. R2 designates the interface for receiving the SAV message from R1 is valid for incoming traffic from 10.1.1.0/24. R2 handles the SAV message and creates the SAV rule at the interface of receiving the SAV message. Then R2 forwards the SAV message to R4 (next hop according to SID_list).

At R4: R4 receives the SAV message from R2. R4 matches the SID4 from the SID_list to its local SID and recognizes itself as a key node. R4 designates the interface for receiving the SAV message from R2 is valid for incoming traffic from 10.1.1.0/24. R4 handles the SAV message and creates the SAV rule at the interface of receiving the SAV message. Then R4 forwards the SAV message to R5 (next hop according to SID_list).

At R5: R5 receives the SAV message from R4. R5 matches the SID5 from the SID_list to its local SID and recognizes itself as the final destination. R5 designates the interface for receiving the SAV message from R4 is valid for incoming traffic from 10.1.1.0/24. R5 handles the SAV message and creates the SAV rule at the interface of receiving the SAV message.

During the SAV message forwarding process, there may be the following situations:

  1. Missing Neighbor Router: If a router cannot find NR when forwarding the SAV message along the forwarding path, it floods the SAV message to all neighboring routers. This forwarding path is the path specified by SID_list in the SAV message. This approach ensures that the SAV message does not get dropped due to the missing of a specified NR, allowing the message to continue its propagation and potentially be processed by a router that can provide further direction.

  2. Non-path Next-hop Router: If the next hop router does not match in the SID_ list, the router will not handle the SAV message and create the SAV rule since the next-hop router is not part of the predefined path in the SID_ list. The router floods the SAV message to all its neighboring routers. This ensures that only routers on the specified path create the SAV rule, maintaining the integrity and accuracy of the SR-policy.

Results By propagating the SAV message, each router along the path (R1 -> R2 -> R4 -> R5) has validated interfaces for incoming traffic from the source prefix 10.1.1.0/24. This ensures that subsequent traffic can be validated and follow pre-defined paths, thereby enhancing the security and reliability of the network.

   +-----+       +-----+       +-----+       +-----+
   | R1  |-------| R2  |-------| R4  |-------| R5  |
   +-----+       +-----+       +-----+       +-----+
          \                    /
            \               /
              \          /
                 +-----+
                 | R3  |
                 +-----+
Figure 2 An example of usecase

5. Conclusion

This SR-policy-based SAV message propagation mechanism provides enhanced control and flexibility compared to traditional methods, ensuring efficient, secure, and accurate propagation of source address validation messages. By leveraging SR-policy's capabilities, network administrators can define optimal paths, enforce the SAV rule at key nodes, and maintain high security and QoS standards throughout the network.

This draft outlines a robust and adaptable approach to SAV message propagation, paving the way for improved network security and performance in SR-policy-configured environments.

6. IANA Considerations

7. Acknowledgement

8. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words".
[RFC8402]
"Segment Routing Architecture".
[RFC8793]
Wissingh, B., Wood, C., Afanasyev, A., Zhang, L., Oran, D., and C. Tschudin, "Information-Centric Networking (ICN): Content-Centric Networking (CCNx) and Named Data Networking (NDN) Terminology", RFC 8793, DOI 10.17487/RFC8793, , <https://www.rfc-editor.org/info/rfc8793>.
[RFC8987]
"Segment Routing Policy Architecture.".
[SAV]
"General Source Address Validation Capabilities", .
[sav-ospf]
"draft-zhang-savnet-sav-ospf-00", .
[SAVNET]
"Intra-domain Source Address Validation (SAVNET) Architecture".

Authors' Addresses

Xueting Li
China Telecom
Beiqijia Town, Changping District
Beijing
Beijing, 102209
China
Aijun Wang
China Telecom
Beiqijia Town, Changping District
Beijing
Beijing, 102209
China
Wei Wang
China Telecom
Beiqijia Town, Changping District
Beijing
Beijing, 102209
China
Yuanyuan Zhang
Zhongguancun Laboratory
Beijing
Beijing, 100000
China