Nowadays, many attack methods, such as redirection, amplification, and anonymity, exploit source IP address spoofing, thereby making it a significant threat to Internet security.
To cope with this, network operators have implemented Source Address Validation (SAV) mechanisms, to filter out packets with spoofed source IP addresses. However, these mechanisms still grapple with challenges concerning validation accuracy and operational efficiency.
In 2022, the Source Address Validation in Intra-domain and Inter-domain Networks Working Group (SAVNET WG) was formed by the Internet Engineering Task Force (IETF). This initiative is dedicated to enhancing SAV capabilities across both intra-domain and inter-domain networks, bolstering security measures against such threats.
In this post, my co-authors and I present a comprehensive overview of the IETF 117 SAVNET WG meeting and introduce an open source project known as the SAV Open Playground (SAVOP) and forthcoming endeavours for SAVNET WG.
IETF 117 SAVNET WG meeting
The IETF 117 SAVNET WG meeting encompassed six presentations. These presentations included an overview of the intra-domain and inter-domain SAV problem statements, as well as a detailed introduction to both intra-domain and inter-domain SAVNET architectures. Notably, the meeting delved into the scale analysis applied to Internet-scale SAV tables, utilizing real BGP data. The presentations also provided an introduction to the recent progress of the SAV Open Playground (SAVOP) and the SAVNET YANG model.
The IETF 117 presentations summarize the recent progress of the IETF SAVNET WG:
- ‘A Summary of Intra-domain and Inter-domain SAV Problem Statements and Next-step Work’ provides an overview of the fundamental problems of existing SAV mechanisms, outlines the requirements for the new SAV mechanisms, and offers insights into the WG’s future endeavours.
- ‘SAVNET Architecture for Intra-domain Network’ introduces a comprehensive framework to guide the design of new intra-domain SAV mechanisms that satisfy the requirements proposed in the intra-domain problem statement draft.
- ‘SAVNET Architecture for Inter-domain Network’ illustrates the SAV-specific information communicated between ASes and shows how to combine that SAV-specific information with general routing information to generate SAV rules for inter-domain SAV.
- ‘How Much Larger Is SAV Table Compared to FIB? A Study with Real BGP Data’ presents detailed analyses of the scale of the SAV tables under three modes, using BGP data from RouteViews and RIPE RIS, and reveals that 85% of ASes have SAV tables smaller than their corresponding FIBs.
- ‘Recent Progress of SAV Open Playground’ dissects the contributions of SAVOP to the IETF SAVNET WG, spotlighting key components within SAVOP.
- ‘A YANG Model for SAVNET’ introduces an initial yet foundational YANG model for managing and operating SAV-related configurations.
A recording of the IETF 117 SAVNET WG meeting is also available.
At IETF 117, the SAVNET WG met for the fourth time and reached a significant milestone. Both the intra-domain and inter-domain SAV problem statement drafts have been adopted by the SAVNET WG, allowing the SAVNET WG to focus on the design of the intra-domain and inter-domain SAVNET architectures next.
In addition, it is worth highlighting that SAVOP drew the comment “This is really neat. Want to play with it.” from Joseph Hall of ISOC during the IETF 117 meeting. Below is a comprehensive illustration of SAVOP, covering its objectives, architecture, and contributions to the SAVNET WG.
SAV Open Playground
Many consumer CPEs are based on one of a couple of chipsets and software provided as a reference implementation by a few vendors (e.g. Broadcom, Intel, etc.) and various open-source software components, but then retail vendors (OEMs) take that architecture and augment it with features and additional code as they deem necessary, which results in significant diversity in implementation and lack of a baseline standard.
Deployment considerations: Implementation of anti-spoofing mechanisms and solutions in key open-source projects is equally important.
(Addressing the challenge of IP spoofing, Internet Society, February 2015)
In 2015, during a roundtable organized by the Internet Society, network practitioners underlined the significance of incorporating SAV mechanisms and solutions into key open source projects. This emphasis holds true to this day. Our study reveals a series of requirements within our SAV community:
- A foundational reference project, designed to facilitate the development of novel SAV technologies. This project should ideally be constructed using open-source software routers, emphasizing scalability as a core principle.
- An experimentation environment that embraces container-based virtual network topologies. This environment serves as a testing ground for network operators to assess and refine their configurations effectively.
- A visualization tool that can aid networking professionals in comprehending diverse SAV mechanisms.
- An educational platform that can reproduce SAV experiments and also serves as an accessible resource for students to gain a comprehensive understanding of SAV principles.
SAVOP is purposefully developed to meet these requirements. The architecture of SAVOP is shown in Figure 1, comprising four core components: SAV Reference Router, Virtual Network Manager, Browser-based Visualization, and Emulated SAV Scenarios. As illustrated in Figure 1, SAVOP adopts a user-friendly web interface, facilitating the construction of network topologies and configuration of networks using containerized network technologies.
Leveraging user-defined configurations, the SAVOP backend effectively builds SAV scenarios via software routers and SAV Agents. Additionally, SAVOP incorporates a configuration database to store the emulated SAV scenarios, which can be readily replayed within the web interface. Consequently, SAVOP establishes a virtualized network platform that greatly simplifies the implementation and emulation of SAV mechanisms.
As shown in Figure 2, the SAV Agent comprises three components — the SAV Application, the SAV Information Base, and the SAV Table Manager. The SAV Agent extracts the information relevant to SAV from the software router, using its command line and router-native extensions, and stores it in the SAV Information Base. The SAV Application governs how that stored information is used: it selects the relevant entries of the SAV Information Base and defines the method used to generate SAV rules from them. The SAV Table Manager then enforces the SAV rules in the data plane by installing iptables rules in the Linux data path.
SAVOP is readily accessible as an open source project on GitHub, split across three repositories: SAV Reference Router, SAV Agent, and SAV Operations Tools. Together these repositories currently comprise about 15K lines of code.
SAVOP’s contributions to SAVNET WG
The unofficial mantra at the IETF is that ‘we believe in rough consensus and running code’. In that spirit, SAVOP aims to provide the running code to match the proposed work in the SAVNET WG. We invite all contributions to this open source project.
SAVOP plays a significant role in fulfilling the objectives outlined in the SAVNET WG charter.
First, the charter emphasizes the need to include an analysis of the current solutions, such as uRPF-related technologies, and their limitations. In response, SAVOP has successfully implemented and emulated various uRPF-based SAV mechanisms, including Strict uRPF, Loose uRPF, FP-uRPF, and EFP-uRPF. These implementations were tested and analysed across diverse network scenarios involving limited propagation of prefixes, hidden prefixes, and source address spoofing attacks.
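As an added illustration of the pipeline described above (this is not SAVOP's code), the following Python derives the per-interface SAV table a SAV Agent would build for Strict uRPF, Loose uRPF and FP-uRPF from a constructed RIB and FIB, checks sample packets against it in a limited-propagation scenario (a dual-homed customer whose backup path is in the RIB but not the FIB), and renders the table as iptables rules of the kind a SAV Table Manager installs. The route data, interface names and the FORWARD chain are assumptions; EFP-uRPF is not modelled.

```python
import ipaddress

# Constructed sample router state. The RIB keeps every route received, tagged
# with its ingress interface; the FIB keeps only the best route per prefix.
RIB = [
    ("203.0.113.0/24", "eth0"),
    ("203.0.113.0/24", "eth1"),   # backup path: the customer is dual-homed
    ("198.51.100.0/24", "eth1"),
]
FIB = {"203.0.113.0/24": "eth0", "198.51.100.0/24": "eth1"}


def build_sav_table(mode, fib, rib):
    """Return {interface: [allowed source prefixes]} for one uRPF mode.
    strict   : a source is valid only on the FIB's best-path interface.
    feasible : a source is valid on any interface with a RIB route (FP-uRPF).
    loose    : a source is valid on every interface if any FIB route exists.
    """
    ifaces = {i for _, i in rib} | set(fib.values())
    table = {i: set() for i in ifaces}
    if mode == "strict":
        for prefix, ifc in fib.items():
            table[ifc].add(prefix)
    elif mode == "feasible":
        for prefix, ifc in rib:
            table[ifc].add(prefix)
    elif mode == "loose":
        for ifc in ifaces:
            table[ifc].update(fib)
    else:
        raise ValueError(f"unknown uRPF mode {mode!r}")
    return {i: sorted(ipaddress.ip_network(p) for p in v) for i, v in table.items()}


def validate(table, ifc, src):
    """True if a packet with source src arriving on ifc passes the SAV table."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in table.get(ifc, []))


def iptables_rules(table, chain="FORWARD"):
    """Render a SAV table as iptables commands (chain name is an assumption):
    accept the allowed prefixes per interface, then drop the rest from it."""
    rules = []
    for ifc, prefixes in sorted(table.items()):
        for prefix in prefixes:
            rules.append(f"iptables -A {chain} -i {ifc} -s {prefix} -j ACCEPT")
        rules.append(f"iptables -A {chain} -i {ifc} -j DROP")
    return rules
```

Running the three modes against a legitimate packet from 203.0.113.7 on eth1 shows the accuracy trade-off the charter refers to: Strict uRPF drops it because only eth0 is in the FIB, FP-uRPF accepts it thanks to the RIB's backup route, and Loose uRPF accepts it but would also accept 198.51.100.5 arriving on eth0.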
Second, the charter underscores the expectation that new SAV mechanisms should enhance the validation accuracy of the current ones. Correspondingly, SAVOP introduced a novel SAV mechanism known as the Real Path Discovery Protocol (RPDP). Through meticulous implementation and emulation, RPDP’s accuracy was evaluated under varying network scenarios.
Furthermore, in line with the charter’s directive to collaborate with other working groups, we plan to implement new SAV mechanisms by extending existing routing protocols. Building on SAVOP, forthcoming work involves creating novel mechanisms that generate SAV rules via routing protocol extensions. These mechanisms will be implemented, emulated, and evaluated in diverse network contexts to substantiate their validation accuracy.
SAVNET WG’s next steps
Moving forward, the SAVNET WG will improve the intra-domain and inter-domain SAVNET architectures based on the feedback received during the IETF 117 meeting, optimize the SAVNET YANG model for operating and managing configurations within the new SAVNET architectures, and develop both existing and new SAV mechanisms on top of SAVOP.
Finally, as SAVNET WG members, we encourage network practitioners with an interest in SAV to join the discussion on the IETF mailing list, and we plan to collaborate closely with our community to promote the deployment of SAV.
Many thanks to Jared Mauch, Jeffrey Haas, Alvaro Retana, Kotikalapudi Sriram, Rüdiger Volk, Xueyan Song, Ben Maddison, Barry Greene, Fang Gao, Anthony Somerset, Yuanyuan Zhang, Igor Lubashev, Joel Halpern, Aijun Wang, Michael Richardson, Li Chen, Gert Doering, Xiangqing Chang, Changwang Lin, Mingxing Liu, John O’Brien, Roland Dobbins, and many others. Their comments and feedback, shared through both mailing lists and IETF meetings, have significantly enriched our work.
Libin Liu is an assistant researcher at Zhongguancun Laboratory