Hi all,

We just updated the draft about the new SAV (Source Address Validation) mechanism. 
Basically, the new SAV mechanism wants to address:
1) We may need native source-address-based validation rather than the current FIB 
(uRPF, policy routing)/ACL-based validation, which introduces scenario 
limitations and scalability issues. The new SAV may be generated automatically 
by protocol extension etc. by the router itself, or can just be configured from a 
local/remote control center.
2) Currently, ingress filtering is an interface-based source prefix permission 
list mechanism, which requires the router system to get the whole set of source prefixes 
for a specific interface accurately, while in some cases that is impossible. So a 
new prefix-based interface permission list or deny list may help in some 
scenarios; overall we defined 3 SAV modes in the draft. 
3) Traditionally, the router system just drops the SAV-failed packets silently, which 
leaves us not knowing what exactly is going on, whom/what service is the victim, 
and who is the attack source. So we think we may need to introduce various actions 
for SAV, e.g. filtering/CAR, sampling etc.

Although the draft is now submitted to the SAVNET WG, it is actually more 
related to general spoofing prevention operation, not to protocol extension 
etc. So I am forwarding the update to the OpSec WG; any comments are welcome.

BR,
Mingqing (Michael) Huang

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org> 
Sent: Tuesday, March 7, 2023 2:31 PM
To: liumingxing (E) <liumingxi...@huawei.com>; Dan Li 
<toli...@tsinghua.edu.cn>; Li Chen <lic...@zgclab.edu.cn>; Huangmingqing 
(Michael) <huangmingq...@huawei.com>; liumingxing (E) 
<liumingxi...@huawei.com>; gengnan <geng...@huawei.com>; Weiqiang Cheng 
<chengweiqi...@chinamobile.com>
Subject: New Version Notification for draft-huang-savnet-sav-table-01.txt


A new version of I-D, draft-huang-savnet-sav-table-01.txt
has been successfully submitted by Nan Geng and posted to the IETF repository.

Name:           draft-huang-savnet-sav-table
Revision:       01
Title:          Source Address Validation Table Abstraction and Application
Document date:  2023-03-06
Group:          Individual Submission
Pages:          11
URL:            https://www.ietf.org/archive/id/draft-huang-savnet-sav-table-01.txt
Status:         https://datatracker.ietf.org/doc/draft-huang-savnet-sav-table/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-huang-savnet-sav-table
Diff:           https://author-tools.ietf.org/iddiff?url2=draft-huang-savnet-sav-table-01

Abstract:
   Source address validation (SAV) table consists of SAV rules that are
   manually configured or automatically generated.  The table will take
   effect in data plane for checking the validity of source addresses.
   SAV mechanisms may enable SAV tables in data plane using different
   methods (e.g., ACL or FIB), and these tables are suitable for
   different application scenarios.  This document aims to provide a
   systematic view of existing SAV tables, which makes it convenient for
   engineers or operators to improve existing SAV mechanisms or properly
   apply SAV on routers.  The document first examines existing forms of
   SAV tables and provides a unified abstraction.  Then, three
   validation modes are concluded as well as suggestions for application
   scenarios.  Finally, diversified actions for each validity state are
   introduced for compliance of different operation requirements.

The IETF Secretariat
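The three validation modes and the per-state actions that the mail above sketches can be made concrete with a small table model. The following is an added illustration written for this thread; it is not code from the draft or its authors, and the rule semantics (longest-prefix match, "unknown" for sources no rule covers, the default action per state) are this example's own assumptions rather than anything the draft specifies. Interface names and prefixes are constructed sample data.

```python
"""Toy SAV table: three validation modes and configurable per-state actions.

Added example for this mailing-list thread, not the draft's own code.
Assumed semantics (not taken from the draft):
  - INTERFACE_ALLOW: classic ingress filtering. A packet on interface X is valid
    only if some rule permits its source prefix on X; an interface with no rules
    at all is "unknown" (SAV not enabled there).
  - PREFIX_ALLOW / PREFIX_DENY: look up the source by longest-prefix match; the
    matched rule lists the interfaces the prefix is allowed (or denied) on.
    A source no rule covers is "unknown" instead of being silently judged.
  - Actions are looked up per validity state, so an operator can sample or
    rate-limit instead of dropping silently (the visibility point 3 in the mail).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    INTERFACE_ALLOW = "interface-based source prefix permission list"
    PREFIX_ALLOW = "prefix-based interface permission list"
    PREFIX_DENY = "prefix-based interface deny list"


class Validity(Enum):
    VALID = "valid"
    INVALID = "invalid"
    UNKNOWN = "unknown"   # no rule covers this source/interface; SAV cannot decide


# Default action per state; "sample" and "rate-limit" are placeholders for CAR/sampling.
DEFAULT_ACTIONS = {Validity.VALID: "forward",
                   Validity.INVALID: "drop",
                   Validity.UNKNOWN: "forward"}


@dataclass
class SavTable:
    mode: Mode
    rules: list = field(default_factory=list)            # (ip_network, frozenset(interfaces))
    actions: dict = field(default_factory=lambda: dict(DEFAULT_ACTIONS))
    counters: Counter = field(default_factory=Counter)   # (interface, state) -> packet count

    def add_rule(self, prefix, interfaces):
        self.rules.append((ipaddress.ip_network(prefix), frozenset(interfaces)))

    def validate(self, src, ifname):
        ip = ipaddress.ip_address(src)
        if self.mode is Mode.INTERFACE_ALLOW:
            permitted_here = [p for p, ifs in self.rules if ifname in ifs]
            if not permitted_here:
                return Validity.UNKNOWN                 # SAV not configured on this interface
            return Validity.VALID if any(ip in p for p in permitted_here) else Validity.INVALID
        covering = [(p, ifs) for p, ifs in self.rules if ip in p]
        if not covering:
            return Validity.UNKNOWN
        _, ifs = max(covering, key=lambda r: r[0].prefixlen)   # longest-prefix match wins
        listed = ifname in ifs
        if self.mode is Mode.PREFIX_ALLOW:
            return Validity.VALID if listed else Validity.INVALID
        return Validity.INVALID if listed else Validity.VALID  # PREFIX_DENY

    def process(self, src, ifname):
        """Validate one packet, count it per (interface, state), return (state, action)."""
        state = self.validate(src, ifname)
        self.counters[(ifname, state.value)] += 1
        return state, self.actions[state]


def demo():
    """Run constructed packets through one table per mode; returns the outcomes."""
    out = {}
    # Mode 1: customer ports with a complete permitted-prefix list per interface.
    t1 = SavTable(Mode.INTERFACE_ALLOW)
    t1.add_rule("192.0.2.0/24", ["cust-a"])
    t1.add_rule("198.51.100.0/24", ["cust-b"])
    out["if_ok"] = t1.process("192.0.2.10", "cust-a")          # (VALID, forward)
    out["if_spoof"] = t1.process("198.51.100.5", "cust-a")     # (INVALID, drop)
    out["if_core"] = t1.process("203.0.113.1", "core-1")       # (UNKNOWN, forward)
    # Mode 2: a prefix allowed only on listed ports, with a more specific sub-delegation.
    t2 = SavTable(Mode.PREFIX_ALLOW)
    t2.add_rule("192.0.2.0/24", ["cust-a"])
    t2.add_rule("192.0.2.128/25", ["cust-c"])
    out["pa_sub_ok"] = t2.validate("192.0.2.200", "cust-c")    # VALID (longest match)
    out["pa_sub_bad"] = t2.validate("192.0.2.200", "cust-a")   # INVALID
    out["pa_parent"] = t2.validate("192.0.2.5", "cust-a")      # VALID
    # Mode 3: a deny list; customer space must never arrive from the core, and instead of a
    # silent drop the operator samples invalid packets so the victim/source become visible.
    t3 = SavTable(Mode.PREFIX_DENY, actions={**DEFAULT_ACTIONS, Validity.INVALID: "sample"})
    t3.add_rule("192.0.2.0/24", ["core-1"])
    out["pd_from_core"] = t3.process("192.0.2.10", "core-1")   # (INVALID, sample)
    out["pd_from_cust"] = t3.process("192.0.2.10", "cust-a")   # (VALID, forward)
    out["pd_uncovered"] = t3.process("203.0.113.1", "core-1")  # (UNKNOWN, forward)
    out["pd_counters"] = dict(t3.counters)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The deny-list table shows the trade-off the mail makes in point 2: it needs no complete list of what is legitimate on an interface, only the prefixes that must never appear there, at the cost of returning "unknown" for everything else. The counters on the third table are the minimal form of the visibility point 3 asks for: without them, every invalid packet disappears and neither the victim nor the source interface is recorded.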



-- 
savnet mailing list
sav...@ietf.org
https://www.ietf.org/mailman/listinfo/savnet
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec