Markdown Version | Session Recording
Session Date/Time: 08 Nov 2023 08:30
savnet
Summary
This session focused on Source Address Validation (SAV) Network technologies. Presentations covered intra-domain and inter-domain architectures, data plane capabilities, large-scale measurements of IP address spoofing, a SAV open playground, IGP extensions for intra-domain SAV, and BGP operations for inter-domain SAV. Discussions addressed architectural details, security considerations, deployment strategies, and performance evaluations of various SAV mechanisms.
Key Discussion Points
- Intra-domain Architecture: The discussion centered on the need for automatic updates and more accurate validation compared to existing MSAT/uRPF mechanisms. A key point raised was the need for trust models and how to handle asymmetric routing scenarios.
- Inter-domain Architecture: Clarification was sought on the contents of the self-specific message and on the general information needed to achieve source address validation. Incremental deployment is important.
- Data Plane Capabilities: Presented a proposed implementation, "general source address validation capability", covering challenges such as asymmetric routes and the limitations of ACL-based solutions. Discussed interface-based vs. prefix-based approaches, and desired traffic handling policies beyond simple dropping.
- Large-Scale Measurements: Showed methods to assess spoofing rates and discussed a measurement methodology. Measurement results showed high rates of inbound spoofing and pointed to locations where these issues need to be addressed.
- SAV Open Playground: Showcased a platform for implementing and emulating SAV mechanisms, including uRPF-based solutions, passport, and DISA. Covered aspects of validation accuracy, control/data plane performance, and scalability.
- IGP Extensions: Discussed techniques for incorporating source validation information into IGP to ensure fast convergence and backward compatibility. Key discussion was on applicability of the proposal to route policies.
- BGP Operations: The use of "Point of Interface" policies for inter-domain validation was discussed. Operator-managed ASBRs need the local policy to achieve source address validation.
- AI-Based Validation: A system that leverages AS relationships as a validation mechanism was introduced.
Decisions and Action Items
- Problems Draft: Review the problem statement draft to ensure it accurately reflects operator needs, especially regarding automation of ACL updates. Fix the problems draft so it doesn't claim a gap that operators don't have.
- Simulation Validation: Sriram to provide more details on the SAV Open Playground experiments to the list, to help validate the results and identify potential issues in the simulation setup (especially regarding ASPA configuration).
- Implementation Consolidation: Evaluate proposals related to pgb PDP based on the PGP protocol after the architecture has been finalized.
Next Steps
- Continue discussion on the mailing list, addressing raised questions and comments.
- Refine drafts based on feedback, focusing on security considerations, deployment strategies, and performance evaluations.
- Further develop the SAV Open Playground and encourage community contributions.