Session Date/Time: 22 Jul 2025 12:30

savnet

Summary

The SAVNET meeting covered updates on several working group documents and drafts, focusing on intra-domain and inter-domain source address validation (SAV) solutions. Key discussions revolved around the deployment location of SAV, the use of Traffic Origin Authorization (TOA), and scaling considerations. Presentations covered topics such as intra-domain problem statements, general SAV capabilities, BGP-based intra-domain SAV solutions, on-demand SAV mechanisms, inter-domain SAV gap analysis, and benchmarking methodologies.

Key Discussion Points

Intra-domain Problem Statement Document: The document was returned to the working group due to concerns that requirements were informational rather than normative and that some terms were not clearly defined. A suggestion was made to split the document into two: one informational document outlining use cases and gaps, and another standard track document defining normative requirements. The need for working group consensus on whether to split the document was emphasized.
General SAV Capabilities: Updates included adding a traffic counting policy, suggesting a default policy combination of discard for traffic control and count for traffic monitoring, and discussing the relationship with traditional URPF. The modes and scaling problems were discussed.
BGP-based Intra-domain SAV: Presentation of a solution applicable to edge, internal, and border routers using BGP. Concern raised about the use of BMSP, specifically forcing symmetric routing which may not always be desired. Deployment of SAV within the AS vs. at the border was debated.
On-Demand SAV: A proposal for on-demand SAV activation based on policy changes was presented. A question was raised about how to dynamically instantiate rules in FRR scenarios.
Inter-domain SAV Gap Analysis: Updates included refinements to examples, updated requirements descriptions, and clarifications on incremental deployment.
BARSAV: Updates on the coordination of BARSAV with FIB, RIB, and RPKI. The importance of sequencing and allowing sufficient delay for convergence was emphasized.
Traffic Origin Authorization (TOA): The need for a mechanism to authorize traffic origin separate from route origin was discussed, particularly for hidden prefixes. Two possible approaches were mentioned: defining a new RPKI signed object for TOA, and extending the semantics of an existing ROA field.
Biconsav: Updates on the usage of TOA in Biconsav for generating block lists. The benefits and tradeoffs of using allow lists vs. block lists were discussed, with a recommendation to use allow lists when completeness can be ensured.
AS Relationship-Based Inter-domain SAV: Updated terminology and requirements language. Implementations of key components in the inter-domain system based on current security mechanisms. Simulation was implemented using US in -G-S-3.
Inter-domain SPA: Proposing Inter-domain SPA to address hidden source prefixes and hidden passes of source prefixes, but needed to protect against prefix and path hijacking.
Benchmarking Methodology for SAV: Updates on SAV performance indicators and benchmarking tests for intra-domain and inter-domain SAV.
Scaling Problem: Scaling and convergence issues for various proposals were discussed, focusing on the time involved in propagating routes and programming SAV tables, potential synchronization effects, and the impact of different enforcement mechanisms.

Decisions and Action Items

Intra-domain Problem Statement Document: Authors to ensure a working group discussion and consensus is reached on whether to keep the document as a single informational document or split it into separate informational and standards-track documents.
Various Solutions: Continue discussions on the mailing list to address concerns and refine the proposals.

Next Steps

Continue discussions on the mailing list to refine the various SAV proposals.
Address scaling considerations and convergence issues in the development of SAV solutions.
Further explore the use of TOA for addressing hidden prefixes and source address validation.