idnits 2.17.00 (12 Aug 2021) /tmp/idnits2830/draft-savola-bcp38-multihoming-update-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (Dec 2003) is 6725 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 3330 (ref. '3') (Obsoleted by RFC 5735) Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Operations Area F. Baker 2 Internet-Draft Cisco Systems 3 Updates: 2827 (if approved) P. Savola 4 Expires: May 31, 2004 CSC/FUNET 5 Dec 2003 7 Ingress Filtering for Multihomed Networks 8 draft-savola-bcp38-multihoming-update-03 10 Status of this Memo 12 This document is an Internet-Draft and is in full conformance with 13 all provisions of Section 10 of RFC2026. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that other 17 groups may also distribute working documents as Internet-Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six months 20 and may be updated, replaced, or obsoleted by other documents at any 21 time. It is inappropriate to use Internet-Drafts as reference 22 material or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at http:// 25 www.ietf.org/ietf/1id-abstracts.txt. 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html. 30 This Internet-Draft will expire on May 31, 2004. 32 Copyright Notice 34 Copyright (C) The Internet Society (2003). All Rights Reserved. 36 Abstract 38 RFC 2827, BCP 38, is designed to limit the impact of distributed 39 denial of service attacks, by denying traffic with spoofed addresses 40 access to the network, and to help ensure that traffic is traceable 41 to its correct source network. As a side effect of protecting the 42 Internet against such attacks, the network implementing the solution 43 also protects itself from this and other attacks, such as spoofed 44 management access to networking equipment. There are cases when this 45 may create problems, e.g., with multihoming. This document describes 46 the current ingress filtering operational mechanisms, examines 47 generic issues related to ingress filtering and delves into the 48 effects on multihoming in particular. This memo updates RFC 2827. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Different Ways to Implement Ingress Filtering . . . . . . . . 4 54 2.1 Ingress Access Lists . . . . . . . . . . . . . . . . . . . . . 4 55 2.2 Strict Reverse Path Forwarding . . . . . . . . . . . . . . . . 5 56 2.3 Feasible Path Reverse Path Forwarding . . . . . . . . . . . . 6 57 2.4 Loose Reverse Path Forwarding . . . . . . . . . . . . . . . . 6 58 2.5 Loose Reverse Path Forwarding Ignoring Default Routes . . . . 7 59 3. Clarifying the Applicability of Ingress Filtering . . . . . . 8 60 3.1 Ingress Filtering at Multiple Levels . . . . . . . . . . . . . 8 61 3.2 Ingress Filtering to Protect Your Own Infrastructure . . . . . 8 62 3.3 Ingress Filtering on Peering Links . . . . . . . . . . . . . . 8 63 4. Solutions to Ingress Filtering with Multihoming . . . . . . . 9 64 4.1 Use Loose RPF When Appropriate . . . . . . . . . . . . . . . . 10 65 4.2 Ensure That Each ISP's Ingress Filter Is Complete . . . . . . 10 66 4.3 Send Traffic Using a Provider Prefix Only to That Provider . . 11 67 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 68 6. Conclusions and Future Work . . . . . . . . . . . . . . . . . 13 69 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 70 Normative References . . . . . . . . . . . . . . . . . . . . . 14 71 Informative References . . . . . . . . . . . . . . . . . . . . 14 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14 73 Intellectual Property and Copyright Statements . . . . . . . . 16 75 1. Introduction 77 RFC 2827 [1], BCP 38, is designed to limit the impact of distributed 78 denial of service attacks, by denying traffic with spoofed addresses 79 access to the network, and to help ensure that traffic is traceable 80 to its correct source network. As a side effect of protecting the 81 Internet against such attacks, the network implementing the solution 82 also protects itself from this and other attacks, such as spoofed 83 management access to networking equipment. There are cases when this 84 may create problems, e.g., with multihoming. This document describes 85 the current ingress filtering operational mechanisms, examines 86 generic issues related to ingress filtering and delves into the 87 effects on multihoming in particular. 89 RFC 2827 recommends that ISPs police their customers' traffic by 90 dropping traffic entering their networks that is coming from a source 91 address not legitimately in use by the customer network. The 92 filtering includes but is in no way limited to the traffic whose 93 source address is a so-called "Martian Address" - an address that is 94 reserved [3], including any address within 0.0.0.0/8, 10.0.0.0/8, 95 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 96 240.0.0.0/4. 98 The reasoning behind the ingress filtering procedure is that 99 Distributed Denial of Service Attacks frequently spoof other systems' 100 source addresses, placing a random number in the field. In some 101 attacks, this random number is deterministically within the target 102 network, simultaneously attacking one or more machines and causing 103 those machines to attack others with ICMP messages or other traffic; 104 in this case, the attacked sites can protect themselves by proper 105 filtering, by verifying that their prefixes are not used in the 106 source addresses in packets received from the Internet. In other 107 attacks, the source address is literally a random 32 bit number, 108 resulting in the source of the attack being difficult to trace. If 109 the traffic leaving an edge network and entering an ISP can be 110 limited to traffic it is legitimately sending, attacks can be 111 somewhat mitigated: traffic with random or improper source addresses 112 can be suppressed before it does significant damage, and attacks can 113 be readily traced back to at least their source networks. 115 This document is aimed at ISP and edge network operators who 1) would 116 like to learn more of ingress filtering methods in general, or 2) are 117 already using ingress filtering to some degree but who would like to 118 expand its use and want to avoid the pitfalls of ingress filtering in 119 the multihomed/asymmetric scenarios. 121 In section 2, several different ways to implement ingress filtering 122 are described and examined in the generic context. In section 3, 123 some clarifications on the applicability of ingress filtering methods 124 are made. In section 4, ingress filtering is analyzed in detail from 125 the multihoming perspective. In section 5, conclusions and potential 126 future work items are identified. 128 2. Different Ways to Implement Ingress Filtering 130 This section serves as an introduction to different operational 131 techniques used to implement ingress filtering as of writing this 132 memo. The mechanisms are described and analyzed in general terms, and 133 multihoming-specific issues are described in Section 4. 135 There are at least five ways one can implement RFC 2827, with varying 136 impacts. These include (the names are in relatively common usage): 138 o Ingress Access Lists 140 o Strict Reverse Path Forwarding 142 o Feasible Path Reverse Path Forwarding 144 o Loose Reverse Path Forwarding 146 o Loose Reverse Path Forwarding ignoring default routes 148 Other mechanisms are also possible, and indeed, there are a number of 149 techniques that might profit from further study, specification, 150 implementation, and/or deployment; see Section 6. However, these are 151 out of scope. 153 2.1 Ingress Access Lists 155 An Ingress Access List is a filter that checks the source address of 156 every message received on a network interface against a list of 157 acceptable prefixes, dropping any packet that does not match the 158 filter. While this is by no means the only way to implement an 159 ingress filter, it is the one proposed by BCP 38 [1], and in some 160 sense the most deterministic one. 162 However, Ingress Access Lists are typically maintained manually; for 163 example, forgetting to have the list updated at the ISPs if the set 164 of prefixes changes (e.g., as a result of multihoming) might lead to 165 discarding the packets if they do not pass the ingress filter. 167 Naturally, this problem is not limited to Ingress Access Lists -- it 168 is inherent to Ingress Filtering when the ingress filter is not 169 complete. However, usually Ingress Access Lists are more difficult to 170 maintain than the other mechanisms, and having an outdated list can 171 prevent legitimate access. 173 2.2 Strict Reverse Path Forwarding 175 Strict Reverse Path Forwarding (Strict RPF) is a simple way to 176 implement an ingress filter. It is conceptually identical to using 177 access lists for ingress filtering, with the exception that the 178 access list is dynamic. This may also be used to avoid duplicate 179 configuration (e.g., maintaining both static routes or BGP 180 prefix-list filters and interface access-lists). The procedure is 181 that the source address is looked up in the Forwarding Information 182 Base (FIB) - and if the packet is received on the interface which 183 would be used to forward the traffic to the source of the packet, it 184 passes the check. 186 Strict Reverse Path Forwarding is a very reasonable approach in front 187 of any kind of edge network; in particular, it is far superior to 188 Ingress Access Lists when the network edge is advertising multiple 189 prefixes using BGP. It makes for a simple, cheap, fast, and dynamic 190 filter. 192 But Strict Reverse Path Forwarding has some problems of its own. 193 First, the test is only applicable in places where routing is 194 symmetrical - where IP datagrams in one direction and responses from 195 the other deterministically follow the same path. While this is 196 common at edge network interfaces to their ISP, it is in no sense 197 common between ISPs, which normally use asymmetrical "hot potato" 198 routing. Also, if BGP is carrying prefixes and some legitimate 199 prefixes are not being advertised or not being accepted by the ISP 200 under its policy, the effect is the same as ingress filtering using 201 an incomplete access list: some legitimate traffic is filtered for 202 lack of a route in the filtering router's Forwarding Information 203 Base. 205 There are operational techniques, especially with BGP but somewhat 206 applicable to other routing protocols as well, to make strict RPF 207 work better in the case of asymmetric or multihomed traffic. The ISP 208 assigns a better metric which is not propagated outside of the 209 router, either a vendor-specific "weight" or a protocol distance to 210 prefer the directly received routes. With BGP and sufficient 211 machinery in place, setting the preferences could even be automated, 212 using BGP Communities [2]. That way, the route will always be the 213 best one in the FIB, even in the scenarios where only the primary 214 connectivity would be used and typically no packets would pass 215 through the interface. This method assumes that there is no strict 216 RPF filtering between the primary and secondary edge routers; in 217 particular, when applied to multihoming to different ISPs, this 218 assumption may fail. 220 2.3 Feasible Path Reverse Path Forwarding 222 Feasible Path Reverse Path Forwarding (Feasible RPF) is an extension 223 of Strict RPF. The source address is still looked up in the FIB (or 224 an equivalent, RPF-specific table) but instead of just inserting one 225 best route there, the alternative paths (if any) have been added as 226 well, and are valid for consideration. The list is populated using 227 routing-protocol specific methods, for example by including all or N 228 (where N is less than all) feasible BGP paths in the Routing 229 Information Base (RIB). Sometimes this method has been implemented 230 as part of a Strict RPF implementation. 232 In the case of asymmetric routing and/or multihoming at the edge of 233 the network, this approach provides a way to relatively easily 234 address the biggest problems of Strict RPF. 236 It is critical to understand the context in which Feasible RPF 237 operates. The mechanism relies on consistent route advertisements 238 (i.e., the same prefix(es), through all the paths) propagating to all 239 the routers performing Feasible RPF checking. For example, this may 240 not hold e.g., in the case where a secondary ISP does not propagate 241 the BGP advertisement to the primary ISP e.g., due to route-maps or 242 other routing policies not being up-to-date. The failure modes are 243 typically similar to "operationally enhanced Strict RPF", as 244 described above. 246 As a general guideline, if an advertisement is filtered, the packets 247 will be filtered as well. 249 In consequence, properly defined, Feasible RPF is a very powerful 250 tool in certain kinds of asymmetric routing scenarios, but it is 251 important to understand its operational role and applicability 252 better. 254 2.4 Loose Reverse Path Forwarding 256 Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar 257 to strict RPF, but differs in that it checks only for the existence 258 of a route (even a default route, if applicable), not where the route 259 points to. Practically, this could be considered as a "route presence 260 check" ("loose RPF is a misnomer in a sense because there is no 261 "reverse path" check in the first place). 263 The questionable benefit of Loose RPF is found in asymmetric routing 264 situations: a packet is dropped if there is no route at all, such as 265 to "Martian addresses" or addresses that are not currently routed, 266 but is not dropped if a route exists. 268 Loose Reverse Path Forwarding has problems, however. Since it 269 sacrifices directionality, it loses the ability to limit an edge 270 network's traffic to traffic legitimately sourced from that network, 271 in most cases, rendering the mechanism useless as an ingress 272 filtering mechanism. 274 Also, many ISPs use default routes for various purposes such as 275 collecting illegitimate traffic at so-called "Honey Pot" systems or 276 discarding any traffic they do not have a "real" route to, and 277 smaller ISPs may well purchase transit capabilities and use a default 278 route from a larger provider. At least some implementations of Loose 279 RPF check where the default route points to. If the route points to 280 the interface where Loose RPF is enabled, any packet is allowed from 281 that interface; if it points nowhere or to some other interface, the 282 packets with bogus source addresses will be discarded at the Loose 283 RPF interface even in the presence of a default route. If such 284 fine-grained checking is not implemented, presence of a default route 285 nullifies the effect Loose RPF completely. 287 One case where Loose RPF might fit well could be an ISP filtering 288 packets from its upstream providers, to get rid of packets with 289 "Martian" or other non-routed addresses. 291 If other approaches are unsuitable, loose RPF could be used as a form 292 of contract verification: the other network is presumably certifying 293 that it has provided appropriate ingress filtering rules, so the 294 network doing the filtering need only verify the fact and react if 295 any packets which would show a breach in the contract are detected. 296 Of course, this mechanism would only show if the source addresses 297 used are "martian" or other unrouted addresses -- not if they are 298 from someone else's address space. 300 2.5 Loose Reverse Path Forwarding Ignoring Default Routes 302 The fifth implementation technique may be characterized as Loose RPF 303 ignoring default routes, i.e., an "explicit route presence check". In 304 this approach, the router looks up the source address in the route 305 table, and preserves the packet if a route is found. However, in the 306 lookup, default routes are excluded. Therefore, the technique is 307 mostly usable in scenarios where default routes are used only to 308 catch traffic with bogus source addresses, with an extensive (or even 309 full) list of explicit routes to cover legitimate traffic. 311 Like Loose RPF, this is useful in places where asymmetric routing is 312 found, such as on inter-ISP links. However, like Loose RPF, since it 313 sacrifices directionality, it loses the ability to limit an edge 314 network's traffic to traffic legitimately sourced from that network. 316 3. Clarifying the Applicability of Ingress Filtering 318 What may not be readily apparent is that ingress filtering is not 319 applied only at the "last-mile" interface between the ISP and the end 320 user. It's perfectly fine, and recommended, to also perform ingress 321 filtering at the edges of ISPs where appropriate, at the routers 322 connecting LANs to an enterprise network, etc. -- this increases the 323 defense in depth. 325 3.1 Ingress Filtering at Multiple Levels 327 Because of wider deployment of ingress filtering, the issue is 328 recursive. Ingress filtering has to work everywhere where it's used, 329 not just between the first two parties. That is, if a user 330 negotiates a special ingress filtering arrangement with his ISP, he 331 should also ensure (or make sure the ISP ensures) that the same 332 arrangements also apply to the ISP's upstream and peering links, if 333 ingress filtering is being used there -- or will get used, at some 334 point in the future; similarly with the upstream ISPs and peers. 336 In consequence, manual models which do not automatically propagate 337 the information to every party where the packets would go and where 338 ingress filtering might be applied have only limited generic 339 usefulness. 341 3.2 Ingress Filtering to Protect Your Own Infrastructure 343 Another feature stemming from wider deployment of ingress filtering 344 may not be readily apparent. The routers and other ISP 345 infrastructure are vulnerable to several kinds of attacks. The 346 threat is typically mitigated by restricting who can access these 347 systems. 349 However, unless ingress filtering (or at least, a limited subset of 350 it) has been deployed at every border (towards the customers, peers 351 and upstreams) -- blocking the use of your own addresses as source 352 addresses -- the attackers may be able to circumvent the protections 353 of the infrastructure gear. 355 Therefore, by deploying ingress filtering, one does not just help the 356 Internet as a whole, but protects against several classes of threats 357 to your own infrastructure as well. 359 3.3 Ingress Filtering on Peering Links 361 Ingress filtering on peering links, whether by ISPs or by end-sites, 362 is not really that much different from the more typical "downstream" 363 or "upstream" ingress filtering. 365 However, it's important to note that with mixed upstream/downstream 366 and peering links, the different links may have different properties 367 (e.g., relating to contracts, trust, viability of the ingress 368 filtering mechanisms, etc.). In the most typical case, just using an 369 ingress filtering mechanism towards a peer (e.g., Strict RPF) works 370 just fine as long as the routing between the peers is kept reasonably 371 symmetric. It might even be considered useful to be able to filter 372 out source addresses coming from an upstream link which should have 373 come over a peering link (implying something like Strict RPF is used 374 towards the upstream) -- but this is a more complex topic and 375 considered out of scope; see Section 6. 377 4. Solutions to Ingress Filtering with Multihoming 379 First, one must ask why a site multihomes; for example, the edge 380 network might: 382 o use two ISPs for backing up the Internet connectivity to ensure 383 robustness, 385 o use whichever ISP is offering the fastest TCP service at the 386 moment, 388 o need several points of access to the Internet in places where no 389 one ISP offers service, or 391 o be changing ISPs (and therefore multihoming only temporarily). 393 One can imagine a number of approaches to working around the 394 limitations of ingress filters for multihomed networks. Options 395 include: 397 1. Do not multihome. 399 2. Do not use ingress filters. 401 3. Accept that service will be incomplete. 403 4. On some interfaces, weaken ingress filtering by using an 404 appropriate form of loose RPF check, as described in Section 4.1. 406 5. Ensure, by BGP or by contract, that each ISP's ingress filter is 407 complete, as described in Section 4.2. 409 6. Ensure that edge networks only deliver traffic to their ISPs that 410 will in fact pass the ingress filter, as described in Section 411 4.3. 413 The first three of these are obviously mentioned for completeness; 414 they are not and cannot be viable positions; the final three are 415 considered below. 417 The fourth and the fifth must be ensured in the upstream ISPs as 418 well, as described in Section 3.1. 420 Next, we now look at the viable ways for dealing with the 421 side-effects of ingress filters. 423 4.1 Use Loose RPF When Appropriate 425 Where asymmetric routing is preferred or is unavoidable, ingress 426 filtering may be difficult to deploy using a mechanism such as strict 427 RPF which requires the paths to be symmetrical. In many cases, using 428 operational methods or feasible RPF may ensure the ingress filter is 429 complete, like described below. Failing that, the only real options 430 are to not perform ingress filtering, use a manual access-list 431 (possibly in addition to some other mechanisms), or to using some 432 form of Loose RPF check. 434 Failing to provide any ingress filter at all essentially trusts the 435 downstream network to behave itself, which is not the wisest course 436 of action. However, especially in the case of very large networks of 437 even hundreds or thousands of prefixes, maintaining manual 438 access-lists may be too much to ask. 440 The use of Loose RPF does not seem like a good choice between the 441 edge network and the ISP, since it loses the directionality of the 442 test. This argues in favor of either using a complete filter in the 443 upstream network or ensuring in the downstream network that packets 444 the upstream network will reject will never reach it. 446 Therefore, the use of Loose RPF cannot be recommended, except as a 447 way to measure whether "martian" or other unrouted addresses are 448 being used. 450 4.2 Ensure That Each ISP's Ingress Filter Is Complete 452 For the edge network, if multihoming is being used for robustness or 453 to change routing from time to time depending on measured ISP 454 behavior, the simplest approach will be to ensure that its ISPs in 455 fact carry its addresses in routing. This will often require the edge 456 network to use provider-independent prefixes and exchange routes with 457 its ISPs with BGP, to ensure that its prefix is carried upstream to 458 the major transit ISPs. Of necessity, this implies that the edge 459 network will be of a size and technical competence to qualify for a 460 separate address assignment and an autonomous system number from its 461 RIR. 463 There are a number of techniques which make it easier to ensure the 464 ISP's ingress filter is complete. Feasible RPF and Strict RPF with 465 operational techniques both work quite well for multihomed or 466 asymmetric scenarios between the ISP and an edge network. 468 When a routing protocol is not being used, but rather the customer 469 information is generated from databases such as Radius, TACACS, or 470 Diameter, the ingress filtering can be the most easily ensured and 471 kept up-to-date with Strict RPF or Ingress Access Lists generated 472 automatically from such databases. 474 4.3 Send Traffic Using a Provider Prefix Only to That Provider 476 For smaller edge networks that use provider-based addressing and 477 whose ISPs implement ingress filters (which they should do), the 478 third option is to route traffic being sourced from a given 479 provider's address space to that provider. 481 This is not a complicated procedure, but requires careful planning 482 and configuration. For robustness, the edge network may choose to 483 connect to each of its ISPs through two or more different Points of 484 Presence (POPs), so that if one POP or line experiences an outage, 485 another link to the same ISP can be used. Alternatively, a set of 486 tunnels could be configured instead of multiple connections to the 487 same ISP [4][5]. This way the edge routers are configured to first 488 inspect the source address of a packet destined to an ISP and shunt 489 it into the appropriate tunnel or interface toward the ISP. 491 If such a scenario is applied exhaustively, so that an exit router is 492 chosen in the edge network for every prefix the network uses, traffic 493 originating from any other prefix can be summarily discarded instead 494 of sending it to an ISP. 496 5. Security Considerations 498 Ingress filtering is typically performed to ensure that traffic 499 arriving on one network interface legitimately comes from a computer 500 residing on a network reachable through that interface. 502 The closer to the actual source ingress filtering is performed, the 503 more effective it is. One could wish that the first hop router would 504 ensure that traffic being sourced from its neighboring end system was 505 correctly addressed; a router further away can only ensure that it is 506 possible that there is such a system within the indicated prefix. 507 Therefore, ingress filtering should be done at multiple levels, with 508 different level of granularity. 510 It bears to keep in mind that while one goal of ingress filtering is 511 to make attacks traceable, it is impossible to know whether the 512 particular attacker "somewhere in the Internet" is being ingress 513 filtered or not. Therefore, one can only guess whether the source 514 addresses have been spoofed or not: in any case, getting a possible 515 lead -- e.g., to contact a potential source to ask whether they're 516 observing an attack or not -- is still valuable, and more so when the 517 ingress filtering gets more and more widely deployed. 519 In consequence, every administrative domain should try to ensure a 520 sufficient level of ingress filtering on its borders. 522 Security properties and applicability of different ingress filtering 523 types differ a lot. 525 o Ingress Access Lists require typically manual maintenance, but are 526 the most bulletproof when done properly; typically, ingress access 527 lists are best fit between the edge and the ISP when the 528 configuration is not too dynamic if strict RPF is not an option, 529 between ISPs if the number of used prefixes is low, or as an 530 additional layer of protection. 532 o Strict RPF check is a very easy and sure way to implement ingress 533 filtering. It is typically fit between the edge network and the 534 ISP. In many cases, a simple strict RPF can be augmented by 535 operational procedures in the case of asymmetric traffic patterns, 536 or the feasible RPF technique to also account for other 537 alternative paths. 539 o Feasible Path RPF check is an extension of Strict RPF. It is 540 suitable in all the scenarios where Strict RPF is, but multihomed 541 or asymmetric scenarios in particular. However, one must remember 542 that Feasible RPF assumes the consistent origination and 543 propagation of routing information to work; the implications of 544 this must be understood especially if a prefix advertisement 545 passes through third parties. 547 o Loose RPF primarily filters out unrouted prefixes such as Martian 548 addresses. It can be applied in the upstream interfaces to reduce 549 the size of DoS attacks with unrouted source addresses. In the 550 downstream interfaces it can only be used as a contract 551 verification, that the other network has performed at least some 552 ingress filtering. 554 When weighing the tradeoffs of different ingress filtering 555 mechanisms, the security properties of a more relaxed approach should 556 be carefully considered before applying it. Especially when applied 557 by an ISP towards an edge network, there don't seem to be many 558 reasons why a stricter form of ingress filtering would not be 559 appropriate. 561 6. Conclusions and Future Work 563 This memo describes ingress filtering techniques in general and the 564 options for multihomed networks in particular. 566 It is important for ISPs to implement ingress filtering to prevent 567 spoofed addresses being used, both to curtail DoS attacks and to make 568 them more traceable, and to protect their own infrastructure. This 569 memo describes mechanisms that could be used to achieve that effect, 570 and the tradeoffs of those mechanisms. 572 To summarize: 574 o Ingress filtering should always be done between the ISP and a 575 single-homed edge network. 577 o Ingress filtering with Feasible RPF or similar Strict RPF 578 techniques could almost always be applied between the ISP and 579 multi-homed edge networks as well. 581 o Both the ISPs and edge networks should verify that their own 582 addresses are not being used in source addresses in the packets 583 coming from outside their network. 585 o Some form of ingress filtering is also reasonable between ISPs, 586 especially if the number of prefixes is low. 588 This memo will lower the bar for the adoption of ingress filtering 589 especially in the scenarios like asymmetric/multihomed networks where 590 the general belief has been that ingress filtering is difficult to 591 implement. 593 One can identify multiple areas where additional work would be 594 useful: 596 o Specify the mechanisms in more detail: there is some variance 597 between implementations e.g., on whether traffic to multicast 598 destination addresses will always pass the Strict RPF filter or 599 not. By formally specifying the mechanisms the implementations 600 might get harmonized. 602 o Study and specify Routing Information Base (RIB) -based RPF 603 mechanisms, e.g., Feasible Path RPF, in more detail. In 604 particular, consider under which assumptions these mechanisms work 605 as intended and where they don't. 607 o Write a more generic note on the ingress filtering mechanisms than 608 this memo, after the taxonomy and the details or the mechanisms 609 (points above) have been fleshed out. 611 o Consider the more complex case where a network has connectivity 612 with different properties (e.g., peers and upstreams), and wants 613 to ensure that traffic sourced with a peer's address should not be 614 accepted from the upstream. 616 7. Acknowledgements 618 Rob Austein, Barry Greene, Christoph Reichert, Daniel Senie, Pedro 619 Roque, and Iljitsch van Beijnum reviewed this document and helped in 620 improving it. Thomas Narten, Ted Hardie, and Russ Housley provided 621 good feedback which boosted the document in its final stages. 623 Normative References 625 [1] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating 626 Denial of Service Attacks which employ IP Source Address 627 Spoofing", BCP 38, RFC 2827, May 2000. 629 Informative References 631 [2] Chandrasekeran, R., Traina, P. and T. Li, "BGP Communities 632 Attribute", RFC 1997, August 1996. 634 [3] IANA, "Special-Use IPv4 Addresses", RFC 3330, September 2002. 636 [4] Bates, T. and Y. Rekhter, "Scalable Support for Multi-homed 637 Multi-provider Connectivity", RFC 2260, January 1998. 639 [5] Hagino, J. and H. Snyder, "IPv6 Multihoming Support at Site Exit 640 Routers", RFC 3178, October 2001. 642 Authors' Addresses 644 Fred Baker 645 Cisco Systems 647 Santa Barbara, CA 93117 648 US 650 EMail: fred@cisco.com 651 Pekka Savola 652 CSC/FUNET 654 Espoo 655 Finland 657 EMail: psavola@funet.fi 659 Intellectual Property Statement 661 The IETF takes no position regarding the validity or scope of any 662 intellectual property or other rights that might be claimed to 663 pertain to the implementation or use of the technology described in 664 this document or the extent to which any license under such rights 665 might or might not be available; neither does it represent that it 666 has made any effort to identify any such rights. Information on the 667 IETF's procedures with respect to rights in standards-track and 668 standards-related documentation can be found in BCP-11. Copies of 669 claims of rights made available for publication and any assurances of 670 licenses to be made available, or the result of an attempt made to 671 obtain a general license or permission for the use of such 672 proprietary rights by implementors or users of this specification can 673 be obtained from the IETF Secretariat. 675 The IETF invites any interested party to bring to its attention any 676 copyrights, patents or patent applications, or other proprietary 677 rights which may cover technology that may be required to practice 678 this standard. Please address the information to the IETF Executive 679 Director. 681 Full Copyright Statement 683 Copyright (C) The Internet Society (2003). All Rights Reserved. 685 This document and translations of it may be copied and furnished to 686 others, and derivative works that comment on or otherwise explain it 687 or assist in its implementation may be prepared, copied, published 688 and distributed, in whole or in part, without restriction of any 689 kind, provided that the above copyright notice and this paragraph are 690 included on all such copies and derivative works. However, this 691 document itself may not be modified in any way, such as by removing 692 the copyright notice or references to the Internet Society or other 693 Internet organizations, except as needed for the purpose of 694 developing Internet standards in which case the procedures for 695 copyrights defined in the Internet Standards process must be 696 followed, or as required to translate it into languages other than 697 English. 699 The limited permissions granted above are perpetual and will not be 700 revoked by the Internet Society or its successors or assignees. 702 This document and the information contained herein is provided on an 703 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 704 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 705 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 706 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 707 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 709 Acknowledgment 711 Funding for the RFC Editor function is currently provided by the 712 Internet Society.