Network Working Group F. Baker Request for Comments: 3704 Cisco Systems Updates: 2827 P. Savola BCP: 84 CSC/FUNET Category: Best Current Practice March 2004 Ingress Filtering for Multihomed Networks Status of this Memo This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved.
AbstractBCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827.
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Different Ways to Implement Ingress Filtering . . . . . . . . 4 2.1 Ingress Access Lists . . . . . . . . . . . . . . . . . . . 4 2.2 Strict Reverse Path Forwarding . . . . . . . . . . . . . . 5 2.3 Feasible Path Reverse Path Forwarding . . . . . . . . . . 6 2.4 Loose Reverse Path Forwarding . . . . . . . . . . . . . . 6 2.5 Loose Reverse Path Forwarding Ignoring Default Routes . . 7 3. Clarifying the Applicability of Ingress Filtering . . . . . . 8 3.1 Ingress Filtering at Multiple Levels . . . . . . . . . . . 8 3.2 Ingress Filtering to Protect Your Own Infrastructure . . . 8 3.3 Ingress Filtering on Peering Links . . . . . . . . . . . . 9 4. Solutions to Ingress Filtering with Multihoming . . . . . . . 9 4.1 Use Loose RPF When Appropriate . . . . . . . . . . . . . . 10 4.2 Ensure That Each ISP's Ingress Filter Is Complete . . . . 11 4.3 Send Traffic Using a Provider Prefix Only to That Provider 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 6. Conclusions and Future Work . . . . . . . . . . . . . . . . . 13 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 8.1. Normative References . . . . . . . . . . . . . . . . . . 14 8.2. Informative References . . . . . . . . . . . . . . . . . 14 9. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 15 10. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 16
BCP 38, RFC 2827 , is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering and delves into the effects on multihoming in particular. RFC 2827 recommends that ISPs police their customers' traffic by dropping traffic entering their networks that is coming from a source address not legitimately in use by the customer network. The filtering includes but is in no way limited to the traffic whose source address is a so-called "Martian Address" - an address that is reserved , including any address within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 184.108.40.206/4, or 240.0.0.0/4. The reasoning behind the ingress filtering procedure is that Distributed Denial of Service Attacks frequently spoof other systems' source addresses, placing a random number in the field. In some attacks, this random number is deterministically within the target network, simultaneously attacking one or more machines and causing those machines to attack others with ICMP messages or other traffic; in this case, the attacked sites can protect themselves by proper filtering, by verifying that their prefixes are not used in the source addresses in packets received from the Internet. In other attacks, the source address is literally a random 32 bit number, resulting in the source of the attack being difficult to trace. If the traffic leaving an edge network and entering an ISP can be limited to traffic it is legitimately sending, attacks can be somewhat mitigated: traffic with random or improper source addresses can be suppressed before it does significant damage, and attacks can be readily traced back to at least their source networks. This document is aimed at ISP and edge network operators who 1) would like to learn more of ingress filtering methods in general, or 2) are already using ingress filtering to some degree but who would like to expand its use and want to avoid the pitfalls of ingress filtering in the multihomed/asymmetric scenarios.
In section 2, several different ways to implement ingress filtering are described and examined in the generic context. In section 3, some clarifications on the applicability of ingress filtering methods are made. In section 4, ingress filtering is analyzed in detail from the multihoming perspective. In section 5, conclusions and potential future work items are identified. Section 4. There are at least five ways one can implement RFC 2827, with varying impacts. These include (the names are in relatively common usage): o Ingress Access Lists o Strict Reverse Path Forwarding o Feasible Path Reverse Path Forwarding o Loose Reverse Path Forwarding o Loose Reverse Path Forwarding ignoring default routes Other mechanisms are also possible, and indeed, there are a number of techniques that might profit from further study, specification, implementation, and/or deployment; see Section 6. However, these are out of scope. RFC 2827 , and in some sense the most deterministic one. However, Ingress Access Lists are typically maintained manually; for example, forgetting to have the list updated at the ISPs if the set of prefixes changes (e.g., as a result of multihoming) might lead to discarding the packets if they do not pass the ingress filter.
Naturally, this problem is not limited to Ingress Access Lists -- it is inherent to Ingress Filtering when the ingress filter is not complete. However, usually Ingress Access Lists are more difficult to maintain than the other mechanisms, and having an outdated list can prevent legitimate access. 2]. That way, the route will always be the best one in the FIB, even in the scenarios where only the primary connectivity would be used and typically no packets would pass
through the interface. This method assumes that there is no strict RPF filtering between the primary and secondary edge routers; in particular, when applied to multihoming to different ISPs, this assumption may fail.
The questionable benefit of Loose RPF is found in asymmetric routing situations: a packet is dropped if there is no route at all, such as to "Martian addresses" or addresses that are not currently routed, but is not dropped if a route exists. Loose Reverse Path Forwarding has problems, however. Since it sacrifices directionality, it loses the ability to limit an edge network's traffic to traffic legitimately sourced from that network, in most cases, rendering the mechanism useless as an ingress filtering mechanism. Also, many ISPs use default routes for various purposes such as collecting illegitimate traffic at so-called "Honey Pot" systems or discarding any traffic they do not have a "real" route to, and smaller ISPs may well purchase transit capabilities and use a default route from a larger provider. At least some implementations of Loose RPF check where the default route points to. If the route points to the interface where Loose RPF is enabled, any packet is allowed from that interface; if it points nowhere or to some other interface, the packets with bogus source addresses will be discarded at the Loose RPF interface even in the presence of a default route. If such fine-grained checking is not implemented, presence of a default route nullifies the effect of Loose RPF completely. One case where Loose RPF might fit well could be an ISP filtering packets from its upstream providers, to get rid of packets with "Martian" or other non-routed addresses. If other approaches are unsuitable, loose RPF could be used as a form of contract verification: the other network is presumably certifying that it has provided appropriate ingress filtering rules, so the network doing the filtering need only verify the fact and react if any packets which would show a breach in the contract are detected. Of course, this mechanism would only show if the source addresses used are "martian" or other unrouted addresses -- not if they are from someone else's address space.
Like Loose RPF, this is useful in places where asymmetric routing is found, such as on inter-ISP links. However, like Loose RPF, since it sacrifices directionality, it loses the ability to limit an edge network's traffic to traffic legitimately sourced from that network.
5. Ensure, by BGP or by contract, that each ISP's ingress filter is complete, as described in Section 4.2. 6. Ensure that edge networks only deliver traffic to their ISPs that will in fact pass the ingress filter, as described in Section 4.3. The first three of these are obviously mentioned for completeness; they are not and cannot be viable positions; the final three are considered below. The fourth and the fifth must be ensured in the upstream ISPs as well, as described in Section 3.1. Next, we now look at the viable ways for dealing with the side- effects of ingress filters.
4]. This way the edge routers are configured to first inspect the source address of a packet destined to an ISP and shunt it into the appropriate tunnel or interface toward the ISP. If such a scenario is applied exhaustively, so that an exit router is chosen in the edge network for every prefix the network uses, traffic originating from any other prefix can be summarily discarded instead of sending it to an ISP.
propagation of routing information to work; the implications of this must be understood especially if a prefix advertisement passes through third parties. o Loose RPF primarily filters out unrouted prefixes such as Martian addresses. It can be applied in the upstream interfaces to reduce the size of DoS attacks with unrouted source addresses. In the downstream interfaces it can only be used as a contract verification, that the other network has performed at least some ingress filtering. When weighing the tradeoffs of different ingress filtering mechanisms, the security properties of a more relaxed approach should be carefully considered before applying it. Especially when applied by an ISP towards an edge network, there don't seem to be many reasons why a stricter form of ingress filtering would not be appropriate.
This memo will lower the bar for the adoption of ingress filtering especially in the scenarios like asymmetric/multihomed networks where the general belief has been that ingress filtering is difficult to implement. One can identify multiple areas where additional work would be useful: o Specify the mechanisms in more detail: there is some variance between implementations e.g., on whether traffic to multicast destination addresses will always pass the Strict RPF filter or not. By formally specifying the mechanisms the implementations might get harmonized. o Study and specify Routing Information Base (RIB) -based RPF mechanisms, e.g., Feasible Path RPF, in more detail. In particular, consider under which assumptions these mechanisms work as intended and where they don't. o Write a more generic note on the ingress filtering mechanisms than this memo, after the taxonomy and the details or the mechanisms (points above) have been fleshed out. o Consider the more complex case where a network has connectivity with different properties (e.g., peers and upstreams), and wants to ensure that traffic sourced with a peer's address should not be accepted from the upstream.  Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.  Chandrasekeran, R., Traina, P. and T. Li, "BGP Communities Attribute", RFC 1997, August 1996.
BCP 78 and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- firstname.lastname@example.org. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.