<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc number="8704" xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" docName="draft-ietf-opsec-urpf-improvements-04" category="bcp" updates="3704" consensus="yes" ipr="trust200902" obsoletes="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 2.31.0 -->
<front>
<title abbrev="Enhanced FP-uRPF">Enhanced Feasible-Path Unicast Reverse Path Forwarding</title>
<seriesInfo name="RFC" value="8704" />
<seriesInfo name="BCP" value="84"/>
<author fullname="Kotikalapudi Sriram" initials="K."
surname="Sriram">
<organization abbrev="USA NIST">USA National Institute of Standards and Technology</organization>
<address>
<postal>
<street>100 Bureau Drive</street>
<city>Gaithersburg</city>
<region>MD</region>
<code>20899</code>
<country>United States of America</country>
</postal>
<email>ksriram@nist.gov</email>
</address>
</author>
<author fullname="Doug Montgomery" initials="D." surname="Montgomery">
<organization abbrev="USA NIST">USA National Institute of Standards and Technology</organization>
<address>
<postal>
<street>100 Bureau Drive</street>
<city>Gaithersburg</city>
<region>MD</region>
<code>20899</code>
<country>United States of America</country>
</postal>
<email>dougm@nist.gov</email>
</address>
</author>
<author fullname="Jeffrey Haas" initials="J."
surname="Haas">
<organization>Juniper Networks, Inc.</organization>
<address>
<postal>
<street>1133 Innovation Way</street>
<city>Sunnyvale</city>
<region>CA</region>
<code>94089</code>
<country>United States of America</country>
</postal>
<email>jhaas@juniper.net</email>
</address>
</author>
<date month="February" year="2020"/>
<area>Operations</area>
<workgroup>OPSEC Working Group</workgroup>
<keyword>BGP, source address spoofing, source address validation (SAV), Reverse Path Forwarding (RPF), unicast RPF (uRPF), DDoS mitigation, BCP 38, BCP 84</keyword>
<abstract>
<t> This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" numbered="true" toc="default">
<name>Introduction</name>
<t> Source address validation (SAV) refers to the detection and mitigation of source address (SA) spoofing <xref target="RFC2827" format="default"/>. This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques <xref target="RFC3704" format="default"/> for SAV. Strict uRPF is inflexible about directionality (see <xref target="RFC3704" format="default"/> for definitions), the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two <xref target="RFC3704" format="default"/>. However, as shown in this document, the existing feasible-path uRPF still has shortcomings. Even with the feasible-path uRPF, ISPs are often apprehensive that they may be dropping customers' data packets with legitimate source addresses. </t>
<t> This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that aim to be more flexible (in a meaningful way) about directionality than the feasible-path uRPF. It is based on the principle that if BGP updates for multiple prefixes with the same origin AS were received on different interfaces (at border routers), then incoming data packets with source addresses in any of those prefixes should be accepted on any of those interfaces (presented in <xref target="newtech" format="default"/>). For some challenging ISP-customer scenarios (see <xref target="challenge" format="default"/>), this document also describes a more relaxed version of the enhanced feasible-path uRPF technique (presented in <xref target="algB" format="default"/>).
Implementation and operations considerations are discussed in <xref target="impl" format="default"/>. </t>
<t> Throughout this document, the routes under consideration are assumed to have been vetted based on prefix filtering <xref target="RFC7454" format="default"/> and possibly origin validation <xref target="RFC6811" format="default"/>. </t>
<t> The EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in SAV. They are expected to add greater operational robustness and efficacy to uRPF while minimizing ISPs' concerns about accidental service disruption for their customers. It is expected that this will encourage more deployment of uRPF to help realize its Denial of Service (DoS) and Distributed DoS (DDoS) prevention benefits network wide. </t>
<section numbered="true" toc="default">
<name>Terminology</name>
<t> The Reverse Path Forwarding (RPF) list is the list of permissible source-address prefixes for incoming data packets on a given interface. </t>
<t> Peering relationships considered in this document are provider-to-customer (P2C), customer-to-provider (C2P), and peer-to-peer (P2P). Here, "provider" refers to a transit provider. The first two are transit relationships. A peer connected via a P2P link is known as a lateral peer (non-transit). </t>
<t> AS A's customer cone is A plus all the ASes that can be reached from A following only P2C links <xref target="Luckie" format="default"/>. </t>
<t> A stub AS is an AS that does not have any customers or lateral peers. In this document, a single-homed stub AS is one that has a single transit provider and a multihomed stub AS is one that has multiple (two or more) transit providers.
</t>
</section>
<section numbered="true" toc="default">
<name>Requirements Language</name>
<t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t>
</section>
</section>
<section anchor="review" numbered="true" toc="default">
<name>Review of Existing Source Address Validation Techniques</name>
<t> There are various existing techniques for the mitigation of DoS/DDoS attacks with spoofed addresses <xref target="RFC2827" format="default"/> <xref target="RFC3704" format="default"/>.
SAV is performed in network edge devices, such as border routers, Cable Modem Termination Systems (CMTS) <xref target="RFC4036" format="default"/>, and Packet Data Network Gateways (PDN-GW) in mobile networks <xref target="Firmin" format="default"/>. Ingress Access Control List (ACL) and uRPF are techniques employed for implementing SAV <xref target="RFC2827" format="default"/> <xref target="RFC3704" format="default"/> <xref target="ISOC" format="default"/>. </t>
<section anchor="acl" numbered="true" toc="default">
<name>SAV Using Access Control List</name>
<t> Ingress/egress ACLs are maintained to list acceptable (or alternatively, unacceptable) prefixes for the source addresses in the incoming/outgoing Internet Protocol (IP) packets. Any packet with a source address that fails the filtering criteria is dropped. The ACLs for the ingress/egress filters need to be maintained to keep them up to date. Updating the ACLs is an operator-driven manual process; hence, it is operationally difficult or infeasible. </t>
<t> Typically, the egress ACLs in access aggregation devices (e.g., CMTS, PDN-GW) permit source addresses only from the address spaces (prefixes) that are associated with the interface on which the customer network is connected.
Ingress ACLs are typically deployed on border routers and drop ingress packets when the source address is spoofed (e.g., belongs to obviously disallowed prefix blocks, IANA special-purpose prefixes <xref target="SPAR-v4" format="default"/><xref target="SPAR-v6" format="default"/>, provider's own prefixes, etc.). </t>
</section>
<section anchor="surpf" numbered="true" toc="default">
<name>SAV Using Strict Unicast Reverse Path Forwarding</name>
<t> Note: In the figures (scenarios) in this section and the subsequent sections, the following terminology is used: </t>
<ul spacing="normal">
<li> "fails" means drops packets with legitimate source addresses. </li>
<li> "works (but not desirable)" means passes all packets with legitimate source addresses but is oblivious to directionality. </li>
<li> "works best" means passes all packets with legitimate source addresses with no (or minimal) compromise of directionality. </li>
<li> The notation Pi[ASn ASm ...] denotes a BGP update with prefix Pi and an AS_PATH as shown in the square brackets. </li>
</ul>
<t> In the strict uRPF method, an ingress packet at a border router is accepted only if the Forwarding Information Base (FIB) contains a prefix that encompasses the source address and forwarding information for that prefix points back to the interface over which the packet was received. In other words, the reverse path for routing to the source address (if it were used as a destination address) should use the same interface over which the packet was received. It is well known that this method has limitations when networks are multihomed, routes are not symmetrically announced to all transit providers, and there is asymmetric routing of data packets.
Asymmetric routing occurs (see <xref target="fig1" format="default"/>) when a customer AS announces one prefix (P1) to one transit provider (ISP-a) and a different prefix (P2) to another transit provider (ISP-b) but routes data packets with source addresses in the second prefix (P2) to the first transit provider (ISP-a) or vice versa. Then, data packets with a source address in prefix P2 that are received at AS2 directly from AS1 will get dropped. Further, data packets with a source address in prefix P1 that originate from AS1 and traverse via AS3 to AS2 will also get dropped at AS2. </t>
<figure anchor="fig1">
<name>Scenario 1 for Illustration of Efficacy of uRPF Schemes</name>
<artwork align="left" name="" type="" alt=""><![CDATA[
      +------------+ ---- P1[AS2 AS1] ---> +------------+
      | AS2(ISP-a) | <----P2[AS3 AS1] ---- | AS3(ISP-b) |
      +------------+                       +------------+
               /\                             /\
                \                             /
                 \                           /
                  \                         /
            P1[AS1]\                       /P2[AS1]
                    \                     /
                   +-----------------------+
                   |      AS1(customer)    |
                   +-----------------------+
                    P1, P2 (prefixes originated)

    Consider data packets received at AS2
    (1) from AS1 with a source address (SA) in P2, or
    (2) from AS3 that originated from AS1
        with a SA in P1:
    * Strict uRPF fails
    * Feasible-path uRPF fails
    * Loose uRPF works (but not desirable)
    * Enhanced feasible-path uRPF works best
]]></artwork>
</figure>
</section>
<section anchor="fp-urpf" numbered="true" toc="default">
<name>SAV Using Feasible-Path Unicast Reverse Path Forwarding</name>
<t> The feasible-path uRPF technique helps partially overcome the problem identified with the strict uRPF in the multihoming case. The feasible-path uRPF is similar to the strict uRPF, but in addition to inserting the best-path prefix, additional prefixes from alternative announced routes are also included in the RPF list.
This method relies on either (a) announcements for the same prefixes (albeit some may be prepended to effect lower preference) propagating to all transit providers performing feasible-path uRPF checks or (b) announcement of an aggregate less-specific prefix to all transit providers while announcing more-specific prefixes (covered by the less-specific prefix) to different transit providers as needed for traffic engineering.</t>
<t>As an example, in the multihoming scenario (see Scenario 2 in <xref target="fig2" format="default"/>), if the customer AS announces routes for both prefixes (P1, P2) to both transit providers (with suitable prepends if needed for traffic engineering), then the feasible-path uRPF method works. It should be mentioned that the feasible-path uRPF works in this scenario only if customer routes are preferred at AS2 and AS3 over a shorter non-customer route. However, the feasible-path uRPF method has limitations as well. One form of limitation naturally occurs when the recommendation (a) or (b) mentioned above regarding propagation of prefixes is not followed.</t>
<t>Another form of limitation can be described as follows. In Scenario 2 (described here, illustrated in <xref target="fig2" format="default"/>), it is possible that the second transit provider (ISP-b or AS3) does not propagate the prepended route for prefix P1 to the first transit provider (ISP-a or AS2). This is because AS3's decision policy permits giving priority to a shorter route to prefix P1 via a lateral peer (AS2) over a longer route learned directly from the customer (AS1). In such a scenario, AS3 would not send any route announcement for prefix P1 to AS2 (over the P2P link). Then, a data packet with a source address in prefix P1 that originates from AS1 and traverses via AS3 to AS2 will get dropped at AS2.
</t>
<figure anchor="fig2">
<name>Scenario 2 for Illustration of Efficacy of uRPF Schemes</name>
<artwork align="left" name="" type="" alt=""><![CDATA[
      +------------+  routes for P1, P2   +------------+
      | AS2(ISP-a) |<-------------------->| AS3(ISP-b) |
      +------------+        (P2P)         +------------+
              /\                               /\
               \                               /
         P1[AS1]\                             /P2[AS1]
                 \                           /
   P2[AS1 AS1 AS1]\                         /P1[AS1 AS1 AS1]
                   \                       /
                  +-----------------------+
                  |      AS1(customer)    |
                  +-----------------------+
                   P1, P2 (prefixes originated)

    Consider data packets received at AS2 via AS3
    that originated from AS1 and have a source address in P1:
    * Feasible-path uRPF works (if the customer route to P1
      is preferred at AS3 over the shorter path)
    * Feasible-path uRPF fails (if the shorter path to P1
      is preferred at AS3 over the customer route)
    * Loose uRPF works (but not desirable)
    * Enhanced feasible-path uRPF works best
]]></artwork>
</figure>
</section>
<section anchor="lurpf" numbered="true" toc="default">
<name>SAV Using Loose Unicast Reverse Path Forwarding</name>
<t> In the loose uRPF method, an ingress packet at the border router is accepted only if the FIB has one or more prefixes that encompass the source address. That is, a packet is dropped if no route exists in the FIB for the source address. Loose uRPF sacrifices directionality. It only drops packets if the source address is unreachable in the current FIB (e.g., IANA special-purpose prefixes <xref target="SPAR-v4" format="default"/><xref target="SPAR-v6" format="default"/>, unallocated, allocated but currently not routed).
</t>
</section>
<section anchor="vrf" numbered="true" toc="default">
<name>SAV Using VRF Table</name>
<t> The Virtual Routing and Forwarding (VRF) technology <xref target="RFC4364" format="default"/> <xref target="Juniper" format="default"/> allows a router to maintain multiple routing table instances separate from the global Routing Information Base (RIB). External BGP (eBGP) peering sessions send specific routes to be stored in a dedicated VRF table. The uRPF process queries the VRF table (instead of the FIB) for source address validation. A VRF table can be dedicated per eBGP peer and used for uRPF for only that peer, resulting in strict mode operation. For implementing loose uRPF on an interface, the corresponding VRF table would be global, i.e., contains the same routes as in the FIB. </t>
</section>
</section>
<section anchor="newtech" numbered="true" toc="default">
<name>SAV Using Enhanced Feasible-Path uRPF</name>
<section anchor="descrip" numbered="true" toc="default">
<name>Description of the Method</name>
<t> The enhanced feasible-path uRPF (EFP-uRPF) method adds greater operational robustness and efficacy to existing uRPF methods discussed in <xref target="review" format="default"/>. That is because it avoids dropping legitimate data packets and compromising directionality. The method is based on the principle that if BGP updates for multiple prefixes with the same origin AS were received on different interfaces (at border routers), then incoming data packets with source addresses in any of those prefixes should be accepted on any of those interfaces.
The EFP-uRPF method can be best explained with an example, as follows: </t>
<t> Let us say, in its Adj-RIBs-In <xref target="RFC4271" format="default"/>, a border router of ISP-A has the set of prefixes {Q1, Q2, Q3}, each of which has AS-x as its origin and AS-x is in ISP-A's customer cone. In this set, the border router received the route for prefix Q1 over a customer-facing interface while it learned the routes for prefixes Q2 and Q3 from a lateral peer and an upstream transit provider, respectively. In this example scenario, the enhanced feasible-path uRPF method requires Q1, Q2, and Q3 be included in the RPF list for the customer interface under consideration. </t>
<t> Thus, the EFP-uRPF method gathers feasible paths for customer interfaces in a more precise way (as compared to the feasible-path uRPF) so that all legitimate packets are accepted while the directionality property is not compromised. </t>
<t> The above-described EFP-uRPF method is recommended to be applied on customer interfaces. It can also be extended to create the RPF lists for lateral peer interfaces. That is, the EFP-uRPF method can be applied (and loose uRPF avoided) on lateral peer interfaces. That will help to avoid compromising directionality for lateral peer interfaces (which is inevitable with loose uRPF; see <xref target="lurpf" format="default"/>). </t>
<t> Looking back at Scenarios 1 and 2 (Figures <xref target="fig1" format="counter"/> and <xref target="fig2" format="counter"/>), the EFP-uRPF method works better than the other uRPF methods. Scenario 3 (<xref target="fig3" format="default"/>) further illustrates the enhanced feasible-path uRPF method with a more concrete example. In this scenario, the focus is on operation of the EFP-uRPF at ISP4 (AS4). ISP4 learns a route for prefix P1 via a C2P interface from customer ISP2 (AS2). This route for P1 has origin AS1. ISP4 also learns a route for P2 via another C2P interface from customer ISP3 (AS3). Additionally, AS4 learns a route for P3 via a lateral P2P interface from ISP5 (AS5). Routes for all three prefixes have the same origin AS (i.e., AS1). Using the enhanced feasible-path uRPF scheme and given the commonality of the origin AS across the routes for P1, P2, and P3, AS4 includes all of these prefixes in the RPF list for the customer interfaces (from AS2 and AS3).
</t>
<figure anchor="fig3">
<name>Scenario 3 for Illustration of Efficacy of uRPF Schemes</name>
<artwork align="left" name="" type="" alt=""><![CDATA[
              +----------+   P3[AS5 AS1]  +------------+
              | AS4(ISP4)|<---------------|  AS5(ISP5) |
              +----------+      (P2P)     +------------+
                  /\   /\                        /\
                  /     \                        /
      P1[AS2 AS1]/       \P2[AS3 AS1]           /
           (C2P)/         \(C2P)               /
               /           \                  /
        +----------+    +----------+         /
        | AS2(ISP2)|    | AS3(ISP3)|        /
        +----------+    +----------+       /
                 /\           /\          /
                  \           /          /
            P1[AS1]\         /P2[AS1]   /P3[AS1]
               (C2P)\       /(C2P)     /(C2P)
                     \     /          /
                  +----------------+ /
                  |  AS1(customer) |/
                  +----------------+
             P1, P2, P3 (prefixes originated)

    Consider that data packets (sourced from AS1)
    may be received at AS4 with a source address
    in P1, P2, or P3 via any of the neighbors (AS2, AS3, AS5):
    * Feasible-path uRPF fails
    * Loose uRPF works (but not desirable)
    * Enhanced feasible-path uRPF works best
]]></artwork>
</figure>
<section anchor="algA" numbered="true" toc="default">
<name>Algorithm A: Enhanced Feasible-Path uRPF</name>
<t> The underlying algorithm in the solution method described above (<xref target="descrip" format="default"/>) can be specified as follows (to be implemented in a transit AS): </t>
<ol spacing="normal" type="1">
<li> Create the set of unique origin ASes considering only the routes in the Adj-RIBs-In of customer interfaces. Call it Set A = {AS1, AS2, ..., ASn}. </li>
<li> Considering all routes in Adj-RIBs-In for all interfaces (customer, lateral peer, and transit provider), form the set of unique prefixes that have a common origin AS1. Call it Set X1. </li>
<li> Include Set X1 in the RPF list on all customer interfaces on which one or more of the prefixes in Set X1 were received. </li>
<li> Repeat Steps 2 and 3 for each of the remaining ASes in Set A (i.e., for ASi, where i = 2, ..., n). </li>
</ol>
<t> The above algorithm can also be extended to apply the EFP-uRPF method to lateral peer interfaces. However, it is left up to the operator to decide whether they should apply the EFP-uRPF or loose uRPF method on lateral peer interfaces. The loose uRPF method is recommended to be applied on transit provider interfaces. </t>
</section>
</section>
<section anchor="recomm" numbered="true" toc="default">
<name>Operational Recommendations</name>
<t> The following operational recommendations will make the operation of the enhanced feasible-path uRPF robust: </t>
<t> For multihomed stub AS: </t>
<ul spacing="normal">
<li> A multihomed stub AS should announce at least one of the prefixes it originates to each of its transit provider ASes. (It is understood that a single-homed stub AS would announce all prefixes it originates to its sole transit provider AS.) </li>
</ul>
<t> For non-stub AS: </t>
<ul spacing="normal">
<li> A non-stub AS should also announce at least one of the prefixes it originates to each of its transit provider ASes. </li>
<li> Additionally, from the routes it has learned from customers, a non-stub AS <bcp14>SHOULD</bcp14> announce at least one route per origin AS to each of its transit provider ASes. </li>
</ul>
</section>
<section anchor="challenge" numbered="true" toc="default">
<name>A Challenging Scenario</name>
<t> It should be observed that in the absence of ASes adhering to above recommendations, the following example scenario, which poses a challenge for the enhanced feasible-path uRPF (as well as for traditional feasible-path uRPF), may be constructed. In the scenario illustrated in <xref target="fig4" format="default"/>, since routes for neither P1 nor P2 are propagated on the AS2-AS4 interface (due to the presence of NO_EXPORT Community), the enhanced feasible-path uRPF at AS4 will reject data packets received on that interface with source addresses in P1 or P2. (For a little more complex example scenario, see slide #10 in <xref target="Sriram-URPF" format="default"/>.) </t>
<figure anchor="fig4">
<name>Illustration of a Challenging Scenario</name>
<artwork align="left" name="" type="" alt=""><![CDATA[
                   +----------+
                   | AS4(ISP4)|
                   +----------+
                        /\   /\
                        /     \  P1[AS3 AS1]
         P1 and P2 not /       \ P2[AS3 AS1]
           propagated /         \ (C2P)
               (C2P) /           \
            +----------+    +----------+
            | AS2(ISP2)|    | AS3(ISP3)|
            +----------+    +----------+
                     /\           /\
                      \           / P1[AS1]
     P1[AS1] NO_EXPORT \         /  P2[AS1]
     P2[AS1] NO_EXPORT  \       /   (C2P)
                  (C2P)  \     /
                      +----------------+
                      |  AS1(customer) |
                      +----------------+
                   P1, P2 (prefixes originated)

    Consider that data packets (sourced from AS1)
    may be received at AS4 with a source address
    in P1 or P2 via AS2:
    * Feasible-path uRPF fails
    * Loose uRPF works (but not desirable)
    * Enhanced feasible-path uRPF with Algorithm A fails
    * Enhanced feasible-path uRPF with Algorithm B works best
]]></artwork>
</figure>
</section>
<section anchor="algB" numbered="true" toc="default">
<name>Algorithm B: Enhanced Feasible-Path uRPF with Additional Flexibility across Customer Cone</name>
<t> Adding further flexibility to the enhanced feasible-path uRPF method can help address the potential limitation identified above using the scenario in <xref target="fig4" format="default"/> (<xref target="challenge" format="default"/>). In the following, "route" refers to a route currently existing in the Adj-RIBs-In. Including the additional degree of flexibility, the modified algorithm called Algorithm B (implemented in a transit AS) can be described as follows: </t>
<ol spacing="normal" type="1">
<li> Create the set of all directly connected customer interfaces. Call it Set I = {I1, I2, ..., Ik}. </li>
<li> Create the set of all unique prefixes for which routes exist in Adj-RIBs-In for the interfaces in Set I.
Call it Set P = {P1, P2, ..., Pm}. </li>
<li> Create the set of all unique origin ASes seen in the routes that exist in Adj-RIBs-In for the interfaces in Set I. Call it Set A = {AS1, AS2, ..., ASn}. </li>
<li> Create the set of all unique prefixes for which routes exist in Adj-RIBs-In of all lateral peer and transit provider interfaces such that each of the routes has its origin AS belonging in Set A. Call it Set Q = {Q1, Q2, ..., Qj}. </li>
<li> Then, Set Z = Union(P,Q) is the RPF list that is applied for every customer interface in Set I. </li>
</ol>
<t> When Algorithm B (which is more flexible than Algorithm A) is employed on customer interfaces, the type of limitation identified in <xref target="fig4" format="default"/> (<xref target="challenge" format="default"/>) is overcome and the method works. The directionality property is minimally compromised, but the proposed EFP-uRPF method with Algorithm B is still a much better choice (for the scenario under consideration) than applying the loose uRPF method, which is oblivious to directionality. </t>
<t> So, applying the EFP-uRPF method with Algorithm B is recommended on customer interfaces for the challenging scenarios, such as those described in <xref target="challenge" format="default"/>. </t>
</section>
<section anchor="augment" numbered="true" toc="default">
<name>Augmenting RPF Lists with ROA and IRR Data</name>
<t> It is worth emphasizing that an indirect part of the proposal in this document is that RPF filters may be augmented from secondary sources. Hence, the construction of RPF lists using a method proposed in this document (Algorithm A or B) can be augmented with data from Route Origin Authorization (ROA) <xref target="RFC6482" format="default"/>, as well as Internet Routing Registry (IRR) data. Special care should be exercised when using IRR data because it is not always accurate or trusted. In the EFP-uRPF method with Algorithm A (see <xref target="algA" format="default"/>), if a ROA includes prefix Pi and ASj, then augment the RPF list of each customer interface on which at least one route with origin ASj was received with prefix Pi. In the EFP-uRPF method with Algorithm B, if ASj belongs in Set A (see Step #3 <xref target="algB" format="default"/>) and if a ROA includes prefix Pi and ASj, then augment the RPF list Z in Step 5 of Algorithm B with prefix Pi. Similar procedures can be followed with reliable IRR data as well. This will help make the RPF lists more robust about source addresses that may be legitimately used by customers of the ISP. </t>
</section>
<section anchor="impl" numbered="true" toc="default">
<name>Implementation and Operations Considerations</name>
<section anchor="rpfsize" numbered="true" toc="default">
<name>Impact on FIB Memory Size Requirement</name>
<t> The existing RPF checks in edge routers take advantage of existing line card implementations to perform the RPF functions.
For implementation of the enhanced feasible-path uRPF, the general necessary
feature would be to extend the line cards to take arbitrary RPF lists that are
not necessarily the same as the existing FIB contents. In the algorithms
(Sections <xref target="algA" format="counter"/> and
<xref target="algB" format="counter"/>) described here, the RPF lists are
constructed by applying a set of rules to all received BGP routes (not just
those selected as best path and installed in the FIB). The concept of uRPF
querying an RPF list (instead of the FIB) is similar to uRPF querying a VRF
table (see <xref target="vrf" format="default"/>).
</t>
<t>
The techniques described in this document require that there should be
additional memory (i.e., ternary content-addressable memory (TCAM)) available
to store the RPF lists in line cards. For an ISP's AS, the RPF list size for
each line card will roughly equal the total number of originated prefixes from
ASes in its customer cone (assuming Algorithm B in
<xref target="algB" format="default"/> is used).
(Note: EFP-uRPF with Algorithm A (see <xref target="algA" format="default"/>)
requires much less memory than EFP-uRPF with Algorithm B.)
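Algorithm B and the ROA augmentation rule from the sections above, worked through on the Figure 4 topology as seen from AS4. This is an added example, not code from the RFC or from any router implementation; the Route record, the interface names, the documentation prefixes standing in for P1 and P2, and the AS5 and AS9 peer routes are assumptions made for illustration.

```python
"""Algorithm B RPF-list construction with ROA augmentation (added example).

Data model, interface names and prefixes are constructed for illustration;
AS names follow Figure 4, seen from AS4.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"


@dataclass(frozen=True)
class Route:
    """One Adj-RIBs-In entry; the origin AS is the last element of as_path."""
    prefix: str
    as_path: tuple
    interface: str

    @property
    def origin(self):
        return self.as_path[-1]


def algorithm_b(routes, iface_kind, roas=()):
    """Return (Set I, Set A, Set Z) for the given Adj-RIBs-In contents.

    roas holds (prefix, origin_as) pairs. A pair adds its prefix to Z only
    if origin_as is in Set A, which is the augmentation rule for Algorithm B.
    """
    set_i = {i for i, kind in iface_kind.items() if kind == CUSTOMER}     # Step 1
    customer_routes = [r for r in routes if r.interface in set_i]
    set_p = {r.prefix for r in customer_routes}                           # Step 2
    set_a = {r.origin for r in customer_routes}                           # Step 3
    set_q = {r.prefix for r in routes                                     # Step 4
             if iface_kind[r.interface] in (PEER, PROVIDER) and r.origin in set_a}
    set_z = set_p | set_q                                                 # Step 5
    set_z |= {prefix for prefix, origin_as in roas if origin_as in set_a}
    return set_i, set_a, set_z


def feasible_path_list(routes, interface):
    """Plain feasible-path uRPF: only prefixes with a route on this interface."""
    return {r.prefix for r in routes if r.interface == interface}


def permits(rpf_list, source):
    """True if the source address is covered by a prefix in the RPF list."""
    addr = ip_address(source)
    return any(addr in ip_network(prefix) for prefix in rpf_list)


# Constructed Adj-RIBs-In of AS4. P1 and P2 reach AS4 only through AS3,
# because AS1 attached NO_EXPORT to its announcements towards AS2.
P1, P2 = "192.0.2.0/24", "198.51.100.0/24"
AS2_OWN = "203.0.113.0/24"            # AS2's own prefix (assumed)
P3 = "2001:db8:a::/48"                # extra AS1 prefix seen only via a peer (assumed)
IFACES = {"if-AS2": CUSTOMER, "if-AS3": CUSTOMER, "if-peer": PEER}
ADJ_RIBS_IN = [
    Route(P1, ("AS3", "AS1"), "if-AS3"),
    Route(P2, ("AS3", "AS1"), "if-AS3"),
    Route(AS2_OWN, ("AS2",), "if-AS2"),
    Route(P3, ("AS5", "AS1"), "if-peer"),                 # origin in Set A: joins Q
    Route("2001:db8:ffff::/48", ("AS9",), "if-peer"),     # origin outside Set A
]
ROAS = [("2001:db8:b::/48", "AS1"),   # AS1 is in Set A: augments Z
        ("2001:db8:c::/48", "AS9")]   # AS9 is not: ignored

if __name__ == "__main__":
    set_i, set_a, set_z = algorithm_b(ADJ_RIBS_IN, IFACES, ROAS)
    src = "192.0.2.10"                # AS1 host sending through AS2
    fp_ok = permits(feasible_path_list(ADJ_RIBS_IN, "if-AS2"), src)
    print("feasible-path uRPF on if-AS2 permits", src, ":", fp_ok)
    print("Algorithm B on", sorted(set_i), "permits", src, ":", permits(set_z, src))
    print("RPF list size held per customer interface:", len(set_z))
```

The length of Set Z is the per-line-card RPF list size that the memory estimate in this section refers to.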
</t>
<t>
The following table shows the measured customer cone sizes in number of
prefixes originated (from all ASes in the customer cone) for various types of
ISPs <xref target="Sriram-RIPE63" format="default"/>:
</t>
<table anchor="ccsize">
<name>Customer Cone Sizes (# Prefixes) for Various Types of ISPs</name>
<thead>
<tr>
<th>Type of ISP</th>
<th>Measured Customer Cone Size in # Prefixes (in turn this is an estimate for RPF list size on the line card)</th>
</tr>
</thead>
<tbody>
<tr>
<td>Very Large Global ISP #1</td>
<td>32393</td>
</tr>
<tr>
<td>Very Large Global ISP #2</td>
<td>29528</td>
</tr>
<tr>
<td>Large Global ISP</td>
<td>20038</td>
</tr>
<tr>
<td>Mid-size Global ISP</td>
<td>8661</td>
</tr>
<tr>
<td>Regional ISP (in Asia)</td>
<td>1101</td>
</tr>
</tbody>
</table>
<t>
For some super large global ISPs that are at the core of the Internet, the
customer cone size (# prefixes) can be as high as a few hundred thousand
<xref target="CAIDA" format="default"/>, but uRPF is most effective when
deployed at ASes at the edges of the Internet where the customer cone sizes are
smaller, as shown in <xref target="ccsize" format="default"/>.
</t>
<t>
A very large global ISP's router line card is likely to have a FIB size large
enough to accommodate 2 million routes <xref target="Cisco1" format="default"/>.
Similarly, the line cards in routers corresponding to a large global ISP, a
midsize global ISP, and a regional ISP are likely to have FIB sizes large
enough to accommodate about 1 million, 0.5 million, and 100k routes,
respectively <xref target="Cisco2" format="default"/>.
Comparing these FIB size numbers with the corresponding RPF list size numbers
in <xref target="ccsize" format="default"/>, it can be surmised that the
conservatively estimated RPF list size is only a small fraction of the
anticipated FIB memory size under relevant ISP scenarios. What is meant here by
relevant ISP scenarios is that only smaller ISPs (and possibly some midsize and
regional ISPs) are expected to implement the proposed EFP-uRPF method since it
is most effective closer to the edges of the Internet.
</t>
</section>
<section anchor="hyst" numbered="true" toc="default">
<name>Coping with BGP's Transient Behavior</name>
<t>
BGP routing announcements can exhibit transient behavior. Routes may be
withdrawn temporarily and then reannounced due to transient conditions, such as
BGP session reset or link failure recovery. To cope with this, hysteresis
should be introduced in the maintenance of the RPF lists. Deleting entries from
the RPF lists <bcp14>SHOULD</bcp14> be delayed by a predetermined amount (the
value based on operational experience) when responding to route withdrawals.
This should help suppress the effects due to the transients in BGP.
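One way to implement the delayed deletion described above, as an added example that is not code from the RFC or from any router implementation. The class name, the 300-second hold-down value, the prefix and the event timeline are assumptions constructed for illustration.

```python
"""RPF list with hold-down on withdrawals (added example).

A prefix stays in the RPF list while at least one contributing route exists.
When the last route is withdrawn, removal is deferred by hold_down seconds;
a re-announcement inside that window cancels the pending removal.
"""


class HoldDownRpfList:
    def __init__(self, hold_down):
        self.hold_down = hold_down      # seconds; chosen from operational experience
        self.route_count = {}           # prefix: number of live contributing routes
        self.expiry = {}                # prefix: time at which removal takes effect

    def announce(self, prefix, now):
        """A route for prefix was received; cancels any pending removal."""
        self.sweep(now)
        self.route_count[prefix] = self.route_count.get(prefix, 0) + 1
        self.expiry.pop(prefix, None)

    def withdraw(self, prefix, now):
        """A route for prefix was withdrawn; start hold-down if it was the last."""
        self.sweep(now)
        live = self.route_count.get(prefix, 0)
        if live == 0:
            return                      # unknown prefix, or already in hold-down
        self.route_count[prefix] = live - 1
        if live == 1:
            self.expiry[prefix] = now + self.hold_down

    def sweep(self, now):
        """Drop entries whose hold-down has run out."""
        for prefix in [p for p, t in self.expiry.items() if now >= t]:
            del self.expiry[prefix]
            del self.route_count[prefix]

    def entries(self, now):
        """Prefixes currently accepted as source prefixes."""
        self.sweep(now)
        return set(self.route_count)


# Constructed timeline (seconds): a session reset flaps the only route for the
# prefix, then the route is withdrawn for good.
PREFIX = "192.0.2.0/24"
EVENTS = [
    (0, "announce", PREFIX),
    (100, "withdraw", PREFIX),    # BGP session reset
    (130, "announce", PREFIX),    # session re-established
    (1000, "withdraw", PREFIX),   # genuine withdrawal
]


def membership(events, hold_down, prefix, probe_times):
    """Replay events and report whether prefix is in the RPF list at each probe."""
    rpf = HoldDownRpfList(hold_down)
    pending = sorted(events)
    result = {}
    for t in sorted(probe_times):
        while pending and t >= pending[0][0]:
            when, action, pfx = pending.pop(0)
            getattr(rpf, action)(pfx, when)
        result[t] = prefix in rpf.entries(t)
    return result


if __name__ == "__main__":
    probes = [50, 120, 200, 1100, 1300]
    print("no hysteresis:", membership(EVENTS, 0, PREFIX, probes))
    print("300 s hold-down:", membership(EVENTS, 300, PREFIX, probes))
```

At the probe taken during the session reset (t=120) the list without hysteresis has already dropped the prefix, while the hold-down variant still accepts it and removes it only 300 seconds after the final withdrawal.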
</t>
</section>
</section>
<section anchor="summ_recomm" numbered="true" toc="default">
<name>Summary of Recommendations</name>
<t>
Depending on the scenario, an ISP or enterprise AS operator should follow one
of the following recommendations concerning uRPF/SAV:
</t>
<ol spacing="normal" type="1">
<li>
For directly connected networks, i.e., subnets directly connected to the AS,
the AS under consideration <bcp14>SHOULD</bcp14> perform ACL-based SAV.
</li>
<li>
For a directly connected single-homed stub AS (customer), the AS under
consideration <bcp14>SHOULD</bcp14> perform SAV based on the strict uRPF method.
</li>
<li>
<t>
For all other scenarios:
</t>
<ul spacing="normal">
<li>
The EFP-uRPF method with Algorithm B (see <xref target="algB" format="default"/>)
<bcp14>SHOULD</bcp14> be applied on customer interfaces.
</li>
<li>
The loose uRPF method <bcp14>SHOULD</bcp14> be applied on lateral peer and
transit provider interfaces.
</li>
</ul>
</li>
</ol>
<t>
It is also recommended that prefixes from registered ROAs and IRR route objects
that include ASes in an ISP's customer cone <bcp14>SHOULD</bcp14> be used to
augment the pertaining RPF lists (see <xref target="augment" format="default"/>
for details).
</t>
<section anchor="discuss" numbered="true" toc="default">
<name>Applicability of the EFP-uRPF Method with Algorithm A</name>
<t>The EFP-uRPF method with Algorithm A is not mentioned in the above set of
recommendations.
It is an alternative to EFP-uRPF with Algorithm B and can be used in limited
circumstances. The EFP-uRPF method with Algorithm A is expected to work fine if
an ISP deploying it has only multihomed stub customers. It is trivially
equivalent to strict uRPF if an ISP deploys it for a single-homed stub
customer. More generally, it is also expected to work fine when there is
absence of limitations, such as those described in
<xref target="challenge" format="default"/>.
However, caution is required for use of EFP-uRPF with Algorithm A because even
if the limitations are not expected at the time of deployment, the
vulnerability to change in conditions exists. It may be difficult for an ISP to
know or track the extent of use of NO_EXPORT (see
<xref target="challenge" format="default"/>) on routes within its customer
cone. If an ISP decides to use EFP-uRPF with Algorithm A, it should make its
direct customers aware of the operational recommendations in
<xref target="recomm" format="default"/>.
This means that the ISP notifies direct customers that at least one prefix
originated by each AS in the direct customer's customer cone must propagate to
the ISP.
</t>
<t>
On a lateral peer interface, an ISP may choose to apply the EFP-uRPF method
with Algorithm A (with appropriate modification of the algorithm). This is
because stricter forms of uRPF (than the loose uRPF) may be considered
applicable by some ISPs on interfaces with lateral peers.
</t>
</section>
</section>
</section>
<section anchor="seccon" numbered="true" toc="default">
<name>Security Considerations</name>
<t>
The security considerations in BCP 38 <xref target="RFC2827" format="default"/>
and RFC 3704 <xref target="RFC3704" format="default"/> apply for this document
as well.
In addition, if considering using the EFP-uRPF method with Algorithm A, an ISP
or AS operator should be aware of the applicability considerations and
potential vulnerabilities discussed in <xref target="discuss" format="default"/>.
</t>
<t>
In augmenting RPF lists with ROA (and possibly reliable IRR) information (see
<xref target="augment" format="default"/>), a trade-off is made in favor of
reducing false positives (regarding invalid detection in SAV) at the expense of
another slight risk. The other risk being that a malicious actor at another AS
in the neighborhood within the customer cone might take advantage (of the
augmented prefix) to some extent. This risk also exists even with normal
announced prefixes (i.e., without ROA augmentation) for any uRPF method other
than the strict uRPF. However, the risk is mitigated if the transit provider of
the other AS in question is performing SAV.
</t>
<t>
Though not within the scope of this document, security hardening of routers and
other supporting systems (e.g., Resource PKI (RPKI) and ROA management systems)
against compromise is extremely important. The compromise of those systems can
affect the operation and performance of the SAV methods described in this
document.
</t>
</section>
<section numbered="true" toc="default">
<name>IANA Considerations</name>
<t>This document has no IANA actions.
</t>
</section>
</middle>
<back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2827.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3704.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4271.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4036.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4364.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6811.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6482.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7454.xml"/>
<reference anchor="Firmin" target="https://www.3gpp.org/technologies/keywords-acronyms/100-the-evolved-packet-core">
<front>
<title>The Evolved Packet Core</title>
<author initials="F" surname="Firmin">
<organization/>
</author>
</front>
</reference>
<reference anchor="ISOC" target="https://www.internetsociety.org/resources/doc/2015/addressing-the-challenge-of-ip-spoofing/">
<front>
<title>Addressing the challenge of IP spoofing</title>
<author>
<organization>Internet Society</organization>
</author>
<date month="September" year="2015"/>
</front>
</reference>
<reference anchor="CAIDA" target="https://spoofer.caida.org/as.php?asn=174">
<front>
<title>Information for AS 174 (COGENT-174)</title>
<author>
<organization>CAIDA</organization>
</author>
<date month="October" year="2019"/>
</front>
</reference>
<reference anchor="Sriram-RIPE63" target="http://www.ietf.org/proceedings/83/slides/slides-83-sidr-7.pdf">
<front>
<title>Estimating CPU Cost of BGPSEC on a Router</title>
<author initials="K" surname="Sriram">
<organization/>
</author>
<author initials="R" surname="Bush">
<organization/>
</author>
<date month="March" year="2012"/>
</front>
<refcontent>Presented at RIPE 63 and at the SIDR WG meeting at IETF 83</refcontent>
</reference>
<reference anchor="Sriram-URPF" target="https://datatracker.ietf.org/meeting/101/materials/slides-101-opsec-draft-sriram-opsec-urpf-improvements-00">
<front>
<title>Enhanced Feasible-Path Unicast Reverse Path Filtering</title>
<author initials="K" surname="Sriram">
<organization/>
</author>
<author initials="D" surname="Montgomery">
<organization/>
</author>
<author initials="J" surname="Haas">
<organization/>
</author>
<date month="March" year="2018"/>
</front>
<refcontent>Presented at the OPSEC WG meeting at IETF 101</refcontent>
</reference>
<reference anchor="Cisco1" target="https://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116999-problem-line-card-00.html">
<front>
<title>Internet Routing Table Growth Causes %ROUTING-FIB-4-RSRC_LOW Message on Trident-Based Line Cards</title>
<author>
<organization>Cisco</organization>
</author>
<date month="January" year="2014"/>
</front>
</reference>
<reference anchor="Cisco2" target="https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_NewChange.html">
<front>
<title>Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 5.x (Chapter 15: 'Managing the Unicast RIB and FIB')</title>
<author>
<organization>Cisco</organization>
</author>
<date month="March" year="2018"/>
</front>
</reference>
<reference anchor="Juniper" target="https://www.juniper.net/documentation/en_US/junos/topics/topic-map/l3-vpns-routes-vrf-tables.html#id-understanding-virtual-routing-and-forwarding-tables">
<front>
<title>Creating Unique VPN Routes Using VRF Tables</title>
<author>
<organization>Juniper Networks</organization>
</author>
<date month="May" year="2019"/>
</front>
</reference>
<reference anchor="SPAR-v4" target="https://www.iana.org/assignments/iana-ipv4-special-registry/">
<front>
<title>IANA IPv4 Special-Purpose Address Registry</title>
<author>
<organization>IANA</organization>
</author>
</front>
</reference>
<reference anchor="SPAR-v6" target="https://www.iana.org/assignments/iana-ipv6-special-registry/">
<front>
<title>IANA IPv6 Special-Purpose Address Registry</title>
<author>
<organization>IANA</organization>
</author>
</front>
</reference>
<reference anchor="Luckie" target="https://dl.acm.org/doi/10.1145/2504730.2504735">
<front>
<title>AS Relationships, customer cones, and validation</title>
<seriesInfo name="DOI" value="10.1145/2504730.2504735"/>
<author initials="M." surname="Luckie">
<organization/>
</author>
<author initials="B." surname="Huffaker">
<organization/>
</author>
<author initials="A." surname="Dhamdhere">
<organization/>
</author>
<author initials="V." surname="Giotsas">
<organization/>
</author>
<author initials="kc" surname="claffy">
<organization/>
</author>
<date month="October" year="2013"/>
</front>
<refcontent>In Proceedings of the 2013 Internet Measurement Conference</refcontent>
</reference>
</references>
</references>
<section numbered="false" toc="default">
<name>Acknowledgements</name>
<t>The authors would like to thank
<contact fullname="Sandy Murphy" />,
<contact fullname="Alvaro Retana" />,
<contact fullname="Job Snijders" />,
<contact fullname="Marco Marzetti" />,
<contact fullname="Marco d'Itri" />,
<contact fullname="Nick Hilliard" />,
<contact fullname="Gert Doering" />,
<contact fullname="Fred Baker" />,
<contact fullname="Igor Gashinsky" />,
<contact fullname="Igor Lubashev" />,
<contact fullname="Andrei Robachevsky" />,
<contact fullname="Barry Greene" />,
<contact fullname="Amir Herzberg" />,
<contact fullname="Ruediger Volk" />,
<contact fullname="Jared Mauch" />,
<contact fullname="Oliver Borchert" />,
<contact fullname="Mehmet Adalier" />, and
<contact fullname="Joel Jaeggli"/>
for comments and suggestions. The comments and suggestions received from the
IESG reviewers are also much appreciated.
</t>
</section>
</back>
</rfc>