Problem Statement of SAVI Beyond the First Hop
The IETF Source Address Validation Improvements (SAVI) working group is chartered for source address validation within the first hop from the end hosts, i.e. preventing a node from spoofing the IP source address of another node on the same IP link. For source address validation beyond the first hop (SAVI-BF), Ingress Filtering [BCP38]/[BCP84] is the best current practice. However, Ingress Filtering may drop legitimate packets (false positive) or fail to recognize spoofed packets (false negative) in the case of asymmetric routing, which is not rare in SAVI-BF scenarios. This document states the possible scenarios in which Ingress Filtering may have problems (false positive or false negative), and lists five causes of the problems. These five causes, we believe, are the challenges that need to be overcome by SAVI-BF solutions (including a possible improved version of Ingress Filtering). We also observe that the incentive for Internet Service Providers (ISPs) to deploy SAVI-BF differs between the intra-domain and inter-domain scenarios, and that incentivizing ISPs to deploy inter-domain SAVI is more challenging. Although this document does not intend to provide any SAVI-BF solution, we discuss the philosophy of designing a SAVI-BF mechanism.
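The false positive and false negative described above can be reproduced with a small model of a router's reverse-path check. This is an added example, not part of the original document. The strict and loose checks are the modes named in BCP 84, used here as assumed implementations of ingress filtering, and the FIB, interface names and packets are constructed.

```python
import ipaddress

# Constructed FIB of a hypothetical router: prefix -> interface of its best route.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "if_a",     # single-homed customer A
    ipaddress.ip_network("198.51.100.0/24"): "if_b",  # multihomed customer B, best path
}

def best_interface(src):
    """Longest-prefix match of src in the FIB; None if no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [n for n in FIB if addr in n]
    if not matches:
        return None
    return FIB[max(matches, key=lambda n: n.prefixlen)]

def strict_rpf(src, in_if):
    """Accept only if the packet arrived on the interface used to reach src."""
    return best_interface(src) == in_if

def loose_rpf(src, in_if):
    """Accept if any route to src exists, whatever the arrival interface."""
    return best_interface(src) is not None

def outcome(check, src, in_if, legitimate):
    """Compare the filter's verdict with ground truth for one packet."""
    accepted = check(src, in_if)
    if legitimate and not accepted:
        return "false positive"
    if not legitimate and accepted:
        return "false negative"
    return "correct"

# Constructed packets: (source address, arrival interface, is the source genuine?)
ASYMMETRIC_LEGIT = ("198.51.100.7", "if_c", True)   # B sends via its second uplink
SPOOFED_AS_A = ("192.0.2.9", "if_c", False)         # A's address seen on if_c

if __name__ == "__main__":
    for name, check in (("strict", strict_rpf), ("loose", loose_rpf)):
        for pkt in (ASYMMETRIC_LEGIT, SPOOFED_AS_A):
            print(name, pkt[0], pkt[1], outcome(check, *pkt))
```

The strict check drops customer B's genuine traffic because it arrives on an interface other than the router's best return path, while relaxing to the loose check admits the spoofed source.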