draft-ietf-savi-framework-01.txt   draft-ietf-savi-framework-02.txt 
Network Working Group                                             J. Wu
Internet-Draft                                                     J. Bi
Intended status: Informational                            Tsinghua Univ.
Expires: August 15, 2011                                      M. Bagnulo
                                                                    UC3M
                                                                F. Baker
                                                                   Cisco
                                                            C. Vogt, Ed.
                                                                Ericsson
                                                       February 11, 2011

            Source Address Validation Improvement Framework
                      draft-ietf-savi-framework-02
Abstract

The Source Address Validation Improvement method was developed to
complement ingress filtering with finer-grained, standardized IP
source address validation. This document describes and motivates the
design of the SAVI method.
Status of this Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 15, 2011.
Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
2. Model . . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
3. Deployment Options . . . . . . . . . . . . . . . . . . . . . .  6
4. Scalability Optimizations . . . . . . . . . . . . . . . . . .  7
5. Reliability Optimizations . . . . . . . . . . . . . . . . . .  9
6. Mix Scenario . . . . . . . . . . . . . . . . . . . . . . . . . 10
7. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction

Since IP source addresses are used by hosts and network entities to
determine the origin of a packet and as a destination for return
data, spoofing of IP source addresses can enable impersonation,
concealment, and malicious traffic redirection. Unfortunately, the
Internet architecture does not prevent IP source address spoofing.
Since the IP source address of a packet generally takes no role in
forwarding the packet, it can be selected arbitrarily by the sending

[skipping to change at page 10, line 21]
SAVI instance supports: The SAVI method variant for Stateless
Address Autoconfiguration and for Secure Neighbor Discovery verifies
an IP address through the Duplicate Address Detection procedure. The
SAVI method variant for DHCP verifies an IP address through a DHCP
Lease Query message exchange with the DHCP server. If verification
indicates that the IP address is unique on the link, the SAVI
instance creates a binding for the IP address. Otherwise, no binding
is created, and packets sent from the IP address continue to be
dropped.
6. Mix Scenario
Multiple address assignment methods can be used on the same link, so
a SAVI device may have to deal with a mix of binding discovery
methods. If each assignment method uses a different address prefix,
the mix scenario can be handled, prefix by prefix, exactly like a
scenario with a single assignment method. If different address
assignment methods assign addresses from the same prefix, additional
considerations are needed, because one binding mechanism may create a
binding that violates an existing binding from another binding
mechanism; for example, a binding created by SAVI-FCFS may violate a
binding created by SAVI-DHCP. Collisions between different SAVI
mechanisms in the mix scenario must therefore be handled whenever
more than one address assignment method assigns addresses from the
same prefix.

The prioritization relationship between the different address
assignment methods is used as the basis for resolving such
collisions. The current standards documents for the address
assignment methods imply a prioritization relationship for the
general case. In some deployments, however, the default
prioritization may not be suitable, so a document specifying the SAVI
solution for the mix scenario should support a configurable
prioritization level.
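The two mechanisms described above, creation of a binding only after the method-specific verification succeeds (Duplicate Address Detection for SLAAC and SEND, Lease Query for DHCP, with packets from an unbound address dropped until then) and priority-based handling of collisions between methods that serve the same prefix, as one added Python model. This is illustrative code written for this page, not code from the draft or from any SAVI implementation. The link state (which host answers a DAD probe, which lease the DHCP server holds), the anchor names, the per-prefix method assignment, the DHCP > SEND > SLAAC > FCFS default ordering and the treatment of FCFS as DAD-verified are all assumptions of the example; the draft only says the priority is implied by the assignment-method specifications and should be configurable.

```python
"""SAVI binding-table model (added example): method-specific verification
before a binding is created, and priority-based collision handling."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Set

# Constructed stand-ins for the real protocol exchanges (assumed data).
# DAD: address -> anchor whose host currently answers a Neighbor Solicitation.
# The DHCP client on port1 is powered off, so nobody answers for ::10.
LINK_NA_RESPONDERS = {"2001:db8:1::20": "port2"}
# DHCP Lease Query: address -> anchor (client) the server has leased it to.
DHCP_LEASES = {"2001:db8:1::10": "port1"}


def dad_probe(addr: str, anchor: str) -> bool:
    """Simplified DAD on behalf of `anchor`: unique unless another anchor answers."""
    claimant = LINK_NA_RESPONDERS.get(addr)
    return claimant is None or claimant == anchor


def lease_query(addr: str, anchor: str) -> bool:
    """Simplified Lease Query: valid only if the server leased `addr` to this anchor."""
    return DHCP_LEASES.get(addr) == anchor


VERIFIERS: Dict[str, Callable[[str, str], bool]] = {
    "DHCP": lease_query, "SEND": dad_probe, "SLAAC": dad_probe,
    "FCFS": dad_probe,  # treating FCFS as DAD-verified is this example's choice
}
# Illustrative default ordering, higher wins.  The specific order is an
# assumption of the example; the draft only asks that it be configurable.
DEFAULT_PRIORITY = {"DHCP": 3, "SEND": 2, "SLAAC": 1, "FCFS": 0}


@dataclass
class Binding:
    anchor: str   # binding anchor, e.g. the switch port the host sits behind
    method: str   # assignment method whose verification created the binding


class SaviInstance:
    def __init__(self, priority: Optional[Dict[str, int]] = None,
                 prefix_methods: Optional[Dict[str, Set[str]]] = None):
        self.bindings: Dict[str, Binding] = {}
        self.priority = dict(priority or DEFAULT_PRIORITY)
        # Which assignment methods hand out addresses from which prefix.
        self.prefix_methods = {ip_network(p): m
                               for p, m in (prefix_methods or {}).items()}

    def methods_for(self, addr: str) -> Set[str]:
        a = ip_address(addr)
        return next((m for net, m in self.prefix_methods.items() if a in net),
                    set())

    def try_bind(self, addr: str, anchor: str, method: str) -> bool:
        """Verify, then bind unless an equal-or-higher-priority binding exists elsewhere."""
        if method not in self.methods_for(addr):
            return False                 # method is not used on this prefix
        if not VERIFIERS[method](addr, anchor):
            return False                 # not unique / not leased to this host
        existing = self.bindings.get(addr)
        if existing is not None and existing.anchor != anchor:
            # Mix-scenario collision: another method already bound the address.
            if self.priority[method] <= self.priority[existing.method]:
                return False
        self.bindings[addr] = Binding(anchor, method)
        return True

    def filter(self, src: str, anchor: str) -> str:
        """Forward only if `src` is bound to the ingress anchor; otherwise drop."""
        b = self.bindings.get(src)
        return "forward" if b is not None and b.anchor == anchor else "drop"


def demo(priority: Optional[Dict[str, int]] = None) -> Dict[str, object]:
    """Recovery after binding loss, then a mix-scenario collision."""
    savi = SaviInstance(priority, {
        "2001:db8:1::/64": {"DHCP", "SLAAC", "FCFS"},   # mixed on one prefix
        "2001:db8:2::/64": {"FCFS"},                    # FCFS-only prefix
    })
    out = {}
    # Empty table (e.g. after a restart): traffic is dropped until the
    # address is re-verified through its method's own procedure.
    out["before_recovery"] = savi.filter("2001:db8:1::10", "port1")
    out["dhcp_bind"] = savi.try_bind("2001:db8:1::10", "port1", "DHCP")
    out["after_recovery"] = savi.filter("2001:db8:1::10", "port1")
    out["slaac_bind"] = savi.try_bind("2001:db8:1::20", "port2", "SLAAC")
    # port3 claims the DHCP-leased address first-come-first-served while the
    # lease holder is silent: DAD passes, so only the priority rule stops it.
    out["fcfs_collision"] = savi.try_bind("2001:db8:1::10", "port3", "FCFS")
    out["spoof"] = savi.filter("2001:db8:1::10", "port3")
    out["bound_to"] = savi.bindings["2001:db8:1::10"].anchor
    # On a prefix served by FCFS alone there is nothing to collide with.
    out["fcfs_own_prefix"] = savi.try_bind("2001:db8:2::5", "port3", "FCFS")
    return out


if __name__ == "__main__":
    print(demo())                                   # default ordering
    print(demo({"FCFS": 3, "DHCP": 0, "SEND": 2, "SLAAC": 1}))  # FCFS wins
```

Running the module prints the outcomes twice. With the default ordering the FCFS claim from port3 is refused and its packets stay dropped, even though DAD alone would have passed because the DHCP lease holder was silent. With the operator-configured ordering that puts FCFS above DHCP, the same claim displaces the DHCP binding, which is exactly the "binding violating an existing binding" the draft warns about; it shows why the priority between methods has to be a deliberate configuration rather than whichever verification happened to run last.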
7. Acknowledgment
The author would like to thank the SAVI working group for a thorough
technical discussion on the design and the framework of the SAVI
method, as captured in this document, in particular Erik Nordmark,
Guang Yao, Eric Levy-Abegnoli, and Alberto Garcia. Thanks also to
Torben Melsen for reviewing this document.

This document was generated using the xml2rfc tool.
8. References
[BA2007] Baker, F., "Cisco IP Version 4 Source Guard", IETF Internet
         draft (work in progress), November 2007.

[BCP38]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
         Defeating Denial of Service Attacks which employ IP Source
         Address Spoofing", BCP 38, RFC 2827, May 2000.
Authors' Addresses

Jianping Wu
Computer Science, Tsinghua University
Beijing 100084
China
Email: jianping@cernet.edu.cn

Jun Bi
Network Research Center, Tsinghua University
Beijing 100084
China
Email: junbi@tsinghua.edu.cn

Marcelo Bagnulo
Universidad Carlos III de Madrid
Avenida de la Universidad 30
Leganes, Madrid 28911
Spain
Email: marcelo@it.uc3m.es

Fred Baker
Cisco Systems
Santa Barbara, CA 93117
United States
Email: fred@cisco.com

Christian Vogt (editor)
Ericsson
200 Holger Way
End of changes. 17 change blocks. 35 lines changed or deleted, 50 lines changed or added.

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/