draft-ietf-savi-mix-11.txt   draft-ietf-savi-mix-12.txt 
SAVI J. Bi SAVI J. Bi
Internet-Draft Tsinghua Univ. Internet-Draft THU
Intended status: Standards Track G. Yao Intended status: Standards Track G. Yao
Expires: November 22, 2016 Baidu Expires: April 21, 2017 Baidu/THU
J. Halpern J. Halpern
Newbridge Newbridge
E. Levy-Abegnoli, Ed. E. Levy-Abegnoli, Ed.
Cisco Cisco
May 21, 2016 October 18, 2016
SAVI for Mixed Address Assignment Methods Scenario SAVI for Mixed Address Assignment Methods Scenario
draft-ietf-savi-mix-11 draft-ietf-savi-mix-12
Abstract Abstract
In networks that use multiple techniques for address assignment, the In networks that use multiple techniques for address assignment, the
appropriate Source Address Validation Improvement (SAVI) methods must appropriate Source Address Validation Improvement (SAVI) methods must
be used to prevent spoofing of addresses assigned by each such be used to prevent spoofing of addresses assigned by each such
technique. This document reviews how multiple SAVI methods can technique. This document reviews how multiple SAVI methods can
coexist in a single SAVI device and collisions are resolved when the coexist in a single SAVI device and collisions are resolved when the
same binding entry is discovered by two or more methods. same binding entry is discovered by two or more methods.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 22, 2016. This Internet-Draft will expire on April 21, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
3. Problem Scope . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Problem Scope . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Recommendations for preventing collisions . . . . . . . . . . 5 5. Recommendations for preventing collisions . . . . . . . . . . 5
6. Resolving binding collisions . . . . . . . . . . . . . . . . 6 6. Resolving binding collisions . . . . . . . . . . . . . . . . 6
6.1. Same Address on Different Binding Anchors . . . . . . . . 6 6.1. Same Address on Different Binding Anchors . . . . . . . . 6
6.1.1. Basic preference . . . . . . . . . . . . . . . . . . 6 6.1.1. Basic preference . . . . . . . . . . . . . . . . . . 6
6.1.2. Overwritten preference . . . . . . . . . . . . . . . 7 6.1.2. Overwritten preference . . . . . . . . . . . . . . . 7
6.1.3. Multiple SAVI Device Scenario . . . . . . . . . . . . 8 6.1.3. Multiple SAVI Device Scenario . . . . . . . . . . . . 8
6.2. Same Address on the Same Binding Anchor . . . . . . . . . 8 6.2. Same Address on the Same Binding Anchor . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9
9. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . 9 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 10. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 10 11.1. Normative References . . . . . . . . . . . . . . . . . . 9
11.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
There are currently several Source Address Validaiton Improvement There are currently several Source Address Validaiton Improvement
(SAVI) documents ([RFC6620], [RFC7513] and [RFC7219]) that describe (SAVI) documents ([RFC6620], [RFC7513] and [RFC7219]) that describe
the different methods by which a switch can discover and record the different methods by which a switch can discover and record
bindings between a node's IP address and a binding anchor and use bindings between a node's IP address and a binding anchor and use
that binding to perform source address validation. Each of these that binding to perform source address validation. Each of these
documents specifies how to learn on-link addresses, based on the documents specifies how to learn on-link addresses, based on the
skipping to change at page 3, line 34 skipping to change at page 3, line 36
In addition, there is a fourth technique for managing (i.e., In addition, there is a fourth technique for managing (i.e.,
creation, management, deletion) a binding on the switch, referred to creation, management, deletion) a binding on the switch, referred to
as "manual". It is based on manual binding configuration and is as "manual". It is based on manual binding configuration and is
analyzed in [RFC6620] and [RFC7039]. analyzed in [RFC6620] and [RFC7039].
All combinations of address assignment techniques can coexist within All combinations of address assignment techniques can coexist within
a layer-2 domain. A SAVI device MUST implement the corresponding a layer-2 domain. A SAVI device MUST implement the corresponding
binding setup methods (referred to as a "SAVI method") for each such binding setup methods (referred to as a "SAVI method") for each such
technique that is in use if it is to provide Source Address technique that is in use if it is to provide Source Address
Validation. If more than one SAVI method is enabled on a SAVI Validation.
device, the method is referred to as "mix address assignment method"
in this document.
SAVI methods are normally viewed as independent from each other, each SAVI methods are normally viewed as independent from each other, each
one handling its own entries. If multiple methods are used in the one handling its own entries. If multiple methods are used in the
same device without coordination, each method will attempt to reject same device without coordination, each method will attempt to reject
packets sourced with any addresses that method did not discover. To packets sourced with any addresses that method did not discover. To
prevent addresses discovered by one SAVI method from being filtered prevent addresses discovered by one SAVI method from being filtered
out by another method, the SAVI binding table should be shared by all out by another method, the SAVI binding table should be shared by all
the SAVI methods in use in the device. This in turn could create the SAVI methods in use in the device. This in turn could create
some conflict when the same entry is discovered by two different some conflict when the same entry is discovered by two different
methods. The purpose of this document is of two folds: provide methods. The purpose of this document is of two folds: provide
skipping to change at page 4, line 22 skipping to change at page 4, line 22
corresponding entry in the binding table. Then SAVI-MIX will check corresponding entry in the binding table. Then SAVI-MIX will check
if there is any conflict in the binding table. A new binding will be if there is any conflict in the binding table. A new binding will be
generated if there is no conflict. If there is a conflict, SAVI-MIX generated if there is no conflict. If there is a conflict, SAVI-MIX
will determine whether to replace the existing binding or reject the will determine whether to replace the existing binding or reject the
candidate binding based on the policies specified in Section 6. candidate binding based on the policies specified in Section 6.
As a result of this, the packet filtering in the SAVI device will not As a result of this, the packet filtering in the SAVI device will not
be performed by each SAVI method separately. Instead, the table be performed by each SAVI method separately. Instead, the table
resulting from applying SAVI-MIX will be used to perform filtering. resulting from applying SAVI-MIX will be used to perform filtering.
Thus the filtering is based on the combined results of the differents Thus the filtering is based on the combined results of the differents
SAVI mechanisms. SAVI mechanisms. It is beyond the scope of this document to describe
the details of the filtering mechanism and its use of the combined
SAVI binding table.
+--------------------------------------------------------+ +--------------------------------------------------------+
| | | |
| SAVI Device | | SAVI Device |
| | | |
| | | |
| +------+ +------+ +------+ | | +------+ +------+ +------+ |
| | SAVI | | SAVI | | SAVI | | | | SAVI | | SAVI | | SAVI | |
| | | | | | | | | | | | | | | |
| | FCFS | | DHCP | | SEND | | | | FCFS | | DHCP | | SEND | |
skipping to change at page 7, line 51 skipping to change at page 7, line 51
1. The target in the DAD message does not exist in the binding table 1. The target in the DAD message does not exist in the binding table
2. The target is within configured "prefix" (or equal to "address") 2. The target is within configured "prefix" (or equal to "address")
3. The anchor bound to target is different from the configured 3. The anchor bound to target is different from the configured
anchor, when specified anchor, when specified
4. The configured method, if any, is different from SAVI-FCFS 4. The configured method, if any, is different from SAVI-FCFS
The switch should defend the address by responding to the DAD The switch should defend the address by responding to the DAD
message, with a NA message, on behalf of the target node. SeND nodes message, with a NA message, on behalf of the target node. The DAD
message should be discarded and not forwarded. Forwarding it may
cause other SAVI devices to send additional defense NAs. SeND nodes
in the network MUST disable the option to ignore unsecured in the network MUST disable the option to ignore unsecured
advertisements (see s8 of [RFC3971]). If the option is enabled, the advertisements (see s8 of [RFC3971]). If the option is enabled, the
case is outside the scope of this document. case is outside the scope of this document. It is suggested to limit
the rate of defense NAs to reduce security threats to the switch.
It should not install the entry into the binding table. It will It should not install the entry into the binding table. It will
simply prevent the node to assign the address, and will de-facto simply prevent the node to assign the address, and will de-facto
prioritize the configured anchor. This is especially useful to prioritize the configured anchor. This is especially useful to
protect well known bindings such as a static address of a server over protect well known bindings such as a static address of a server over
anybody, even when the server is down. It is also a way to give anybody, even when the server is down. It is also a way to give
priority to a binding learnt from SAVI-DHCP over a binding for the priority to a binding learnt from SAVI-DHCP over a binding for the
same address, learnt from SAVI-FCFS. same address, learnt from SAVI-FCFS.
6.1.3. Multiple SAVI Device Scenario 6.1.3. Multiple SAVI Device Scenario
skipping to change at page 8, line 48 skipping to change at page 8, line 51
7. Security Considerations 7. Security Considerations
SAVI MIX does not eliminate the security problems of each SAVI SAVI MIX does not eliminate the security problems of each SAVI
method. Thus, the potential attacks, e.g., the DoS attack against method. Thus, the potential attacks, e.g., the DoS attack against
the SAVI device resource, can still happen. In deployment, the the SAVI device resource, can still happen. In deployment, the
security threats from each enabled SAVI methods should be prevented security threats from each enabled SAVI methods should be prevented
by the corresponding proposed solutions in each document. by the corresponding proposed solutions in each document.
SAVI MIX is only a binding setup/removal arbitration mechanism. It SAVI MIX is only a binding setup/removal arbitration mechanism. It
does not introduce additional security threats if the principle of does not introduce additional security threats if the arbitration is
decision is reasonable. However, there is a slight problem. SAVI reasonable. However, there is a slight problem. SAVI MIX is more
MIX is more tolerant about binding establishment than each SAVI tolerant about binding establishment than each SAVI method alone. As
method alone. As long as one of the enabled SAVI methods generates a long as one of the enabled SAVI methods generates a binding, the
binding, the binding will be applied. As a result, the allowed binding will be applied. As a result, the allowed number of SAVI
number of SAVI bindings or allowed SAVI binding setup rate will be bindings or allowed SAVI binding setup rate will be the sum of that
the sum of that of all the enabled SAVI methods. In deployment, of all the enabled SAVI methods. In deployment, whether a SAVI
whether a SAVI device is capable of supporting the resulting resource device is capable of supporting the resulting resource requirements
requirements should be evaluated. should be evaluated.
8. IANA Considerations The SAVI MIX preferences of all the SAVI devices in the same layer-2
domain should be consistent. Inconsistent configurations may cause
network breaks.
8. Privacy Considerations
When implementing multiple SAVI methods, privacy considerations of
all methods apply cumulatively. In addition, there is a minor
additional loss of privacy in that the SAVI device can correlate
information from different SAVI methods.
9. IANA Considerations
This memo asks the IANA for no new parameters. This memo asks the IANA for no new parameters.
9. Acknowledgment 10. Acknowledgment
Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun and Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun, David
Jari Arkko for their valuable contributions. Lamparter and Jari Arkko for their valuable contributions.
10. References 11. References
10.1. Normative References 11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, DOI 10.17487/RFC2131, March 1997, RFC 2131, DOI 10.17487/RFC2131, March 1997,
<http://www.rfc-editor.org/info/rfc2131>. <http://www.rfc-editor.org/info/rfc2131>.
skipping to change at page 10, line 20 skipping to change at page 10, line 36
[RFC7219] Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor [RFC7219] Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor
Discovery (SEND) Source Address Validation Improvement Discovery (SEND) Source Address Validation Improvement
(SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014, (SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014,
<http://www.rfc-editor.org/info/rfc7219>. <http://www.rfc-editor.org/info/rfc7219>.
[RFC7513] Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address [RFC7513] Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address
Validation Improvement (SAVI) Solution for DHCP", Validation Improvement (SAVI) Solution for DHCP",
RFC 7513, DOI 10.17487/RFC7513, May 2015, RFC 7513, DOI 10.17487/RFC7513, May 2015,
<http://www.rfc-editor.org/info/rfc7513>. <http://www.rfc-editor.org/info/rfc7513>.
10.2. Informative References 11.2. Informative References
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007, DOI 10.17487/RFC4861, September 2007,
<http://www.rfc-editor.org/info/rfc4861>. <http://www.rfc-editor.org/info/rfc4861>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007, DOI 10.17487/RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>. <http://www.rfc-editor.org/info/rfc4862>.
skipping to change at page 10, line 33 skipping to change at page 11, line 4
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007, DOI 10.17487/RFC4861, September 2007,
<http://www.rfc-editor.org/info/rfc4861>. <http://www.rfc-editor.org/info/rfc4861>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007, DOI 10.17487/RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>. <http://www.rfc-editor.org/info/rfc4862>.
Authors' Addresses Authors' Addresses
Jun Bi Jun Bi
Tsinghua University Tsinghua University
Network Research Center, Tsinghua University Network Research Center, Tsinghua University
Beijing 100084 Beijing 100084
China China
EMail: junbi@tsinghua.edu.cn EMail: junbi@tsinghua.edu.cn
Guang Yao Guang Yao
Baidu Baidu/Tsinghua University
Baidu Science and Technology Park, Building 1 Baidu Science and Technology Park, Building 1
Beijing 100193 Beijing 100193
China China
EMail: yaoguang.china@gmail.com EMail: yaoguang.china@gmail.com
Joel M. Halpern Joel M. Halpern
Newbridge Networks Inc Newbridge Networks Inc
EMail: jmh@joelhalpern.com EMail: jmh@joelhalpern.com
Eric Levy-Abegnoli (editor) Eric Levy-Abegnoli (editor)
Cisco Systems Cisco Systems
Village d'Entreprises Green Side - 400, Avenue Roumanille Village d'Entreprises Green Side - 400, Avenue Roumanille
Biot-Sophia Antipolis 06410 Biot-Sophia Antipolis 06410
France France
 End of changes. 20 change blocks. 
34 lines changed or deleted 49 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/