Network Working Group                                  J. Kaippallimalil
Internet-Draft                                                    F. Xia
Expires: December 14, 2009                                    Huawei USA
                                                           June 12, 2009


                     SAVI for Delegated IPv6 Prefixes
                  draft-kaippallimalil-savi-dhcp-pd-00.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 14, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.


Kaippallimalil & Xia    Expires December 14, 2009               [Page 1]

Internet-Draft            SAVI Delegated Prefix                June 2009


Abstract

   This memo introduces a public access topology which includes hosts,
   Customer Premise Equipment Routers (CPE-R), switches and access
   routers.  A CPE-R advertises prefixes to a host for its address
   configuration, while these prefixes are in turn delegated to the
   CPE-R from the access router.  A switch located between the CPE-R and
   the access router builds a filtering table for traffic originating
   from the host by snooping the prefix delegation signaling.


Table of Contents

   1.  Introduction
   2.  Design Considerations
     2.1.  Terminology
     2.2.  Prefix Delegation Architecture
     2.3.  Scope of SAVI for Delegated Prefixes
     2.4.  Prefix Ownership Determination
     2.5.  Data Structures
     2.6.  SAVI Lower Layer Binding
   3.  SAVI for Delegated Prefix Specification
   4.  Applicability to Broadband Forum Architecture
   5.  Security Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses


1.  Introduction

   This memo introduces a public access topology which includes hosts,
   Customer Premise Equipment Routers (CPE-R), switches and access
   routers.  A CPE-R advertises prefixes to a host for its address
   configuration, while these prefixes are in turn delegated to the
   CPE-R from the access router.  A switch located between the CPE-R and
   the access router builds a filtering table for traffic originating
   from the host by snooping the prefix delegation signaling.

   This mechanism provides fine-grained filtering of upstream traffic in
   a provider network.  The proposed mechanisms are intended to
   complement other control packet snooping and ingress filtering
   recommendations ([RFC2728]).
2.  Design Considerations

2.1.  Terminology

   Host:  A network device that connects to the service provider network
      through a residential gateway.

   User:  An entity that attaches to the network using one or more
      hosts.  The user is usually the subscriber that owns the
      CPE-Router.

   CPE-Router:  Gateway device located at the edge of the customer
      network; it is an IP router.  For a user within the customer
      network, the CPE-R is the gateway to the service provider network.

   CPE-R  Customer Premise Equipment Router
   DHCP   Dynamic Host Configuration Protocol
   MAC    Medium Access Control
   SAVI   Source Address Validation Improvements

2.2.  Prefix Delegation Architecture

        Customer Network      |         Provider Network
                              |
                              |        \               \
    +---+     +-------+       |         \+--------+      \ +---------------+
    | H |-----| CPE-R |-------|----------| Switch |--------| Access Router |----
    +---+     +-------+       |         /+--------+      / +---------------+
                              |        /               /
                              |                       /
                              |         +--------+   /
                              |         | Switch |--/
                              |         +--------+
                              |

                 Figure 1: Provider Network Architecture

   Figure 1 shows a network topology in which prefix delegation may be
   used.  The provider network consists of access routers (AR) and
   switches.  CPE-Rs are located at the boundary of the customer
   network.  Hosts in the customer network are attached to the CPE-R.
   The CPE-R behaves as a router for hosts attached to it (i.e. the
   CPE-R is the router for H).  A host attached to a CPE-R uses prefixes
   that are advertised by the CPE-R.  These prefixes are in turn
   delegated to the CPE-R using [RFC3633].  Details of prefix
   delegation, and of other address configuration mechanisms for the
   CPE-R, are described in [I-D.ietf-v6ops-ipv6-cpe-router].  A switch
   in the provider network terminates access lines and aggregates
   connections.  The access router is the first router in the provider
   network.
   The provider network should be able to verify that packets from the
   CPE-R carry source addresses within the prefix delegated by the
   access router.

2.3.  Scope of SAVI for Delegated Prefixes

   SAVI for delegated prefixes applies on the link between the CPE-R and
   the switch or access router.  Source prefix validation is intended to
   ensure that the source prefix of the packets forwarded by the CPE-R
   has not been spoofed.  In this case, the CPE-R behaves as a router
   that forwards traffic originated by hosts.  The switch aggregates
   traffic from several CPE-Rs and inspects upstream data packets to
   validate the source prefix.

   Upstream traffic from the CPE-R that arrives at the switch and access
   router may contain prefixes and addresses configured through prefix
   delegation ([RFC3633]), DHCPv6 ([RFC3315]) and SLAAC ([RFC4861]).
   Only source validation for delegated prefixes is described here.

2.4.  Prefix Ownership Determination

   The main function performed in source prefix validation is to verify
   that the source prefix of the upstream data packets belongs to the
   originator of the packet.  In order to validate the source prefix in
   data packets, we need to determine the ownership of the prefix.
   Prior to using a prefix, it has to be provisioned in the CPE-R.  The
   switch snoops the prefix provisioning protocol and builds a prefix
   filtering table that associates the prefix with the MAC address of
   the CPE-R.

2.5.  Data Structures

   This section describes a set of conceptual data structures that are
   necessary for this mechanism.  A Binding State Table (BST) contains
   the state of the binding between the delegated prefix and the CPE-R
   MAC address, and is keyed by the CPE-R MAC address.  A Prefix Filter
   Table contains bindings between the delegated prefix and the CPE-R
   MAC address.  The data structures are similar to those described in
   [draft-bi-savi-cps-00].
   Binding state for prefix delegation is given below:

   IAPD_INIT   DHCPv6 Solicit with IA_PD is received from the CPE-R.

   IAPD_RENEW  DHCPv6 Renew with IA_PD (requested delegated prefix) is
               received from the CPE-R.

   IAPD_BOUND  DHCPv6 Advertise or Reply with IA_PD (delegated prefix)
               is received from the access router.

2.6.  SAVI Lower Layer Binding

   To ensure that the delegated prefix is not spoofed, an (IPv6 prefix,
   MAC address) pair for a connection is stored.  However, the MAC
   address itself should not be spoofable.  This may be accomplished in
   many ways, a few of which are mentioned here.  The MAC address and
   the line id may be correlated during device initialization.
   Alternatively, a connection id that contains the MAC address,
   ciphering and other information may be established following device
   authentication.

3.  SAVI for Delegated Prefix Specification

   The [RFC3633] protocol is snooped while the CPE-R is provisioning a
   delegated prefix.  When a DHCPv6 Solicit with an IA_PD is received
   from a CPE-R (requesting router), the Binding State Table transitions
   to IAPD_INIT.  The prefix filter table stores the CPE-R MAC address
   of the incoming request.  A DHCPv6 Advertise message with an IA_PD
   (delegated prefix) from the access router (delegating router) causes
   a transition from IAPD_INIT to IAPD_BOUND.  The prefix filter table
   stores the delegated IPv6 prefix, its length and its lifetime of
   validity.

                          Prefix Filter Table

        +-------------------+-------------+--------+----------+
        | CPE-R MAC Address | IPv6 Prefix | Length | Lifetime |
        +-------------------+-------------+--------+----------+

                      Figure 2: Prefix Filter Table

   When a DHCPv6 Renew with IA_PD (requested prefix) is received from
   the CPE-R, the Binding State Table transitions to IAPD_RENEW.  When
   the DHCPv6 Reply with IA_PD (delegated prefix) is received, the state
   transitions to IAPD_BOUND.
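   The following Python model is added here as an illustration and is
   not code from the draft or from any SAVI implementation.  It
   implements the Binding State Table and Prefix Filter Table of
   Section 2.5, the Solicit/Advertise/Renew/Reply transitions above, the
   lifetime expiry, and the upstream filtering rules that Section 3 goes
   on to specify.  DHCPv6 frames are constructed records rather than
   parsed wire data.  Two assumptions of the example, not stated by the
   draft: the CPE-R is identified by the frame source MAC for
   Solicit/Renew and by the frame destination MAC for Advertise/Reply,
   and the access router MAC stored in the entry is the source MAC of the
   Advertise/Reply.  The names PrefixFilterSwitch, Dhcp6Frame, snoop and
   permit_upstream, and the sample MAC addresses and prefix, are the
   example's own.

```python
"""Conceptual SAVI prefix filter for delegated IPv6 prefixes.

Added illustration, not the draft's own code.  DHCPv6 frames are modelled
as simple records instead of being parsed from the wire, and all MAC
addresses and prefixes used below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional

# Binding states from Section 2.5 of the draft.
IAPD_INIT = "IAPD_INIT"
IAPD_RENEW = "IAPD_RENEW"
IAPD_BOUND = "IAPD_BOUND"


@dataclass
class Dhcp6Frame:
    """Constructed stand-in for a snooped DHCPv6 frame carrying an IA_PD."""
    msg_type: str                 # "Solicit", "Advertise", "Renew" or "Reply"
    src_mac: str                  # Ethernet source of the frame
    dst_mac: str                  # Ethernet destination of the frame
    prefix: Optional[str] = None  # delegated prefix, e.g. "2001:db8:1::/48"
    valid_lifetime: int = 0       # validity of the delegated prefix, seconds


@dataclass
class FilterEntry:
    """One row of the Prefix Filter Table (Figure 2, plus the access router
    MAC field that the Section 3 filtering rules refer to)."""
    cper_mac: str
    ar_mac: str
    prefix: IPv6Network           # prefix and length together
    expires_at: float             # absolute time derived from the lifetime


class PrefixFilterSwitch:
    """Switch-side state: Binding State Table and Prefix Filter Table,
    both keyed by the CPE-R MAC address as Section 2.5 requires."""

    def __init__(self) -> None:
        self.bst: Dict[str, str] = {}
        self.pft: Dict[str, FilterEntry] = {}

    def snoop(self, f: Dhcp6Frame, now: float) -> None:
        """Apply the Section 3 state transitions to one snooped frame.

        Assumption of this example: the CPE-R is the frame source for
        Solicit/Renew and the frame destination for Advertise/Reply, and
        the access router is the source of the Advertise/Reply."""
        if f.msg_type == "Solicit":
            self.bst[f.src_mac] = IAPD_INIT
        elif f.msg_type == "Renew":
            # A Renew from a CPE-R the switch has never seen is ignored.
            if f.src_mac in self.bst:
                self.bst[f.src_mac] = IAPD_RENEW
        elif f.msg_type in ("Advertise", "Reply"):
            cper = f.dst_mac
            if self.bst.get(cper) in (IAPD_INIT, IAPD_RENEW) and f.prefix:
                self.pft[cper] = FilterEntry(
                    cper_mac=cper,
                    ar_mac=f.src_mac,
                    prefix=IPv6Network(f.prefix),
                    expires_at=now + f.valid_lifetime,
                )
                self.bst[cper] = IAPD_BOUND

    def expire(self, now: float) -> None:
        """Remove entries whose lifetime ran out without a renewal; the
        binding state entry returns to uninitialized (is deleted)."""
        for mac in [m for m, e in self.pft.items() if now >= e.expires_at]:
            del self.pft[mac]
            self.bst.pop(mac, None)

    def permit_upstream(self, src_mac: str, dst_mac: str, src_ip: str,
                        now: float, is_auth_frame: bool = False) -> bool:
        """Section 3 filtering rules applied to one upstream packet."""
        self.expire(now)
        if is_auth_frame:             # authentication protocol frames pass
            return True
        entry = self.pft.get(src_mac)
        if entry is None:             # sender is not in the filter table
            return False
        if dst_mac != entry.ar_mac:   # must be addressed to its access router
            return False
        # The leftmost <length> bits of the source address must equal the
        # delegated prefix; ipaddress does exactly this comparison.
        return IPv6Address(src_ip) in entry.prefix


if __name__ == "__main__":
    CPER, AR = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"  # constructed MACs
    sw = PrefixFilterSwitch()
    sw.snoop(Dhcp6Frame("Solicit", CPER, "33:33:00:01:00:02"), now=0)
    sw.snoop(Dhcp6Frame("Advertise", AR, CPER, "2001:db8:1::/48", 3600), now=1)
    print(sw.permit_upstream(CPER, AR, "2001:db8:1:7::9", now=2))  # True
    print(sw.permit_upstream(CPER, AR, "2001:db8:2::9", now=2))    # False
```

   The model keeps the draft's transitions literally: the Advertise is
   enough to reach IAPD_BOUND, so a Request/Reply exchange is not
   required before filtering begins, and an expired entry drops both
   tables' rows so the CPE-R must start again from a Solicit.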
   If the lifetime of the delegated prefix expires without a renewal,
   the entry is removed from the prefix filter table and the binding
   state entry returns to uninitialized.

   The switch uses the following rules to filter upstream traffic
   packets originated by a host and forwarded by the CPE-R:

   o  Discard all packets, except authentication protocol frames, from
      hosts that are not in the prefix filter table.

   o  If the host MAC address of the incoming packet is in the prefix
      filter table, the packet is forwarded only if the following are
      satisfied:

      *  The destination MAC address of the incoming packet matches the
         entry in the host's access router MAC field in the prefix
         filter table.

      *  The corresponding IPv6 prefix field in the table matches the
         leftmost bits of the incoming packet's source IPv6 address, for
         the number of bits given by the prefix length.

4.  Applicability to Broadband Forum Architecture

   Broadband Forum specifications for IPv6 in WT-177 [Migration to IPv6
   in the Context of TR-101] describe IPv6 requirements.  These
   requirements include filtering requirements in the Access Node (AN)
   and Broadband Network Gateway (BNG).  In Figure 1 in Section 2.2, the
   switch corresponds to the AN, and the access router corresponds to
   the BNG.  WT-177 requirements state that the AN SHOULD inspect
   upstream and downstream DHCPv6 (RFC3315, RFC3633) and ND (RFC 4861,
   4862) per user port, discover the mapping of IPv6 prefix to MAC
   address and populate its IP Anti-spoofing table accordingly.  This
   memo provides guidelines for building the filtering (anti-spoofing)
   table when [RFC3633] prefix delegation is used.

5.  Security Considerations

   This document does not introduce any new vulnerabilities to IPv6
   specifications or operation.  Source address validation of hosts
   attached to the various access networks supported by the fixed
   broadband network architecture is the subject of these
   specifications.

6.  References

6.1.  Normative References

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
              for IP version 6", RFC 1981, August 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2728]  Panabaker, R., Wegerif, S., and D. Zigmond, "The
              Transmission of IP Over the Vertical Blanking Interval of
              a Television Signal", RFC 2728, November 1999.

6.2.  Informative References

   [I-D.ietf-v6ops-ipv6-cpe-router]
              Singh, H. and W. Beebee, "IPv6 CPE Router
              Recommendations", draft-ietf-v6ops-ipv6-cpe-router-00
              (work in progress), March 2009.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC3633]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
              Host Configuration Protocol (DHCP) version 6", RFC 3633,
              December 2003.

   [RFC4562]  Melsen, T. and S. Blake, "MAC-Forced Forwarding: A Method
              for Subscriber Separation on an Ethernet Access Network",
              RFC 4562, June 2006.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862, September 2007.

Authors' Addresses

   John Kaippallimalil
   Huawei USA
   1700 Alma Dr. Suite 500
   Plano, TX  75075

   Phone: +1 214-606-2005
   Email: jkaippal@huawei.com


   Frank Xia
   Huawei USA
   1700 Alma Dr. Suite 500
   Plano, TX  75075

   Phone: +1 972-509-5599
   Email: xiayangsong@huawei.com