SAVI J. Yang, H. Zhang, Y. Zhang Internet Draft ICT Intended status: Informational August 31, 2010 Expires: March 2011 SAVI Solution for Data Packet Triggered Binding Process draft-yang-savi-data-packet-triggered-binding-00 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, except to publish it as an RFC and to translate it into languages other than English. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on March 04, 2011. Yang Expires March 04, 2011 [Page 1] Internet-Draft data-packet-triggered-binding August 2010 Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Abstract This document specifies the procedure of data packet triggered binding creation, which is suitable for DHCP assigned addresses, stateless addresses and manually configured addresses. This procedure can help minimize loss of legitimate packets as well as prevent the use of forged or spoofed addresses. Table of Contents 1. Introduction ................................................ 3 2. Conventions & Terminology ................................... 3 2.1. Conventions used in this document ...................... 3 2.2. Abbreviations and Terminology .......................... 3 3. Mechanism Overview .......................................... 4 4. Modified Data Structures .................................... 4 4.1. Filtering Table(FT) .................................... 4 4.2. Binding State Table(BST) ............................... 5 5. Binding States Description .................................. 5 6. Additional Anchor Attributes ................................ 5 7. Data Packet Triggered Binding Creation Process .............. 6 7.1. Send a Data Packet ..................................... 7 7.2. Source Address Check ................................... 7 7.3. Bound Address Reachability Detection ................... 7 7.4. Binding Address Reachability Detection ................. 8 7.5. Send SAVI Multicast Query Message ...................... 9 7.6. Query Address from FT .................................. 9 7.7. Bound Address Reachability Detection .................. 10 7.8. SAVI Query Reply ...................................... 10 7.9. Update BST and FT ..................................... 10 8. Arguments & Backup Approach in DHCP Network ................ 11 8.1. Arguments in DHCP Network ............................. 11 8.2. Backup Approach in DHCP Network........................ 12 Yang Expires March 04, 2011 [Page 2] Internet-Draft data-packet-triggered-binding August 2010 9. Constants .................................................. 16 10. Security Considerations ................................... 16 11. IANA Considerations ....................................... 16 12. References ................................................ 16 12.1. Normative References ................................. 16 12.2. Informative References ............................... 16 1. Introduction The existing drafts perform control packets snooping during the course of address assignment to set up bindings between IP addresses and corresponding anchors. But referring to [SAVI Analysis], there are various circumstances which will cause a data packet's address unbound at the first SAVI device of its forwarding path. Therefore, when a SAVI device receives a data packet with unbound source address, it SHOULD perform data triggered binding creation process, instead of directly discarding the packet. This document describes a procedure of data packet triggered binding creation, which is suitable for DHCP assigned addresses, stateless address and manually configured addresses. This procedure can help minimize loss of legitimate packets as well as prevent the use of forged or spoofed addresses. This solution provides a kind of supplemental binding process for existing drafts ([SAVI DHCP] and [SAVI Stateless]). 2. Conventions & Terminology 2.1. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2.2. Abbreviations and Terminology SAVI - Source Address Validation Improvement DHCP - Dynamic Host Configuration Protocol SLAAC - StateLess Address AutoConfiguration ND - Neighbor Discovery Protocol DAD - Duplicate Address Detection NS - Neighbor Solicitation NA - Neighbor Advertisement Yang Expires March 04, 2011 [Page 3] Internet-Draft data-packet-triggered-binding August 2010 ARP - Address Resolution Protocol BST - Binding State Table FT - Filtering Table Control Packet - In this document, packets that may cause state transit are classified into control packets, including DHCPv4/v6 Request, DHCPv6 Confirm, DHCPv6 Solicitation with Rapid Commit option, DAD NS and gratuitous ARP. Whenever a SAVI device receives a control packet from its SAVI-Validation anchor, it will start binding creation process for the source address or target address of the packet. Data Packet - All other packets are considered to be data packets in this document. Every data packet received by the SAVI-Validation anchor MUST be checked. If the source address of the data packet matches an entry of FT, this packet MUST be forward; if not, the data packet triggered binding creation process SHOULD be started. 3. Mechanism Overview The mechanism specified in this document is designed to provide a possible approach about how to deal with data packets with unbound addresses. When the SAVI device receives a data packet with unbound address from its SAVI-Validation anchor, it will perform Address Reachability Detection to detect the address's activity, and communicate with other SAVI devices in the same subnet to check the address's binding status. If the detection and the check are successful, the SAVI device will add an entry for the address in its local FT. 4. Modified Data Structures This section describes the possible two data structures used in this mechanism. The two data structures follow the structures defined in existing drafts, with a MAC address field added. 4.1. Filtering Table (FT) Yang Expires March 04, 2011 [Page 4] Internet-Draft data-packet-triggered-binding August 2010 +----------+---------+-------------+ | Anchor | Address | MAC Address | +----------+---------+-------------+ | Anchor-1 | IP-1 | MAC-1 | +----------+---------+-------------+ | Anchor-2 | IP-2 | MAC-2 | +----------+---------+-------------+ Figure 1 Instance of Modified FT This small modification is necessary and has the following goods: * Validate IP addresses as well as MAC addresses * Use MAC addresses besides switch ports as binding anchors * Serve the Address Reachability Detection specified in section 7 4.2 Binding State Table (BST) +----------+---------+-------------+-------+----------+------+ | Anchor | Address | MAC Address | State | Lifetime | Other| +----------+---------+-------------+-------+----------+------+ | Anchor-1 | IP-1 | MAC-1 | Bound | 65535 | | +----------+---------+-------------+-------+----------+------+ | Anchor-2 | IP-2 | MAC-2 | Bound | 10000 | | +----------+---------+-------------+-------+----------+------+ Figure 2 Instance of Modified BST 5. Binding States Description This section describes the binding states added in this mechanism. Probe: When a SAVI device performs Address Reachability Detection for a binding or bound address, the corresponding entry's State in local BST MUST be set to Probe. Add: When a SAVI device communicates with other SAVI devices in the same subnet to check an address's binding status, the corresponding entry's State in local BST MUST be set to Add. 6. Additional Anchor Attributes This section specifies the anchor attribute added in this mechanism. SAVI-AddBinding: If and only if an anchor with SAVI-Validation attribute can have SAVI-AddBinding attribute. The SAVI device MUST change the anchor's attribute from SAVI-Validation to SAVI-AddBinding, when data packet triggered binding process is performed on this anchor. An anchor with SAVI-AddBinding attribute will discard any data packets with unbound addresses. Yang Expires March 04, 2011 [Page 5] Internet-Draft data-packet-triggered-binding August 2010 7. Data Packet Triggered Binding Creation Process This section specifies the procedure of creating bindings for data packets' unbound source addresses. The binding procedure specified here is exclusively designed for anchor with SAVI-Validation attribute. Host-X Host-Z SAVI-X SAVI-Y Host-Y | | | | | | 1.Send a Data Packet | | | |----------------------->| | | | | | | | | | 2.Source Address Check | | | | | | | +------------------------------+ | | . | |3.Bound Address | . | | . | | Reachability | . | | . | | Detection | . | | . | |<-------------->| . | | +------------------------------+ | | | 4.Binding Address | | | | Reachability Detection | | | |<-----------------------| 5.Send SAVI | | | | | Multicast | | | | | Query Message| | | | |------------->| | | | | | | | | | 6.Query Address from FT | | | | | | | | | |7.Bound Address | | | | | Reachability | | | | | Detection | | | | |<-------------->| | | | 8.SAVI Query | | | | | Reply | | | | |<-------------| | | | | | | | | 9.Update BST and FT | | | | | | | Figure 3 Data Packet Trigger Binding Process The Host-X is the host sending the data packet; the SAVI-X is the SAVI device that Host-X connected to; the Host-Z is the host bound at SAVI-X through anchor Anchor-Z; the SAVI-Y represents any SAVI device except SAVI-X in the subnet; the Host-Y is the host bound at SAVI-Y through anchor-Y. Yang Expires March 04, 2011 [Page 6] Internet-Draft data-packet-triggered-binding August 2010 7.1. Send a Data Packet Host-X sends a data packet, and the packet is received by SAVI-X from an SAVI-Validation anchor, which is marked Anchor-X. The source address of this packet MAY be a legal address that Host-X got from normal address assignment, or MAY be an illegal address for malicious purpose. 7.2. Source Address Check SAVI-X reads the data packet's source MAC address (MAC-X) and source IP address (IP-X), and then queries local FT for IP-X and MAC-X: - If IP-X is in FT, but the entry's MAC address is not MAC-X, then the data packet MUST be discarded, and the binding creation process is terminated here. - If IP-X is in FT, and the entry's MAC address is MAC-X, and the entry's anchor is Anchor-X, then the data packet MUST be forwarded, and the binding creation process is terminated here. - If IP-X is in FT, and the entry's MAC address is MAC-X, but the entry's anchor is Anchor-Z, then the data packet SHOULD be discarded and Anchor-X's attribute MUST be set to SAVI-AddBinding. After that, go to subsection 7.3.. - If IP-X is not in FT, then the data packet SHOULD be discarded and Anchor-X's attribute MUST be set to SAVI-AddBinding. After that, go to subsection 7.4.. 7.3. Bound Address Reachability Detection This subsection is aimed to detect whether the bound address in FT is still reachable through the port it was bound. The detecting entry in FT is as Figure 4 shows: +----------+---------+-------------+ | Anchor | Address | MAC Address | +----------+---------+-------------+ | Anchor-Z | IP-X | MAC-X | +----------+---------+-------------+ Figure 4 the Detecting Entry in FT of SAVI-X SAVI-X sends an Echo Request Message towards Host-Z through Anchor-Z, using IP-X as source IP address and MAC-X as source MAC address. Then, SAVI-X waits for the reply. The case that an Echo Reply Message is received from Anchor-Z implies the bound address is still reachable. SAVI-X can get the fact that Host-X is spoofing the source address of Host-Z. Therefore, SAVI-X Yang Expires March 04, 2011 [Page 7] Internet-Draft data-packet-triggered-binding August 2010 MUST set Anchor-X's attribute back to SAVI-Validation and terminate the binding creation process here. The case that no Echo Reply Message is received implies the bound address is not reachable now. This situation is probably resulted by the host's moving from Anchor-Z to Anchor-X, or by link topology change. Then SAVI-X will perform the following subsections. Before that, SAVI-X MUST delete the entry about IP-X in FT and update the entry about IP-X in BST as Figure 5 shows: +----------+---------+-------------+-------+---------------+-------+ | Anchor | Address | MAC Address | State | Lifetime | Other | +----------+---------+-------------+-------+---------------+-------+ | Anchor-X | IP-X | MAC-X | Probe | MAX_PROBE_ |DHCP or| | | | | | RESPONSE_TIME |NO_DHCP| +----------+---------+-------------+-------+---------------+-------+ Figure 5 the Updated Entry about IP-X in BST of SAVI-X The DHCP or NO_DHCP is kept to mark the address assignment method is DHCP or not DHCP. 7.4. Binding Address Reachability Detection This subsection is aimed to detect whether the source address of the data packet received in subsection 7.1 is a communicational and active address. SAVI-X sends an Echo Request Message towards Host-X through Anchor-X, using IP-X as source IP address and MAC-X as source MAC address. Then, SAVI-X waits for the reply. The case that no Echo Reply Message is received from Anchor-X implies IP-X or MAC-X is inactive. SAVI-X can get the fact that Host-X is using forged addresses. Therefore, SAVI-X MUST set Anchor-X's attribute back to SAVI-Validation and terminate the binding creation process here. In addition, the entry about IP-X in BST MUST be deleted, if there is one. The case that an Echo Reply Message is received implies IP-X and MAC-X are active. SAVI-X needs to make a decision now. - If this subsection is arrived after successfully performed subsection 7.3., SAVI-X MUST update the entry about IP-X in BST as Figure 6 shows, and insert an entry about IP-X into FT (as Figure 7 shows). Finally, SAVI-X MUST set Anchor-X's attribute back to SAVI-Validation to finish the data packet triggered binding creation process. Yang Expires March 04, 2011 [Page 8] Internet-Draft data-packet-triggered-binding August 2010 +----------+---------+-------------+-------+---------------+-------+ | Anchor | Address | MAC Address | State | Lifetime | Other | +----------+---------+-------------+-------+---------------+-------+ | Anchor-X | IP-X | MAC-X | Bound | Lease time or |DHCP or| | | | | |Prefix lifetime|NO_DHCP| +----------+---------+-------------+-------+---------------+-------+ Figure 6 the Updated Entry about IP-X in BST of SAVI-X +----------+---------+-------------+ | Anchor | Address | MAC Address | +----------+---------+-------------+ | Anchor-X | IP-X | MAC-X | +----------+---------+-------------+ Figure 7 the Inserted Entry about IP-X in FT of SAVI-X - If this subsection is arrived from subsection 7.2. by skipping subsection 7.3., SAVI-X MUST perform the following subsections. Before that, an entry about IP-X MUST be inserted into BST (as Figure 8 shows ): +----------+---------+-------------+-------+------------+-------+ | Anchor | Address | MAC Address | State | Lifetime | Other | +----------+---------+-------------+-------+------------+-------+ | Anchor-X | IP-X | MAC-X | Add | MAX_SAVI_ |DHCP or| | | | | | QUERY_TIME |NO_DHCP| +----------+---------+-------------+-------+------------+-------+ Figure 8 the Inserted Entry about IP-X in BST of SAVI-X 7.5. Send SAVI Multicast Query Message SAVI-X sends a SAVI Multicast Query Message to the SAVI multicast address, with querying address IP-X and MAC-X inside. The SAVI multicast address is the address of the multicast group that every SAVI device joined. 7.6. Query Address from FT SAVI-Y receives the SAVI Multicast Query Message, gets the querying address IP-X and MAC-X. Then SAVI-Y queries local FT for IP-X and MAC-X: - If IP-X is not in FT, SAVI-Y will do nothing and keep silent. - If IP-X is in FT, but the entry's MAC address is not MAC-X, SAVI-Y will send a SAVI-MReply-AddrError Message to SAVI-X, with IP-X inside. Then go to subsection 7.9.. Yang Expires March 04, 2011 [Page 9] Internet-Draft data-packet-triggered-binding August 2010 - If IP-X is in FT, and the entry's MAC address is MAC-X, SAVI-Y will perform the next subsection. 7.7. Bound Address Reachability Detection This subsection is aimed to detect whether the bound address in FT of SAVI-Y is still reachable through the port it was bound. The detecting entry in FT is as Figure 9 shows: +----------+---------+-------------+ | Anchor | Address | MAC Address | +----------+---------+-------------+ | Anchor-Y | IP-X | MAC-X | +----------+---------+-------------+ Figure 9 the Detecting Entry in FT of SAVI-Y SAVI-Y sends an Echo Request Message towards Host-Y through Anchor-Y, using IP-X as source IP address and MAC-X as source MAC address. 7.8. SAVI Query Reply If SAVI-Y receives an Echo Reply Message from Anchor-Y, SAVI-Y will send a SAVI-MReply-Reachable Message to SAVI-X, with IP-X inside. If SAVI-Y does not receive any Echo Reply Message, SAVI-Y will send a SAVI-MReply-Unreachable Message to SAVI-X, with IP-X inside. SAVI-Y will also delete the entry about IP-X in local FT and BST. 7.9. Update BST and FT SAVI-X waits and collects the SAVI Reply Messages: If SAVI-X receives a SAVI-MReply-AddrError Message, it can get the fact that Host-X is spoofing the IP address of Host-Y. SAVI-X MUST delete the entry about IP-X in local BST, and set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process finishes. If SAVI-X receives a SAVI-MReply-Reachable Message, it can get the fact that Host-X is spoofing the IP address and MAC address of Host-Y. SAVI-X MUST delete the entry about IP-X in local BST, and set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process finishes. If SAVI-X receives a SAVI-MReply-Unreachable Message, it can get the fact that IP-X had been bound at another SAVI device. This situation is probably resulted by the host's moving from SAVI-Y to SAVI-X, or by link topology change. SAVI-X MUST update the entry about IP-X in Yang Expires March 04, 2011 [Page 10] Internet-Draft data-packet-triggered-binding August 2010 BST as Figure 10 shows and insert an entry about IP-X into FT (as Figure 7 shows). SAVI-X MUST also set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process finishes. +----------+---------+-------------+-------+---------------+-------+ | Anchor | Address | MAC Address | State | Lifetime | Other | +----------+---------+-------------+-------+---------------+-------+ | Anchor-X | IP-X | MAC-X | Bound | Lease time or |DHCP or| | | | | |Prefix lifetime|NO_DHCP| +----------+---------+-------------+-------+---------------+-------+ Figure 10 the Updated Entry about IP-X in BST of SAVI-X If SAVI-X does not receive any SAVI Reply Message, it can get the fact that IP-X has not appeared in the subnet before. This situation is probably resulted by control packets loss or SAVI state loss or it MAY be an invalid address. SAVI-X will perform different actions according to the value of Other field in BST: - If the Other in BST is DHCP, SAVI-X SHOULD delete the entry about IP-X in local BST, and set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process finishes. - If the Other in BST is NO_DHCP, SAVI-X SHOULD update the entry about IP-X in BST as Figure 10 shows and insert an entry about IP-X into FT (as Figure 7 shows). SAVI-X MUST also set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process finishes. 8. Arguments & Backup Approach in DHCP Network 8.1. Arguments in DHCP Network Subsection 7.5.~7.9. described the mechanism of SAVI Multicast Query, which is perfectly light and effective in both DHCP and SLAAC network. However, there is a tiny shortcoming when implement it in DHCP network. In the procedure of SAVI Multicast Query, a SAVI device sends a SAVI Multicast Query Message to all SAVI devices to query certain addresses. Every SAVI device receiving the message will reply to the message sender in case it finds the querying addresses in its local FT. In this way, if the SAVI Multicast Query Message sender does not get any reply, it will understand that the querying addresses have not appeared in the subnet before. However, the exactly SAVI device which has the record of the querying addresses may reboot or get off the link. This extreme case can also cause the no-reply result Yang Expires March 04, 2011 [Page 11] Internet-Draft data-packet-triggered-binding August 2010 described above. Ignoring the extreme case, SAVI Multicast Query mechanism regards the set of recorded IP addresses in all SAVI devices' FTs as the set of IP addresses that DHCP server has authorized. In other words, an IP address is a forged address, if it has never appeared in any SAVI devices' FTs. So, a SAVI device will delete the corresponding entry in BST when it does not receive any SAVI Reply message during subsection 7.9., which well reflects the rigorous feature of SAVI Multicast Query mechanism. Obviously, this treatment is based on the assumption that the extreme case would not happen. Once the extreme case unfortunately happened, SAVI device would make false judgments. 8.2. Backup Approach in DHCP Network The following part of this section designs a mechanism named SAVI Center Query as a backup approach of SAVI Multicast Query in DHCP network. SAVI Center Query mechanism needs a SAVI Center Server to store the binding statuses of the whole subnet. SAVI Center Server can implement on the DHCP server or DHCP Relay. In case the SAVI devices reboot or get off the link, SAVI Center Server will still provide reliable binding statuses about querying addresses. SAVI Center Server holds a SAVI Info Table (SIT): +---------+-------------+--------------+----------+ | Address | MAC Address | SAVI address | Anchor | +---------+-------------+--------------+----------+ | IP-1 | MAC-1 | SAVI-1 | Anchor-1 | +---------+-------------+--------------+----------+ | IP-2 | MAC-2 | SAVI-2 | Anchor-2 | +---------+-------------+--------------+----------+ Figure 11 Instance of SIT Every SAVI device in the subnet will report the new bound address when it creates an entry in its local FT, and will report the new deleted address when it removes an entry in its local FT. An address is a forged address if it isn't recorded in SIT. The following subsections specify the procedure of data packet triggered binding creation based on SAVI Center Query. Yang Expires March 04, 2011 [Page 12] Internet-Draft data-packet-triggered-binding August 2010 Host-X Host-Z SAVI-X SAVI Center SAVI-Y Host-Y | | | | | | |1. Send a Data Packet| | | | |-------------------->| | | | | | 2.Source Address Check | | | | | | | | | +--------------------------+ | | | . | |3.Bound Address| . | | | . | | Reachability | . | | | . | | Detection | . | | | . | |<------------->| . | | | +--------------------------+ | | | | 4.Binding Address | | | | | Reachability | | | | | Detection | | | | |<--------------------|5.Send SAVI | | | | | |Center Query| | | | | | Message | | | | | |----------->| | | | | | | | | | | | 6. Query Address from | | | | | SAVI Info Table | | | | | | | | | | | |7.SAVI Uncast| | | | | | Query | | | | | |------------>|8.Bound Address| | | | | | Reachability | | | | | | Detection | | | | |9.SAVI Query |<------------->| | | | | Reply | | | | | 10.SAVI |<------------| | | | |Center Reply| | | | | |<-----------| | | | | | | | | | | 11. Update BST and FT | | | | | | | | | Figure 12 Data Packet Trigger Binding Process Based on SAVI Center Query The Host-X is the host sends the data packet; the SAVI-X is the SAVI device that Host-X connected to; the Host-Z is the host bound at SAVI-X through anchor Anchor-Z; the SAVI-Y represents any SAVI device except SAVI-X in the subnet; the Host-Y is the host bound at SAVI-Y through anchor-Y; SAVI Center is the SAVI Center Server. 8.2.1. Send a Data Packet Refer to subsection 7.1.. Yang Expires March 04, 2011 [Page 13] Internet-Draft data-packet-triggered-binding August 2010 8.2.2. Source Address Check Refer to subsection 7.2.. 8.2.3. Bound Address Reachability Detection Refer to subsection 7.3.. 8.2.4. Binding Address Reachability Detection Refer to subsection 7.4.. 8.2.5. Send SAVI Center Query Message SAVI-X sends SAVI Center Query Message to SAVI Center Server, with querying address IP-X and MAC-X inside. 8.2.6. Query Address from SAVI Info Table SAVI Center Server receives the SAVI Center Query Message, gets the querying address IP-X and MAC-X. Then SAVI Center Server queries SIT for IP-X and MAC-X: - If IP-X is in SIT, but the entry's MAC address is not MAC-X, or IP-X is not in SIT, SAVI Center Server will send a SAVI-CReply-AddrError Message to SAVI-X, with IP-X and MAC-X inside. Then go to subsection8.2.11.. - If SAVI Center Server finds an entry about IP-X as Figure 13 shows, it will perform the following subsections. +---------+-------------+--------------+----------+ | Address | MAC Address | SAVI address | Anchor | +---------+-------------+--------------+----------+ | IP-X | MAC-X | SAVI-Y | Anchor-Y | +---------+-------------+--------------+----------+ Figure 13 the Entry about IP-X in SIT 8.2.7. SAVI Uncast Query SAVI Center Server sends a SAVI Uncast Query Message to SAVI-Y, with IP-X, MAC-X and Anchor-Y inside. 8.2.8. Bound Address Reachability Detection This subsection is aimed to detect whether the address bound at SAVI-Y is still reachable through the port it was bound. Yang Expires March 04, 2011 [Page 14] Internet-Draft data-packet-triggered-binding August 2010 SAVI-Y receives the SAVI Uncast Query Message, reads the querying address IP-X and MAC-X and querying port Anchor-Y. Then it sends an Echo Request Message towards Host-Y through Anchor-Y, using IP-X as source IP address and MAC-X as source MAC address. 8.2.9. SAVI Query Reply If SAVI-Y receives an Echo Reply Message from Anchor-Y, SAVI-Y will send a SAVI-CReply-Reachable Message to SAVI Center Server, with IP-X inside. Besides, if there is not any entry about IP-X in its local BST or FT, SAVI-Y will also add one there. If SAVI-Y does not receive any Echo Reply Message, SAVI-Y will send a SAVI-CReply-Unreachable Message to SAVI Center Server, with IP-X inside. Besides, SAVI-Y will also delete the entries about IP-X in local FT and BST, if there is any. 8.2.10. SAVI Center Reply If SAVI Center Sever receives a SAVI-CReply-Reachable Message, it can get the fact that Host-X is spoofing the IP address and MAC address of Host-Y. Then, SAVI Center Server sends a SAVI-CReply-Prohibit Message to SAVI-X. If SAVI Center Server receives a SAVI-CReply-Unreachable Message, it can get the fact that the original bound address is not reachable through its anchor now. This situation is probably resulted by the host's movement or by link topology change. SAVI Center Server MUST delete the entry about IP-X in SIT, and then sends a SAVI-CReply-Permit Message to SAVI-X. If SAVI Center Server does not receive any reply from SAVI-Y, we can guess that SAVI-Y is off the link now. SAVI Center Server MUST delete the entry about IP-X in SIT, and then sends a SAVI-CReply-Permit Message to SAVI-X. 8.2.11. Update BST and FT SAVI-X waits and collects the SAVI Center Reply Messages: If SAVI-X receives a SAVI-CReply-AddrError Message or a SAVI-CReply-Prohibit Message, it will delete the entry about IP-X in local BST, and set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process finishes. If SAVI-X receives a SAVI-CReply-Permit Message, SAVI-X will update the entry IP-X in BST as Figure 10 shows, and insert an entry about IP-X into FT as Figure 7 shows, and set Anchor-X's attribute back to SAVI-Validation. The data packet triggered binding creation process Yang Expires March 04, 2011 [Page 15] Internet-Draft data-packet-triggered-binding August 2010 finishes. 9. Constants MAX_PROBE_RESPONSE_TIME: The time that a SAVI device waits for Echo Reply Message during Address Reachability Detection. MAX_SAVI_QUERY_TIME: The time that a SAVI device waits for reply message from other SAVI devices or SAVI Center Server during SAVI Multicast Query or SAVI Center Query. 10. Security Considerations This solution needs some policies to ensure that all devices in the protection perimeter and all SAVI devices in the subnet are legal and honest. If the Backup Approach (SAVI Center Query) is implemented, some strategies are needed to authenticate the identity of SAVI Center and SAVI devices during their communication. 11. IANA Considerations There is no IANA consideration currently. 12. References 12.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 12.2 Informative References [SAVI Framework] Vogt, CV., "Source Address Validation Improvement Protocol Framework", , October 2009. [SAVI Stateless] Bi, J., Yao, G., Wu, J., and F. Baker, "SAVI Solution for Stateless Address", draft-bi-savi-stateless-00 (work in progress), April 2010. [SAVI DHCP] Bi, J., Wu, J., Yao, G., and F. Baker, "SAVI Solution for DHCP", draft-ietf-savi-dhcp-05(work in progress), July 2010. Yang Expires March 04, 2011 [Page 16] Internet-Draft data-packet-triggered-binding August 2010 [SAVI Analysis] Marcelo, B., Joel M. H., "Analysis of data-triggered binding creation in SAVI", draft-bagnulo-savi-analysis-02 (work in progress), March 2010. Author's Addresses Jingjing Yang ICT Email: yangjingjing@ict.ac.cn Hanwen Zhang ICT Email: hwzhang@ict.ac.cn Yujun Zhang ICT Email: zhmj@ict.ac.cn Yang Expires March 04, 2011 [Page 17] Internet-Draft data-packet-triggered-binding August 2010