Internet DRAFT - draft-ietf-savi-mix

draft-ietf-savi-mix







SAVI                                                               J. Bi
Internet-Draft                                       Tsinghua University
Intended status: Standards Track                                  G. Yao
Expires: July 5, 2017                          Tsinghua University/Baidu
                                                              J. Halpern
                                                                Ericsson
                                                   E. Levy-Abegnoli, Ed.
                                                                   Cisco
                                                         January 1, 2017


           SAVI for Mixed Address Assignment Methods Scenario
                         draft-ietf-savi-mix-15

Abstract

   In networks that use multiple techniques for address assignment, the
   spoofing of addresses assigned by each technique can be prevented
   using the appropriate Source Address Validation Improvement (SAVI)
   methods.  This document reviews how multiple SAVI methods can coexist
   in a single SAVI device and collisions are resolved when the same
   binding entry is discovered by two or more methods.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 5, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Bi, et al.                Expires July 5, 2017                  [Page 1]

Internet-Draft                  SAVI MIX                    January 2017


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Problem Scope . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Architecture  . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Recommendations for assignment separation . . . . . . . . . .   5
   6.  Resolving binding collisions  . . . . . . . . . . . . . . . .   6
     6.1.  Same Address on Different Binding Anchors . . . . . . . .   6
       6.1.1.  Basic preference  . . . . . . . . . . . . . . . . . .   6
       6.1.2.  Exceptions  . . . . . . . . . . . . . . . . . . . . .   7
       6.1.3.  Multiple SAVI Device Scenario . . . . . . . . . . . .   8
     6.2.  Same Address on the Same Binding Anchor . . . . . . . . .   8
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   9
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   10. Acknowledgment  . . . . . . . . . . . . . . . . . . . . . . .   9
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     11.2.  Informative References . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   There are currently several Source Address Validation Improvement
   (SAVI) documents ([RFC6620], [RFC7513] and [RFC7219]) that describe
   the different methods by which a switch can discover and record
   bindings between a node's IP address and a binding anchor and use
   that binding to perform source address validation.  Each of these
   documents specifies how to learn on-link addresses, based on the
   technique used for their assignment, respectively: StateLess
   Autoconfiguration (SLAAC), Dynamic Host Control Protocol (DHCP) and
   Secure Neighbor Discovery (SeND).  Each of these documents describes
   separately how one particular SAVI method deals with address
   collisions (same address, different binding anchor).

   While multiple IP assignment techniques can be used in the same
   layer-2 domain, this means that a single SAVI device might have to
   deal with a combination or mix of SAVI methods.  The purpose of this
   document is to provide recommendations to avoid collisions and to




Bi, et al.                Expires July 5, 2017                  [Page 2]

Internet-Draft                  SAVI MIX                    January 2017


   review collisions handling when two or more such methods come up with
   competing bindings.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Problem Scope

   Three different IP address assignment techniques have been analyzed
   for SAVI:

   1.  StateLess Address AutoConfiguration (SLAAC) - analyzed in SAVI-
       FCFS[RFC6620]

   2.  Dynamic Host Control Protocol address assignment (DHCP) -
       analyzed in SAVI-DHCP[RFC7513]

   3.  Secure Neighbor Discovery (SeND) address assignment, analyzed in
       SAVI-SEND[RFC7219]

   In addition, there is a fourth technique for managing (i.e.,
   creation, management, deletion) a binding on the switch, referred to
   as "manual".  It is based on manual binding configuration.  Because
   how to manage manual bindings is determined by operators, there is
   not a new SAVI method for manual addresses.

   All combinations of address assignment techniques can coexist within
   a layer-2 domain.  A SAVI device MUST implement the corresponding
   binding setup methods (referred to as a "SAVI method") for each such
   technique that is in use if it is to provide Source Address
   Validation.

   SAVI methods are normally viewed as independent from each other, each
   one handling its own entries.  If multiple methods are used in the
   same device without coordination, each method will attempt to reject
   packets sourced with any addresses that method did not discover.  To
   prevent addresses discovered by one SAVI method from being filtered
   out by another method, the SAVI binding table SHOULD be shared by all
   the SAVI methods in use in the device.  This in turn could create
   some conflict when the same entry is discovered by two different
   methods.  The purpose of this document is of two folds: provide
   recommendations and methods to avoid conflicts, and to resolve
   conflicts when they happen.  Collisions happening within a given
   method are outside the scope of this document.




Bi, et al.                Expires July 5, 2017                  [Page 3]

Internet-Draft                  SAVI MIX                    January 2017


4.  Architecture

   A SAVI device may implement and use multiple SAVI methods.  This
   mechanism, called SAVI-MIX, is proposed as a arbiter of the binding
   generation algorithms from these multiple methods, generating the
   final binding entries as illustrated in Figure 1.  Once a SAVI method
   generates a candidate binding, it will request SAVI-MIX to set up a
   corresponding entry in the binding table.  Then SAVI-MIX will check
   if there is any conflict in the binding table.  A new binding will be
   generated if there is no conflict.  If there is a conflict, SAVI-MIX
   will determine whether to replace the existing binding or reject the
   candidate binding based on the policies specified in Section 6.

   As a result of this, the packet filtering in the SAVI device will not
   be performed by each SAVI method separately.  Instead, the table
   resulting from applying SAVI-MIX will be used to perform filtering.
   Thus the filtering is based on the combined results of the differents
   SAVI mechanisms.  It is beyond the scope of this document to describe
   the details of the filtering mechanism and its use of the combined
   SAVI binding table.































Bi, et al.                Expires July 5, 2017                  [Page 4]

Internet-Draft                  SAVI MIX                    January 2017


   +--------------------------------------------------------+
   |                                                        |
   |                                        SAVI Device     |
   |                                                        |
   |                                                        |
   |     +------+    +------+    +------+                   |
   |     | SAVI |    | SAVI |    | SAVI |                   |
   |     |      |    |      |    |      |                   |
   |     | FCFS |    | DHCP |    | SEND |                   |
   |     +------+    +------+    +------+                   |
   |        |            |           |   Binding            |
   |        |            |           |   setup              |
   |        v            v           v   requests           |
   |     +------------------------------+                   |
   |     |                              |                   |
   |     |            SAVI-MIX          |                   |
   |     |                              |                   |
   |     +------------------------------+                   |
   |                     |                                  |
   |                     v               Final Binding      |
   |             +--------------+                           |
   |             |   Binding    |                           |
   |             |              |                           |
   |             |   Table      |                           |
   |             +--------------+                           |
   |                                                        |
   +--------------------------------------------------------+


                      Figure 1: SAVI-Mix Architecture

   Each entry in the binding table will contain the following fields:

   1.  IP source address

   2.  Binding anchor[RFC7039]

   3.  Lifetime

   4.  Creation time

   5.  Binding methods: the SAVI method used for this entry.

5.  Recommendations for assignment separation

   If each address assignment technique uses a separate portion of the
   IP address space, collisions won't happen.  Using non overlapping




Bi, et al.                Expires July 5, 2017                  [Page 5]

Internet-Draft                  SAVI MIX                    January 2017


   address space across address assignment techniques, and thus across
   SAVI methods is therefore recommended.  To that end, one should:

   1.  DHCP and SLAAC: use non-overlapping prefix for DHCP and SLAAC.
       Set the A bit in Prefix information option of Router
       Advertisement for SLAAC prefix, and set the M bit in Router
       Advertisement for DHCP prefix.  For detail explanations on these
       bits, refer to [RFC4861][RFC4862].

   2.  SeND and non-SeND: avoid mixed environment (where SeND and non-
       SeND nodes are deployed) or separate the prefixes announced to
       SeND and non-SenD nodes.  One way to separate the prefixes is to
       have the router(s) announcing different (non-overlapping)
       prefixes to SeND and to non-SeND nodes, using unicast Router
       Advertisements[RFC6085], in response to SeND/non-SeND Router
       Solicit.

6.  Resolving binding collisions

   In situations where collisions can not be avoided by assignment
   separation, two cases should be considered:

   1.  The same address is bound on two different binding anchors by
       different SAVI methods.

   2.  The same address is bound on the same binding anchor by different
       SAVI methods.

6.1.  Same Address on Different Binding Anchors

   This would typically occur in case assignment address spaces could
   not be separated.  For instance, an address is assigned by SLAAC on
   node X, installed in the binding table using SAVI-FCFS, anchored to
   "anchor-X".  Later, the same address is assigned by DHCP to node Y,
   and SAVI-DHCP will generate a candidate binding entry, anchored to
   "anchor-Y".

6.1.1.  Basic preference

   If there is any manually configured binding, the SAVI device SHOULD
   choose the manual configured binding acnhor.

   For an address not covered by any manual bindings, the SAVI device
   must decide to which binding anchor the address should be bound
   (anchor-X or anchor-Y in this example).  Current standard documents
   of address assignment methods have implied the prioritization
   relationship based on order in time, i.e., first-come first-served.




Bi, et al.                Expires July 5, 2017                  [Page 6]

Internet-Draft                  SAVI MIX                    January 2017


   o  SLAAC: s5.4.5 of [RFC4862]

   o  DHCPv4: s3.1-p5 of [RFC2131]

   o  DHCPv6: s18.1.8 of [RFC3315]

   o  SeND: s8 of [RFC3971]

   In the absence of any configuration or protocol hint (see
   Section 6.1.2) the SAVI device SHOULD choose the first-come binding
   anchor, whether it was learnt from SLAAC, SeND or DHCP.

6.1.2.  Exceptions

   There are two identified exceptions to the general prioritization
   model, one of them being CGA addresses[RFC3971], another one
   controlled by the configuration of the switch.

6.1.2.1.  CGA preference

   When CGA addresses are used, and a collision is detected, preference
   should be given to the anchor that carries the CGA credentials once
   they are verified, in particular the CGA parameters and the RSA
   options.  Note that if an attacker was trying to replay CGA
   credentials, he would then compete on the base of "First-Come, First-
   Served" (FCFS) principle.

6.1.2.2.  configuration preference

   For configuration driven exceptions, the SAVI device may allow the
   configuration of a triplet ("prefix", "anchor", "method") or
   ("address", "anchor", "method").  The "prefix" or "address"
   represents the address or address prefix to which this preference
   entry applies.  The "anchor" is the value of a known binding anchor
   that this device expects to see using this address or addresses from
   this prefix.  The "method" is the SAVI method that this device
   expects to use in validating address binding entries from the address
   or prefix.  At least one of "anchor" and "method" MUST be specified.
   Later, if a DAD message [RFC4861] is received with the following
   conditions verified:

   1.  The target in the DAD message does not exist in the binding table

   2.  The target is within the configured "prefix" (or equal to
       "address")

   3.  The anchor bound to target is different from the configured
       anchor, when specified



Bi, et al.                Expires July 5, 2017                  [Page 7]

Internet-Draft                  SAVI MIX                    January 2017


   4.  The configured method, if any, is different from SAVI-FCFS

   The switch SHOULD defend the address by responding to the DAD
   message, with a NA message, on behalf of the target node.  It SHOULD
   NOT install the entry into the binding table.  The DAD message SHOULD
   be discarded and not forwarded.  Forwarding it may cause other SAVI
   devices to send additional defense NAs.  SeND nodes in the network
   MUST disable the option to ignore unsecured advertisements (see s8 of
   [RFC3971]).  If the option is enabled, the case is outside the scope
   of this document.  It is suggested to limit the rate of defense NAs
   to reduce security threats to the switch.  Or else, a malicious host
   could consume the resource of the switch heavily with flooding DAD
   messages.

   This will simply prevent the node from assigning the address, and
   will de-facto prioritize the configured anchor.  It is especially
   useful to protect well known bindings such as a static address of a
   server over anybody, even when the server is down.  It is also a way
   to give priority to a binding learnt from SAVI-DHCP over a binding
   for the same address, learnt from SAVI-FCFS.

6.1.3.  Multiple SAVI Device Scenario

   A single SAVI device doesn't have the information of all bound
   addresses on the perimeter.  Therefore it is not enough to lookup
   local bindings to identify a collision.  However, assuming DAD is
   performed throughout the security perimeter for all addresses
   regardless of the assignment method, then DAD response will inform
   all SAVI devices about any collision.  In that case, "First-Come,
   First- Served" will apply the same way as in a single switch
   scenario.  If the admin configured on one the switches a prefix (or a
   single static binding) to defend, the DAD response generated by this
   switch will also prevent the binding to be installed on other
   switches of the perimeter.  The SAVI MIX preferences of all the SAVI
   devices in the same layer-2 domain should be consistent.
   Inconsistent configurations may cause network breaks.

6.2.  Same Address on the Same Binding Anchor

   A binding may be set up on the same binding anchor by multiple
   methods, typically SAVI-FCFS and SAVI-DHCP.  If the binding lifetimes
   obtained from the two methods are different, priority should be given
   to 1) Manual configuration 2) SAVI-DHCP 3) SAVI-FCFS as the least
   authoritative.  The binding will be removed when the prioritized
   lifetime expires, even if a less authoritative method had a longer
   lifetime.





Bi, et al.                Expires July 5, 2017                  [Page 8]

Internet-Draft                  SAVI MIX                    January 2017


7.  Security Considerations

   Combining SAVI methods (as in SAVI MIX) does not improve on or
   eliminate the security considerations associated with each individual
   SAVI method.  Therefore, security considerations for each enabled
   SAVI method should be addressed as described in that method's
   associated RFC.  Moreover, combining methods (as in SAVI MIX) has two
   additional implications for security.  First, it may increase
   susceptibility to DoS attacks, because the SAVI binding setup rate
   will be the sum of the rates of all enabled SAVI methods.
   Implementers must take these added resource requirements into
   account.  Second, because SAVI MIX supports multiple binding
   mechanisms, it potentially reduces the security level to that of the
   weakest supported method, unless additional steps (e.g. requiring
   non-overlapping address spaces for different methods) are taken.

8.  Privacy Considerations

   When implementing multiple SAVI methods, privacy considerations of
   all methods apply cumulatively.

9.  IANA Considerations

   This memo asks the IANA for no new parameters.

10.  Acknowledgment

   Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun, David
   Lamparter, Scott G.  Kelly and Jari Arkko for their valuable
   contributions.

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997,
              <http://www.rfc-editor.org/info/rfc2131>.

   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003, <http://www.rfc-editor.org/info/rfc3315>.



Bi, et al.                Expires July 5, 2017                  [Page 9]

Internet-Draft                  SAVI MIX                    January 2017


   [RFC3971]  Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander,
              "SEcure Neighbor Discovery (SEND)", RFC 3971,
              DOI 10.17487/RFC3971, March 2005,
              <http://www.rfc-editor.org/info/rfc3971>.

   [RFC6085]  Gundavelli, S., Townsley, M., Troan, O., and W. Dec,
              "Address Mapping of IPv6 Multicast Packets on Ethernet",
              RFC 6085, DOI 10.17487/RFC6085, January 2011,
              <http://www.rfc-editor.org/info/rfc6085>.

   [RFC6620]  Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
              SAVI: First-Come, First-Served Source Address Validation
              Improvement for Locally Assigned IPv6 Addresses",
              RFC 6620, DOI 10.17487/RFC6620, May 2012,
              <http://www.rfc-editor.org/info/rfc6620>.

   [RFC7219]  Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor
              Discovery (SEND) Source Address Validation Improvement
              (SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014,
              <http://www.rfc-editor.org/info/rfc7219>.

   [RFC7513]  Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address
              Validation Improvement (SAVI) Solution for DHCP",
              RFC 7513, DOI 10.17487/RFC7513, May 2015,
              <http://www.rfc-editor.org/info/rfc7513>.

11.2.  Informative References

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              DOI 10.17487/RFC4861, September 2007,
              <http://www.rfc-editor.org/info/rfc4861>.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007,
              <http://www.rfc-editor.org/info/rfc4862>.

   [RFC7039]  Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
              "Source Address Validation Improvement (SAVI) Framework",
              RFC 7039, DOI 10.17487/RFC7039, October 2013,
              <http://www.rfc-editor.org/info/rfc7039>.

Authors' Addresses







Bi, et al.                Expires July 5, 2017                 [Page 10]

Internet-Draft                  SAVI MIX                    January 2017


   Jun Bi
   Tsinghua University
   Network Research Center, Tsinghua University
   Beijing  100084
   China

   EMail: junbi@tsinghua.edu.cn


   Guang Yao
   Tsinghua University/Baidu
   Baidu Science and Technology Park, Building 1
   Beijing  100193
   China

   EMail: yaoguang.china@gmail.com


   Joel M. Halpern
   Ericsson

   EMail: joel.halpern@ericsson.com


   Eric Levy-Abegnoli (editor)
   Cisco Systems
   Village d'Entreprises Green Side - 400, Avenue Roumanille
   Biot-Sophia Antipolis  06410
   France

   EMail: elevyabe@cisco.com




















Bi, et al.                Expires July 5, 2017                 [Page 11]