Internet DRAFT - draft-shi-savi-access

draft-shi-savi-access



SAVI                                                              F.Shi
Internet Draft                                            China Telecom
Intended status: Standard Tracks                K.Xu, L.Zhu, G.Hu, Y.Bo
Expires: Nov 2017                                        Tsinghua Univ.
                                                           May 16, 2017



        SAVI Requirements and Solutions for ISP IPv6 Access Network
                       draft-shi-savi-access-11.txt


Abstract

   Internet is always confronted with many security threats based on IP
   address spoofing which can enable impersonation and malicious traffic
   redirection. Unfortunately, the Internet architecture fails to
   provide the defense mechanism. Source Address Validation Improvement
   (SAVI) was developed to prevent IP source address spoofing.
   Especially, the mechanism is essential for ISPs. However, due to the
   diversity of address assignment methods, SAVI solution is also
   different accordingly. This document describes five scenarios of
   ISPs'IPv6 access network, and moreover, states its SAVI requirements
   and tentative solutions accordingly.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on Nov 16, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.





Shi, et al.              Expires Nov 16,2017                  [Page 1]

Internet-Draft               SAVI Access                      May 2017


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents carefully,
   as they describe your rights and restrictions with respect to this
   document. Code Components extracted from this document must include
   Simplified BSD License text as described in Section 4.e of the Trust
   Legal Provisions and are provided without warranty as described in
   the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November 10
   2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.



Table of Contents


   1. Introduction ................................................. 3
   2. Conventions used in this document ............................ 4
   3. Terminology .................................................. 4
   4. Scenarios for ISPs'IPv6 Access Network ....................... 4
      4.1. Scenario 1: HRG acts as DHCPv6 proxy .................... 5
      4.2. Scenario 2: STB gets IP address via DHCPv6 .............. 7
      4.3. Scenario 3: PC gets IP address via PPPoE & RA ........... 8
      4.4. Scenario 4: Laptop accesses Internet via WLAN ........... 9
      4.5. Scenario 5: Laptop accesses Internet via C+W ............ 10
   5. Conclusions .................................................. 12
   6. References ................................................... 13
      6.1. Normative References  ................................... 13
   7. Acknowledgments .............................................. 14









Shi, et al.             Expires Nov 16, 2017                  [Page 2]

Internet-Draft               SAVI Access                      May 2017


1. Introduction

   Spoofing of IP source addresses can jeopardize people's privacy,
   enable malicious traffic redirection which causes the network
   topology and traffic information to be leaked out. Further, it will
   be difficult to trace the source host which has forged the packet.
   The Source Address Validation Improvement (SAVI) method was designed
   to prevent hosts attached to the same link from spoofing each other's
   IP address. It is developed to complement ingress filtering with
   finer-grained, standardized IP source address validation. It is also
   can be deployed easily in networks due to its modularization and
   extensibility.

   ISPs that provide Internet access services, information services and
   value-added services to the customers always have to be confronted
   with many threats enabled by IP source address spoofing, while the
   Internet architecture fails to prevent IP source address spoofing
   [draft-ietf-savi-threat-scope]. So they have an imperative demand to
   apply the mechanism in order to defend the attack and ensure the
   security of its network and customers' privacy.

   Internet Service Provider has multiple access scenarios not limited
   to Ethernet, and usually is deployed with DHCP. Other scenarios such
   as ADSL with PPP and Ethernet with PPP are also popular in the real
   world. Unfortunately, SAVI Switch only works in the scenarios of wire
   or wireless Ethernet and does not support all address assignment
   methods that can be used in access network. There are four address
   assigned methods identified in one of the SAVI documents:

   1. Stateless Address Auto Configuration (SLACC) [I-D.ietf-savi-fcfs]

   2. Dynamic Host Control Protocol address assignment (DHCP)
      [I-D.ietf-savi-dhcp]

   3. Secure Neighbor Discovery (SeND) address assignment
      [I-D.ietf-savi-send]

   4. Mix Address assignment methods
      [I-D.ietf-savi-mix]

   Thus, According to different access network scenarios, SAVI should
   adjust its deployment and make improvement to adapt to the real
   situation. This note analyzes five scenarios of ISPs' IPv6 access
   network, and on this basis, gives tentative SAVI solutions
   accordingly.




Shi, et al.             Expires Nov 16, 2017                  [Page 3]

Internet-Draft               SAVI Access                      May 2017


2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS. Lower case uses of these words are not to be
   interpreted as carrying RFC-2119 significance.

3. Terminology

   The following acronyms and terms are used throughout this document.

   HRG: Home Residential Gateway, an intelligent gateway between network
   devices and external network in a family.

   BRAS: Broadband Remote Access Server, a network switch that funnels
     traffic from DSL and/or cable modem aggregation devices to various
     carriers' networks based on the type of an application or that of
     a service required.

   STB: Set Top Box, a device which can provide value-added services
     used to enhance or extend the function of TV.

   AAA: Authentication, Authorization, Accounting. AAA server can
     provide verification and authority service.

   C+W: CDMA (CDMA2000) + WLAN, an integrated wireless broadband network
   business of China telecom.

   WAG: Wireless Access Gateway.

   PDSN: Packet Data Serving Node, responsible for the establishment and
     terminating point-to-point protocol (PPP) connection and assign
     dynamic address for nodes.



4. Scenarios for ISPs'IPv6 Access Network

   There are various access methods for ISPs'IPv6 access network. To
   facilitate the deployment of the SAVI method in networks of various
   kinds, the SAVI method is designed to support different IP address
   assignment methods [I-D.ietf-savi-framework]. However, there are
   still some mixed address assignment methods which cannot be supported.
   It is important to note that the deployment of SAVI device has been


Shi, et al.             Expires Nov 16, 2017                  [Page 4]

Internet-Draft               SAVI Access                      May 2017


   impacted greatly by access network scenarios and its address
   assignment methods.  In order to meet different IP Source Address
   Validation requirements, SAVI solutions may need to be improved to
   adapt to the real situation.

   From the perspective of SAVI deployment, there are five typical
   scenarios of ISPs'IPv6 access network:

   1. Home Residential gateway (HRG) acts as DHCPv6 proxy.

   2. Set Top-box (STB) gets an IP address via DHCPv6.

   3. Host gets IP address via PPPoE & RA.

   4. Laptop accesses Internet via WLAN.

   5. Laptop accesses Internet via C+W.

   We will discuss the SAVI solution for each scenario in detail in the
   next section.

4.1. Scenario 1: Home Residential gateway (HRG) acts as DHCPv6 proxy



                                +--------+
                                |  BRAS  |
                                +-------,+
                       (PPPoE/ND/RA)|| (DHCPv6-PD)
                                    ||
                                +---||---+
                                |   HRG  |
                                +--/----/+
                          (DHCPv6)|     |(DHCPv6)
                            +----\-+   +\-----+
                            |  PC  |   |  STB |
                            +------+   +------+

                           Figure 1: Scenario 1


   Figure 1 shows the main elements in scenario 1. PC and STB connect to
   the Internet via HRG. Its address assignment mechanism can be
   described as follows: First, HRG gets a link-local IPv6-IPv6 address
   from BRAS via PPPoE and ND/RA. Then, HRG gets an IPv6 address from
   BRAS via DHCPv6-PD. At last, PC and STB get IPv6 addresses from HRG


Shi, et al.             Expires Nov 16, 2017                  [Page 5]

Internet-Draft               SAVI Access                      May 2017


   via DHCPv6. Of course, PC and STB can also get IPv6 addresses via
   ND/RA, but the DHCPv6 is much more popular.

   According to the SAVI mechanism, in order to achieve Source Address
   Validation, the SAVI device must snoop the whole procedure of Address
   assignment. In addition, the preferred location of SAVI instances is
   close to hosts, such as in access switches that directly attach to
   the hosts where host IP addresses are being validated [I-D.ietf-savi-
   framework]. So we can deploy the SAVI device in places close to the
   HRG, such as the first hop access device. It can be illustrated in
   figure 2.


                                +--------+
                                |  BRAS  |
                                +-------,+
                       (PPPoE/ND/RA)|| (DHCPv6-PD)
                                    ||
                         . . . . . .|| . . . . . . .
                         .          ||    Protection.
                         .       +-------+ Perimeter.
                         .       | SAVI  |          .
                         .       | Device|          .
                         .       +-------+          .
                         .          ||              .
                         . . . . . .|| . . . . . . .
                                 +--||---+
                                 |   HRG |
                                 +-/----/+
                          (DHCPv6) |    |(DHCPv6)
                            +----\-+   +\-----+
                            |  PC  |   |  STB |
                            |      |   |      |
                            +------+   +------+

                  Figure 2: SAVI solution for Scenario 1


   Figure 2 shows the deployment of SAVI device. It also allows multiple
   SAVI devices and non-SAVI devices co-existing on a link. In addition,
   for this solution, the SAVI mechanism needs to improve to snoop the
   procedure of DHCPv6-PD, so as to bind the relationship <HRG/PC/STB's
   IP address, port, MAC>.






Shi, et al.             Expires Nov 16, 2017                  [Page 6]

Internet-Draft               SAVI Access                      May 2017


4.2. Scenario 2: STB gets an IP address via DHCPv6

   The difference between scenario 1 and scenario 2 is the absence of HG
   which acts as DHCPv6 proxy. In scenario 2, STB, having its internal
   account and password gets IPv6 prefix by DHCPv6. The general scene
   workflow includes the following steps: STB sends requests to all
   routers on a local link by using a link-local address based on its
   MAC address. The BRAS gives a message to STB to adopt DHCPv6 address
   assignment method as a response. STB initiates the DHCPv6 procedure
   and BRAS acts as a DHCP Relay to add some authorities' messages. An
   AAA server decides whether assign address parameters depend on the
   result of authentication. At last, BRAS receives IPv6 parameters from
   AAA server, and then, informs STB via DHCPv6 protocol. It can be
   illustrated in figure 3.

                           +--------+  +-----------+
                           |   AAA  |  |DHCP server|
                           +--------+  +-----------+
                                    \ /
                                    ||
                                    ||
                                +---||---+
                                |  BRAS  |
                                +--------+
                                     |
                                  (DHCPv6)
                                     |
                                 +-------+
                                 |  STB  |
                                 +-------+

                            Figure 3: Scenario2


   Figure 3 shows the main elements in scenario 2. Due to the pure
   DHCPv6 address assignment method in this scenario, we can deploy SAVI
   device in places close to STB directly and SAVI mechanism need not
   make any improvement. It just needs to bind relationship <STB's IP
   Address, port, STB's MAC Address> which is supported in the existing
   SAVI function. The solution can be illustrated in figure 4.








Shi, et al.             Expires Nov 16, 2017                  [Page 7]

Internet-Draft               SAVI Access                      May 2017


                         +--------+  +-----------+
                         |   AAA  |  |DHCP server|
                         +--------+  +-----------+
                                  \ /
                                +--||---+
                                | BRAS  |
                                +-------+
                                    |
                                 (DHCPv6)
                                    |
                            . . . . . . . . . .  .
                            .  +---------------+ .
                            .  |  SAVI device  | .
                            .  +---------------+ .
                            . . . . . . . . . .  .
                                    |
                                +-------+
                                |  STB  |
                                +-------+

                  Figure 4: SAVI solution for Scenario 2


4.3. Scenario 3: PC gets an IP address via PPPoE & RA

   In this scenario, first of all, PC gets a link-local address from
   BRAS via PPPoE. BRAS broadcasts IPv6 prefix via RA. Finally, PC
   configures its address automatically and gets some additional
   messages from BRAS.

                                +--------+
                                |   AAA  |
                                +--------+
                                    \
                                     |
                                 +---|---+
                                 | BRAS  |
                                 +-------+
                                     |(ND)
                                 +-------+
                                 |   PC  |
                                 +-------+

                            Figure 5: Scenario3

   Figure 5 shows the main elements in scenario 3. As the function of ND
   snooping has already been designed, we only take PPPoE snooping into


Shi, et al.             Expires Nov 16, 2017                  [Page 8]

Internet-Draft               SAVI Access                      May 2017


   account. Thus, the solution to this scenario which is illustrated in
   figure 6 is to deploy the SAVI device directly and binding
   relationship <PC's IP Address, port, PC's MAC>. In this scenario,
   SAVI needs to improve in order to realize PPPoE snooping.

                                +--------+
                                |   AAA  |
                                +--------+
                                    \
                                 +---|---+
                                 | BRAS  |
                                 +-------+
                                 (ND)|
                            . . . . . . . . . .  .
                            .  +---------------+ .
                            .  |  SAVI device  | .
                            .  +---------------+ .
                            . . . . . . . . . .  .
                                     |
                                 +-------+
                                 |  PC   |
                                 +-------+

                  Figure 6: SAVI solution for Scenario 3


4.4. Scenario 4: Laptop accesses Internet via public WLAN

   The interaction in this scenario is relatively simple. The laptop
   gets an IPv6 address via DHCPv6. Then, users are enforced to be
   certified by submitting a password on a portal page.

















Shi, et al.             Expires Nov 16, 2017                  [Page 9]

Internet-Draft               SAVI Access                      May 2017


                         +--------+  +-----------+
                         |   AAA  |  |DHCP server|
                         +--------+  +-----------+
                                   \/
                                +--||---+
                                | BRAS  |
                                +-------+
                                    |(DHCPv6)
                                +-------+
                                |LAPTOP |
                                +-------+

                           Figure 7: Scenario 4


   Figure 7 shows the main elements in scenario 4. We can deploy the
   SAVI device directly and bind relationship <LAPTOP's IP Address, port,
   LAPTOP's MAC>. The solution can be illustrated in figure 8.

                         +--------+  +-----------+
                         |   AAA  |  |DHCP server|
                         +--------+  +-----------+
                                    \ /
                                     ||
                                 +---||---+
                                 |  BRAS  |
                                 +--------+
                                     |(DHCPv6)
                                     |
                            . . . . . . . . . .  .
                            .  +---------------+ .
                            .  |  SAVI device  | .
                            .  +---------------+ .
                            . . . . . . . . . .  .
                                     |
                                +-------+
                                |LAPTOP |
                                +-------+

                  Figure 8: SAVI solution for Scenario 4


4.5. Scenario 5: Laptop accesses Internet via C+W

   This scenario describes that the laptop accesses the Internet via
   CDMA and WLAN. The general scene workflow includes the following
   steps: The laptop gets a temporary IPv6 address from BARS via DHCPv6,


Shi, et al.             Expires Nov 16, 2017                 [Page 10]

Internet-Draft               SAVI Access                      May 2017


   and then, obtains the WAG address from a DNS server. The laptop
   establishes a UDP tunnel to WAG by sending register request. If the
   tunnel is established successfully, the laptop can get IPv6 prefix
   from PDSN via PPP and RA, whereas PDSN acts as the PPP terminal. At
   last, the laptop gets some additional information such as the DNS
   address. When the above steps are all accomplished, the laptop
   acquires the ability to access the Internet.

                         +--------+  +-----------+
                         |   AAA  |--|    PDSN   |
                         +--------+  +------|----+
                         +--------+  +------|----+
                         |AN-AAA  |--|    WAG    |
                         +--------+  +-----------+
                                      //
                                     // UDP tunnel
                                     ||
                                     ||
                                  +--||---+
                                  | BRAS  |
                                  +-------+
                                       |
                                       |(DHCPv6)
                                       |
                                   +-------+
                                   | LAPTOP|
                                   +-------+

                           Figure 9: Scenario 5


   Figure 9 shows the main elements in scenario 5. in this scenario, we
   also can deploy the SAVI device in places close to the LAPTOP. SAVI
   needs to improve to support the PPPoE protocol snooping. It also
   binds relationship <LAPTOP's IP Address, port, LAPTOP's MAC>. The
   solution is described in figure 10.












Shi, et al.             Expires Nov 16, 2017                 [Page 11]

Internet-Draft               SAVI Access                      May 2017


                         +--------+  +-----------+
                         |   AAA  |--|    PDSN   |
                         +--------+  +------|----+
                         +--------+  +------|----+
                         |AN-AAA  |--|    WAG    |
                         +--------+  +-----------+
                                      //
                                     // UDP tunnel
                                     ||
                                     ||
                                  +--||---+
                                  | BRAS  |
                                  +-------+
                                      |
                                    (DHCPv6)
                                      |
                                 +--------+
                                 |  SAVI  |
                                 |  device|
                                 |        |
                                 +--------+
                                     |
                                     |
                                 +-------+
                                 |LAPTOP |
                                 +-------+

                  Figure 10: SAVI solution for Scenario 5


5. Conclusions

   For ISPs, SAVI can defend against many security attacks effectively
   which are based on IP address spoofing. There are various scenarios
   of ISPs'IPv6 Access Network. As each scenario uses a different
   address assignment method and protocol, there are a variety of
   requirements to validate the source address for ISPs' IPv6 access
   network. Though SAVI cannot support all protocols and methods right
   now, due to expansibility of SAVI, the mechanism can satisfy various
   demands with a small improvement. This document presents five typical
   scenarios of ISPs'IPv6 access network, and proposes tentative SAVI
   solutions.

   Moreover, for functional verification, we conducted an experiment on
   China Telecom's access network in Hunan province. The experimental
   results show that source addresses can be validated effectively as we
   expected in most access scenarios. Next, we will deploy more SAVI


Shi, et al.             Expires Nov 16, 2017                 [Page 12]

Internet-Draft               SAVI Access                      May 2017


   devices on a large-scale network in order to form a complete
   architecture.



6. References

6.1. Normative References

   [RFC 2119]                Bradner, S., "Key words for use in RFCs to
                            Indicate Requirement Levels", BCP 14, RFC
                            2119, March 1997.

   [draft-ietf-savi-threat-scope]

                      McPherson, D., Baker, F., and J. Halpern,
                            "SAVI Threat Scope", draft-ietf-savi-
                            threat-scope-05, April 2011.

   [I-D.ietf-savi-dhcp]      Wu, J., Yao, G., Bi, J., and F. Baker,
                            "SAVI Solution for DHCP", draft-ietf-savi-
                            dhcp-10 (work in progress), July 2011.

   [I-D.ietf-savi-fcfs]      Nordmark, E., Bagnulo, M., and E. Levy-
                            Abegnoli, "FCFSSAVI: First-Come First-Serve
                            Source-Address Validation for Locally
                            Assigned IPv6 Addresses", draft-ietf-savi-
                            fcfs-09(work in progress), April 2011.

   [I-D.ietf-savi-send]    Bagnulo, M. and A. Garcia-Martinez, "SEND-
                            based Source-Address Validation
                            Implementation", draft-ietf-savi-send-06
                            (work in progress), October 2011.

   [I-D.ietf-savi-framework] Wu, J., Bi, J., Bagnulo, M., Baker, F., and
                            C. Vogt, "Source Address Validation
                            Improvement Framework",draft-ietf-savi-
                            framework-05 (work in progress), July 2011.











Shi, et al.             Expires Nov 16, 2017                 [Page 13]

Internet-Draft               SAVI Access                      May 2017


7. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

     Fan Shi
     China Telecom
     Beijing Research Institute, China Telecom
     Beijing, 100035
     China
     Email: shifan@ctbri.com.cn

      Ke Xu
      Tsinghua University
      Department of Computer Science, Tsinghua University
      Beijing, 100084
      China
      Email: xuke@mail.tsinghua.edu.cn

     Liang Zhu
      Tsinghua University
      Department of Computer Science, Tsinghua University
      Beijing, 100084
      China
      Email: tshbruce@gmail.com

     Guangwu Hu
      Tsinghua University
      Department of Computer Science, Tsinghua University
     Beijing, 100084
      China
     Email: hgw09@mails.tsinghua.edu.cn















Shi, et al.             Expires Nov 16, 2017                 [Page 14]