Dear all -

Marcelo and Guang had an interesting discussion on whether FCFS SAVI should establish bindings based on data packets or based on control packets. I would like to follow up on this.

To summarize: Whereas draft-bagnulo-savi-fcfs proposes the exclusive use of data packets to establish bindings, Guang believes that bindings should be established exclusively based on control packets. According to Guang, the advantage of exclusively using control packets to establish bindings would be a better means to synchronize hosts and SAVI devices regarding a host's right to use an address. The standard way for hosts to determine their right to use an address is via the Duplicate Address Detection or DHCP procedure, whereas according to draft-bagnulo-savi-fcfs, SAVI devices determine such right based on previously received data packets. The use of different procedures for hosts and SAVI devices raises the question of whether hosts and SAVI devices may lose sync regarding the right to use an address.

One case where this is an issue, as brought up by Guang, is the deliberate establishment of bogus bindings by an attacker in order to keep a victim host from acquiring a functioning address. The Neighbor Solicitation message that the victim host must send during the Duplicate Address Detection procedure discloses the address that the victim host is trying to acquire without establishing a binding for the address. This enables the attacker to establish a bogus binding, and hence to make the address dysfunctional for the victim host, by sending a data packet that appears to originate from the address. To prevent this attack, Guang concludes that bindings should exclusively be established based on control packets, i.e., based on monitoring the messages exchanged during the Duplicate Address Detection or DHCP procedure.

Like Marcelo, I agree with this partly, but not entirely: Although using control packets for binding establishment is necessary to prevent the attack described above, it is not required that control packets are used /exclusively/. Using both control and data packets for binding establishment would be possible as well. More specifically, the reason for the aforementioned attack is the existence of a shortcut for binding establishment, which is non-legitimate, but which is not prevented either. To prevent the attack, the shortcut must be eliminated. And this means that binding establishment should be based on the first packet, independent of whether this is a data packet or a control packet.

The residual question therefore is whether or not data packets should be used for binding establishment in addition to control packets. There are pros and cons for either approach:

- The advantage of using data packets is that statically configured addresses become straightforward to support. Hosts with statically configured addresses cannot be expected to engage in any exchange of control packets, so a simple method to establish a binding in this case is based on the first data packet.

- The advantage of /not/ using data packets is that it becomes less likely for hosts and SAVI devices to lose sync regarding a host's right to use an address. A host and its connected SAVI device then always determine such right based on the same control packets, so in the absence of control packet loss on the link segment between the host and the SAVI device, it is impossible for the host and the SAVI device to have different understandings regarding the host's right to use an address.

However, neither of these is a strong argument for or against the use of data packets for binding establishment. Statically configured addresses could also be supported if bindings were established based on only control packets: A SAVI device could, e.g., initiate a Duplicate Address Detection procedure on behalf of a host when the host sends the first data packet from a statically configured address. Loss of synchronization between hosts and SAVI devices could, e.g., also be resolved with the Neighbor Unreachability Detection procedure, as proposed in draft-bagnulo-savi-fcfs.

I think that, in order to move forward and decide whether or not to use data packets for binding establishment, we should also consider the effects on SAVI solution components other than the initial binding establishment. One such component is inter-switch mobility: Would the re-establishment of the binding in the new switch become easier based on data packets or control packets? How about the removal of the binding in the old switch? Another component is SeND support (in the SeND-based SAVI variant): If binding establishment is exclusively based on control packets, the use of SeND automatically protects binding establishment. This is not the case if data packets are used to establish bindings, because SeND does not protect the source address in data packets. SeND can then only protect the Neighbor Unreachability Detection procedure, which is used for garbage collection in draft-bagnulo-savi-fcfs.

What does the working group think about this? Please comment.

One final, important note: Of course, the FCFS principle, the core idea of draft-bagnulo-savi-fcfs, is orthogonal to whether or not data packets are used for binding establishment. And based on the feedback we got at the SAVI meeting in Minneapolis and so far on this mailing list, the FCFS principle is by many considered the way to go.

- Christian
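The following is an added simulation, not part of the message above and not the algorithm of draft-bagnulo-savi-fcfs. It models a single SAVI switch as a first-come-first-served table of address-to-port bindings and compares three binding policies from the discussion: bindings from data packets only, from DAD control packets only, and from whichever packet arrives first. The bogus-binding attack (victim's DAD Neighbor Solicitation on one port, attacker's spoofed data packet on another) and the statically configured host that never sends a DAD NS are both run against each policy. Port names, addresses and the two packet kinds are constructed for the example; DHCP, Neighbor Unreachability Detection, garbage collection and link-layer checks are deliberately left out.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    # Neighbor Solicitation sent during Duplicate Address Detection; its IPv6
    # source is unspecified (::), so `addr` below carries the NS target address.
    DAD_NS = "dad_ns"
    # Ordinary data packet; `addr` is its IPv6 source address.
    DATA = "data"


@dataclass(frozen=True)
class Packet:
    port: str   # switch port the packet arrived on (constructed name)
    addr: str   # address the packet claims, see Kind
    kind: Kind


# Which packet kinds may create a binding under each policy (simplified model).
POLICIES = {
    "data_only":    {Kind.DATA},               # as summarized for the draft
    "control_only": {Kind.DAD_NS},             # Guang's proposal
    "first_packet": {Kind.DATA, Kind.DAD_NS},  # Christian's proposal
}


class SaviSwitch:
    """FCFS binding table: the first packet allowed to bind an address wins."""

    def __init__(self, policy: str):
        self.binds_on = POLICIES[policy]
        self.bindings: dict[str, str] = {}   # address -> port

    def receive(self, pkt: Packet) -> str:
        owner = self.bindings.get(pkt.addr)
        if owner is not None:
            # Existing binding: only the bound port may use the address.
            return "forward" if owner == pkt.port else "drop"
        if pkt.kind in self.binds_on:
            self.bindings[pkt.addr] = pkt.port   # first come, first served
            return "forward"
        # No binding and this packet kind does not create one: a DAD NS is
        # still forwarded (its source is ::, nothing to validate), which is
        # exactly the disclosure the attack relies on; a data packet from an
        # unbound source is filtered.
        return "forward" if pkt.kind is Kind.DAD_NS else "drop"


def simulate(policy: str, packets: list[Packet]) -> tuple[list[str], dict[str, str]]:
    """Feed packets in order to a fresh switch; return per-packet actions and the table."""
    sw = SaviSwitch(policy)
    return [sw.receive(p) for p in packets], dict(sw.bindings)


VICTIM = "2001:db8::10"   # constructed address
ATTACK = [
    Packet("port1", VICTIM, Kind.DAD_NS),   # victim starts DAD, discloses the address
    Packet("port2", VICTIM, Kind.DATA),     # attacker spoofs a data packet from it
    Packet("port1", VICTIM, Kind.DATA),     # victim later uses the address
]
STATIC_HOST = [
    Packet("port3", "2001:db8::50", Kind.DATA),   # static address, never runs DAD
]


def attack_outcomes() -> dict[str, list[str]]:
    return {p: simulate(p, ATTACK)[0] for p in POLICIES}


def static_outcomes() -> dict[str, list[str]]:
    return {p: simulate(p, STATIC_HOST)[0] for p in POLICIES}


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:13s} attack: {attack_outcomes()[policy]}  "
              f"static host: {static_outcomes()[policy]}")
```

Under "data_only" the attacker's data packet is the first binding-capable packet and the victim's own traffic is dropped afterwards; under "control_only" and "first_packet" the victim's DAD NS already owns the binding, so the spoofed data packet is dropped. The static host is only served when data packets may bind, which is the trade-off the message describes.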
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.