Hi Christian, thanks for the summary some comments below... Christian Vogt <christian.vogt at ericsson.com> dijo:
More specifically, the reason for the aforementioned attack is the existence of a shortcut for binding establishment, which is non-legitimate, but which is not prevented either. To prevent the attack, the shortcut must be eliminated. And this means that binding establishment should be based on the first packet independent of whether this is a data packet or a control packet.
Right, i concur with this, the savi state must be created with the firs packet, either data or control packet (dhcp, ND)
The residual question therefore is whether or not data packets should be used for binding establishment in addition to control packets. There are pros and cons for either approach: - The advantage of using data packets is that statically configured addresses become straightforward to support. Hosts with statically configured addresses cannot be expected to engage in any exchange of control packets, so a simple method to establish a binding in this case is based on the first data packet.
Actually, i think there are more reasons for using data packetsThe main reason is that DAD is not reliable. The ND packet can be lost and not make it to the SAVI device (e.g. error in the packet for instance)
Let's consider the following situation:Suppose that the SAVI device receives a data packet for which source address it doens't have a binding, what does the savi device does_? does it discards the packet? It seems an overkill to me, since we are not sure what happned. In the data based approach, we create the state. Using only control packet introduces this error mode.
- The advantage of /not/ using data packets is that it becomes less likely for hosts and SAVI devices to lose sync regarding a host's right to use an address. A host and its connected SAVI device then always determine such right based on the same control packets, so in the absence of control packet loss on the link segment between the host and the SAVI device, it is impossible for the host and the SAVI device to have different understanding regarding the host's right to use an address.
I don't understand this.Suppose that a host configures the address performs DAD and then goes quit for a really long time. At some point the SAVI device will discard the state for that address. The node then sends a data packet, what happnes? In this case, they are out of sync and the straight forward way to deal with this is to react upon the reception of data packets.
However, neither of these is a strong argument for or against the use of data packets for binding establishment.
IMHO there is strong case for using data packets, as described above
Statically configured addresses could also be supported if bindings were established based on only control packets: A SAVI device could, e.g., initiate a Duplicate Address Detection procedure on behalf of a host when the host sends the first data packet from a statically configured address. Loss of synchronization between hosts and SAVI devices could, e.g., also be resolved with the Neighbor Unreachability Detection procedure, such as proposed in draft-bagnulo-savi-fcfs.
Right, actually this is what i was thinking as inter switch protocol to spread the state crated using data packets
I think that, in order to move forward and decide whether or not to use data packets for binding establishment, we should also consider the affects on SAVI solution components other than the initial binding establishment. One such component is inter-switch mobility: Would the re-establishment of the binding in the new switch become easier based on data packets or control packets?
Does the node needs to perform DAD when the host moves from one swithc to another?
How about the removal of the binding
in the old switch? Another component is SeND support (in the SeND-based SAVI variant): If binding establishment is exclusively based on control packets, the use of SeND automatically protects binding establishment. This is not the case if data packets are used to establish bindings because SeND does not protect the source address in data packets.
The SEND based savi already performs a ND query to verify address ownership. i.e. upon the reception of a data packet it forces the sender to generate a control packet, which is ok for send imho
Regards, marcelo SeND
can then only protect the Neighbor Unreachability Detection procedure, which is used for garbage collection in draft-bagnulo-savi-fcfs. What does the working group think about this? Please comment. One final, important note: Of course, the FCFS principle, the core idea of draft-bagnulo-savi-fcfs, is orthogonal to whether or not data packets are used for binding establishment. And based on the feedback we got at the SAVI meeting in Minneapolis and so far on this mailing list, the FCFS principle is by many considered the way to go. - Christian
-- ---- MARCELO BAGNULO BRAUN WebCartero Universidad Carlos III de Madrid
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.