-----------------------------------------------------------
Minutes of the SAVI working group meeting at IETF 75
Thursday, July 30, 9:00am – 11:30am, Cabaret room
-----------------------------------------------------------

Minutes taken by Ren Gang (rengang@cernet.edu.cn) and Joel Halpern (jmh@joelhalpern.com), and compiled by Jun Bi (junbi@cernet.edu.cn).

1. Introduction and administrative (Christian Vogt)

2. On protecting unassigned IP addresses (Christian Vogt)

Threats: impersonation and concealment.
Existing protection is insufficient.
The capabilities available to address these threats depend on other factors, such as the address assignment mechanism.

Q: Jun Bi – Clarification as to what "unassigned" means, since Christian has argued that unassigned is not meaningful without central assignment, while Jun Bi suggests that DAD is sufficient to define assignment.
Q: Erik Nordmark – If the definition is that the goal is to control who can allocate a previously unused address, then SLAAC does not fit. If the definition is having a registered assignment, then DHCP is needed.
Q: Marcelo Bagnulo – There is no definition that a host cannot use an address without DAD.
Q: Eric Levy –
Q: Fred Baker – What are we trying to do? Without that answer, this is frivolous.
Q: Richard Barnes – In SLAAC there is no concept of unassigned. As Fred said, we need a clear goal.

Christian then posted an effort to describe where we stood. There was discussion of what was agreed. There ensued a debate about what had been said at an authors' meeting.

Christian, as chair, described an agreement that there be two documents, one for DHCP networks and one for SLAAC networks. He suggested that the approach should be based on merging the existing work, and that existing proposal names should be put aside.

Discussion of how this split will relate to real networks where there may be components that are mixed. The simplest mix is that link-local addresses are always done using SLAAC, even if DHCP is being used for global addresses.
3. SAVI model discussion (Erik Nordmark)

Switched network with a protection boundary and some trusted ports. The trust boundary may or may not align with the bridged network boundary.

Q: Jun Bi – Which proposal is this for? Answer: This is a general model for discussing solutions. We need to discuss the implications of having untrusted portions of the bridged network.

There are potentially different levels of authority / trustworthiness: statically assigned, DHCP, SeND, SLAAC.

Brief discussion of how to summarize the presentation.

Q: John Kaippallimalli – How do authenticated ports / access such as 802.1 fit in? Answer: Depends upon how much coupling there is to the address binding process.
Q: Marcelo Bagnulo – Can a single network use different kinds of lower layer anchors? Answer: If one has a mix of physical and virtual ports, there may be mixing, but one has to be careful to avoid weakening the system.
Q: Jun Bi – The trust anchor may be an unspoofable MAC address, and that has implications for trustworthiness. Answer: Indeed, this can extend the reach of the SAVI system by providing more bindings within the topology.
Q: Guang Yao – I think trust must be different in different cases.

4. Discussion of unassigned addresses in FCFS (Erik Nordmark)

Some ideas that can be added to FCFS, based on discussion.

DAD is not an address assignment authority; it is a sanity check.

Suggestion: the SAVI device proxies DAD for the host. The device generates multiple (rate-limited) DAD requests until it gets a response (or not).

Q: Jun Bi – He likes the idea, but wants it optional. He is concerned about managing the triggering from the data plane and managing the rate limiting. Discussion ensued.
Q: Eric Levy – Dropping the original DAD packet may not be the right answer.
Q: Richard Barnes – How effective can this be in practice? How does this work if the verification rate is very low? Answer: If a host is generating too many addresses per second, then we can deal with that in other ways.
The rate of new addresses normally ought to be low.

Q: Dave Harrington – Please let the presenters give their presentations.
Q: Alessandro Spjnella – Could problems trigger SNMP traps or syslog entries? Answer: Yes, you can do it on triggering, or later on problem detection.

The same game can also be played with IPv4 ARP, to filter hard-configured IP addresses.

This comes up, and is probably required, with IPv6 link-locals, since those are always DAD based. Use with other things is optional.

Q: Jun Bi – Triggering control action by data is dangerous, so IPv4 handling should be optional.

5. Control Plane Snooping overview (Jun Bi)

Presentation of the "Control Packet Snooping" approach, draft-bi-savi-cps-01.txt.

Bindings are set up at switch ports based on observing control packets, for both the DHCP and SLAAC cases. Packets for which suitable control traffic has not been seen are dropped. Details include port properties, state machines in the switch, the list of control protocols observed, how the scheme supports a host changing ports and switches, etc.

There is a control-packet-triggered probe, whereas in FCFS the probe is triggered by data packets. Jun believes control-packet-triggered action is feasible for a real switch to implement.

Q: Behcet Sarkaya – What kind of switch? Answer: Wired Ethernet layer 2, with switches that support L3 intelligence (aka L2.5 switches).
Q: Richard Barnes – Is this purely passive, or also an active packet producer? Answer: Basically it is passive, but while it produces some control packets, that is rate limited.

6. Increasing binding table accuracy (Eric Levy-Abegnoli)

Binding accuracy depends upon the order of events and the use or non-use of things like SEND. This is particularly the case with a first-come, first-accepted discipline.

Q: Marcelo Bagnulo – You are assuming no DAD? Discussion of the semantics of SEND. SEND includes a rule that SEND users are allowed to ignore conflicting DADs upon repeated tries.
The threat is that an attacker may be able to pollute the neighbor caches of listeners who do not implement SEND. The idea is to give listeners the benefit of SEND protection relative to SEND-using senders, even if the receivers are not using SEND, by having the switch notice that SEND was used with a given address earlier and prevent misleading advertisements. This would be an added feature. It requires additional content inspection.

7. Requirements for SAVI in broadband access (Wojciech Dec)

Description of VLAN models, including 1:1 and shared VLAN (with restrictions) models.

Q: Marcelo Bagnulo – Which boxes are switches, and which are routers? In particular, how are the traffic constraints enforced? Suresh answered that it is RFC 4562 and IEEE 802.1Q.

Description of port / MAC / IP learning in existing IPv4 networks.

Summary of preliminary requirements. DHCP-PD is adopted by the Broadband Forum. The other IPv6-specific requirements are the presenter's understanding, not yet adopted by the BBF.

Q: Michael Abrahmson – Does the BBF have a document describing all the attacks at L2 and L3 on the access network? Answer: No.
Q: Marcelo Bagnulo – The DHCP support requested sounds quite tenable (DHCP-PD).
Q: Erik Nordmark – If the edge devices were routers, it might simplify the problems.

8. Control Plane Snooping implementation report (Jun Bi)

Jun Bi reported that the CPS draft has been implemented by multiple switch vendors, including H3C, ZTE, Digital China, Huawei, Ruijie, Bitway, and Centec. Jun showed some videos of how CPS works in those switches for anti-spoofing. The videos can be downloaded from ftp://ietf:ietf@202.112.49.246.

Jun then introduced the CNGI-CERNET2 deployment of the SAVI-CPS switches.

Jun and Guang Yao brought 3 Ethernet switches (Digital China) and did a live demo at the end of the WG meeting.

Erik Nordmark: Upload the videos.
Christian Vogt: We will do it after this meeting.
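As an added example, not code from the minutes, from draft-bi-savi-cps-01 or from the FCFS work, the following Python sketch shows the mechanism that items 4 and 5 above have in common: a switch that builds its binding table from snooped control packets (a DHCP request followed by the server's ACK on a trusted port, an IPv6 DAD neighbor solicitation that nobody defends against), applies first-come first-served to duplicate DAD claims, honours a defending neighbor advertisement only from the port that owns the address or from a trusted port, caps the number of addresses one port may claim in the spirit of the rate-limiting discussion, and then forwards data packets only when the (ingress port, source address) pair has a binding. The packet model, port names, addresses, client identifiers and timers are constructed for illustration; the DAD proxying discussed under item 4 is not modelled, the switch here only observes.

```python
"""Toy SAVI switch: binding table built from snooped control packets, data
packets filtered by (ingress port, source address).  Added example; packet
model, port names, addresses and timers are constructed, not taken from the
minutes or from any SAVI draft."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Packet:
    kind: str           # DHCP_REQUEST, DHCP_ACK, DAD_NS, NA or DATA (constructed model)
    port: str           # switch port the packet arrived on
    t: float = 0.0      # arrival time in seconds (constructed clock)
    client: str = ""    # DHCP client identifier (e.g. MAC) for DHCP_* packets
    addr: str = ""      # assigned / claimed / advertised address, or the DATA source

@dataclass
class SaviSwitch:
    trusted_ports: Set[str]                 # uplinks towards routers and DHCP servers
    dad_wait: float = 1.0                   # seconds a DAD claim stays tentative
    max_addrs_per_port: int = 8             # cap on bindings plus claims per port
    bindings: Dict[str, str] = field(default_factory=dict)                 # addr -> port
    tentative: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # addr -> (port, t0)
    dhcp_pending: Dict[str, str] = field(default_factory=dict)             # client -> port
    log: List[str] = field(default_factory=list)

    def _addrs_on(self, port: str) -> int:
        return (sum(1 for p in self.bindings.values() if p == port)
                + sum(1 for p, _ in self.tentative.values() if p == port))

    def _confirm_claims(self, now: float) -> None:
        # A DAD claim nobody defended against within dad_wait becomes a binding (FCFS).
        for addr, (port, t0) in list(self.tentative.items()):
            if now - t0 >= self.dad_wait:
                del self.tentative[addr]
                self.bindings[addr] = port
                self.log.append(f"bind {addr} -> {port} (DAD unchallenged)")

    def handle(self, pkt: Packet) -> bool:
        """Process one packet; return True if it is forwarded, False if dropped."""
        self._confirm_claims(pkt.t)
        trusted = pkt.port in self.trusted_ports
        if pkt.kind == "DHCP_REQUEST":
            # Remember the requesting port; the server's ACK binds the address there.
            self.dhcp_pending[pkt.client] = pkt.port
            return True
        if pkt.kind == "DHCP_ACK":
            if not trusted:  # only a server behind a trusted port may create bindings
                self.log.append(f"drop DHCP_ACK on untrusted port {pkt.port}")
                return False
            port = self.dhcp_pending.pop(pkt.client, None)
            if port is not None:
                self.bindings[pkt.addr] = port
                self.log.append(f"bind {pkt.addr} -> {port} (DHCP)")
            return True
        if pkt.kind == "DAD_NS":
            owner = self.bindings.get(pkt.addr)
            if owner is not None and owner != pkt.port:
                # First come, first served: the address already belongs to another port.
                self.log.append(f"drop DAD_NS for {pkt.addr} on {pkt.port}: bound to {owner}")
                return False
            if owner is None and pkt.addr not in self.tentative:
                if self._addrs_on(pkt.port) >= self.max_addrs_per_port:
                    self.log.append(f"drop DAD_NS on {pkt.port}: per-port limit")
                    return False
                self.tentative[pkt.addr] = (pkt.port, pkt.t)
            return True
        if pkt.kind == "NA":
            # A defending NA is honoured only from the owning port or a trusted port.
            if trusted or self.bindings.get(pkt.addr) == pkt.port:
                claim = self.tentative.pop(pkt.addr, None)
                if claim is not None:
                    self.log.append(f"reject claim {pkt.addr} on {claim[0]}: defended from {pkt.port}")
                return True
            self.log.append(f"drop NA for {pkt.addr} on {pkt.port}: not the owner")
            return False
        if pkt.kind == "DATA":
            if trusted or self.bindings.get(pkt.addr) == pkt.port:
                return True
            self.log.append(f"drop DATA src {pkt.addr} on {pkt.port}: no binding")
            return False
        raise ValueError(f"unknown packet kind {pkt.kind!r}")

def run_demo() -> Dict[str, object]:
    """Constructed scenario: host A on p1 gets an address via DHCP, host B on p2
    autoconfigures an IPv6 address, and host C on p3 tries to spoof both."""
    sw = SaviSwitch(trusted_ports={"uplink"})
    r: Dict[str, object] = {}
    r["a_req"] = sw.handle(Packet("DHCP_REQUEST", "p1", t=0.0, client="aa:aa"))
    r["ack"] = sw.handle(Packet("DHCP_ACK", "uplink", t=0.1, client="aa:aa", addr="192.0.2.10"))
    r["a_data"] = sw.handle(Packet("DATA", "p1", t=0.2, addr="192.0.2.10"))
    r["c_spoof_v4"] = sw.handle(Packet("DATA", "p3", t=0.3, addr="192.0.2.10"))
    r["rogue_ack"] = sw.handle(Packet("DHCP_ACK", "p3", t=0.4, client="cc:cc", addr="192.0.2.99"))
    r["b_ns"] = sw.handle(Packet("DAD_NS", "p2", t=1.0, addr="2001:db8::b"))
    r["b_data_early"] = sw.handle(Packet("DATA", "p2", t=1.5, addr="2001:db8::b"))  # still tentative
    r["b_data"] = sw.handle(Packet("DATA", "p2", t=2.5, addr="2001:db8::b"))  # bound after dad_wait
    r["c_ns_dup"] = sw.handle(Packet("DAD_NS", "p3", t=2.6, addr="2001:db8::b"))
    r["c_spoof_v6"] = sw.handle(Packet("DATA", "p3", t=2.7, addr="2001:db8::b"))
    r["bindings"], r["log"] = dict(sw.bindings), list(sw.log)
    return r
```

Calling run_demo() walks the constructed scenario through the switch: the DHCP ACK from the uplink binds 192.0.2.10 to p1, the same ACK arriving on an access port is ignored, host B's address stays tentative for dad_wait seconds (data from it is dropped during that window, which is the trade-off Eric Levy's remark about dropping the original DAD packet points at) and is then bound to p2, and the later DAD claim and spoofed data from p3 are dropped because the binding is already held by another port. The binding entries and the log list are returned so the filtering decisions can be inspected or fed to syslog/SNMP, as asked in the discussion.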