idnits 2.17.1 draft-shi-savi-access-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 3 instances of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (Nov 4, 2013) is 3819 days in the past. Is this intentional? Checking references for intended status: None ---------------------------------------------------------------------------- == Missing Reference: 'I-D.ietf-savi-mix' is mentioned on line 121, but not defined == Missing Reference: 'RFC2119' is mentioned on line 134, but not defined == Unused Reference: 'RFC 2119' is defined on line 510, but no explicit reference was found in the text == Outdated reference: A later version (-34) exists of draft-ietf-savi-dhcp-10 == Outdated reference: A later version (-14) exists of draft-ietf-savi-fcfs-09 == Outdated reference: A later version (-11) exists of draft-ietf-savi-send-06 == Outdated reference: A later version (-06) exists of draft-ietf-savi-framework-05 Summary: 3 errors (**), 0 flaws (~~), 9 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 SAVI F.Shi 2 Internet Draft China Telecom 3 Intended status: Standard Tracks K.Xu, L.Zhu, G.Hu 4 Expires: May 2014 Tsinghua Univ. 5 Nov 4, 2013 7 SAVI Requirements and Solutions for ISP IPv6 Access Network 8 draft-shi-savi-access-04.txt 10 Abstract 12 Internet is always confronted with many security threats based on IP 13 address spoofing which can enable impersonation and malicious traffic 14 redirection. Unfortunately, the Internet architecture fails to 15 provide the defense mechanism. Source Address Validation Improvement 16 (SAVI) was developed to prevent IP source address spoofing. 17 Especially, the mechanism is essential for ISPs. However, due to the 18 diversity of address assignment methods, SAVI solution is also 19 different accordingly. This document describes five scenarios of 20 ISPs'IPv6 access network, and moreover, states its SAVI requirements 21 and tentative solutions accordingly. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on May 4, 2014. 40 Copyright Notice 42 Copyright (c) 2013 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents carefully, 49 as they describe your rights and restrictions with respect to this 50 document. Code Components extracted from this document must include 51 Simplified BSD License text as described in Section 4.e of the Trust 52 Legal Provisions and are provided without warranty as described in 53 the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 10 57 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction ................................................. 3 70 2. Conventions used in this document ............................ 4 71 3. Terminology .................................................. 4 72 4. Scenarios for ISPs'IPv6 Access Network ....................... 4 73 4.1. Scenario 1: HRG acts as DHCPv6 proxy .................... 5 74 4.2. Scenario 2: STB gets IP address via DHCPv6 .............. 7 75 4.3. Scenario 3: PC gets IP address via PPPoE & RA ........... 8 76 4.4. Scenario 4: Laptop accesses Internet via WLAN ........... 9 77 4.5. Scenario 5: Laptop accesses Internet via C+W ........... 10 78 5. Conclusions ................................................. 12 79 6. References .................................................. 13 80 6.1. Normative References ................................... 13 81 7. Acknowledgments ............................................. 14 83 1. Introduction 85 Spoofing of IP source addresses can jeopardize people's privacy, 86 enable malicious traffic redirection which causes the network 87 topology and traffic information to be leaked out. Further, it will 88 be difficult to trace the source host which has forged the packet. 89 The Source Address Validation Improvement (SAVI) method was designed 90 to prevent hosts attached to the same link from spoofing each other's 91 IP address. It is developed to complement ingress filtering with 92 finer-grained, standardized IP source address validation. It is also 93 can be deployed easily in networks due to its modularization and 94 extensibility. 96 ISPs that provide Internet access services, information services and 97 value-added services to the customers always have to be confronted 98 with many threats enabled by IP source address spoofing, while the 99 Internet architecture fails to prevent IP source address spoofing 100 [draft-ietf-savi-threat-scope]. So they have an imperative demand to 101 apply the mechanism in order to defend the attack and ensure the 102 security of its network and customers' privacy. 104 Internet Service Provider has multiple access scenarios not limited 105 to Ethernet, and usually is deployed with DHCP. Other scenarios such 106 as ADSL with PPP and Ethernet with PPP are also popular in the real 107 world. Unfortunately, SAVI Switch only works in the scenarios of wire 108 or wireless Ethernet and does not support all address assignment 109 methods that can be used in access network. There are four address 110 assigned methods identified in one of the SAVI documents: 112 1. Stateless Address Auto Configuration (SLACC) [I-D.ietf-savi-fcfs] 114 2. Dynamic Host Control Protocol address assignment (DHCP) 115 [I-D.ietf-savi-dhcp] 117 3. Secure Neighbor Discovery (SeND) address assignment 118 [I-D.ietf-savi-send] 120 4. Mix Address assignment methods 121 [I-D.ietf-savi-mix] 123 Thus, According to different access network scenarios, SAVI should 124 adjust its deployment and make improvement to adapt to the real 125 situation. This note analyzes five scenarios of ISPs' IPv6 access 126 network, and on this basis, gives tentative SAVI solutions 127 accordingly. 129 2. Conventions used in this document 131 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 132 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 133 document are to be interpreted as described in RFC-2119 [RFC2119]. 135 In this document, these words will appear with that interpretation 136 only when in ALL CAPS. Lower case uses of these words are not to be 137 interpreted as carrying RFC-2119 significance. 139 3. Terminology 141 The following acronyms and terms are used throughout this document. 143 HRG: Home Residential Gateway, an intelligent gateway between network 144 devices and external network in a family. 146 BRAS: Broadband Remote Access Server, a network switch that funnels 147 traffic from DSL and/or cable modem aggregation devices to various 148 carriers' networks based on the type of an application or that of 149 a service required. 151 STB: Set Top Box, a device which can provide value-added services 152 used to enhance or extend the function of TV. 154 AAA: Authentication, Authorization, Accounting. AAA server can 155 provide verification and authority service. 157 C+W: CDMA (CDMA2000) + WLAN, an integrated wireless broadband network 158 business of China telecom. 160 WAG: Wireless Access Gateway. 162 PDSN: Packet Data Serving Node, responsible for the establishment and 163 terminating point-to-point protocol (PPP) connection and assign 164 dynamic address for nodes. 166 4. Scenarios for ISPs'IPv6 Access Network 168 There are various access methods for ISPs'IPv6 access network. To 169 facilitate the deployment of the SAVI method in networks of various 170 kinds, the SAVI method is designed to support different IP address 171 assignment methods [I-D.ietf-savi-framework]. However, there are 172 still some mixed address assignment methods which cannot be supported. 173 It is important to note that the deployment of SAVI device has been 174 impacted greatly by access network scenarios and its address 175 assignment methods. In order to meet different IP Source Address 176 Validation requirements, SAVI solutions may need to be improved to 177 adapt to the real situation. 179 From the perspective of SAVI deployment, there are five typical 180 scenarios of ISPs'IPv6 access network: 182 1. Home Residential gateway (HRG) acts as DHCPv6 proxy. 184 2. Set Top-box (STB) gets an IP address via DHCPv6. 186 3. Host gets IP address via PPPoE & RA. 188 4. Laptop accesses Internet via WLAN. 190 5. Laptop accesses Internet via C+W. 192 We will discuss the SAVI solution for each scenario in detail in the 193 next section. 195 4.1. Scenario 1: Home Residential gateway (HRG) acts as DHCPv6 proxy 197 +--------+ 198 | BRAS | 199 +-------,+ 200 (PPPoE/ND/RA)|| (DHCPv6-PD) 201 || 202 +---||---+ 203 | HRG | 204 +--/----/+ 205 (DHCPv6)| |(DHCPv6) 206 +----\-+ +\-----+ 207 | PC | | STB | 208 +------+ +------+ 210 Figure 1: Scenario 1 212 Figure 1 shows the main elements in scenario 1. PC and STB connect to 213 the Internet via HRG. Its address assignment mechanism can be 214 described as follows: First, HRG gets a link-local IPv6-IPv6 address 215 from BRAS via PPPoE and ND/RA. Then, HRG gets an IPv6 address from 216 BRAS via DHCPv6-PD. At last, PC and STB get IPv6 addresses from HRG 217 via DHCPv6. Of course, PC and STB can also get IPv6 addresses via 218 ND/RA, but the DHCPv6 is much more popular. 220 According to the SAVI mechanism, in order to achieve Source Address 221 Validation, the SAVI device must snoop the whole procedure of Address 222 assignment. In addition, the preferred location of SAVI instances is 223 close to hosts, such as in access switches that directly attach to 224 the hosts where host IP addresses are being validated [I-D.ietf-savi- 225 framework]. So we can deploy the SAVI device in places close to the 226 HRG, such as the first hop access device. It can be illustrated in 227 figure 2. 229 +--------+ 230 | BRAS | 231 +-------,+ 232 (PPPoE/ND/RA)|| (DHCPv6-PD) 233 || 234 . . . . . .|| . . . . . . . 235 . || Protection. 236 . +-------+ Perimeter. 237 . | SAVI | . 238 . | Device| . 239 . +-------+ . 240 . || . 241 . . . . . .|| . . . . . . . 242 +---||---+ 243 | HRG | 244 +--/----/+ 245 (DHCPv6) | |(DHCPv6) 246 +----\-+ +\-----+ 247 | PC | | STB | 248 | | | | 249 +------+ +------+ 251 Figure 2: SAVI solution for Scenario 1 253 Figure 2 shows the deployment of SAVI device. It also allows multiple 254 SAVI devices and non-SAVI devices co-existing on a link. In addition, 255 for this solution, the SAVI mechanism needs to improve to snoop the 256 procedure of DHCPv6-PD, so as to bind the relationship . 259 4.2. Scenario 2: STB gets an IP address via DHCPv6 261 The difference between scenario 1 and scenario 2 is the absence of HG 262 which acts as DHCPv6 proxy. In scenario 2, STB, having its internal 263 account and password gets IPv6 prefix by DHCPv6. The general scene 264 workflow includes the following steps: STB sends requests to all 265 routers on a local link by using a link-local address based on its 266 MAC address. The BRAS gives a message to STB to adopt DHCPv6 address 267 assignment method as a response. STB initiates the DHCPv6 procedure 268 and BRAS acts as a DHCP Relay to add some authorities' messages. An 269 AAA server decides whether assign address parameters depend on the 270 result of authentication. At last, BRAS receives IPv6 parameters from 271 AAA server, and then, informs STB via DHCPv6 protocol. It can be 272 illustrated in figure 3. 274 +--------+ +-----------+ 275 | AAA | |DHCP server| 276 +--------+ +-----------+ 277 \ / 278 || 279 || 280 +--||--+ 281 | BRAS | 282 +------+ 283 | 284 (DHCPv6) 285 | 286 +-------+ 287 | STB | 288 +-------+ 290 Figure 3: Scenario2 292 Figure 3 shows the main elements in scenario 2. Due to the pure 293 DHCPv6 address assignment method in this scenario, we can deploy SAVI 294 device in places close to STB directly and SAVI mechanism need not 295 make any improvement. It just needs to bind relationship which is supported in the existing 297 SAVI function. The solution can be illustrated in figure 4. 299 +--------+ +-----------+ 300 | AAA | |DHCP server| 301 +--------+ +-----------+ 302 \ / 303 +--||---+ 304 | BRAS | 305 +-------+ 306 | 307 (DHCPv6) 308 | 309 . . . . . . . . . . . 310 . +---------------+ . 311 . | SAVI device | . 312 . +---------------+ . 313 . . . . . . . . . . . 314 | 315 +-------+ 316 | STB | 317 +-------+ 319 Figure 4: SAVI solution for Scenario 2 321 4.3. Scenario 3: PC gets an IP address via PPPoE & RA 323 In this scenario, first of all, PC gets a link-local address from 324 BRAS via PPPoE. BRAS broadcasts IPv6 prefix via RA. Finally, PC 325 configures its address automatically and gets some additional 326 messages from BRAS. 328 +--------+ 329 | AAA | 330 +--------+ 331 \ 332 | 333 +---|---+ 334 | BRAS | 335 +-------+ 336 |(ND) 337 +-------+ 338 | PC | 339 +-------+ 341 Figure 5: Scenario3 343 Figure 5 shows the main elements in scenario 3. As the function of ND 344 snooping has already been designed, we only take PPPoE snooping into 345 account. Thus, the solution to this scenario which is illustrated in 346 figure 6 is to deploy the SAVI device directly and binding 347 relationship . In this scenario, 348 SAVI needs to improve in order to realize PPPoE snooping. 350 +--------+ 351 | AAA | 352 +--------+ 353 \ 354 +-- |---+ 355 | BRAS | 356 +-------+ 357 (ND)| 358 . . . . . . . . . . . 359 . +---------------+ . 360 . | SAVI device | . 361 . +---------------+ . 362 . . . . . . . . . . . 363 | 364 +-------+ 365 | PC | 366 +-------+ 368 Figure 6: SAVI solution for Scenario 3 370 4.4. Scenario 4: Laptop accesses Internet via public WLAN 372 The interaction in this scenario is relatively simple. The laptop 373 gets an IPv6 address via DHCPv6. Then, users are enforced to be 374 certified by submitting a password on a portal page. 376 +--------+ +-----------+ 377 | AAA | |DHCP server| 378 +--------+ +-----------+ 379 \/ 380 +--||---+ 381 | BRAS | 382 +-------+ 383 |(DHCPv6) 384 +-------+ 385 |LAPTOP | 386 +-------+ 388 Figure 7: Scenario 4 390 Figure 7 shows the main elements in scenario 4. We can deploy the 391 SAVI device directly and bind relationship . The solution can be illustrated in figure 8. 394 +--------+ +-----------+ 395 | AAA | |DHCP server| 396 +--------+ +-----------+ 397 \ / 398 || 399 +--||---+ 400 | BRAS | 401 +-------+ 402 |(DHCPv6) 403 | 404 . . . . . . . . . . . 405 . +---------------+ . 406 . | SAVI device | . 407 . +---------------+ . 408 . . . . . . . . . . . 409 | 410 +-------+ 411 |LAPTOP | 412 +-------+ 414 Figure 8: SAVI solution for Scenario 4 416 4.5. Scenario 5: Laptop accesses Internet via C+W 418 This scenario describes that the laptop accesses the Internet via 419 CDMA and WLAN. The general scene workflow includes the following 420 steps: The laptop gets a temporary IPv6 address from BARS via DHCPv6, 421 and then, obtains the WAG address from a DNS server. The laptop 422 establishes a UDP tunnel to WAG by sending register request. If the 423 tunnel is established successfully, the laptop can get IPv6 prefix 424 from PDSN via PPP and RA, whereas PDSN acts as the PPP terminal. At 425 last, the laptop gets some additional information such as the DNS 426 address. When the above steps are all accomplished, the laptop 427 acquires the ability to access the Internet. 429 +--------+ +-----------+ 430 | AAA |--| PDSN | 431 +--------+ +------|----+ 432 +--------+ +------|----+ 433 |AN-AAA |--| WAG | 434 +--------+ +-----------+ 435 // 436 // UDP tunnel 437 || 438 || 439 +--||---+ 440 | BRAS | 441 +-------+ 442 | 443 |(DHCPv6) 444 | 445 +-------+ 446 | LAPTOP| 447 +-------+ 449 Figure 9: Scenario 5 451 Figure 9 shows the main elements in scenario 5. in this scenario, we 452 also can deploy the SAVI device in places close to the LAPTOP. SAVI 453 needs to improve to support the PPPoE protocol snooping. It also 454 binds relationship . The 455 solution is described in figure 10. 457 +--------+ +-----------+ 458 | AAA |--| PDSN | 459 +--------+ +------|----+ 460 +--------+ +------|----+ 461 |AN-AAA |--| WAG | 462 +--------+ +-----------+ 463 // 464 // UDP tunnel 465 || 466 || 467 +--||---+ 468 | BRAS | 469 +-------+ 470 | 471 (DHCPv6) 472 | 473 +--------+ 474 | SAVI | 475 | device| 476 | | 477 +--------+ 478 | 479 | 480 +-------+ 481 |LAPTOP | 482 +-------+ 484 Figure 10: SAVI solution for Scenario 5 486 5. Conclusions 488 For ISPs, SAVI can defend against many security attacks effectively 489 which are based on IP address spoofing. There are various scenarios 490 of ISPs'IPv6 Access Network. As each scenario uses a different 491 address assignment method and protocol, there are a variety of 492 requirements to validate the source address for ISPs' IPv6 access 493 network. Though SAVI cannot support all protocols and methods right 494 now, due to expansibility of SAVI, the mechanism can satisfy various 495 demands with a small improvement. This document presents five typical 496 scenarios of ISPs'IPv6 access network, and proposes tentative SAVI 497 solutions. 499 Moreover, for functional verification, we conducted an experiment on 500 China Telecom's access network in Hunan province. The experimental 501 results show that source addresses can be validated effectively as we 502 expected in most access scenarios. Next, we will deploy more SAVI 503 devices on a large-scale network in order to form a complete 504 architecture. 506 6. References 508 6.1. Normative References 510 [RFC 2119] Bradner, S., "Key words for use in RFCs to 511 Indicate Requirement Levels", BCP 14, RFC 512 2119, March 1997. 514 [draft-ietf-savi-threat-scope] 516 McPherson, D., Baker, F., and J. Halpern, 517 "SAVI Threat Scope", draft-ietf-savi- 518 threat-scope-05, April 2011. 520 [I-D.ietf-savi-dhcp] Wu, J., Yao, G., Bi, J., and F. Baker, 521 "SAVI Solution for DHCP", draft-ietf-savi- 522 dhcp-10 (work in progress), July 2011. 524 [I-D.ietf-savi-fcfs] Nordmark, E., Bagnulo, M., and E. Levy- 525 Abegnoli, "FCFSSAVI: First-Come First-Serve 526 Source-Address Validation for Locally 527 Assigned IPv6 Addresses", draft-ietf-savi- 528 fcfs-09(work in progress), April 2011. 530 [I-D.ietf-savi-send] Bagnulo, M. and A. Garcia-Martinez, "SEND- 531 based Source-Address Validation 532 Implementation", draft-ietf-savi-send-06 533 (work in progress), October 2011. 535 [I-D.ietf-savi-framework] Wu, J., Bi, J., Bagnulo, M., Baker, F., and 536 C. Vogt, "Source Address Validation 537 Improvement Framework",draft-ietf-savi- 538 framework-05 (work in progress), July 2011. 540 7. Acknowledgments 542 This document was prepared using 2-Word-v2.0.template.dot. 544 Authors' Addresses 546 Fan Shi 547 China Telecom 548 Beijing Research Institute, China Telecom 549 Beijing, 100035 550 China 551 Email: shifan@ctbri.com.cn 553 Ke Xu 554 Tsinghua University 555 Department of Computer Science, Tsinghua University 556 Beijing, 100084 557 China 558 Email: xuke@mail.tsinghua.edu.cn 560 Liang Zhu 561 Tsinghua University 562 Department of Computer Science, Tsinghua University 563 Beijing, 100084 564 China 565 Email: tshbruce@gmail.com 567 Guangwu Hu 568 Tsinghua University 569 Department of Computer Science, Tsinghua University 570 Beijing, 100084 571 China 572 Email: hgw09@mails.tsinghua.edu.cn