< draft-shi-savi-access-10.txt   draft-shi-savi-access-11.txt >
SAVI F.Shi SAVI F.Shi
Internet Draft China Telecom Internet Draft China Telecom
Intended status: Standard Tracks K.Xu, L.Zhu, G.Hu, Y.Bo Intended status: Standard Tracks K.Xu, L.Zhu, G.Hu, Y.Bo
Expires: May 2017 Tsinghua Univ. Expires: Nov 2017 Tsinghua Univ.
Nov 14, 2016 May 16, 2017
SAVI Requirements and Solutions for ISP IPv6 Access Network SAVI Requirements and Solutions for ISP IPv6 Access Network
draft-shi-savi-access-10.txt draft-shi-savi-access-11.txt
Abstract Abstract
Internet is always confronted with many security threats based on IP Internet is always confronted with many security threats based on IP
address spoofing which can enable impersonation and malicious traffic address spoofing which can enable impersonation and malicious traffic
redirection. Unfortunately, the Internet architecture fails to redirection. Unfortunately, the Internet architecture fails to
provide the defense mechanism. Source Address Validation Improvement provide the defense mechanism. Source Address Validation Improvement
(SAVI) was developed to prevent IP source address spoofing. (SAVI) was developed to prevent IP source address spoofing.
Especially, the mechanism is essential for ISPs. However, due to the Especially, the mechanism is essential for ISPs. However, due to the
diversity of address assignment methods, SAVI solution is also diversity of address assignment methods, SAVI solution is also
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current. Drafts is at http://datatracker.ietf.org/drafts/current.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 14, 2017. This Internet-Draft will expire on Nov 16, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents carefully, publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this as they describe your rights and restrictions with respect to this
document. Code Components extracted from this document must include document. Code Components extracted from this document must include
Simplified BSD License text as described in Section 4.e of the Trust Simplified BSD License text as described in Section 4.e of the Trust
Legal Provisions and are provided without warranty as described in Legal Provisions and are provided without warranty as described in
skipping to change at page 2, line 37 skipping to change at page 2, line 37
Table of Contents Table of Contents
1. Introduction ................................................. 3 1. Introduction ................................................. 3
2. Conventions used in this document ............................ 4 2. Conventions used in this document ............................ 4
3. Terminology .................................................. 4 3. Terminology .................................................. 4
4. Scenarios for ISPs'IPv6 Access Network ....................... 4 4. Scenarios for ISPs'IPv6 Access Network ....................... 4
4.1. Scenario 1: HRG acts as DHCPv6 proxy .................... 5 4.1. Scenario 1: HRG acts as DHCPv6 proxy .................... 5
4.2. Scenario 2: STB gets IP address via DHCPv6 .............. 7 4.2. Scenario 2: STB gets IP address via DHCPv6 .............. 7
4.3. Scenario 3: PC gets IP address via PPPoE & RA ........... 8 4.3. Scenario 3: PC gets IP address via PPPoE & RA ........... 8
4.4. Scenario 4: Laptop accesses Internet via WLAN ........... 9 4.4. Scenario 4: Laptop accesses Internet via WLAN ........... 9
4.5. Scenario 5: Laptop accesses Internet via C+W ........... 10 4.5. Scenario 5: Laptop accesses Internet via C+W ............ 10
5. Conclusions ................................................. 12 5. Conclusions .................................................. 12
6. References .................................................. 13 6. References ................................................... 13
6.1. Normative References ................................... 13 6.1. Normative References ................................... 13
7. Acknowledgments ............................................. 14 7. Acknowledgments .............................................. 14
1. Introduction 1. Introduction
Spoofing of IP source addresses can jeopardize people's privacy, Spoofing of IP source addresses can jeopardize people's privacy,
enable malicious traffic redirection which causes the network enable malicious traffic redirection which causes the network
topology and traffic information to be leaked out. Further, it will topology and traffic information to be leaked out. Further, it will
be difficult to trace the source host which has forged the packet. be difficult to trace the source host which has forged the packet.
The Source Address Validation Improvement (SAVI) method was designed The Source Address Validation Improvement (SAVI) method was designed
to prevent hosts attached to the same link from spoofing each other's to prevent hosts attached to the same link from spoofing each other's
IP address. It is developed to complement ingress filtering with IP address. It is developed to complement ingress filtering with
skipping to change at page 5, line 30 skipping to change at page 5, line 30
5. Laptop accesses Internet via C+W. 5. Laptop accesses Internet via C+W.
We will discuss the SAVI solution for each scenario in detail in the We will discuss the SAVI solution for each scenario in detail in the
next section. next section.
4.1. Scenario 1: Home Residential gateway (HRG) acts as DHCPv6 proxy 4.1. Scenario 1: Home Residential gateway (HRG) acts as DHCPv6 proxy
+--------+ +--------+
| BRAS | | BRAS |
+-------,+ +-------,+
(PPPoE/ND/RA)|| (DHCPv6-PD) (PPPoE/ND/RA)|| (DHCPv6-PD)
|| ||
+--||---+ +---||---+
| HRG | | HRG |
+--/----/+ +--/----/+
(DHCPv6)| |(DHCPv6) (DHCPv6)| |(DHCPv6)
+----\-+ +\-----+ +----\-+ +\-----+
| PC | | STB | | PC | | STB |
| | | |
+------+ +------+ +------+ +------+
Figure 1: Scenario 1 Figure 1: Scenario 1
Figure 1 shows the main elements in scenario 1. PC and STB connect to Figure 1 shows the main elements in scenario 1. PC and STB connect to
the Internet via HRG. Its address assignment mechanism can be the Internet via HRG. Its address assignment mechanism can be
described as follows: First, HRG gets a link-local IPv6-IPv6 address described as follows: First, HRG gets a link-local IPv6-IPv6 address
from BRAS via PPPoE and ND/RA. Then, HRG gets an IPv6 address from from BRAS via PPPoE and ND/RA. Then, HRG gets an IPv6 address from
BRAS via DHCPv6-PD. At last, PC and STB get IPv6 addresses from HRG BRAS via DHCPv6-PD. At last, PC and STB get IPv6 addresses from HRG
via DHCPv6. Of course, PC and STB can also get IPv6 addresses via via DHCPv6. Of course, PC and STB can also get IPv6 addresses via
skipping to change at page 7, line 20 skipping to change at page 7, line 20
workflow includes the following steps: STB sends requests to all workflow includes the following steps: STB sends requests to all
routers on a local link by using a link-local address based on its routers on a local link by using a link-local address based on its
MAC address. The BRAS gives a message to STB to adopt DHCPv6 address MAC address. The BRAS gives a message to STB to adopt DHCPv6 address
assignment method as a response. STB initiates the DHCPv6 procedure assignment method as a response. STB initiates the DHCPv6 procedure
and BRAS acts as a DHCP Relay to add some authorities' messages. An and BRAS acts as a DHCP Relay to add some authorities' messages. An
AAA server decides whether assign address parameters depend on the AAA server decides whether assign address parameters depend on the
result of authentication. At last, BRAS receives IPv6 parameters from result of authentication. At last, BRAS receives IPv6 parameters from
AAA server, and then, informs STB via DHCPv6 protocol. It can be AAA server, and then, informs STB via DHCPv6 protocol. It can be
illustrated in figure 3. illustrated in figure 3.
+--------+ +-----------+ +--------+ +-----------+
| AAA | |DHCP server| | AAA | |DHCP server|
+--------+ +-----------+ +--------+ +-----------+
\ / \ /
||
|| ||
+---||--+ ||
| BRAS | +---||---+
+-------+ | BRAS |
| +--------+
(DHCPv6) |
| (DHCPv6)
+-------+ |
| STB | +-------+
+-------+ | STB |
+-------+
Figure 3: Scenario2 Figure 3: Scenario2
Figure 3 shows the main elements in scenario 2. Due to the pure Figure 3 shows the main elements in scenario 2. Due to the pure
DHCPv6 address assignment method in this scenario, we can deploy SAVI DHCPv6 address assignment method in this scenario, we can deploy SAVI
device in places close to STB directly and SAVI mechanism need not device in places close to STB directly and SAVI mechanism need not
make any improvement. It just needs to bind relationship <STB's IP make any improvement. It just needs to bind relationship <STB's IP
Address, port, STB's MAC Address> which is supported in the existing Address, port, STB's MAC Address> which is supported in the existing
SAVI function. The solution can be illustrated in figure 4. SAVI function. The solution can be illustrated in figure 4.
+--------+ +-----------+ +--------+ +-----------+
| AAA | |DHCP server| | AAA | |DHCP server|
+--------+ +-----------+ +--------+ +-----------+
\ / \ /
+--||---+ +--||---+
| BRAS | | BRAS |
+-------+ +-------+
| |
(DHCPv6) (DHCPv6)
| |
. . . . . . . . . . . . . . . . . . . . . .
. +---------------+ . . +---------------+ .
. | SAVI device | . . | SAVI device | .
. +---------------+ . . +---------------+ .
. . . . . . . . . . . . . . . . . . . . . .
| |
+-------+ +-------+
skipping to change at page 8, line 34 skipping to change at page 8, line 34
Figure 4: SAVI solution for Scenario 2 Figure 4: SAVI solution for Scenario 2
4.3. Scenario 3: PC gets an IP address via PPPoE & RA 4.3. Scenario 3: PC gets an IP address via PPPoE & RA
In this scenario, first of all, PC gets a link-local address from In this scenario, first of all, PC gets a link-local address from
BRAS via PPPoE. BRAS broadcasts IPv6 prefix via RA. Finally, PC BRAS via PPPoE. BRAS broadcasts IPv6 prefix via RA. Finally, PC
configures its address automatically and gets some additional configures its address automatically and gets some additional
messages from BRAS. messages from BRAS.
+--------+ +--------+
| AAA | | AAA |
+--------+ +--------+
\ \
| |
+---|---+ +---|---+
| BRAS | | BRAS |
+-------+ +-------+
|(ND) |(ND)
+-------+ +-------+
| PC | | PC |
+-------+ +-------+
Figure 5: Scenario3 Figure 5: Scenario3
Figure 5 shows the main elements in scenario 3. As the function of ND Figure 5 shows the main elements in scenario 3. As the function of ND
snooping has already been designed, we only take PPPoE snooping into snooping has already been designed, we only take PPPoE snooping into
account. Thus, the solution to this scenario which is illustrated in account. Thus, the solution to this scenario which is illustrated in
figure 6 is to deploy the SAVI device directly and binding figure 6 is to deploy the SAVI device directly and binding
relationship <PC's IP Address, port, PC's MAC>. In this scenario, relationship <PC's IP Address, port, PC's MAC>. In this scenario,
SAVI needs to improve in order to realize PPPoE snooping. SAVI needs to improve in order to realize PPPoE snooping.
+--------+ +--------+
| AAA | | AAA |
+--------+ +--------+
\ \
+-- |---+ +---|---+
| BRAS | | BRAS |
+-------+ +-------+
(ND)| (ND)|
. . . . . . . . . . . . . . . . . . . . . .
. +---------------+ . . +---------------+ .
. | SAVI device | . . | SAVI device | .
. +---------------+ . . +---------------+ .
. . . . . . . . . . . . . . . . . . . . . .
| |
+-------+ +-------+
| PC | | PC |
+-------+ +-------+
Figure 6: SAVI solution for Scenario 3 Figure 6: SAVI solution for Scenario 3
4.4. Scenario 4: Laptop accesses Internet via public WLAN 4.4. Scenario 4: Laptop accesses Internet via public WLAN
The interaction in this scenario is relatively simple. The laptop The interaction in this scenario is relatively simple. The laptop
gets an IPv6 address via DHCPv6. Then, users are enforced to be gets an IPv6 address via DHCPv6. Then, users are enforced to be
certified by submitting a password on a portal page. certified by submitting a password on a portal page.
+--------+ +-----------+ +--------+ +-----------+
| AAA | |DHCP server| | AAA | |DHCP server|
+--------+ +-----------+ +--------+ +-----------+
\/ \/
+--||---+ +--||---+
| BRAS | | BRAS |
+-------+ +-------+
|(DHCPv6) |(DHCPv6)
+-------+ +-------+
|LAPTOP | |LAPTOP |
+-------+ +-------+
Figure 7: Scenario 4 Figure 7: Scenario 4
Figure 7 shows the main elements in scenario 4. We can deploy the Figure 7 shows the main elements in scenario 4. We can deploy the
SAVI device directly and bind relationship <LAPTOP's IP Address, port, SAVI device directly and bind relationship <LAPTOP's IP Address, port,
LAPTOP's MAC>. The solution can be illustrated in figure 8. LAPTOP's MAC>. The solution can be illustrated in figure 8.
+--------+ +-----------+ +--------+ +-----------+
| AAA | |DHCP server| | AAA | |DHCP server|
+--------+ +-----------+ +--------+ +-----------+
\ / \ /
|| ||
+--||---+ +---||---+
| BRAS | | BRAS |
+-------+ +--------+
|(DHCPv6) |(DHCPv6)
| |
. . . . . . . . . . . . . . . . . . . . . .
. +---------------+ . . +---------------+ .
. | SAVI device | . . | SAVI device | .
. +---------------+ . . +---------------+ .
. . . . . . . . . . . . . . . . . . . . . .
| |
+-------+ +-------+
|LAPTOP | |LAPTOP |
+-------+ +-------+
Figure 8: SAVI solution for Scenario 4 Figure 8: SAVI solution for Scenario 4
4.5. Scenario 5: Laptop accesses Internet via C+W 4.5. Scenario 5: Laptop accesses Internet via C+W
This scenario describes that the laptop accesses the Internet via This scenario describes that the laptop accesses the Internet via
CDMA and WLAN. The general scene workflow includes the following CDMA and WLAN. The general scene workflow includes the following
skipping to change at page 11, line 21 skipping to change at page 11, line 21
+--------+ +-----------+ +--------+ +-----------+
| AAA |--| PDSN | | AAA |--| PDSN |
+--------+ +------|----+ +--------+ +------|----+
+--------+ +------|----+ +--------+ +------|----+
|AN-AAA |--| WAG | |AN-AAA |--| WAG |
+--------+ +-----------+ +--------+ +-----------+
// //
// UDP tunnel // UDP tunnel
|| ||
|| ||
+--||---+ +--||---+
| BRAS | | BRAS |
+-------+ +-------+
| |
|(DHCPv6) |(DHCPv6)
| |
+-------+ +-------+
| LAPTOP| | LAPTOP|
+-------+ +-------+
Figure 9: Scenario 5 Figure 9: Scenario 5
Figure 9 shows the main elements in scenario 5. in this scenario, we Figure 9 shows the main elements in scenario 5. in this scenario, we
also can deploy the SAVI device in places close to the LAPTOP. SAVI also can deploy the SAVI device in places close to the LAPTOP. SAVI
needs to improve to support the PPPoE protocol snooping. It also needs to improve to support the PPPoE protocol snooping. It also
binds relationship <LAPTOP's IP Address, port, LAPTOP's MAC>. The binds relationship <LAPTOP's IP Address, port, LAPTOP's MAC>. The
solution is described in figure 10. solution is described in figure 10.
+--------+ +-----------+ +--------+ +-----------+
| AAA |--| PDSN | | AAA |--| PDSN |
+--------+ +------|----+ +--------+ +------|----+
+--------+ +------|----+ +--------+ +------|----+
|AN-AAA |--| WAG | |AN-AAA |--| WAG |
+--------+ +-----------+ +--------+ +-----------+
// //
// UDP tunnel // UDP tunnel
|| ||
|| ||
+--||---+ +--||---+
| BRAS | | BRAS |
+-------+ +-------+
| |
(DHCPv6) (DHCPv6)
| |
+--------+ +--------+
| SAVI | | SAVI |
| device| | device|
| | | |
+--------+ +--------+
| |
| |
+-------+ +-------+
|LAPTOP | |LAPTOP |
+-------+ +-------+
 End of changes. 24 change blocks. 
62 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/