idnits 2.17.1 draft-ietf-savi-mix-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 6, 2011) is 4737 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2119' is defined on line 240, but no explicit reference was found in the text == Unused Reference: 'RFC2460' is defined on line 267, but no explicit reference was found in the text == Unused Reference: 'RFC3315' is defined on line 270, but no explicit reference was found in the text == Unused Reference: 'RFC3971' is defined on line 274, but no explicit reference was found in the text == Unused Reference: 'RFC3972' is defined on line 277, but no explicit reference was found in the text == Outdated reference: A later version (-34) exists of draft-ietf-savi-dhcp-09 == Outdated reference: A later version (-14) exists of draft-ietf-savi-fcfs-09 == Outdated reference: A later version (-06) exists of draft-ietf-savi-framework-04 == Outdated reference: A later version (-11) exists of draft-ietf-savi-send-05 -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Bi 3 Internet-Draft CERNET 4 Intended status: Standards Track G. Yao 5 Expires: November 7, 2011 Tsinghua University 6 J. Halpern 7 Newbridge Networks Inc 8 E. Levy-Abegnoli, Ed. 9 Cisco Systems 10 May 6, 2011 12 SAVI for Mixed Address Assignment Methods Scenario 13 draft-ietf-savi-mix-00 15 Abstract 17 This document reviews how multiple address discovery methods can 18 coexist in a single SAVI device and collisions are resolved when the 19 same binding entry is discovered by two or more methods. 21 Status of this Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on November 7, 2011. 38 Copyright Notice 40 Copyright (c) 2011 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Problem Scope . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Recommendations for preventing collisions . . . . . . . . . . . 4 58 4. Handing binding collisions . . . . . . . . . . . . . . . . . . 4 59 4.1. Same Address on Different Binding Anchors . . . . . . . . . 4 60 4.1.1. Basic preference . . . . . . . . . . . . . . . . . . . 5 61 4.1.2. Overwritten preference . . . . . . . . . . . . . . . . 5 62 4.1.3. Multiple SAVI Device Scenario . . . . . . . . . . . . . 5 63 4.2. Same Address on the Same Binding Anchor . . . . . . . . . . 6 64 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 65 5.1. Normative References . . . . . . . . . . . . . . . . . . . 6 66 5.2. Informative References . . . . . . . . . . . . . . . . . . 6 67 Appendix A. Contributors and Acknowledgments . . . . . . . . . . . 7 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 70 1. Introduction 72 There are currently several documents [I-D.ietf-savi-fcfs], 73 [I-D.ietf-savi-dhcp], [I-D.ietf-savi-send] that describe the 74 different methods by which a switch can discover and record bindings 75 between a node's layer3 address and a binding anchor and use that 76 binding to perform Source Address Validation. 78 The method used by nodes to assign the address drove the break down 79 into these multiple documents, whether StateLess Autoconfiguration 80 (SLAAC), Dynamic Host Control Protocol (DHCP), Secure Neighbor 81 Discovery (SeND) or manual. Each of these documents describes 82 separately how one particular discovery method deals with address 83 collisions (same address, different anchor). 85 While multiple assignment methods can be used in the same layer2 86 domain, a SAVI device might have to deal with a mix of binding 87 discovery methods. The purpose of this document is to provide 88 recommendations to avoid collisions and to review collisions handling 89 when two or more such methods come up with competing bindings. 91 2. Problem Scope 93 There are three address assignment methods identified and reviewed in 94 one of the SAVI document: 95 1. StateLess Address AutoConfiguration (SLAAC) - reviewed in 96 [I-D.ietf-savi-fcfs] 97 2. Dynamic Host Control Protocol address assignment (DHCP) - 98 reviewed in [I-D.ietf-savi-dhcp] 99 3. Secure Neighbor Discovery (SeND) address assignment, reviewed in 100 [I-D.ietf-savi-send] 102 Each address assignment method corresponds to a binding discovery 103 method: SAVI-FCFS, SAVI-DHCP and SAVI-SeND. In addition, there is a 104 fourth method for installing a bindings on the switch, referred to as 105 "manual". It is based on manual (address or prefix) binding 106 configuration and is reviewed in [I-D.ietf-savi-fcfs] and 107 [I-D.ietf-savi-framework] 109 All combinations of address assignment methods can coexist within a 110 layer2 domain. A SAVI device will have to implement the 111 corresponding SAVI discovery methods (referred to as a "SAVI 112 solution") to enable Source Address Validation. If more than one 113 SAVI solution is enabled on a SAVI device, the method is referred to 114 as "mix address assignment method" in this document. 116 SAVI solutions are independent from each other, each one handling its 117 own entries. In the absence of reconciliation, each solution will 118 reject packets sourced with an address it did not discovered. To 119 prevent addresses discovered by one solution to be filtered out by 120 another, the binding table should be shared by all the solutions. 121 However this could create some conflict when the same entry is 122 discovered by two different methods: the purpose of this document is 123 of two folds: provide recommendations to avoid conflicts, and resolve 124 conflicts if and when they happen. Collisions happening within a 125 given solution are outside the scope of this document. 127 3. Recommendations for preventing collisions 129 If each solution has a dedicated address space, collisions won't 130 happen. Thus, in order to avoid overlap in the address space across 131 SAVI solutions enabled on any particular SAVI device, it is 132 recommended to 134 1. DHCP/SLAAC: separate the prefix scope of DHCP and SLAAC. Set the 135 A bit in Prefix information option of Router Advertisement for 136 SLAAC prefix. And set the M bit in Router Advertisement for DHCP 137 prefix. [RFC4861] [RFC4862]. 138 2. SeND/non-SeND: avoid mixed environment (where SeND and non-SeND 139 nodes are deployed) or separate the prefixes announced to SeND 140 and non-SenD nodes. One way to separate the prefixes is to have 141 the router()s announcing different (non-overlapping) prefixes to 142 SeND and to non-SeND nodes, using unicast Router Advertisements, 143 in response to SeND/non-SeND Router Solicit. 145 4. Handing binding collisions 147 In situations where collisions could not be avoided, two cases should 148 be considered: 149 1. The same address is bound on two different binding anchors by 150 different SAVI solutions. 151 2. The same address is bound on the same binding anchor by different 152 SAVI solutions. 154 4.1. Same Address on Different Binding Anchors 156 This is the very case of collision that could not be prevented by 157 separating the assignment address spaces. For instance, an address 158 is assigned by SLAAC on node X, installed in the binding table using 159 SAVI-FCFS, anchored to "anchor-X". Later, the same address is 160 assigned by DHCP to node Y, as a potential candidate in the same 161 binding table, anchored to "anchor-Y". 163 4.1.1. Basic preference 165 Within the SAVI perimeter, one address bound to a binding anchor by 166 one SAVI solution could also be bound by another SAVI solution to a 167 different binding anchor. If the DAD procedure is not performed, the 168 same address will also be bound to the new binding anchor. Both 169 bindings are legitimate within the corresponding solution. 171 Though it is possible that the hosts and network can still work in 172 such scenario, the uniqueness of address is not insured. The SAVI 173 device must decide whom the address should be bound with. Current 174 standard documents of address assignment methods have implied the 175 prioritization relationship (first-come). In the absence of any 176 configuration or protocol hint (see Section 4.1.2) the SAVI device 177 should choose the first-come entry, whether it was learnt from SLACC, 178 SeND or DHCP. 180 4.1.2. Overwritten preference 182 There are two identified exceptions to the general prioritization 183 model, one of them being CGA addresses, another one controlled by the 184 configuration of the switch: 186 1. When CGA addresses are used, and a collision is detected, 187 preference should be given to the anchor that carries the CGA 188 credentials once they are verified, in particular the CGA 189 parameters and the RSA options. 190 2. The SAVI device should allow the configuration of a prefix or a 191 single address, together with a given anchor or constrained to be 192 discovered by a particular SAVI solution (see also "Prefix 193 Configuration" section in [I-D.ietf-savi-framework]. If a DAD 194 message for a target within a configured prefix (or equal to a 195 configured single address) is received on the SAVI device from an 196 anchor, or via a discovery method different from the one 197 configured, the switch should defend the address by responding to 198 the DAD message. It should not at this point install an entry 199 into the binding table. This is especially useful to protect 200 well known bindings such as a static address of a server over 201 anybody, even when the server is down. It is also a way to give 202 priority to a binding learnt from SAVI-DHCP over a binding for 203 the same address, learnt from SAVI-FCFS. 205 4.1.3. Multiple SAVI Device Scenario 207 A single SAVI device doesn't have the information of all bound 208 addresses on the perimeter. Therefore it is not enough to lookup 209 local bindings to identify a collision. However, assuming DAD is 210 performed throughout the security perimeter for all addresses 211 regardless of the assignment method, then DAD response will inform 212 all SAVI devices about any collision. In that case, FCFS will apply 213 the same way as in a single switch scenario. If the admin configured 214 on one the switches a prefix (or a single static binding) to defend, 215 the DAD response generated by this switch will also prevent the 216 binding to be installed on other switches of the perimeter. 218 4.2. Same Address on the Same Binding Anchor 220 A binding may be set up on the same binding anchor by multiple 221 solutions. Generally, the binding lifetimes of different solutions 222 are different. Potentially, if one solution requires to remove the 223 binding, the node using the address may be taken the use right. 225 For example, a node performs DAD procedure after being assigned an 226 address from DHCP, then the address will also be bound by SAVI-FCFS. 227 If the SAVI-FCFS lifetime is shorter than DHCP lifetime, when the 228 SAVI-FCFS lifetime expires, it will request to remove the binding. 229 If the binding is removed, the node will not be able to use the 230 address even the DHCP lease time doesn't expire. 232 The solution proposed is to keep a binding as long as possible. A 233 binding is kept until it has been required to be removed by all the 234 solutions that ever set up it. 236 5. References 238 5.1. Normative References 240 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 241 Requirement Levels", BCP 14, RFC 2119, March 1997. 243 5.2. Informative References 245 [I-D.ietf-savi-dhcp] 246 Wu, J., Yao, G., Bi, J., and F. Baker, "SAVI Solution for 247 DHCP", draft-ietf-savi-dhcp-09 (work in progress), 248 April 2011. 250 [I-D.ietf-savi-fcfs] 251 Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS 252 SAVI: First-Come First-Serve Source-Address Validation for 253 Locally Assigned IPv6 Addresses", draft-ietf-savi-fcfs-09 254 (work in progress), April 2011. 256 [I-D.ietf-savi-framework] 257 Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, 258 "Source Address Validation Improvement Framework", 259 draft-ietf-savi-framework-04 (work in progress), 260 March 2011. 262 [I-D.ietf-savi-send] 263 Bagnulo, M. and A. Garcia-Martinez, "SEND-based Source- 264 Address Validation Implementation", 265 draft-ietf-savi-send-05 (work in progress), April 2011. 267 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 268 (IPv6) Specification", RFC 2460, December 1998. 270 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 271 and M. Carney, "Dynamic Host Configuration Protocol for 272 IPv6 (DHCPv6)", RFC 3315, July 2003. 274 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure 275 Neighbor Discovery (SEND)", RFC 3971, March 2005. 277 [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", 278 RFC 3972, March 2005. 280 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 281 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 282 September 2007. 284 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 285 Address Autoconfiguration", RFC 4862, September 2007. 287 Appendix A. Contributors and Acknowledgments 289 Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun and 290 Jari Arkko for their valuable contributions. 292 Authors' Addresses 294 Jun Bi 295 CERNET 296 Network Research Center, Tsinghua University 297 Beijing 100084 298 China 300 Email: junbi@cernet.edu.cn 301 Guang Yao 302 Tsinghua University 303 Network Research Center, Tsinghua University 304 Beijing 100084 305 China 307 Email: yaoguang.china@gmail.com 309 Joel M. Halpern 310 Newbridge Networks Inc 312 Email: jmh@joelhalpern.com 314 Eric Levy-Abegnoli (editor) 315 Cisco Systems 316 Village d'Entreprises Green Side - 400, Avenue Roumanille 317 Biot-Sophia Antipolis - 06410 318 France 320 Email: elevyabe@cisco.com