idnits 2.17.1 draft-ietf-savi-mix-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 26, 2011) is 4559 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2119' is defined on line 233, but no explicit reference was found in the text == Unused Reference: 'RFC2460' is defined on line 260, but no explicit reference was found in the text == Unused Reference: 'RFC3315' is defined on line 263, but no explicit reference was found in the text == Unused Reference: 'RFC3971' is defined on line 267, but no explicit reference was found in the text == Unused Reference: 'RFC3972' is defined on line 270, but no explicit reference was found in the text == Outdated reference: A later version (-34) exists of draft-ietf-savi-dhcp-10 == Outdated reference: A later version (-14) exists of draft-ietf-savi-fcfs-09 == Outdated reference: A later version (-06) exists of draft-ietf-savi-framework-05 == Outdated reference: A later version (-11) exists of draft-ietf-savi-send-06 -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Bi 3 Internet-Draft CERNET 4 Intended status: Standards Track G. Yao 5 Expires: April 28, 2012 Tsinghua University 6 J. Halpern 7 Newbridge Networks Inc 8 E. Levy-Abegnoli, Ed. 9 Cisco Systems 10 October 26, 2011 12 SAVI for Mixed Address Assignment Methods Scenario 13 draft-ietf-savi-mix-01 15 Abstract 17 This document reviews how multiple address discovery methods can 18 coexist in a single SAVI device and collisions are resolved when the 19 same binding entry is discovered by two or more methods. 21 Status of this Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on April 28, 2012. 38 Copyright Notice 40 Copyright (c) 2011 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Problem Scope . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Recommendations for preventing collisions . . . . . . . . . . . 4 58 4. Handing binding collisions . . . . . . . . . . . . . . . . . . 4 59 4.1. Same Address on Different Binding Anchors . . . . . . . . . 4 60 4.1.1. Basic preference . . . . . . . . . . . . . . . . . . . 5 61 4.1.2. Overwritten preference . . . . . . . . . . . . . . . . 5 62 4.1.3. Multiple SAVI Device Scenario . . . . . . . . . . . . . 5 63 4.2. Same Address on the Same Binding Anchor . . . . . . . . . . 6 64 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 65 5.1. Normative References . . . . . . . . . . . . . . . . . . . 6 66 5.2. Informative References . . . . . . . . . . . . . . . . . . 6 67 Appendix A. Contributors and Acknowledgments . . . . . . . . . . . 7 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 70 1. Introduction 72 There are currently several documents [I-D.ietf-savi-fcfs], 73 [I-D.ietf-savi-dhcp] and [I-D.ietf-savi-send] that describe the 74 different methods by which a switch can discover and record bindings 75 between a node's layer3 address and a binding anchor and use that 76 binding to perform Source Address Validation. Each of these 77 documents specifies how to learn on-link addresses, based on the 78 method used for their assignment, respectively: StateLess 79 Autoconfiguration (SLAAC), Dynamic Host Control Protocol (DHCP) and 80 Secure Neighbor Discovery (SeND). Each of these documents describes 81 separately how one particular discovery method deals with address 82 collisions (same address, different anchor). 84 While multiple assignment methods can be used in the same layer2 85 domain, a SAVI device might have to deal with a mix of binding 86 discovery methods. The purpose of this document is to provide 87 recommendations to avoid collisions and to review collisions handling 88 when two or more such methods come up with competing bindings. 90 2. Problem Scope 92 There are three address assignment methods identified and reviewed in 93 one of the SAVI document: 94 1. StateLess Address AutoConfiguration (SLAAC) - reviewed in 95 [I-D.ietf-savi-fcfs] 96 2. Dynamic Host Control Protocol address assignment (DHCP) - 97 reviewed in [I-D.ietf-savi-dhcp] 98 3. Secure Neighbor Discovery (SeND) address assignment, reviewed in 99 [I-D.ietf-savi-send] 101 Each address assignment method corresponds to a binding discovery 102 method: SAVI-FCFS, SAVI-DHCP and SAVI-SeND. In addition, there is a 103 fourth method for installing a bindings on the switch, referred to as 104 "manual". It is based on manual (address or prefix) binding 105 configuration and is reviewed in [I-D.ietf-savi-fcfs] and 106 [I-D.ietf-savi-framework] 108 All combinations of address assignment methods can coexist within a 109 layer2 domain. A SAVI device will have to implement the 110 corresponding SAVI discovery methods (referred to as a "SAVI 111 solution") to enable Source Address Validation. If more than one 112 SAVI solution is enabled on a SAVI device, the method is referred to 113 as "mix address assignment method" in this document. 115 SAVI solutions are independent from each other, each one handling its 116 own entries. In the absence of reconciliation, each solution will 117 reject packets sourced with an address it did not discovered. To 118 prevent addresses discovered by one solution to be filtered out by 119 another, the binding table should be shared by all the solutions. 120 However this could create some conflict when the same entry is 121 discovered by two different methods: the purpose of this document is 122 of two folds: provide recommendations and method to avoid conflicts, 123 and resolve conflicts if and when they happen. Collisions happening 124 within a given solution are outside the scope of this document. 126 3. Recommendations for preventing collisions 128 If each solution has a dedicated address space, collisions won't 129 happen. Using non overlapping address space across SAVI solutions is 130 therefore recommended. To that end, one should: 132 1. DHCP/SLAAC: use non-overlapping prefix for DHCP and SLAAC. Set 133 the A bit in Prefix information option of Router Advertisement 134 for SLAAC prefix. And set the M bit in Router Advertisement for 135 DHCP prefix. For detail explanations on these bits, refer to 136 [RFC4861] [RFC4862]. 137 2. SeND/non-SeND: avoid mixed environment (where SeND and non-SeND 138 nodes are deployed) or separate the prefixes announced to SeND 139 and non-SenD nodes. One way to separate the prefixes is to have 140 the router()s announcing different (non-overlapping) prefixes to 141 SeND and to non-SeND nodes, using unicast Router Advertisements, 142 in response to SeND/non-SeND Router Solicit. 144 4. Handing binding collisions 146 In situations where collisions could not be avoided, two cases should 147 be considered: 148 1. The same address is bound on two different binding anchors by 149 different SAVI solutions. 150 2. The same address is bound on the same binding anchor by different 151 SAVI solutions. 153 4.1. Same Address on Different Binding Anchors 155 This would typically occur in case assignment address spaces could 156 not be separated. For instance,overl an address is assigned by SLAAC 157 on node X, installed in the binding table using SAVI-FCFS, anchored 158 to "anchor-X". Later, the same address is assigned by DHCP to node 159 Y, as a potential candidate in the same binding table, anchored to 160 "anchor-Y". 162 4.1.1. Basic preference 164 The SAVI device must decide whom the address should be bound with 165 (anchor-X or anchor-Y in this example). Current standard documents 166 of address assignment methods have implied the prioritization 167 relationship (first-come). In the absence of any configuration or 168 protocol hint (see Section 4.1.2) the SAVI device should choose the 169 first-come entry, whether it was learnt from SLACC, SeND or DHCP. 171 4.1.2. Overwritten preference 173 There are two identified exceptions to the general prioritization 174 model, one of them being CGA addresses, another one controlled by the 175 configuration of the switch: 177 1. When CGA addresses are used, and a collision is detected, 178 preference should be given to the anchor that carries the CGA 179 credentials once they are verified, in particular the CGA 180 parameters and the RSA options. Note that if an attacker was 181 trying to replay CGA credentials, he would then compete on the 182 base of fcfs (first-come, first-serve). 183 2. The SAVI device should allow the configuration of a triplet 184 ("prefix", "anchor", "method") or ("address", "anchor", 185 "method"). Later, if a DAD message is received for a target 186 within "prefix" (or equal "address") bound to "anchor1" 187 (different from "anchor"), or via a discovery method different 188 from "method", the switch should defend the address by responding 189 to the DAD message. It should not at this point install the 190 entry into the binding table. It will simply prevent the node to 191 assign the address, and will de-facto prioritize the configured 192 anchor or configured assignment method for that address. This is 193 especially useful to protect well known bindings such as a static 194 address of a server over anybody, even when the server is down. 195 It is also a way to give priority to a binding learnt from SAVI- 196 DHCP over a binding for the same address, learnt from SAVI-FCFS. 198 4.1.3. Multiple SAVI Device Scenario 200 A single SAVI device doesn't have the information of all bound 201 addresses on the perimeter. Therefore it is not enough to lookup 202 local bindings to identify a collision. However, assuming DAD is 203 performed throughout the security perimeter for all addresses 204 regardless of the assignment method, then DAD response will inform 205 all SAVI devices about any collision. In that case, FCFS will apply 206 the same way as in a single switch scenario. If the admin configured 207 on one the switches a prefix (or a single static binding) to defend, 208 the DAD response generated by this switch will also prevent the 209 binding to be installed on other switches of the perimeter. 211 4.2. Same Address on the Same Binding Anchor 213 A binding may be set up on the same binding anchor by multiple 214 solutions. Generally, the binding lifetimes of different solutions 215 are different. Potentially, if one solution requires to remove the 216 binding, the node using the address may be taken the use right. 218 For example, a node performs DAD procedure after being assigned an 219 address from DHCP, then the address will also be bound by SAVI-FCFS. 220 If the SAVI-FCFS lifetime is shorter than DHCP lifetime, when the 221 SAVI-FCFS lifetime expires, it will request to remove the binding. 222 If the binding is removed, the node will not be able to use the 223 address even the DHCP lease time doesn't expire. 225 The solution proposed is to keep a binding as long as possible. A 226 binding is kept until it has been required to be removed by all the 227 solutions that ever set up it. 229 5. References 231 5.1. Normative References 233 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 234 Requirement Levels", BCP 14, RFC 2119, March 1997. 236 5.2. Informative References 238 [I-D.ietf-savi-dhcp] 239 Wu, J., Yao, G., Bi, J., and F. Baker, "SAVI Solution for 240 DHCP", draft-ietf-savi-dhcp-10 (work in progress), 241 July 2011. 243 [I-D.ietf-savi-fcfs] 244 Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS 245 SAVI: First-Come First-Serve Source-Address Validation for 246 Locally Assigned IPv6 Addresses", draft-ietf-savi-fcfs-09 247 (work in progress), April 2011. 249 [I-D.ietf-savi-framework] 250 Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, 251 "Source Address Validation Improvement Framework", 252 draft-ietf-savi-framework-05 (work in progress), 253 July 2011. 255 [I-D.ietf-savi-send] 256 Bagnulo, M. and A. Garcia-Martinez, "SEND-based Source- 257 Address Validation Implementation", 258 draft-ietf-savi-send-06 (work in progress), October 2011. 260 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 261 (IPv6) Specification", RFC 2460, December 1998. 263 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 264 and M. Carney, "Dynamic Host Configuration Protocol for 265 IPv6 (DHCPv6)", RFC 3315, July 2003. 267 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure 268 Neighbor Discovery (SEND)", RFC 3971, March 2005. 270 [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", 271 RFC 3972, March 2005. 273 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 274 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 275 September 2007. 277 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 278 Address Autoconfiguration", RFC 4862, September 2007. 280 Appendix A. Contributors and Acknowledgments 282 Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun and 283 Jari Arkko for their valuable contributions. 285 Authors' Addresses 287 Jun Bi 288 CERNET 289 Network Research Center, Tsinghua University 290 Beijing 100084 291 China 293 Email: junbi@cernet.edu.cn 295 Guang Yao 296 Tsinghua University 297 Network Research Center, Tsinghua University 298 Beijing 100084 299 China 301 Email: yaoguang.china@gmail.com 302 Joel M. Halpern 303 Newbridge Networks Inc 305 Email: jmh@joelhalpern.com 307 Eric Levy-Abegnoli (editor) 308 Cisco Systems 309 Village d'Entreprises Green Side - 400, Avenue Roumanille 310 Biot-Sophia Antipolis - 06410 311 France 313 Email: elevyabe@cisco.com