idnits 2.17.1 draft-ietf-savi-mix-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 18, 2016) is 2739 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Downref: Normative reference to an Informational RFC: RFC 7039 Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SAVI J. Bi 3 Internet-Draft THU 4 Intended status: Standards Track G. Yao 5 Expires: April 21, 2017 Baidu/THU 6 J. Halpern 7 Newbridge 8 E. Levy-Abegnoli, Ed. 9 Cisco 10 October 18, 2016 12 SAVI for Mixed Address Assignment Methods Scenario 13 draft-ietf-savi-mix-12 15 Abstract 17 In networks that use multiple techniques for address assignment, the 18 appropriate Source Address Validation Improvement (SAVI) methods must 19 be used to prevent spoofing of addresses assigned by each such 20 technique. This document reviews how multiple SAVI methods can 21 coexist in a single SAVI device and collisions are resolved when the 22 same binding entry is discovered by two or more methods. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on April 21, 2017. 41 Copyright Notice 43 Copyright (c) 2016 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 60 3. Problem Scope . . . . . . . . . . . . . . . . . . . . . . . . 3 61 4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 4 62 5. Recommendations for preventing collisions . . . . . . . . . . 5 63 6. Resolving binding collisions . . . . . . . . . . . . . . . . 6 64 6.1. Same Address on Different Binding Anchors . . . . . . . . 6 65 6.1.1. Basic preference . . . . . . . . . . . . . . . . . . 6 66 6.1.2. Overwritten preference . . . . . . . . . . . . . . . 7 67 6.1.3. Multiple SAVI Device Scenario . . . . . . . . . . . . 8 68 6.2. Same Address on the Same Binding Anchor . . . . . . . . . 8 69 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 70 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 71 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 72 10. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . 9 73 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 74 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 75 11.2. Informative References . . . . . . . . . . . . . . . . . 10 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 78 1. Introduction 80 There are currently several Source Address Validaiton Improvement 81 (SAVI) documents ([RFC6620], [RFC7513] and [RFC7219]) that describe 82 the different methods by which a switch can discover and record 83 bindings between a node's IP address and a binding anchor and use 84 that binding to perform source address validation. Each of these 85 documents specifies how to learn on-link addresses, based on the 86 technique used for their assignment, respectively: StateLess 87 Autoconfiguration (SLAAC), Dynamic Host Control Protocol (DHCP) and 88 Secure Neighbor Discovery (SeND). Each of these documents describes 89 separately how one particular SAVI method deals with address 90 collisions (same address, different binding anchor). 92 While multiple IP assignment techniques can be used in the same 93 layer-2 domain, this means that a single SAVI device might have to 94 deal with a combination or mix of SAVI methods. The purpose of this 95 document is to provide recommendations to avoid collisions and to 96 review collisions handling when two or more such methods come up with 97 competing bindings. 99 2. Requirements Language 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in RFC 2119 [RFC2119]. 105 3. Problem Scope 107 Three different IP address assignment techniques have been analyzed 108 for SAVI: 110 1. StateLess Address AutoConfiguration (SLAAC) - analyzed in SAVI- 111 FCFS[RFC6620] 113 2. Dynamic Host Control Protocol address assignment (DHCP) - 114 analyzed in SAVI-DHCP[RFC7513] 116 3. Secure Neighbor Discovery (SeND) address assignment, analyzed in 117 SAVI-SEND[RFC7219] 119 In addition, there is a fourth technique for managing (i.e., 120 creation, management, deletion) a binding on the switch, referred to 121 as "manual". It is based on manual binding configuration and is 122 analyzed in [RFC6620] and [RFC7039]. 124 All combinations of address assignment techniques can coexist within 125 a layer-2 domain. A SAVI device MUST implement the corresponding 126 binding setup methods (referred to as a "SAVI method") for each such 127 technique that is in use if it is to provide Source Address 128 Validation. 130 SAVI methods are normally viewed as independent from each other, each 131 one handling its own entries. If multiple methods are used in the 132 same device without coordination, each method will attempt to reject 133 packets sourced with any addresses that method did not discover. To 134 prevent addresses discovered by one SAVI method from being filtered 135 out by another method, the SAVI binding table should be shared by all 136 the SAVI methods in use in the device. This in turn could create 137 some conflict when the same entry is discovered by two different 138 methods. The purpose of this document is of two folds: provide 139 recommendations and methods to avoid conflicts, and to resolve 140 conflicts when they happen. Collisions happening within a given 141 method are outside the scope of this document. 143 4. Architecture 145 A SAVI device may implement ant use multiple SAVI methods. This 146 mechanism, called SAVI-MIX, is proposed as a arbiter of the binding 147 generation algorithms from these multiple methods, generating the 148 final binding entries as illustrated in Figure 1. Once a SAVI method 149 generates a candidate binding, it will request SAVI-MIX to set up a 150 corresponding entry in the binding table. Then SAVI-MIX will check 151 if there is any conflict in the binding table. A new binding will be 152 generated if there is no conflict. If there is a conflict, SAVI-MIX 153 will determine whether to replace the existing binding or reject the 154 candidate binding based on the policies specified in Section 6. 156 As a result of this, the packet filtering in the SAVI device will not 157 be performed by each SAVI method separately. Instead, the table 158 resulting from applying SAVI-MIX will be used to perform filtering. 159 Thus the filtering is based on the combined results of the differents 160 SAVI mechanisms. It is beyond the scope of this document to describe 161 the details of the filtering mechanism and its use of the combined 162 SAVI binding table. 164 +--------------------------------------------------------+ 165 | | 166 | SAVI Device | 167 | | 168 | | 169 | +------+ +------+ +------+ | 170 | | SAVI | | SAVI | | SAVI | | 171 | | | | | | | | 172 | | FCFS | | DHCP | | SEND | | 173 | +------+ +------+ +------+ | 174 | | | | Binding | 175 | | | | setup | 176 | v v v requests | 177 | +------------------------------+ | 178 | | | | 179 | | SAVI-MIX | | 180 | | | | 181 | +------------------------------+ | 182 | | | 183 | v Final Binding | 184 | +--------------+ | 185 | | Binding | | 186 | | | | 187 | | Table | | 188 | +--------------+ | 189 | | 190 +--------------------------------------------------------+ 192 Figure 1: SAVI-Mix Architecture 194 Each entry in the binding table will contain the following fields: 196 1. IP source address 198 2. Binding anchor 200 3. Lifetime 202 4. Creation time 204 5. Binding methods: the SAVI method used for this entry. 206 5. Recommendations for preventing collisions 208 If each address assignment technique uses a separate portion of the 209 IP address space, collisions won't happen. Using non overlapping 210 address space across address assignment techniques, and thus across 211 SAVI methods is therefore recommended. To that end, one should: 213 1. DHCP/SLAAC: use non-overlapping prefix for DHCP and SLAAC. Set 214 the A bit in Prefix information option of Router Advertisement 215 for SLAAC prefix, and set the M bit in Router Advertisement for 216 DHCP prefix. For detail explanations on these bits, refer to 217 [RFC4861][RFC4862]. 219 2. SeND/non-SeND: avoid mixed environment (where SeND and non-SeND 220 nodes are deployed) or separate the prefixes announced to SeND 221 and non-SenD nodes. One way to separate the prefixes is to have 222 the router(s) announcing different (non-overlapping) prefixes to 223 SeND and to non-SeND nodes, using unicast Router 224 Advertisements[RFC6085], in response to SeND/non-SeND Router 225 Solicit. 227 6. Resolving binding collisions 229 In situations where collisions can not be avoided by assignment 230 separation, two cases should be considered: 232 1. The same address is bound on two different binding anchors by 233 different SAVI methods. 235 2. The same address is bound on the same binding anchor by different 236 SAVI methods. 238 6.1. Same Address on Different Binding Anchors 240 This would typically occur in case assignment address spaces could 241 not be separated. For instance, an address is assigned by SLAAC on 242 node X, installed in the binding table using SAVI-FCFS, anchored to 243 "anchor-X". Later, the same address is assigned by DHCP to node Y, 244 and SAVI-DHCP will generate a candidate binding entry, anchored to 245 "anchor-Y". 247 6.1.1. Basic preference 249 The SAVI device must decide to whom the address should be bound 250 (anchor-X or anchor-Y in this example). Current standard documents 251 of address assignment methods have implied the prioritization 252 relationship based on order in time, i.e., first-come first-served. 254 1. SLAAC: s5.4.5 of [RFC4862] 256 2. DHCPv4: s3.1-p5 of [RFC2131] 257 3. DHCPv6: s18.1.8 of [RFC3315] 259 4. SeND: s8 of [RFC3971] 261 In the absence of any configuration or protocol hint (see 262 Section 6.1.2) the SAVI device should choose the first-come binding 263 anchor, whether it was learnt from SLAAC, SeND or DHCP. 265 6.1.2. Overwritten preference 267 There are two identified exceptions to the general prioritization 268 model, one of them being CGA addresses, another one controlled by the 269 configuration of the switch. 271 6.1.2.1. CGA preference 273 When CGA addresses are used, and a collision is detected, preference 274 should be given to the anchor that carries the CGA credentials once 275 they are verified, in particular the CGA parameters and the RSA 276 options. Note that if an attacker was trying to replay CGA 277 credentials, he would then compete on the base of "First-Come, First- 278 Served" (FCFS) principle. 280 6.1.2.2. configuration preference 282 For configuration driven exceptions, the SAVI device may allow the 283 configuration of a triplet ("prefix", "anchor", "method") or 284 ("address", "anchor", "method"). The "prefix" or "address" 285 represents the address or address prefix to which this preference 286 entry applies. The "anchor" is the value of a know binding anchor 287 that this device expects to see using this address or addresses from 288 this prefix. The "method" is the SAVI method that this device 289 expects to use in validating address binding entries from the address 290 or prefix. At least one of "anchor" and "method" MUST be specified. 291 Later, if a DAD message is received with the following conditions 292 verified: 294 1. The target in the DAD message does not exist in the binding table 296 2. The target is within configured "prefix" (or equal to "address") 298 3. The anchor bound to target is different from the configured 299 anchor, when specified 301 4. The configured method, if any, is different from SAVI-FCFS 303 The switch should defend the address by responding to the DAD 304 message, with a NA message, on behalf of the target node. The DAD 305 message should be discarded and not forwarded. Forwarding it may 306 cause other SAVI devices to send additional defense NAs. SeND nodes 307 in the network MUST disable the option to ignore unsecured 308 advertisements (see s8 of [RFC3971]). If the option is enabled, the 309 case is outside the scope of this document. It is suggested to limit 310 the rate of defense NAs to reduce security threats to the switch. 312 It should not install the entry into the binding table. It will 313 simply prevent the node to assign the address, and will de-facto 314 prioritize the configured anchor. This is especially useful to 315 protect well known bindings such as a static address of a server over 316 anybody, even when the server is down. It is also a way to give 317 priority to a binding learnt from SAVI-DHCP over a binding for the 318 same address, learnt from SAVI-FCFS. 320 6.1.3. Multiple SAVI Device Scenario 322 A single SAVI device doesn't have the information of all bound 323 addresses on the perimeter. Therefore it is not enough to lookup 324 local bindings to identify a collision. However, assuming DAD is 325 performed throughout the security perimeter for all addresses 326 regardless of the assignment method, then DAD response will inform 327 all SAVI devices about any collision. In that case, FCFS will apply 328 the same way as in a single switch scenario. If the admin configured 329 on one the switches a prefix (or a single static binding) to defend, 330 the DAD response generated by this switch will also prevent the 331 binding to be installed on other switches of the perimeter. 333 6.2. Same Address on the Same Binding Anchor 335 A binding may be set up on the same binding anchor by multiple 336 methods, typically SAVI-FCFS and SAVI-DHCP. If the binding lifetimes 337 obtained from the two methods are different, priority should be given 338 to 1) Manual configuration 2) SAVI-DHCP 3) SAVI-FCFS as the least 339 authoritative. The binding will be removed when the prioritized 340 lifetime expires, even if a less authoritative method had a longer 341 lifetime. 343 7. Security Considerations 345 SAVI MIX does not eliminate the security problems of each SAVI 346 method. Thus, the potential attacks, e.g., the DoS attack against 347 the SAVI device resource, can still happen. In deployment, the 348 security threats from each enabled SAVI methods should be prevented 349 by the corresponding proposed solutions in each document. 351 SAVI MIX is only a binding setup/removal arbitration mechanism. It 352 does not introduce additional security threats if the arbitration is 353 reasonable. However, there is a slight problem. SAVI MIX is more 354 tolerant about binding establishment than each SAVI method alone. As 355 long as one of the enabled SAVI methods generates a binding, the 356 binding will be applied. As a result, the allowed number of SAVI 357 bindings or allowed SAVI binding setup rate will be the sum of that 358 of all the enabled SAVI methods. In deployment, whether a SAVI 359 device is capable of supporting the resulting resource requirements 360 should be evaluated. 362 The SAVI MIX preferences of all the SAVI devices in the same layer-2 363 domain should be consistent. Inconsistent configurations may cause 364 network breaks. 366 8. Privacy Considerations 368 When implementing multiple SAVI methods, privacy considerations of 369 all methods apply cumulatively. In addition, there is a minor 370 additional loss of privacy in that the SAVI device can correlate 371 information from different SAVI methods. 373 9. IANA Considerations 375 This memo asks the IANA for no new parameters. 377 10. Acknowledgment 379 Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun, David 380 Lamparter and Jari Arkko for their valuable contributions. 382 11. References 384 11.1. Normative References 386 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 387 Requirement Levels", BCP 14, RFC 2119, 388 DOI 10.17487/RFC2119, March 1997, 389 . 391 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 392 RFC 2131, DOI 10.17487/RFC2131, March 1997, 393 . 395 [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, 396 C., and M. Carney, "Dynamic Host Configuration Protocol 397 for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 398 2003, . 400 [RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander, 401 "SEcure Neighbor Discovery (SEND)", RFC 3971, 402 DOI 10.17487/RFC3971, March 2005, 403 . 405 [RFC6085] Gundavelli, S., Townsley, M., Troan, O., and W. Dec, 406 "Address Mapping of IPv6 Multicast Packets on Ethernet", 407 RFC 6085, DOI 10.17487/RFC6085, January 2011, 408 . 410 [RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS 411 SAVI: First-Come, First-Served Source Address Validation 412 Improvement for Locally Assigned IPv6 Addresses", 413 RFC 6620, DOI 10.17487/RFC6620, May 2012, 414 . 416 [RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed., 417 "Source Address Validation Improvement (SAVI) Framework", 418 RFC 7039, DOI 10.17487/RFC7039, October 2013, 419 . 421 [RFC7219] Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor 422 Discovery (SEND) Source Address Validation Improvement 423 (SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014, 424 . 426 [RFC7513] Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address 427 Validation Improvement (SAVI) Solution for DHCP", 428 RFC 7513, DOI 10.17487/RFC7513, May 2015, 429 . 431 11.2. Informative References 433 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 434 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 435 DOI 10.17487/RFC4861, September 2007, 436 . 438 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 439 Address Autoconfiguration", RFC 4862, 440 DOI 10.17487/RFC4862, September 2007, 441 . 443 Authors' Addresses 444 Jun Bi 445 Tsinghua University 446 Network Research Center, Tsinghua University 447 Beijing 100084 448 China 450 EMail: junbi@tsinghua.edu.cn 452 Guang Yao 453 Baidu/Tsinghua University 454 Baidu Science and Technology Park, Building 1 455 Beijing 100193 456 China 458 EMail: yaoguang.china@gmail.com 460 Joel M. Halpern 461 Newbridge Networks Inc 463 EMail: jmh@joelhalpern.com 465 Eric Levy-Abegnoli (editor) 466 Cisco Systems 467 Village d'Entreprises Green Side - 400, Avenue Roumanille 468 Biot-Sophia Antipolis 06410 469 France 471 EMail: elevyabe@cisco.com