idnits 2.17.1 draft-ietf-savi-mix-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 1, 2017) is 2672 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SAVI J. Bi 3 Internet-Draft Tsinghua University 4 Intended status: Standards Track G. Yao 5 Expires: July 5, 2017 Tsinghua University/Baidu 6 J. Halpern 7 Ericsson 8 E. Levy-Abegnoli, Ed. 9 Cisco 10 January 1, 2017 12 SAVI for Mixed Address Assignment Methods Scenario 13 draft-ietf-savi-mix-15 15 Abstract 17 In networks that use multiple techniques for address assignment, the 18 spoofing of addresses assigned by each technique can be prevented 19 using the appropriate Source Address Validation Improvement (SAVI) 20 methods. This document reviews how multiple SAVI methods can coexist 21 in a single SAVI device and collisions are resolved when the same 22 binding entry is discovered by two or more methods. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on July 5, 2017. 41 Copyright Notice 43 Copyright (c) 2017 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 60 3. Problem Scope . . . . . . . . . . . . . . . . . . . . . . . . 3 61 4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 4 62 5. Recommendations for assignment separation . . . . . . . . . . 5 63 6. Resolving binding collisions . . . . . . . . . . . . . . . . 6 64 6.1. Same Address on Different Binding Anchors . . . . . . . . 6 65 6.1.1. Basic preference . . . . . . . . . . . . . . . . . . 6 66 6.1.2. Exceptions . . . . . . . . . . . . . . . . . . . . . 7 67 6.1.3. Multiple SAVI Device Scenario . . . . . . . . . . . . 8 68 6.2. Same Address on the Same Binding Anchor . . . . . . . . . 8 69 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 70 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 71 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 72 10. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . 9 73 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 74 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 75 11.2. Informative References . . . . . . . . . . . . . . . . . 10 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 78 1. Introduction 80 There are currently several Source Address Validation Improvement 81 (SAVI) documents ([RFC6620], [RFC7513] and [RFC7219]) that describe 82 the different methods by which a switch can discover and record 83 bindings between a node's IP address and a binding anchor and use 84 that binding to perform source address validation. Each of these 85 documents specifies how to learn on-link addresses, based on the 86 technique used for their assignment, respectively: StateLess 87 Autoconfiguration (SLAAC), Dynamic Host Control Protocol (DHCP) and 88 Secure Neighbor Discovery (SeND). Each of these documents describes 89 separately how one particular SAVI method deals with address 90 collisions (same address, different binding anchor). 92 While multiple IP assignment techniques can be used in the same 93 layer-2 domain, this means that a single SAVI device might have to 94 deal with a combination or mix of SAVI methods. The purpose of this 95 document is to provide recommendations to avoid collisions and to 96 review collisions handling when two or more such methods come up with 97 competing bindings. 99 2. Requirements Language 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in RFC 2119 [RFC2119]. 105 3. Problem Scope 107 Three different IP address assignment techniques have been analyzed 108 for SAVI: 110 1. StateLess Address AutoConfiguration (SLAAC) - analyzed in SAVI- 111 FCFS[RFC6620] 113 2. Dynamic Host Control Protocol address assignment (DHCP) - 114 analyzed in SAVI-DHCP[RFC7513] 116 3. Secure Neighbor Discovery (SeND) address assignment, analyzed in 117 SAVI-SEND[RFC7219] 119 In addition, there is a fourth technique for managing (i.e., 120 creation, management, deletion) a binding on the switch, referred to 121 as "manual". It is based on manual binding configuration. Because 122 how to manage manual bindings is determined by operators, there is 123 not a new SAVI method for manual addresses. 125 All combinations of address assignment techniques can coexist within 126 a layer-2 domain. A SAVI device MUST implement the corresponding 127 binding setup methods (referred to as a "SAVI method") for each such 128 technique that is in use if it is to provide Source Address 129 Validation. 131 SAVI methods are normally viewed as independent from each other, each 132 one handling its own entries. If multiple methods are used in the 133 same device without coordination, each method will attempt to reject 134 packets sourced with any addresses that method did not discover. To 135 prevent addresses discovered by one SAVI method from being filtered 136 out by another method, the SAVI binding table SHOULD be shared by all 137 the SAVI methods in use in the device. This in turn could create 138 some conflict when the same entry is discovered by two different 139 methods. The purpose of this document is of two folds: provide 140 recommendations and methods to avoid conflicts, and to resolve 141 conflicts when they happen. Collisions happening within a given 142 method are outside the scope of this document. 144 4. Architecture 146 A SAVI device may implement and use multiple SAVI methods. This 147 mechanism, called SAVI-MIX, is proposed as a arbiter of the binding 148 generation algorithms from these multiple methods, generating the 149 final binding entries as illustrated in Figure 1. Once a SAVI method 150 generates a candidate binding, it will request SAVI-MIX to set up a 151 corresponding entry in the binding table. Then SAVI-MIX will check 152 if there is any conflict in the binding table. A new binding will be 153 generated if there is no conflict. If there is a conflict, SAVI-MIX 154 will determine whether to replace the existing binding or reject the 155 candidate binding based on the policies specified in Section 6. 157 As a result of this, the packet filtering in the SAVI device will not 158 be performed by each SAVI method separately. Instead, the table 159 resulting from applying SAVI-MIX will be used to perform filtering. 160 Thus the filtering is based on the combined results of the differents 161 SAVI mechanisms. It is beyond the scope of this document to describe 162 the details of the filtering mechanism and its use of the combined 163 SAVI binding table. 165 +--------------------------------------------------------+ 166 | | 167 | SAVI Device | 168 | | 169 | | 170 | +------+ +------+ +------+ | 171 | | SAVI | | SAVI | | SAVI | | 172 | | | | | | | | 173 | | FCFS | | DHCP | | SEND | | 174 | +------+ +------+ +------+ | 175 | | | | Binding | 176 | | | | setup | 177 | v v v requests | 178 | +------------------------------+ | 179 | | | | 180 | | SAVI-MIX | | 181 | | | | 182 | +------------------------------+ | 183 | | | 184 | v Final Binding | 185 | +--------------+ | 186 | | Binding | | 187 | | | | 188 | | Table | | 189 | +--------------+ | 190 | | 191 +--------------------------------------------------------+ 193 Figure 1: SAVI-Mix Architecture 195 Each entry in the binding table will contain the following fields: 197 1. IP source address 199 2. Binding anchor[RFC7039] 201 3. Lifetime 203 4. Creation time 205 5. Binding methods: the SAVI method used for this entry. 207 5. Recommendations for assignment separation 209 If each address assignment technique uses a separate portion of the 210 IP address space, collisions won't happen. Using non overlapping 211 address space across address assignment techniques, and thus across 212 SAVI methods is therefore recommended. To that end, one should: 214 1. DHCP and SLAAC: use non-overlapping prefix for DHCP and SLAAC. 215 Set the A bit in Prefix information option of Router 216 Advertisement for SLAAC prefix, and set the M bit in Router 217 Advertisement for DHCP prefix. For detail explanations on these 218 bits, refer to [RFC4861][RFC4862]. 220 2. SeND and non-SeND: avoid mixed environment (where SeND and non- 221 SeND nodes are deployed) or separate the prefixes announced to 222 SeND and non-SenD nodes. One way to separate the prefixes is to 223 have the router(s) announcing different (non-overlapping) 224 prefixes to SeND and to non-SeND nodes, using unicast Router 225 Advertisements[RFC6085], in response to SeND/non-SeND Router 226 Solicit. 228 6. Resolving binding collisions 230 In situations where collisions can not be avoided by assignment 231 separation, two cases should be considered: 233 1. The same address is bound on two different binding anchors by 234 different SAVI methods. 236 2. The same address is bound on the same binding anchor by different 237 SAVI methods. 239 6.1. Same Address on Different Binding Anchors 241 This would typically occur in case assignment address spaces could 242 not be separated. For instance, an address is assigned by SLAAC on 243 node X, installed in the binding table using SAVI-FCFS, anchored to 244 "anchor-X". Later, the same address is assigned by DHCP to node Y, 245 and SAVI-DHCP will generate a candidate binding entry, anchored to 246 "anchor-Y". 248 6.1.1. Basic preference 250 If there is any manually configured binding, the SAVI device SHOULD 251 choose the manual configured binding acnhor. 253 For an address not covered by any manual bindings, the SAVI device 254 must decide to which binding anchor the address should be bound 255 (anchor-X or anchor-Y in this example). Current standard documents 256 of address assignment methods have implied the prioritization 257 relationship based on order in time, i.e., first-come first-served. 259 o SLAAC: s5.4.5 of [RFC4862] 261 o DHCPv4: s3.1-p5 of [RFC2131] 263 o DHCPv6: s18.1.8 of [RFC3315] 265 o SeND: s8 of [RFC3971] 267 In the absence of any configuration or protocol hint (see 268 Section 6.1.2) the SAVI device SHOULD choose the first-come binding 269 anchor, whether it was learnt from SLAAC, SeND or DHCP. 271 6.1.2. Exceptions 273 There are two identified exceptions to the general prioritization 274 model, one of them being CGA addresses[RFC3971], another one 275 controlled by the configuration of the switch. 277 6.1.2.1. CGA preference 279 When CGA addresses are used, and a collision is detected, preference 280 should be given to the anchor that carries the CGA credentials once 281 they are verified, in particular the CGA parameters and the RSA 282 options. Note that if an attacker was trying to replay CGA 283 credentials, he would then compete on the base of "First-Come, First- 284 Served" (FCFS) principle. 286 6.1.2.2. configuration preference 288 For configuration driven exceptions, the SAVI device may allow the 289 configuration of a triplet ("prefix", "anchor", "method") or 290 ("address", "anchor", "method"). The "prefix" or "address" 291 represents the address or address prefix to which this preference 292 entry applies. The "anchor" is the value of a known binding anchor 293 that this device expects to see using this address or addresses from 294 this prefix. The "method" is the SAVI method that this device 295 expects to use in validating address binding entries from the address 296 or prefix. At least one of "anchor" and "method" MUST be specified. 297 Later, if a DAD message [RFC4861] is received with the following 298 conditions verified: 300 1. The target in the DAD message does not exist in the binding table 302 2. The target is within the configured "prefix" (or equal to 303 "address") 305 3. The anchor bound to target is different from the configured 306 anchor, when specified 308 4. The configured method, if any, is different from SAVI-FCFS 310 The switch SHOULD defend the address by responding to the DAD 311 message, with a NA message, on behalf of the target node. It SHOULD 312 NOT install the entry into the binding table. The DAD message SHOULD 313 be discarded and not forwarded. Forwarding it may cause other SAVI 314 devices to send additional defense NAs. SeND nodes in the network 315 MUST disable the option to ignore unsecured advertisements (see s8 of 316 [RFC3971]). If the option is enabled, the case is outside the scope 317 of this document. It is suggested to limit the rate of defense NAs 318 to reduce security threats to the switch. Or else, a malicious host 319 could consume the resource of the switch heavily with flooding DAD 320 messages. 322 This will simply prevent the node from assigning the address, and 323 will de-facto prioritize the configured anchor. It is especially 324 useful to protect well known bindings such as a static address of a 325 server over anybody, even when the server is down. It is also a way 326 to give priority to a binding learnt from SAVI-DHCP over a binding 327 for the same address, learnt from SAVI-FCFS. 329 6.1.3. Multiple SAVI Device Scenario 331 A single SAVI device doesn't have the information of all bound 332 addresses on the perimeter. Therefore it is not enough to lookup 333 local bindings to identify a collision. However, assuming DAD is 334 performed throughout the security perimeter for all addresses 335 regardless of the assignment method, then DAD response will inform 336 all SAVI devices about any collision. In that case, "First-Come, 337 First- Served" will apply the same way as in a single switch 338 scenario. If the admin configured on one the switches a prefix (or a 339 single static binding) to defend, the DAD response generated by this 340 switch will also prevent the binding to be installed on other 341 switches of the perimeter. The SAVI MIX preferences of all the SAVI 342 devices in the same layer-2 domain should be consistent. 343 Inconsistent configurations may cause network breaks. 345 6.2. Same Address on the Same Binding Anchor 347 A binding may be set up on the same binding anchor by multiple 348 methods, typically SAVI-FCFS and SAVI-DHCP. If the binding lifetimes 349 obtained from the two methods are different, priority should be given 350 to 1) Manual configuration 2) SAVI-DHCP 3) SAVI-FCFS as the least 351 authoritative. The binding will be removed when the prioritized 352 lifetime expires, even if a less authoritative method had a longer 353 lifetime. 355 7. Security Considerations 357 Combining SAVI methods (as in SAVI MIX) does not improve on or 358 eliminate the security considerations associated with each individual 359 SAVI method. Therefore, security considerations for each enabled 360 SAVI method should be addressed as described in that method's 361 associated RFC. Moreover, combining methods (as in SAVI MIX) has two 362 additional implications for security. First, it may increase 363 susceptibility to DoS attacks, because the SAVI binding setup rate 364 will be the sum of the rates of all enabled SAVI methods. 365 Implementers must take these added resource requirements into 366 account. Second, because SAVI MIX supports multiple binding 367 mechanisms, it potentially reduces the security level to that of the 368 weakest supported method, unless additional steps (e.g. requiring 369 non-overlapping address spaces for different methods) are taken. 371 8. Privacy Considerations 373 When implementing multiple SAVI methods, privacy considerations of 374 all methods apply cumulatively. 376 9. IANA Considerations 378 This memo asks the IANA for no new parameters. 380 10. Acknowledgment 382 Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun, David 383 Lamparter, Scott G. Kelly and Jari Arkko for their valuable 384 contributions. 386 11. References 388 11.1. Normative References 390 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 391 Requirement Levels", BCP 14, RFC 2119, 392 DOI 10.17487/RFC2119, March 1997, 393 . 395 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 396 RFC 2131, DOI 10.17487/RFC2131, March 1997, 397 . 399 [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, 400 C., and M. Carney, "Dynamic Host Configuration Protocol 401 for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 402 2003, . 404 [RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander, 405 "SEcure Neighbor Discovery (SEND)", RFC 3971, 406 DOI 10.17487/RFC3971, March 2005, 407 . 409 [RFC6085] Gundavelli, S., Townsley, M., Troan, O., and W. Dec, 410 "Address Mapping of IPv6 Multicast Packets on Ethernet", 411 RFC 6085, DOI 10.17487/RFC6085, January 2011, 412 . 414 [RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS 415 SAVI: First-Come, First-Served Source Address Validation 416 Improvement for Locally Assigned IPv6 Addresses", 417 RFC 6620, DOI 10.17487/RFC6620, May 2012, 418 . 420 [RFC7219] Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor 421 Discovery (SEND) Source Address Validation Improvement 422 (SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014, 423 . 425 [RFC7513] Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address 426 Validation Improvement (SAVI) Solution for DHCP", 427 RFC 7513, DOI 10.17487/RFC7513, May 2015, 428 . 430 11.2. Informative References 432 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 433 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 434 DOI 10.17487/RFC4861, September 2007, 435 . 437 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 438 Address Autoconfiguration", RFC 4862, 439 DOI 10.17487/RFC4862, September 2007, 440 . 442 [RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed., 443 "Source Address Validation Improvement (SAVI) Framework", 444 RFC 7039, DOI 10.17487/RFC7039, October 2013, 445 . 447 Authors' Addresses 448 Jun Bi 449 Tsinghua University 450 Network Research Center, Tsinghua University 451 Beijing 100084 452 China 454 EMail: junbi@tsinghua.edu.cn 456 Guang Yao 457 Tsinghua University/Baidu 458 Baidu Science and Technology Park, Building 1 459 Beijing 100193 460 China 462 EMail: yaoguang.china@gmail.com 464 Joel M. Halpern 465 Ericsson 467 EMail: joel.halpern@ericsson.com 469 Eric Levy-Abegnoli (editor) 470 Cisco Systems 471 Village d'Entreprises Green Side - 400, Avenue Roumanille 472 Biot-Sophia Antipolis 06410 473 France 475 EMail: elevyabe@cisco.com