idnits 2.17.1 draft-shi-savi-access-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 14) being 60 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 3 instances of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (December 2, 2015) is 3039 days in the past. Is this intentional? Checking references for intended status: None ---------------------------------------------------------------------------- == Missing Reference: 'I-D.ietf-savi-mix' is mentioned on line 121, but not defined == Missing Reference: 'RFC2119' is mentioned on line 134, but not defined == Unused Reference: 'RFC 2119' is defined on line 511, but no explicit reference was found in the text == Outdated reference: A later version (-34) exists of draft-ietf-savi-dhcp-10 == Outdated reference: A later version (-14) exists of draft-ietf-savi-fcfs-09 == Outdated reference: A later version (-11) exists of draft-ietf-savi-send-06 == Outdated reference: A later version (-06) exists of draft-ietf-savi-framework-05 Summary: 3 errors (**), 0 flaws (~~), 10 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 SAVI F.Shi 2 Internet Draft China Telecom 3 Intended status: Standard Tracks K.Xu, L.Zhu, G.Hu, Y.Bo 4 Expires: May 2016 Tsinghua Univ. 5 December 2, 2015 7 SAVI Requirements and Solutions for ISP IPv6 Access Network 8 draft-shi-savi-access-08.txt 10 Abstract 12 Internet is always confronted with many security threats based on IP 13 address spoofing which can enable impersonation and malicious traffic 14 redirection. Unfortunately, the Internet architecture fails to 15 provide the defense mechanism. Source Address Validation Improvement 16 (SAVI) was developed to prevent IP source address spoofing. 17 Especially, the mechanism is essential for ISPs. However, due to the 18 diversity of address assignment methods, SAVI solution is also 19 different accordingly. This document describes five scenarios of 20 ISPs'IPv6 access network, and moreover, states its SAVI requirements 21 and tentative solutions accordingly. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on May 2, 2016. 40 Copyright Notice 42 Copyright (c) 2014 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents carefully, 49 as they describe your rights and restrictions with respect to this 50 document. Code Components extracted from this document must include 51 Simplified BSD License text as described in Section 4.e of the Trust 52 Legal Provisions and are provided without warranty as described in 53 the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 10 57 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction ................................................. 3 70 2. Conventions used in this document ............................ 4 71 3. Terminology .................................................. 4 72 4. Scenarios for ISPs'IPv6 Access Network ....................... 4 73 4.1. Scenario 1: HRG acts as DHCPv6 proxy .................... 5 74 4.2. Scenario 2: STB gets IP address via DHCPv6 .............. 7 75 4.3. Scenario 3: PC gets IP address via PPPoE & RA ........... 8 76 4.4. Scenario 4: Laptop accesses Internet via WLAN ........... 9 77 4.5. Scenario 5: Laptop accesses Internet via C+W ........... 10 78 5. Conclusions ................................................. 12 79 6. References .................................................. 13 80 6.1. Normative References ................................... 13 81 7. Acknowledgments ............................................. 14 83 1. Introduction 85 Spoofing of IP source addresses can jeopardize people's privacy, 86 enable malicious traffic redirection which causes the network 87 topology and traffic information to be leaked out. Further, it will 88 be difficult to trace the source host which has forged the packet. 89 The Source Address Validation Improvement (SAVI) method was designed 90 to prevent hosts attached to the same link from spoofing each other's 91 IP address. It is developed to complement ingress filtering with 92 finer-grained, standardized IP source address validation. It is also 93 can be deployed easily in networks due to its modularization and 94 extensibility. 96 ISPs that provide Internet access services, information services and 97 value-added services to the customers always have to be confronted 98 with many threats enabled by IP source address spoofing, while the 99 Internet architecture fails to prevent IP source address spoofing 100 [draft-ietf-savi-threat-scope]. So they have an imperative demand to 101 apply the mechanism in order to defend the attack and ensure the 102 security of its network and customers' privacy. 104 Internet Service Provider has multiple access scenarios not limited 105 to Ethernet, and usually is deployed with DHCP. Other scenarios such 106 as ADSL with PPP and Ethernet with PPP are also popular in the real 107 world. Unfortunately, SAVI Switch only works in the scenarios of wire 108 or wireless Ethernet and does not support all address assignment 109 methods that can be used in access network. There are four address 110 assigned methods identified in one of the SAVI documents: 112 1. Stateless Address Auto Configuration (SLACC) [I-D.ietf-savi-fcfs] 114 2. Dynamic Host Control Protocol address assignment (DHCP) 115 [I-D.ietf-savi-dhcp] 117 3. Secure Neighbor Discovery (SeND) address assignment 118 [I-D.ietf-savi-send] 120 4. Mix Address assignment methods 121 [I-D.ietf-savi-mix] 123 Thus, According to different access network scenarios, SAVI should 124 adjust its deployment and make improvement to adapt to the real 125 situation. This note analyzes five scenarios of ISPs' IPv6 access 126 network, and on this basis, gives tentative SAVI solutions 127 accordingly. 129 2. Conventions used in this document 131 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 132 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 133 document are to be interpreted as described in RFC-2119 [RFC2119]. 135 In this document, these words will appear with that interpretation 136 only when in ALL CAPS. Lower case uses of these words are not to be 137 interpreted as carrying RFC-2119 significance. 139 3. Terminology 141 The following acronyms and terms are used throughout this document. 143 HRG: Home Residential Gateway, an intelligent gateway between network 144 devices and external network in a family. 146 BRAS: Broadband Remote Access Server, a network switch that funnels 147 traffic from DSL and/or cable modem aggregation devices to various 148 carriers' networks based on the type of an application or that of 149 a service required. 151 STB: Set Top Box, a device which can provide value-added services 152 used to enhance or extend the function of TV. 154 AAA: Authentication, Authorization, Accounting. AAA server can 155 provide verification and authority service. 157 C+W: CDMA (CDMA2000) + WLAN, an integrated wireless broadband network 158 business of China telecom. 160 WAG: Wireless Access Gateway. 162 PDSN: Packet Data Serving Node, responsible for the establishment and 163 terminating point-to-point protocol (PPP) connection and assign 164 dynamic address for nodes. 166 4. Scenarios for ISPs'IPv6 Access Network 168 There are various access methods for ISPs'IPv6 access network. To 169 facilitate the deployment of the SAVI method in networks of various 170 kinds, the SAVI method is designed to support different IP address 171 assignment methods [I-D.ietf-savi-framework]. However, there are 172 still some mixed address assignment methods which cannot be supported. 173 It is important to note that the deployment of SAVI device has been 174 impacted greatly by access network scenarios and its address 175 assignment methods. In order to meet different IP Source Address 176 Validation requirements, SAVI solutions may need to be improved to 177 adapt to the real situation. 179 From the perspective of SAVI deployment, there are five typical 180 scenarios of ISPs'IPv6 access network: 182 1. Home Residential gateway (HRG) acts as DHCPv6 proxy. 184 2. Set Top-box (STB) gets an IP address via DHCPv6. 186 3. Host gets IP address via PPPoE & RA. 188 4. Laptop accesses Internet via WLAN. 190 5. Laptop accesses Internet via C+W. 192 We will discuss the SAVI solution for each scenario in detail in the 193 next section. 195 4.1. Scenario 1: Home Residential gateway (HRG) acts as DHCPv6 proxy 197 +--------+ 198 | BRAS | 199 +-------,+ 200 (PPPoE/ND/RA)|| (DHCPv6-PD) 201 || 202 +--||---+ 203 | HRG | 204 +--/----/+ 205 (DHCPv6)| |(DHCPv6) 206 +----\-+ +\-----+ 207 | PC | | STB | 208 | | | | 209 +------+ +------+ 211 Figure 1: Scenario 1 213 Figure 1 shows the main elements in scenario 1. PC and STB connect to 214 the Internet via HRG. Its address assignment mechanism can be 215 described as follows: First, HRG gets a link-local IPv6-IPv6 address 216 from BRAS via PPPoE and ND/RA. Then, HRG gets an IPv6 address from 217 BRAS via DHCPv6-PD. At last, PC and STB get IPv6 addresses from HRG 218 via DHCPv6. Of course, PC and STB can also get IPv6 addresses via 219 ND/RA, but the DHCPv6 is much more popular. 221 According to the SAVI mechanism, in order to achieve Source Address 222 Validation, the SAVI device must snoop the whole procedure of Address 223 assignment. In addition, the preferred location of SAVI instances is 224 close to hosts, such as in access switches that directly attach to 225 the hosts where host IP addresses are being validated [I-D.ietf-savi- 226 framework]. So we can deploy the SAVI device in places close to the 227 HRG, such as the first hop access device. It can be illustrated in 228 figure 2. 230 +--------+ 231 | BRAS | 232 +-------,+ 233 (PPPoE/ND/RA)|| (DHCPv6-PD) 234 || 235 . . . . . .|| . . . . . . . 236 . || Protection. 237 . +-------+ Perimeter. 238 . | SAVI | . 239 . | Device| . 240 . +-------+ . 241 . || . 242 . . . . . .|| . . . . . . . 243 +--||---+ 244 | HRG | 245 +-/----/+ 246 (DHCPv6) | |(DHCPv6) 247 +----\-+ +\-----+ 248 | PC | | STB | 249 | | | | 250 +------+ +------+ 252 Figure 2: SAVI solution for Scenario 1 254 Figure 2 shows the deployment of SAVI device. It also allows multiple 255 SAVI devices and non-SAVI devices co-existing on a link. In addition, 256 for this solution, the SAVI mechanism needs to improve to snoop the 257 procedure of DHCPv6-PD, so as to bind the relationship . 260 4.2. Scenario 2: STB gets an IP address via DHCPv6 262 The difference between scenario 1 and scenario 2 is the absence of HG 263 which acts as DHCPv6 proxy. In scenario 2, STB, having its internal 264 account and password gets IPv6 prefix by DHCPv6. The general scene 265 workflow includes the following steps: STB sends requests to all 266 routers on a local link by using a link-local address based on its 267 MAC address. The BRAS gives a message to STB to adopt DHCPv6 address 268 assignment method as a response. STB initiates the DHCPv6 procedure 269 and BRAS acts as a DHCP Relay to add some authorities' messages. An 270 AAA server decides whether assign address parameters depend on the 271 result of authentication. At last, BRAS receives IPv6 parameters from 272 AAA server, and then, informs STB via DHCPv6 protocol. It can be 273 illustrated in figure 3. 275 +--------+ +-----------+ 276 | AAA | |DHCP server| 277 +--------+ +-----------+ 278 \ / 279 || 280 || 281 +---||--+ 282 | BRAS | 283 +-------+ 284 | 285 (DHCPv6) 286 | 287 +-------+ 288 | STB | 289 +-------+ 291 Figure 3: Scenario2 293 Figure 3 shows the main elements in scenario 2. Due to the pure 294 DHCPv6 address assignment method in this scenario, we can deploy SAVI 295 device in places close to STB directly and SAVI mechanism need not 296 make any improvement. It just needs to bind relationship which is supported in the existing 298 SAVI function. The solution can be illustrated in figure 4. 300 +--------+ +-----------+ 301 | AAA | |DHCP server| 302 +--------+ +-----------+ 303 \ / 304 +--||---+ 305 | BRAS | 306 +-------+ 307 | 308 (DHCPv6) 309 | 310 . . . . . . . . . . . 311 . +---------------+ . 312 . | SAVI device | . 313 . +---------------+ . 314 . . . . . . . . . . . 315 | 316 +-------+ 317 | STB | 318 +-------+ 320 Figure 4: SAVI solution for Scenario 2 322 4.3. Scenario 3: PC gets an IP address via PPPoE & RA 324 In this scenario, first of all, PC gets a link-local address from 325 BRAS via PPPoE. BRAS broadcasts IPv6 prefix via RA. Finally, PC 326 configures its address automatically and gets some additional 327 messages from BRAS. 329 +--------+ 330 | AAA | 331 +--------+ 332 \ 333 | 334 +---|---+ 335 | BRAS | 336 +-------+ 337 |(ND) 338 +-------+ 339 | PC | 340 +-------+ 342 Figure 5: Scenario3 344 Figure 5 shows the main elements in scenario 3. As the function of ND 345 snooping has already been designed, we only take PPPoE snooping into 346 account. Thus, the solution to this scenario which is illustrated in 347 figure 6 is to deploy the SAVI device directly and binding 348 relationship . In this scenario, 349 SAVI needs to improve in order to realize PPPoE snooping. 351 +--------+ 352 | AAA | 353 +--------+ 354 \ 355 +-- |---+ 356 | BRAS | 357 +-------+ 358 (ND)| 359 . . . . . . . . . . . 360 . +---------------+ . 361 . | SAVI device | . 362 . +---------------+ . 363 . . . . . . . . . . . 364 | 365 +-------+ 366 | PC | 367 +-------+ 369 Figure 6: SAVI solution for Scenario 3 371 4.4. Scenario 4: Laptop accesses Internet via public WLAN 373 The interaction in this scenario is relatively simple. The laptop 374 gets an IPv6 address via DHCPv6. Then, users are enforced to be 375 certified by submitting a password on a portal page. 377 +--------+ +-----------+ 378 | AAA | |DHCP server| 379 +--------+ +-----------+ 380 \/ 381 +--||---+ 382 | BRAS | 383 +-------+ 384 |(DHCPv6) 385 +-------+ 386 |LAPTOP | 387 +-------+ 389 Figure 7: Scenario 4 391 Figure 7 shows the main elements in scenario 4. We can deploy the 392 SAVI device directly and bind relationship . The solution can be illustrated in figure 8. 395 +--------+ +-----------+ 396 | AAA | |DHCP server| 397 +--------+ +-----------+ 398 \ / 399 || 400 +--||---+ 401 | BRAS | 402 +-------+ 403 |(DHCPv6) 404 | 405 . . . . . . . . . . . 406 . +---------------+ . 407 . | SAVI device | . 408 . +---------------+ . 409 . . . . . . . . . . . 410 | 411 +-------+ 412 |LAPTOP | 413 +-------+ 415 Figure 8: SAVI solution for Scenario 4 417 4.5. Scenario 5: Laptop accesses Internet via C+W 419 This scenario describes that the laptop accesses the Internet via 420 CDMA and WLAN. The general scene workflow includes the following 421 steps: The laptop gets a temporary IPv6 address from BARS via DHCPv6, 422 and then, obtains the WAG address from a DNS server. The laptop 423 establishes a UDP tunnel to WAG by sending register request. If the 424 tunnel is established successfully, the laptop can get IPv6 prefix 425 from PDSN via PPP and RA, whereas PDSN acts as the PPP terminal. At 426 last, the laptop gets some additional information such as the DNS 427 address. When the above steps are all accomplished, the laptop 428 acquires the ability to access the Internet. 430 +--------+ +-----------+ 431 | AAA |--| PDSN | 432 +--------+ +------|----+ 433 +--------+ +------|----+ 434 |AN-AAA |--| WAG | 435 +--------+ +-----------+ 436 // 437 // UDP tunnel 438 || 439 || 440 +--||---+ 441 | BRAS | 442 +-------+ 443 | 444 |(DHCPv6) 445 | 446 +-------+ 447 | LAPTOP| 448 +-------+ 450 Figure 9: Scenario 5 452 Figure 9 shows the main elements in scenario 5. in this scenario, we 453 also can deploy the SAVI device in places close to the LAPTOP. SAVI 454 needs to improve to support the PPPoE protocol snooping. It also 455 binds relationship . The 456 solution is described in figure 10. 458 +--------+ +-----------+ 459 | AAA |--| PDSN | 460 +--------+ +------|----+ 461 +--------+ +------|----+ 462 |AN-AAA |--| WAG | 463 +--------+ +-----------+ 464 // 465 // UDP tunnel 466 || 467 || 468 +--||---+ 469 | BRAS | 470 +-------+ 471 | 472 (DHCPv6) 473 | 474 +--------+ 475 | SAVI | 476 | device| 477 | | 478 +--------+ 479 | 480 | 481 +-------+ 482 |LAPTOP | 483 +-------+ 485 Figure 10: SAVI solution for Scenario 5 487 5. Conclusions 489 For ISPs, SAVI can defend against many security attacks effectively 490 which are based on IP address spoofing. There are various scenarios 491 of ISPs'IPv6 Access Network. As each scenario uses a different 492 address assignment method and protocol, there are a variety of 493 requirements to validate the source address for ISPs' IPv6 access 494 network. Though SAVI cannot support all protocols and methods right 495 now, due to expansibility of SAVI, the mechanism can satisfy various 496 demands with a small improvement. This document presents five typical 497 scenarios of ISPs'IPv6 access network, and proposes tentative SAVI 498 solutions. 500 Moreover, for functional verification, we conducted an experiment on 501 China Telecom's access network in Hunan province. The experimental 502 results show that source addresses can be validated effectively as we 503 expected in most access scenarios. Next, we will deploy more SAVI 504 devices on a large-scale network in order to form a complete 505 architecture. 507 6. References 509 6.1. Normative References 511 [RFC 2119] Bradner, S., "Key words for use in RFCs to 512 Indicate Requirement Levels", BCP 14, RFC 513 2119, March 1997. 515 [draft-ietf-savi-threat-scope] 517 McPherson, D., Baker, F., and J. Halpern, 518 "SAVI Threat Scope", draft-ietf-savi- 519 threat-scope-05, April 2011. 521 [I-D.ietf-savi-dhcp] Wu, J., Yao, G., Bi, J., and F. Baker, 522 "SAVI Solution for DHCP", draft-ietf-savi- 523 dhcp-10 (work in progress), July 2011. 525 [I-D.ietf-savi-fcfs] Nordmark, E., Bagnulo, M., and E. Levy- 526 Abegnoli, "FCFSSAVI: First-Come First-Serve 527 Source-Address Validation for Locally 528 Assigned IPv6 Addresses", draft-ietf-savi- 529 fcfs-09(work in progress), April 2011. 531 [I-D.ietf-savi-send] Bagnulo, M. and A. Garcia-Martinez, "SEND- 532 based Source-Address Validation 533 Implementation", draft-ietf-savi-send-06 534 (work in progress), October 2011. 536 [I-D.ietf-savi-framework] Wu, J., Bi, J., Bagnulo, M., Baker, F., and 537 C. Vogt, "Source Address Validation 538 Improvement Framework",draft-ietf-savi- 539 framework-05 (work in progress), July 2011. 541 7. Acknowledgments 543 This document was prepared using 2-Word-v2.0.template.dot. 545 Authors' Addresses 547 Fan Shi 548 China Telecom 549 Beijing Research Institute, China Telecom 550 Beijing, 100035 551 China 552 Email: shifan@ctbri.com.cn 554 Ke Xu 555 Tsinghua University 556 Department of Computer Science, Tsinghua University 557 Beijing, 100084 558 China 559 Email: xuke@mail.tsinghua.edu.cn 561 Liang Zhu 562 Tsinghua University 563 Department of Computer Science, Tsinghua University 564 Beijing, 100084 565 China 566 Email: tshbruce@gmail.com 568 Guangwu Hu 569 Tsinghua University 570 Department of Computer Science, Tsinghua University 571 Beijing, 100084 572 China 573 Email: hgw09@mails.tsinghua.edu.cn 575 Yang Bo 576 Huawei Technology 577 Switch Communication Telepresence Product Dept, Huawei Techonolgy 578 Beijing, 100085 579 China 580 Email: boyang.bo@huawei.com