summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6620.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc6620.txt')
-rw-r--r--doc/rfc/rfc6620.txt1963
1 files changed, 1963 insertions, 0 deletions
diff --git a/doc/rfc/rfc6620.txt b/doc/rfc/rfc6620.txt
new file mode 100644
index 0000000..b68de00
--- /dev/null
+++ b/doc/rfc/rfc6620.txt
@@ -0,0 +1,1963 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) E. Nordmark
+Request for Comments: 6620 Cisco Systems
+Category: Standards Track M. Bagnulo
+ISSN: 2070-1721 UC3M
+ E. Levy-Abegnoli
+ Cisco Systems
+ May 2012
+
+
+ FCFS SAVI: First-Come, First-Served Source Address Validation
+ Improvement for Locally Assigned IPv6 Addresses
+
+Abstract
+
+ This memo describes First-Come, First-Served Source Address
+ Validation Improvement (FCFS SAVI), a mechanism that provides source
+ address validation for IPv6 networks using the FCFS principle. The
+ proposed mechanism is intended to complement ingress filtering
+ techniques to help detect and prevent source address spoofing.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6620.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 1]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+Copyright Notice
+
+ Copyright (c) 2012 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 2]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 1.1. Terminology ................................................4
+ 2. Background to FCFS SAVI .........................................4
+ 2.1. Scope of FCFS SAVI .........................................4
+ 2.2. Constraints for FCFS SAVI Design ...........................5
+ 2.3. Address Ownership Proof ....................................5
+ 2.4. Binding Anchor Considerations ..............................6
+ 2.5. FCFS SAVI Protection Perimeter .............................6
+ 2.6. Special Cases .............................................10
+ 3. FCFS SAVI Specification ........................................11
+ 3.1. FCFS SAVI Data Structures .................................12
+ 3.2. FCFS SAVI Algorithm .......................................12
+ 3.2.1. Discovering On-Link Prefixes .......................12
+ 3.2.2. Processing of Transit Traffic ......................13
+ 3.2.3. Processing of Local Traffic ........................13
+ 3.2.4. FCFS SAVI Port Configuration Guidelines ............21
+ 3.2.5. VLAN Support .......................................22
+ 3.3. Default Protocol Values ...................................22
+ 4. Security Considerations ........................................22
+ 4.1. Denial-of-Service Attacks .................................22
+ 4.2. Residual Threats ..........................................23
+ 4.3. Privacy Considerations ....................................24
+ 4.4. Interaction with Secure Neighbor Discovery ................25
+ 5. Contributors ...................................................25
+ 6. Acknowledgments ................................................25
+ 7. References .....................................................26
+ 7.1. Normative References ......................................26
+ 7.2. Informative References ....................................26
+ Appendix A. Implications of Not Following the Recommended
+ Behavior .............................................28
+ A.1. Implications of Not Generating DAD_NS Packets upon the
+ Reception of Non-Compliant Data Packets ...................28
+ A.1.1. Lack of Binding State due to Packet Loss...............28
+ A.1.2. Lack of Binding State due to a Change in the
+ Topology ..............................................31
+ A.1.3. Lack of Binding State due to State Loss ...............31
+ A.2. Implications of Not Discarding Non-Compliant Data
+ Packets ...................................................35
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 3]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+1. Introduction
+
+ This memo describes FCFS SAVI, a mechanism that provides source
+ address validation for IPv6 networks using the FCFS principle. The
+ proposed mechanism is intended to complement ingress filtering
+ techniques to help detect and prevent source address spoofing.
+ Section 2 gives the background and description of FCFS SAVI, and
+ Section 3 specifies the FCFS SAVI protocol.
+
+1.1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+2. Background to FCFS SAVI
+
+2.1. Scope of FCFS SAVI
+
+ The application scenario for FCFS SAVI is limited to the local link.
+ Hence, the goal of FCFS SAVI is to verify that the source address of
+ the packets generated by the hosts attached to the local link have
+ not been spoofed.
+
+ In a link, hosts and routers are usually attached. Hosts generate
+ packets with their own address as the source address. This is called
+ "local traffic". Routers send packets containing a source IP address
+ other than their own, since they are forwarding packets generated by
+ other hosts (usually located in a different link). This is called
+ "transit traffic".
+
+ The applicability of FCFS SAVI is limited to the local traffic, i.e.,
+ to verify if the traffic generated by the hosts attached to the local
+ link contains a valid source address. The verification of the source
+ address of the transit traffic is out of the scope of FCFS SAVI.
+ Other techniques, like ingress filtering [RFC2827], are recommended
+ to validate transit traffic. In that sense, FCFS SAVI complements
+ ingress filtering, since it relies on ingress filtering to validate
+ transit traffic, but it provides validation of local traffic, which
+ is not provided by ingress filtering. Hence, the security level is
+ increased by using these two techniques.
+
+ In addition, FCFS SAVI is designed to be used with locally assigned
+ IPv6 addresses, in particular with IPv6 addresses configured through
+ Stateless Address Autoconfiguration (SLAAC) [RFC4862]. Manually
+ configured IPv6 addresses can be supported by FCFS SAVI, but manual
+ configuration of the binding on the FCFS SAVI device provides higher
+ security and seems compatible with manual address management. FCFS
+
+
+
+Nordmark, et al. Standards Track [Page 4]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ SAVI can also be used with IPv6 addresses assigned via DHCPv6, since
+ they ought to perform the Duplicate Address Detection (DAD)
+ procedure, but there is a specific mechanism tailored for dealing
+ with DHCP-assigned addresses defined in [SAVI-DHCP]. Additional
+ considerations about how to use FCFS SAVI depending on the type of
+ address management used and the nature of the addresses are discussed
+ in the framework document [SAVI-FRAMEWORK].
+
+2.2. Constraints for FCFS SAVI Design
+
+ FCFS SAVI is designed to be deployed in existing networks requiring a
+ minimum set of changes. For that reason, FCFS SAVI does not require
+ any changes in the host whose source address is to be verified. Any
+ verification solely relies on the usage of already available
+ protocols. That is, FCFS SAVI does not define a new protocol, define
+ any new message on existing protocols, or require that a host use an
+ existent protocol message in a different way. In other words, no
+ host changes are required.
+
+ FCFS SAVI validation is performed by the FCFS SAVI function. The
+ function can be placed in different types of devices, including a
+ router or a Layer 2 (L2) bridge. The basic idea is that the FCFS
+ SAVI function is located in the points of the topology that can
+ enforce the correct usage of the source address by dropping the non-
+ compliant packets.
+
+2.3. Address Ownership Proof
+
+ The main function performed by FCFS SAVI is to verify that the source
+ address used in data packets actually belongs to the originator of
+ the packet. Since the FCFS SAVI scope is limited to the local link,
+ the originator of the packet is attached to the local link. In order
+ to define a source address validation solution, we need to define the
+ meaning of "address ownership", i.e., what it means that a given host
+ owns a given address in the sense that the host is entitled to send
+ packets with that source address. With that definition, we can
+ define how a device can confirm that the source address in a datagram
+ is owned by the originator of the datagram.
+
+ In FCFS SAVI, proof of address ownership is based on the First-Come,
+ First-Served principle. The first host that claims a given source
+ address is the owner of the address until further notice. Since no
+ host changes are acceptable, we need to find the means to confirm
+ address ownership without requiring a new protocol. So, whenever a
+ source address is used for the first time, a state is created in the
+ device that is performing the FCFS SAVI function binding the source
+ address to a binding anchor that consists of Layer 2 information that
+ the FCFS SAVI box has available (e.g., the port in a switched LAN).
+
+
+
+Nordmark, et al. Standards Track [Page 5]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ Subsequent data packets containing that IP source address can be
+ checked against the same binding anchor to confirm that the
+ originator owns the source IP address.
+
+ There are, however, additional considerations to be taken into
+ account. For instance, consider the case of a host that moves from
+ one segment of a LAN to another segment of the same subnetwork and
+ keeps the same IP address. In this case, the host is still the owner
+ of the IP address, but the associated binding anchor may have
+ changed. In order to cope with this case, the defined FCFS SAVI
+ behavior implies verification of whether or not the host is still
+ reachable using the previous binding anchor. In order to do that,
+ FCFS SAVI uses the Neighbor Discovery (ND) protocol. If the host is
+ no longer reachable at the previously recorded binding anchor, FCFS
+ SAVI assumes that the new location is valid and creates a new binding
+ using the new binding anchor. In case the host is still reachable
+ using the previously recorded binding anchor, the packets coming from
+ the new binding anchor are dropped.
+
+ Note that this only applies to local traffic. Transit traffic
+ generated by a router would be verified using alternative techniques,
+ such as ingress filtering. FCFS SAVI checks would not be fulfilled
+ by the transit traffic, since the router is not the owner of the
+ source address contained in the packets.
+
+2.4. Binding Anchor Considerations
+
+ Any SAVI solution is not stronger than the binding anchor it uses.
+ If the binding anchor is easily spoofable (e.g., a Media Access
+ Control (MAC) address), then the resulting solution will be weak.
+ The treatment of non-compliant packets needs to be tuned accordingly.
+ In particular, if the binding anchor is easily spoofable and the FCFS
+ SAVI device is configured to drop non-compliant packets, then the
+ usage of FCFS SAVI may open a new vector of Denial-of-Service (DoS)
+ attacks, based on spoofed binding anchors. For that reason, in this
+ specification, only switch ports MUST be used as binding anchors.
+ Other forms of binding anchors are out of the scope of this
+ specification, and proper analysis of the implications of using them,
+ should be performed before their usage.
+
+2.5. FCFS SAVI Protection Perimeter
+
+ FCFS SAVI provides perimetrical security. FCFS SAVI devices form
+ what can be called an FCFS SAVI protection perimeter, and they verify
+ that any packet that crosses the perimeter is compliant (i.e., the
+ source address is validated). Once the packet is inside the
+ perimeter, no further validations are performed on the packet. This
+
+
+
+
+Nordmark, et al. Standards Track [Page 6]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ model has implications both on how FCFS SAVI devices are deployed in
+ the topology and on the configuration of the FCFS SAVI boxes.
+
+ The implication of this perimetrical security approach is that there
+ is part of the topology that is inside the perimeter and part of the
+ topology that is outside the perimeter. So, while packets coming
+ from interfaces connected to the external part of the topology need
+ to be validated by the FCFS SAVI device, packets coming from
+ interfaces connected to the internal part of the topology do not need
+ to be validated. This significantly reduces the processing
+ requirements of the FCFS SAVI device. It also implies that each FCFS
+ SAVI device that is part of the perimeter must be able to verify the
+ source addresses of the packets coming from the interfaces connected
+ to the external part of the perimeter. In order to do so, the FCFS
+ SAVI device binds the source address to a binding anchor.
+
+ One possible approach would be for every FCFS SAVI device to store
+ binding information about every source address in the subnetwork. In
+ this case, every FCFS SAVI device would store a binding for each
+ source address of the local link. The problem with this approach is
+ that it imposes a significant memory burden on the FCFS SAVI devices.
+ In order to reduce the memory requirements imposed on each device,
+ the FCFS SAVI solution described in this specification distributes
+ the storage of FCFS SAVI binding information among the multiple FCFS
+ SAVI devices of a subnetwork. The FCFS SAVI binding state is
+ distributed across the FCFS SAVI devices according to the following
+ criterion: each FCFS SAVI device only stores binding information
+ about the source addresses bound to anchors corresponding to the
+ interfaces that connect to the part of the topology that is outside
+ of the FCFS SAVI protection perimeter. Since all the untrusted
+ packet sources are by definition in the external part of the
+ perimeter, packets generated by each of the untrusted sources will
+ reach the perimeter through an interface of an FCFS SAVI device. The
+ binding information for that particular source address will be stored
+ in the first FCFS SAVI device the packet reaches.
+
+ The result is that the FCFS SAVI binding information will be
+ distributed across multiple devices. In order to provide proper
+ source address validation, it is critical that the information
+ distributed among the different FCFS SAVI devices be coherent. In
+ particular, it is important to avoid having the same source address
+ bound to different binding anchors in different FCFS SAVI devices.
+ Should that occur, then it would mean that two hosts are allowed to
+ send packets with the same source address, which is what FCFS SAVI is
+ trying to prevent. In order to preserve the coherency of the FCFS
+ SAVI bindings distributed among the FCFS SAVI devices within a realm,
+ the Neighbor Discovery (ND) protocol [RFC4861] is used, in particular
+ the Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
+
+
+
+Nordmark, et al. Standards Track [Page 7]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ messages. Following is a simplified example of how this might work.
+ Before creating an FCFS SAVI binding in the local FCFS SAVI database,
+ the FCFS SAVI device will send an NS message querying for the address
+ involved. Should any host reply to that message with an NA message,
+ the FCFS SAVI device that sent the NS will infer that a binding for
+ that address exists in another FCFS SAVI device and will not create a
+ local binding for it. If no NA message is received as a reply to the
+ NS, then the local FCFS SAVI device will infer that no binding for
+ that address exists in other FCFS SAVI device and will create the
+ local FCFS SAVI binding for that address.
+
+ To summarize, the proposed FCFS SAVI approach relies on the following
+ design choices:
+
+ o An FCFS SAVI provides perimetrical security, so some interfaces of
+ an FCFS SAVI device will connect to the internal (trusted) part of
+ the topology, and other interfaces will connect to the external
+ (untrusted) part of the topology.
+
+ o An FCFS SAVI device only verifies packets coming through an
+ interface connected to the untrusted part of the topology.
+
+ o An FCFS SAVI device only stores binding information for the source
+ addresses that are bound to binding anchors that correspond to
+ interfaces that connect to the untrusted part of the topology.
+
+ o An FCFS SAVI uses NS and NA messages to preserve the coherency of
+ the FCFS SAVI binding state distributed among the FCFS SAVI
+ devices within a realm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 8]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ So, in a link that is constituted of multiple L2 devices, some of
+ which are FCFS SAVI capable and some of which are not, the FCFS-SAVI-
+ capable devices MUST be deployed forming a connected perimeter (i.e.,
+ no data packet can get inside the perimeter without passing through
+ an FCFS SAVI device). Packets that cross the perimeter will be
+ validated while packets that do not cross the perimeter are not
+ validated (hence, FCFS SAVI protection is not provided for these
+ packets). Consider the deployment of FCFS SAVI in the topology
+ depicted in the following figure:
+
+ +--------+
+ +--+ +--+ +--+ | +--+ |
+ |H1| |H2| |H3| | |R1| |
+ +--+ +--+ +--+ | +--+ |
+ | | | | | |
+ +-------------SAVI-PROTECTION-PERIMETER------+ | |
+ | | | | | |
+ | +-1-----2-+ +-1-----2-+ |
+ | | SAVI1 | | SAVI2 | |
+ | +-3--4----+ +--3------+ |
+ | | | +--------------+ | |
+ | | +----------| |--------+ |
+ | | | SWITCH-A | |
+ | | +----------| |--------+ |
+ | | | +--------------+ | |
+ | +-1--2----+ +--1------+ |
+ | | SAVI3 | | SAVI4 | |
+ | +-3-----4-+ +----4----+ |
+ | | | | |
+ | +------SAVI-PROTECTION-PERIMETER---------------+
+ | | | | |
+ | +--+| +--+ +---------+
+ | |R2|| |H4| |SWITCH-B |
+ | +--+| +--+ +---------+
+ +------+ | |
+ +--+ +--+
+ |H5| |H6|
+ +--+ +--+
+
+ Figure 1: SAVI Protection Perimeter
+
+ In Figure 1, the FCFS SAVI protection perimeter is provided by four
+ FCFS SAVI devices, namely SAVI1, SAVI2, SAVI3, and SAVI4. These
+ devices verify the source address and filter packets accordingly.
+
+ FCFS SAVI devices then have two types of ports: Trusted Ports and
+ Validating Ports.
+
+
+
+
+Nordmark, et al. Standards Track [Page 9]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ o Validating Ports (VPs) are those in which FCFS SAVI processing is
+ performed. When a packet is received through one of the
+ Validating Ports, FCFS SAVI processing and filtering will be
+ executed.
+
+ o Trusted Ports (TPs) are those in which FCFS SAVI processing is not
+ performed. So, packets received through Trusted Ports are not
+ validated, and no FCFS SAVI processing is performed on them.
+
+ Trusted Ports are used for connections with trusted infrastructure,
+ including the communication between FCFS SAVI devices, the
+ communication with routers, and the communication of other switches
+ that, while not FCFS SAVI devices, only connect to trusted
+ infrastructure (i.e., other FCFS SAVI devices, routers, or other
+ trusted nodes). So, in Figure 1, Port 3 of SAVI1 and Port 1 of SAVI3
+ are trusted because they connect two FCFS SAVI devices. Port 4 of
+ SAVI1, Port 3 of SAVI2, Port 2 of SAVI3, and Port 1 of SAVI4 are
+ trusted because they connect to SWITCH-A, to which only trusted nodes
+ are connected. In Figure 1, Port 2 of SAVI2 and Port 3 of SAVI3 are
+ Trusted Ports because they connect to routers.
+
+ Validating Ports are used for connection with non-trusted
+ infrastructure. In particular, hosts are normally connected to
+ Validating Ports. Non-SAVI switches that are outside of the FCFS
+ SAVI protection perimeter also are connected through Validating
+ Ports. In particular, non-SAVI devices that connect directly to
+ hosts or that have no SAVI-capable device between themselves and the
+ hosts are connected through a Validating Port. So, in Figure 1,
+ Ports 1 and 2 of SAVI1, Port 1 of SAVI2, and Port 4 of SAVI 3 are
+ Validating Ports because they connect to hosts. Port 4 of SAVI4 is
+ also a Validating Port because it is connected to SWITCH-B, which is
+ a non-SAVI-capable switch that is connected to hosts H5 and H6.
+
+2.6. Special Cases
+
+ Multi-subnet links: In some cases, a given subnet may have several
+ prefixes. This is directly supported by SAVI as any port can support
+ multiple prefixes. Forwarding of packets between different prefixes
+ involving a router is even supported, as long as the router is
+ connected to a Trusted Port, as recommended for all the routers.
+
+ Multihomed hosts: A multihomed host is a host with multiple
+ interfaces. The interaction between SAVI and multihomed hosts is as
+ follows. If the different interfaces of the host are assigned
+ different IP addresses and packets sent from each interface always
+ carry the address assigned to that interface as the source address,
+ then from the perspective of a SAVI device, this is equivalent to two
+ hosts with a single interface, each with an IP address. This is
+
+
+
+Nordmark, et al. Standards Track [Page 10]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ supported by SAVI without the need for additional considerations. If
+ the different interfaces share the same IP address or if the
+ interfaces have different addresses but the host sends packets using
+ the address of one of the interfaces through any of the interfaces,
+ then SAVI does not directly support it. It would require either
+ connecting at least one interface of the multihomed host to a Trusted
+ Port or manually configuring the SAVI bindings to allow binding the
+ address of the multihomed host to multiple anchors simultaneously.
+
+ Untrusted routers: One can envision scenarios where routers are
+ dynamically attached to an FCFS SAVI network. A typical example
+ would be a mobile phone connecting to an FCFS SAVI switch where the
+ mobile phone is acting as a router for other personal devices that
+ are accessing the network through it. In this case, the router does
+ not seem to directly fall in the category of trusted infrastructure
+ (if this was the case, it is likely that all devices would be
+ trusted); hence, it cannot be connected to a Trusted Port and if it
+ is connected to a Validating Port, the FCFS SAVI switch would discard
+ all the packets containing an off-link source address coming from
+ that device. As a result, the default recommendation specified in
+ this specification does not support such a scenario.
+
+3. FCFS SAVI Specification
+
+3.1. FCFS SAVI Data Structures
+
+ The FCFS SAVI function relies on state information binding the source
+ address used in data packets to the binding anchor that contained the
+ first packet that used that source IP address. Such information is
+ stored in an FCFS SAVI database (DB). The FCFS SAVI DB will contain
+ a set of entries about the currently used IP source addresses. Each
+ entry will contain the following information:
+
+ o IP source address
+
+ o Binding anchor: port through which the packet was received
+
+ o Lifetime
+
+ o Status: either TENTATIVE, VALID, TESTING_VP, or TESTING_TP-LT
+
+ o Creation time: the value of the local clock when the entry was
+ firstly created
+
+ In addition, FCFS SAVI needs to know what prefixes are directly
+ connected, so it maintains a data structure called the FCFS SAVI
+ Prefix List, which contains:
+
+
+
+
+Nordmark, et al. Standards Track [Page 11]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ o Prefix
+
+ o Interface where prefix is directly connected
+
+3.2. FCFS SAVI Algorithm
+
+3.2.1. Discovering On-Link Prefixes
+
+ In order to distinguish local traffic from transit traffic, the FCFS
+ SAVI device relies on the FCFS SAVI Prefix List, which contains the
+ set of on-link IPv6 prefixes. An FCFS SAVI device MUST support the
+ following two methods for populating the Prefix List: manual
+ configuration and Router Advertisement, as detailed next.
+
+ Manual configuration: An FCFS SAVI device MUST support manual
+ configuration of the on-link prefixes included in the Prefix List.
+ For example, this can be used when there are no prefixes being
+ advertised on the link.
+
+ Router Advertisement: An FCFS SAVI device MUST support discovery of
+ on-link prefixes through Router Advertisement messages in Trusted
+ Ports. For Trusted Ports, the FCFS SAVI device will learn the on-
+ link prefixes following the procedure defined for a host to process
+ the Prefix Information options described in Section 6.3.4 of
+ [RFC4861] with the difference that the prefixes will be configured in
+ the FCFS SAVI Prefix List rather than in the ND Prefix List. In
+ addition, when the FCFS SAVI device boots, it MUST send a Router
+ Solicitation message as described in Section 6.3.7 of [RFC4861],
+ using the unspecified source address.
+
+3.2.2. Processing of Transit Traffic
+
+ The FCFS SAVI function is located in a forwarding device, such as a
+ router or a Layer 2 switch. The following processing is performed
+ depending on the type of port through which the packet has been
+ received:
+
+ o If the data packet is received through a Trusted Port, the data
+ packet is forwarded, and no SAVI processing performed on the
+ packet.
+
+ o If the data packet is received through a Validating Port, then the
+ FCFS SAVI function checks whether the received data packet is
+ local traffic or transit traffic. It does so by verifying if the
+ source address of the packet belongs to one of the directly
+ connected prefixes available in the receiving interface. It does
+ so by searching the FCFS SAVI Prefix List.
+
+
+
+
+Nordmark, et al. Standards Track [Page 12]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ * If the IP source address does not belong to one of the on-link
+ prefixes of the receiving interface, the data packet is transit
+ traffic, and the packet SHOULD be discarded. (If for some
+ reason, discarding the packets is not acceptable, logging or
+ triggering of alarms MAY be used). The FCFS SAVI function MAY
+ send an ICMP Destination Unreachable Error back to the source
+ address of the data packet, and ICMPv6, code 5 (Source address
+ failed ingress/egress policy), should be used.
+
+ * If the source address of the packet does belong to one of the
+ prefixes available in the receiving port, then the FCFS SAVI
+ local traffic validation process is executed as described
+ below.
+
+ * If the source address of the packet is an unspecified address,
+ the packet is forwarded, and no SAVI processing is performed
+ except for the case of the Neighbor Solicitation messages
+ involved in the Duplicate Address Detection, which are treated
+ as described in Section 3.2.3.
+
+3.2.3. Processing of Local Traffic
+
+ We next describe how local traffic, including both control and data
+ packets, is processed by the FCFS SAVI device using a state machine
+ approach.
+
+ The state machine described is for the binding of a given source IP
+ address (called IPAddr) in a given FCFS SAVI device. This means that
+ all the packets described as inputs in the state machine above refer
+ to that given IP address. In the case of data packets, the source
+ address of the packet is IPAddr. In the case of the DAD_NS packets,
+ the Target Address is IPAddr. The key attribute is the IP address.
+ The full state information is as follows:
+
+ o IP ADDRESS: IPAddr
+
+ o BINDING ANCHOR: P
+
+ o LIFETIME: LT
+
+ The possible states are as follows:
+
+ o NO_BIND
+
+ o TENTATIVE
+
+ o VALID
+
+
+
+
+Nordmark, et al. Standards Track [Page 13]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ o TESTING_TP-LT
+
+ o TESTING_VP
+
+ We will use VP for Validating Port and TP for Trusted Port.
+
+ After bootstrapping (when no binding exists), the state for all
+ source IP addresses is NO-BIND, i.e., there is no binding for the IP
+ address to any binding anchor.
+
+ NO_BIND: The binding for a source IP address entry is in this state
+ when it does not have any binding to an anchor. All addresses are in
+ this state by default after bootstrapping, unless bindings were
+ created for them.
+
+ TENTATIVE: The binding for a source address for which a data packet
+ or an NS generated by the Duplicate Address Detection (DAD) procedure
+ has been received is in this state during the waiting period during
+ which the DAD procedure is being executed (either by the host itself
+ or the FCFS SAVI device on its behalf).
+
+ VALID: The binding for the source address is in this state after it
+ has been verified. It means that it is valid and usable for
+ filtering traffic.
+
+ TESTING_TP-LT: A binding for a source address enters this state due
+ to one of two reasons:
+
+ o When a Duplicate Address Detection Neighbor Solicitation has been
+ received through a Trusted Port. This implies that a host is
+ performing the DAD procedure for that source address in another
+ switch. This may be due to an attack or to the fact that the host
+ may have moved. The binding in this state is then being tested to
+ determine which is the situation.
+
+ o The lifetime of the binding entry is about to expire. This is due
+ to the fact that no packets have been seen by the FCFS SAVI device
+ for the LIFETIME period. This may be due to the host simply being
+ silent or because the host has left the location. In order to
+ determine which is the case, a test is performed to determine if
+ the binding information should be discarded.
+
+ TESTING_VP: A binding for a source address enters this state when a
+ Duplicate Address Detection Neighbor Solicitation or a data packet
+ has been received through a Validating Port other than the one
+ address to which it is currently bound. This implies that a host is
+ performing the DAD procedure for that source address through a
+ different port. This may be due to an attack, the fact that the host
+
+
+
+Nordmark, et al. Standards Track [Page 14]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ may have moved, or just because another host tries to configure an
+ address already used. The binding in this state is then being tested
+ to determine which is the situation.
+
+ Next, we describe how the different inputs are processed depending on
+ the state of the binding of the IP address (IPAddr).
+
+ A simplified figure of the state machine is included in Figure 2
+ below.
+
+ NO_BIND
+
+ o Upon the reception through a Validating Port (VP) of a Neighbor
+ Solicitation (NS) generated by the Duplicate Address Detection
+ (DAD) procedure (hereafter named DAD_NS) containing Target Address
+ IPAddr, the FCFS SAVI device MUST forward the NS, and T_WAIT
+ milliseconds later, it MUST send a copy of the same message.
+ These DAD_NS messages are not sent through any of the ports
+ configured as Validating Ports. The DAD_NS messages are sent
+ through the Trusted Ports (but, of course, subject to usual switch
+ behavior and possible Multicast Listener Discovery (MLD) snooping
+ optimizations). The state is moved to TENTATIVE. The LIFETIME is
+ set to TENT_LT (i.e., LT:=TENT_LT), the BINDING ANCHOR is set to
+ VP (i.e., P:=VP), and the Creation time is set to the current
+ value of the local clock.
+
+ o Upon the reception through a Validating Port (VP) of a DATA packet
+ containing IPAddr as the source address, the SAVI device SHOULD
+ execute the process of sending Neighbor Solicitation messages of
+ the Duplicate Address Detection process as described in Section
+ 5.4.2 of [RFC4862] for the IPAddr using the following default
+ parameters: DupAddrDetectTransmits set to 2 (i.e., 2 Neighbor
+ Solicitation messages for that address will be sent by the SAVI
+ device) and RetransTimer set to T_WAIT milliseconds (i.e., the
+ time between two Neighbor Solicitation messages is T_WAIT
+ milliseconds). The implications of not following the recommended
+ behavior are described in Appendix A. The DAD_NS messages are not
+ sent through any of the ports configured as Validating Ports. The
+ DAD_NSOL messages are sent through Trusted Ports (but, of course,
+ subject to usual switch behavior and possible MLD snooping
+ optimizations). The SAVI device MAY discard the data packets
+ while the DAD procedure is being executed, or it MAY store them
+ until the binding is created. In any case, it MUST NOT forward
+ the data packets until the binding has been verified. The state
+ is moved to TENTATIVE. The LIFETIME is set to TENT_LT (i.e., LT:
+ =TENT_LT), the BINDING ANCHOR is set to VP (i.e., P:=VP), and the
+ Creation time is set to the current value of the local clock.
+
+
+
+
+Nordmark, et al. Standards Track [Page 15]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ o Data packets containing IPAddr as the source address received
+ through Trusted Ports are processed and forwarded as usual (i.e.,
+ no special SAVI processing).
+
+ o DAD_NS packets containing IPAddr as the Target Address that are
+ received through a Trusted Port MUST NOT be forwarded through any
+ of the Validating Ports, but they are sent through the Trusted
+ Ports (but, of course, subject to usual switch behavior and
+ possible MLD snooping optimizations).
+
+ o Neighbor Advertisement packets sent to all nodes as a reply to the
+ DAD_NS (hereafter called DAD_NA) containing IPAddr as the Target
+ Address coming through a Validating Port are discarded.
+
+ o Other signaling packets are processed and forwarded as usual
+ (i.e., no SAVI processing).
+
+ TENTATIVE
+
+ o If the LIFETIME times out, the state is moved to VALID. The
+ LIFETIME is set to DEFAULT_LT (i.e., LT:= DEFAULT_LT). Stored
+ data packets (if any) are forwarded.
+
+ o If a Neighbor Advertisement (NA) is received through a Trusted
+ Port with the Target Address set to IPAddr, then the message is
+ forwarded through port P, the state is set to NO_BIND, and the
+ BINDING ANCHOR and the LIFETIME are cleared. Data packets stored
+ corresponding to this binding are discarded.
+
+ o If an NA is received through a Validating Port with the Target
+ Address set to IPAddr, the NA packet is discarded
+
+ o If a data packet with source address IPAddr is received with
+ binding anchor equal to P, then the packet is either stored or
+ discarded.
+
+ o If a data packet with source address IPAddr is received through a
+ Trusted Port, the data packet is forwarded. The state is
+ unchanged.
+
+ o If a data packet with source address IPAddr is received through a
+ Validating Port other than P, the data packet is discarded.
+
+ o If a DAD_NS is received from a Trusted Port, with the Target
+ Address set to IPAddr, then the message is forwarded to the
+ Validating Port P, the state is set to NO_BIND, and the BINDING
+ ANCHOR and LIFETIME are cleared. Data packets stored
+ corresponding to this binding are discarded.
+
+
+
+Nordmark, et al. Standards Track [Page 16]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ o If a DAD_NS with the Target Address set to IPAddr is received from
+ a Validating Port P' other than P, the message is forwarded to the
+ Validating Port P and to the Trusted Ports, and the state remains
+ in TENTATIVE; however, the BINDING ANCHOR is changed from P to P',
+ and LIFETIME is set to TENT_LT. Data packets stored corresponding
+ to the binding with P are discarded.
+
+ o Other signaling packets are processed and forwarded as usual
+ (i.e., no SAVI processing).
+
+ VALID
+
+ o If a data packet containing IPAddr as the source address arrives
+ from Validating Port P, then the LIFETIME is set to DEFAULT_LT and
+ the packet is forwarded as usual.
+
+ o If a DAD_NS is received from a Trusted Port, then the DAD_NS
+ message is forwarded to port P and is also forwarded to the
+ Trusted Ports (but, of course, subject to usual switch behavior
+ and possible MLD snooping optimizations). The state is changed to
+ TESTING_TP-LT. The LIFETIME is set to TENT_LT.
+
+ o If a data packet containing source address IPAddr or a DAD_NA
+ packet with the Target Address set to IPAddr is received through a
+ Validating Port P' other than P, then the SAVI device will execute
+ the process of sending DAD_NS messages as described in Section
+ 5.4.2 of [RFC4862] for the IPAddr using the following default
+ parameters: DupAddrDetectTransmits set to 2 (i.e., two NS messages
+ for that address will be sent by the SAVI device) and RetransTimer
+ set to T_WAIT milliseconds (i.e., the time between two NS messages
+ is T_WAIT milliseconds). The DAD_NS message will be forwarded to
+ the port P. The state is moved to TESTING_VP. The LIFETIME is
+ set to TENT_LT. The SAVI device MAY discard the data packet while
+ the DAD procedure is being executed, or it MAY store them until
+ the binding is created. In any case, it MUST NOT forward the data
+ packets until the binding has been verified.
+
+ o If a DAD_NS packet with the Target Address set to IPAddr is
+ received through a Validating Port P' other than P, then the SAVI
+ device will forward the DAD_NS packet, and T_WAIT milliseconds
+ later, it will execute the process of sending DAD_NS messages as
+ described in Section 5.4.2 of [RFC4862] for the IPAddr using the
+ following default parameters: DupAddrDetectTransmits set to 1 and
+ RetransTimer set to T_WAIT milliseconds. The DAD_NS messages will
+ be forwarded to the port P. The state is moved to TESTING_VP.
+ The LIFETIME is set to TENT_LT. The SAVI device MAY discard the
+ data packets while the DAD procedure is being executed, or it MAY
+
+
+
+
+Nordmark, et al. Standards Track [Page 17]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ store them until the binding is created. In any case, it MUST NOT
+ forward the data packets until the binding has been verified.
+
+ o If the LIFETIME expires, then the SAVI device will execute the
+ process of sending DAD_NS messages as described in Section 5.4.2
+ of [RFC4862] for the IPAddr using the following default
+ parameters: DupAddrDetectTransmits set to 2 (i.e., two NS messages
+ for that address will be sent by the SAVI device) and RetransTimer
+ set to T_WAIT milliseconds (i.e., the time between two NS messages
+ is T_WAIT milliseconds). The DAD_NS messages will be forwarded to
+ the port P. The state is changed to TESTING_TP-LT, and the
+ LIFETIME is set to TENT_LT.
+
+ o If a data packet containing IPAddr as a source address arrives
+ from Trusted Port, the packet MAY be discarded. The event MAY be
+ logged.
+
+ o Other signaling packets are processed and forwarded as usual
+ (i.e., no SAVI processing). In particular, a DAD_NA coming from
+ port P and containing IPAddr as the Target Address is forwarded as
+ usual.
+
+ TESTING_TP-LT
+
+ o If the LIFETIME expires, the BINDING ANCHOR is cleared, and the
+ state is changed to NO_BIND.
+
+ o If an NA message containing the IPAddr as the Target Address is
+ received through the Validating Port P as a reply to the DAD_NS
+ message, then the NA is forwarded as usual, and the state is
+ changed to VALID. The LIFETIME is set to DEFAULT_LT
+
+ o If a data packet containing IPAddr as the source address is
+ received through port P, then the packet is forwarded and the
+ state is changed to VALID. The LIFETIME is set to DEFAULT_LT.
+
+ o If a DAD_NS is received from a Trusted Port, the DAD_NS is
+ forwarded as usual.
+
+ o If a DAD_NS is received from a Validating Port P' other than P,
+ the DAD_NS is forwarded as usual, and the state is moved to
+ TESTING_VP.
+
+ o If a data packet is received through a Validating Port P' that is
+ other than port P, then the packet is discarded.
+
+ o If a data packet is received through a Trusted Port, then the
+ packet MAY be discarded. The event MAY be logged.
+
+
+
+Nordmark, et al. Standards Track [Page 18]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ TESTING_VP
+
+ o If the LIFETIME expires, the BINDING ANCHOR is modified from P to
+ P', the LIFETIME is set to DEFAULT_LT, and the state is changed to
+ VALID. Stored data packet coming from P' are forwarded.
+
+ o If an NA message containing the IPAddr as the Target Address is
+ received through the Validating Port P as a reply to the DAD_NS
+ message, then the NA is forwarded as usual and the state is
+ changed to VALID. The LIFETIME is set to DEFAULT_LT.
+
+ o If a data packet containing IPAddr as the source address is
+ received through port P, then the packet is forwarded.
+
+ o If a data packet containing IPAddr as the source address is
+ received through a Validating Port P'' that is other than port P
+ or P', then the packet is discarded.
+
+ o If a data packet containing IPAddr as the source address is
+ received through a Trusted Port (i.e., other than port P), the
+ state is moved to TESTING_TP-LT, and the packet MAY be discarded.
+
+ o If a DAD_NS is received through a Trusted Port, the packet is
+ forwarded as usual, and the state is moved to TESTING_TP-LT.
+
+ o If a DAD_NS is received through Validating Port P'' other than P
+ or P', the packet is forwarded as usual, and P'' is stored as the
+ tentative port, i.e., P':=P''. The state remains the same.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 19]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ +---------+ VP_NS, VP_DATA/2xNS +-----------+
+ | |---------------------------------------->| |
+ | NO_BIND | | TENTATIVE |
+ | |<----------------------------------------| |
+ +---------+ TP_NA, TP_NS/- +-----------+
+ ^ |
+ | | TimeOut
+ Timeout| |
+ | v
+ +---------+ VP_NA/- +-----------+
+ | |---------------------------------------->| |
+ | TESTING | TP_NS/- | |
+ | TP-LT |<----------------------------------------| VALID |
+ | | TimeOut/2xNS | |
+ | |<----------------------------------------| |
+ +---------+ +-----------+
+ ^ | ^ |
+ | | | |
+ | +--------------------- ---------------------+ |
+ | VP_NS/- | | NP_NA, TimeOut/- |
+ | v | |
+ | +-----------+ |
+ | | | |
+ +---------------------| TESTING |<----------------------+
+ VP_NS, VP_DATA/- | VP | VP_DATA, VP_NS,
+ +-----------+ VP_NA/2xNS
+
+ Figure 2: Simplified State Machine
+
+ MLD Considerations
+
+ The FCFS SAVI device MUST join the solicited node multicast group for
+ all the addresses with a state other than NO_BIND. This is needed to
+ make sure that the FCFS SAVI device will receive the DAD_NS for those
+ addresses. Please note that it may not be enough to rely on the host
+ behind the Validating Port to do so, since the node may move, and
+ after a while, the packets for that particular solicited node
+ multicast group will no longer be forwarded to the FCFS SAVI device.
+ Therefore, the FCFS SAVI device MUST join the solicited node
+ multicast groups for all the addresses that are in a state other than
+ NO_BIND.
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 20]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+3.2.4. FCFS SAVI Port Configuration Guidelines
+
+ The guidelines for port configuration in FCFS SAVI devices are as
+ follows:
+
+ o The FCFS SAVI realm (i.e., the realm that is inside the FCFS SAVI
+ protection perimeter) MUST be connected. If this is not the case,
+ legitimate transit traffic may be dropped.
+
+ o Ports that are connected to another FCFS SAVI device MUST be
+ configured as Trusted Ports. Not doing so will significantly
+ increase the memory consumption in the FCFS SAVI devices and may
+ result in legitimate transit traffic being dropped.
+
+ o Ports connected to hosts SHOULD be configured as Validating Ports.
+ Not doing so will allow the host connected to that port to send
+ packets with spoofed source addresses. A valid exception is the
+ case of a trusted host (e.g., a server) that could be connected to
+ a Trusted Port, but untrusted hosts MUST be connected to
+ Validating Ports.
+
+ o Ports connected to routers MUST be configured as Trusted Ports.
+ Configuring them as Validating Ports should result in transit
+ traffic being dropped.
+
+ o Ports connected to a chain of one or more legacy switches that
+ have hosts connected SHOULD be configured as Validating Ports.
+ Not doing so will allow the host connected to any of these
+ switches to send packets with spoofed source addresses. A valid
+ exception is the case where the legacy switch only has trusted
+ hosts attached, in which case it could be connected to a Trusted
+ Port, but if there is at least one untrusted hosts connected to
+ the legacy switch, then it MUST be connected to Validating Ports.
+
+ o Ports connected to a chain of one or more legacy switches that
+ have other FCFS SAVI devices and/or routers connected but had no
+ hosts attached to them MUST be configured as Trusted Ports. Not
+ doing so will at least significantly increase the memory
+ consumption in the FCFS SAVI devices, increase the signaling
+ traffic due to FCFS SAVI validation, and may result in legitimate
+ transit traffic being dropped.
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 21]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+3.2.5. VLAN Support
+
+ If the FCFS SAVI device is a switch that supports customer VLANs
+ [IEEE.802-1Q.2005], the FCFS SAVI implementation MUST behave as if
+ there was one FCFS SAVI process per customer VLAN. The FCFS SAVI
+ process of each customer VLAN will store the binding information
+ corresponding to the nodes attached to that particular customer VLAN.
+
+3.3. Default Protocol Values
+
+ Following are the default values used in the FCFS SAVI specification.
+
+ TENT_LT is 500 milliseconds
+
+ DEFAULT_LT is 5 minutes
+
+ T_WAIT is 250 milliseconds
+
+ An implementation MAY allow these values to be modified, but tuning
+ them precisely is considered out of the scope of this document.
+
+4. Security Considerations
+
+4.1. Denial-of-Service Attacks
+
+ There are two types of Denial-of-Service (DoS) attacks [RFC4732] that
+ can be envisaged in an FCFS SAVI environment. On one hand, we can
+ envision attacks against the FCFS SAVI device resources. On the
+ other hand, we can envision DoS attacks against the hosts connected
+ to the network where FCFS SAVI is running.
+
+ The attacks against the FCFS SAVI device basically consist of making
+ the FCFS SAVI device consume its resources until it runs out of them.
+ For instance, a possible attack would be to send packets with
+ different source addresses, making the FCFS SAVI device create state
+ for each of the addresses and waste memory. At some point, the FCFS
+ SAVI device runs out of memory and needs to decide how to react. The
+ result is that some form of garbage collection is needed to prune the
+ entries. When the FCFS SAVI device runs out of the memory allocated
+ for the FCFS SAVI DB, it is RECOMMENDED that it create new entries by
+ deleting the entries with a higher Creation time. This implies that
+ older entries are preserved and newer entries overwrite each other.
+ In an attack scenario where the attacker sends a batch of data
+ packets with different source addresses, each new source address is
+ likely to rewrite another source address created by the attack
+ itself. It should be noted that entries are also garbage collected
+ using the LIFETIME, which is updated using data packets. The result
+ is that in order for an attacker to actually fill the FCFS SAVI DB
+
+
+
+Nordmark, et al. Standards Track [Page 22]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ with false source addresses, it needs to continuously send data
+ packets for all the different source addresses so that the entries
+ grow old and compete with the legitimate entries. The result is that
+ the cost of the attack is highly increased for the attacker.
+
+ In addition, it is RECOMMENDED that an FCFS SAVI device reserves a
+ minimum amount of memory for each available port (in the case where
+ the port is used as part of the L2 anchor). The recommended minimum
+ is the memory needed to store four bindings associated with the port.
+ The motivation for this recommendation is as follows. An attacker
+ attached to a given port of an FCFS SAVI device may attempt to launch
+ a DoS attack towards the FCFS SAVI device by creating many bindings
+ for different addresses. It can do so by sending DAD_NS for
+ different addresses. The result is that the attack will consume all
+ the memory available in the FCFS SAVI device. The above
+ recommendation aims to reserve a minimum amount of memory per port,
+ so that hosts located in different ports can make use of the reserved
+ memory for their port even if a DoS attack is occurring in a
+ different port.
+
+ As the FCFS SAVI device may store data packets while the address is
+ being verified, the memory for data packet storage may also be a
+ target of DoS attacks. The effects of such attacks may be limited to
+ the lack of capacity to store new data packets. The effect of such
+ attacks will be that data packets will be dropped during the
+ verification period. An FCFS SAVI device MUST limit the amount of
+ memory used to store data packets, allowing the other functions to
+ have available memory even in the case of attacks such those
+ described above.
+
+ The FCFS SAVI device generates two DAD_NS packets upon the reception
+ of a DAD_NS or a data packet. As such, the FCFS SAVI device can be
+ used as an amplifier by attackers. In order to limit this type of
+ attack, the FCFS SAVI device MUST perform rate limiting of the
+ messages it generates. Rate limiting is performed on a per-port
+ basis, since having an attack on a given port should not prevent the
+ FCFS SAVI device from functioning normally in the rest of the ports.
+
+4.2. Residual Threats
+
+ FCFS SAVI performs its function by binding an IP source address to a
+ binding anchor. If the attacker manages to send packets using the
+ binding anchor associated to a given IP address, FCFS SAVI validation
+ will be successful, and the FCFS SAVI device will allow the packet
+ through. This can be achieved by spoofing the binding anchor or by
+ sharing of the binding anchor between the legitimate owner of the
+ address and the attacker. An example of the latter is the case where
+ the binding anchor is a port of a switched network and a legacy
+
+
+
+Nordmark, et al. Standards Track [Page 23]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ switch (i.e., not a SAVI-capable switch) is connected to that port.
+ All the source addresses of the hosts connected to the legacy switch
+ will share the same binding anchor (i.e., the switch port). This
+ means that hosts connected to the legacy switch can spoof each
+ other's IP address and will not be detected by the FCFS SAVI device.
+ This can be prevented by not sharing binding anchors among hosts.
+
+ FCFS SAVI assumes that a host will be able to defend its address when
+ the DAD procedure is executed for its addresses. This is needed,
+ among other things, to support mobility within a link (i.e., to allow
+ a host to detach and reconnect to a different Layer 2 anchor of the
+ same IP subnetwork without changing its IP address). So, when a
+ DAD_NS is issued for a given IP address for which a binding exists in
+ an FCFS SAVI device, the FCFS SAVI device expects to see a DAD_NA
+ coming from the binding anchor associated to that IP address in order
+ to preserve the binding. If the FCFS SAVI device does not see the
+ DAD_NA, it may grant the binding to a different binding anchor. This
+ means that if an attacker manages to prevent a host from defending
+ its source address, it will be able to destroy the existing binding
+ and create a new one, with a different binding anchor. An attacker
+ may do so, for example, by intercepting the DAD_NA or launching a DoS
+ attack to the host that will prevent it from issuing proper DAD
+ replies.
+
+ Even if routers are considered trusted, nothing can prevent a router
+ from being compromised and sending traffic with spoofed IP source
+ addresses. Such traffic would be allowed with the present FCFS SAVI
+ specification. A way to mitigate this issue could be to specify a
+ new port type (e.g., Router Port (RP)) that would act as Trusted Port
+ for the transit traffic and as Validating Port for the local traffic.
+ A detailed solution about this issue is outside the scope of this
+ document.
+
+4.3. Privacy Considerations
+
+ Personally identifying information MUST NOT be included in the FCFS
+ SAVI DB with the MAC address as the canonical example, except when
+ there is an attack attempt involved. Moreover, compliant
+ implementations MUST NOT log binding anchor information except where
+ there is an identified reason why that information is likely to be
+ involved in detection, prevention, or tracing of actual source
+ address spoofing. Information that is not logged MUST be deleted as
+ soon as possible (i.e., as soon as the state for a given address is
+ back to NO_BIND). Information about the majority of hosts that never
+ spoof SHOULD NOT be logged.
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 24]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+4.4. Interaction with Secure Neighbor Discovery
+
+ Even if the FCFS SAVI could get information from ND messages secured
+ with Secure Neighbor Discovery (SEND) [RFC3971], in some case, the
+ FCFS SAVI device must spoof DAD_NS messages but doesn't know the
+ security credentials associated with the IPAddr (i.e., the private
+ key used to sign the DAD_NS messages). So, when SEND is deployed, it
+ is recommended to use SEND SAVI [SAVI-SEND] rather than FCFS SAVI.
+
+5. Contributors
+
+ Jun Bi
+ CERNET
+ Network Research Center, Tsinghua University
+ Beijing 100084
+ China
+ EMail: junbi@cernet.edu.cn
+
+ Guang Yao
+ CERNET
+ Network Research Center, Tsinghua University
+ Beijing 100084
+ China
+ EMail: yaog@netarchlab.tsinghua.edu.cn
+
+ Fred Baker
+ Cisco Systems
+ EMail: fred@cisco.com
+
+ Alberto Garcia Martinez
+ University Carlos III of Madrid
+ EMail: alberto@it.uc3m.es
+
+6. Acknowledgments
+
+ This document benefited from the input of the following individuals:
+ Joel Halpern, Christian Vogt, Dong Zhang, Frank Xia, Jean-Michel
+ Combes, Jari Arkko, Stephen Farrel, Dan Romascanu, Russ Housley, Pete
+ Resnick, Ralph Droms, Wesley Eddy, Dave Harrington, and Lin Tao.
+
+ Marcelo Bagnulo is partly funded by Trilogy, a research project
+ supported by the European Commission under its Seventh Framework
+ Program.
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 25]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+7. References
+
+7.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
+ Defeating Denial of Service Attacks which employ IP
+ Source Address Spoofing", BCP 38, RFC 2827, May 2000.
+
+ [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
+ "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
+ September 2007.
+
+ [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
+ Address Autoconfiguration", RFC 4862, September 2007.
+
+7.2. Informative References
+
+ [SAVI-FRAMEWORK]
+ Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt,
+ "Source Address Validation Improvement Framework", Work
+ in Progress, December 2011.
+
+ [SAVI-DHCP] Bi, J., Wu, J., Yao, G., and F. Baker, "SAVI Solution for
+ DHCP", Work in Progress, February 2012.
+
+ [SAVI-SEND] Bagnulo, M. and A. Garcia-Martinez, "SEND-based Source-
+ Address Validation Implementation", Work in Progress,
+ March 2012.
+
+ [RFC1958] Carpenter, B., "Architectural Principles of the
+ Internet", RFC 1958, June 1996.
+
+ [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
+ Neighbor Discovery (SEND)", RFC 3971, March 2005.
+
+ [RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
+ Service Considerations", RFC 4732, December 2006.
+
+ [IEEE.802-1D.1998]
+ Institute of Electrical and Electronics Engineers, "IEEE
+ Standard for Local and Metropolitan Area Networks Media
+ Access Control (MAC) Bridges", IEEE Standard 802.1D,
+ 1998.
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 26]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ [IEEE.802-1D.2004]
+ Institute of Electrical and Electronics Engineers, "IEEE
+ Standard for Local and Metropolitan Area Networks Media
+ Access Control (MAC) Bridges", IEEE Standard 802.1D,
+ 2004.
+
+ [IEEE.802-1Q.2005]
+ Institute of Electrical and Electronics Engineers, "IEEE
+ Standard for Local and metropolitan area networks -
+ Virtual Bridged Local Area Networks", IEEE Standard
+ 802.1Q, May 2005.
+
+ [IEEE.802-1X.2004]
+ Institute of Electrical and Electronics Engineers, "IEEE
+ Standard for Local and metropolitan area networks - Port-
+ Based Network Access Control", IEEE Standard 802.1X,
+ 2004.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 27]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+Appendix A. Implications of Not Following the Recommended Behavior
+
+ This section qualifies some of the SHOULDs that are included in this
+ specification by explaining the implications of not following the
+ recommended behavior. We start by describing the implication of not
+ following the recommendation of generating DAD_NS upon the reception
+ of a data packet for which there is no binding, and then we describe
+ the implications of not discarding the non-compliant packets.
+
+A.1. Implications of Not Generating DAD_NS Packets upon the Reception
+ of Non-Compliant Data Packets
+
+ This specification recommends that SAVI implementations generate a
+ DAD_NS message upon the reception of a data packet for which they
+ have no binding. In this section, we describe the implications of
+ not doing so and simply discarding the data packet instead.
+
+ The main argument against discarding the data packet is the overall
+ robustness of the resulting network. The main concern that has been
+ stated is that a network running SAVI that discards data packets in
+ this case may end up disconnecting legitimate users from the network,
+ by filtering packets coming from them. The net result would be a
+ degraded robustness of the network as a whole, since legitimate users
+ would perceive this as a network failure. There are three different
+ causes that resulted in the lack of state in the binding device for a
+ legitimate address, namely, packet loss, state loss, and topology
+ change. We will next perform an analysis for each of them.
+
+A.1.1. Lack of Binding State due to Packet Loss
+
+ The DAD procedure is inherently unreliable. It consists of sending
+ an NS packet, and if no NA packet is received back, success is
+ assumed, and the host starts using the address. In general, the lack
+ of response is because no other host has that particular address
+ configured in its interface, but it may also be the case that the NS
+ packet or the NA packet has been lost. From the perspective of the
+ sending host, there is no difference, and the host assumes that it
+ can use the address. In other words, the default action is to allow
+ the host to obtain network connectivity.
+
+ It should be noted that the loss of a DAD packet has little impact on
+ the network performance, since address collision is very rare, and
+ the host assumes success in that case. By designing a SAVI solution
+ that would discard packets for which there is no binding, we are
+ diametrically changing the default behavior in this respect, since
+ the default would be that if the DAD packets are lost, then the node
+ is disconnected from the network (as its packets are filtered). What
+ is worse, the node has little clue of what is going wrong, since it
+
+
+
+Nordmark, et al. Standards Track [Page 28]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ has successfully configured an address, but it has no connectivity.
+ The net result is that the overall reliability of the network has
+ significantly decreased as the loss of a single packet would imply
+ that a host is disconnected from the network.
+
+ The only mechanism that the DAD has to improve its reliability is
+ sending multiple NSs. However, [RFC4862] defines a default value of
+ 1 NS message for the DAD procedure, so requiring any higher value
+ would imply manual configuration of all the hosts connected to the
+ SAVI domain.
+
+A.1.1.1. Why Initial Packets May Be (Frequently) Lost
+
+ The Case of LANs
+
+ Devices connecting to a network may experience periods of packet loss
+ after the link-layer becomes available for two reasons: Invalid
+ Authentication state and incomplete topology assessment. In both
+ cases, physical-layer connection occurs initially and presents a
+ medium where packets are transmissible, but frame forwarding is not
+ available across the LAN.
+
+ For the authentication system, devices on a controlled port are
+ forced to complete 802.1X authentication, which may take multiple
+ round trips and many milliseconds to complete (see
+ [IEEE.802-1X.2004]). In this time, initial DHCP, IPv6 Neighbor
+ Discovery, Multicast Listener, or Duplicate Address Detection
+ messages may be transmitted. However, it has also been noted that
+ some devices have the ability for the IP stack to not see the port as
+ up until 802.1X has completed. Hence, that issue needs investigation
+ to determine how common it is now.
+
+ Additionally, any system that requires user input at this stage can
+ extend the authentication time and thus the outage. This is
+ problematic where hosts relying upon DHCP for address configuration
+ time out.
+
+ Upon completion of authentication, it is feasible to signal upper-
+ layer protocols as to LAN forwarding availability. This is not
+ typical today, so it is necessary to assume that protocols are not
+ aware of the preceding loss period.
+
+ For environments that do not require authentication, addition of a
+ new link can cause loops where LAN frames are forwarded continually.
+ In order to prevent loops, all LANs today run a spanning tree
+ protocol, which selectively disables redundant ports. Devices that
+ perform spanning tree calculations are either traditional Spanning
+ Tree Protocol (STP) (see [IEEE.802-1D.1998]) or rapidly converging
+
+
+
+Nordmark, et al. Standards Track [Page 29]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ versions of the same (Rapid Spanning Tree Protocol (RSTP) / Multiple
+ Spanning Tree Protocol (RSTP)) (see [IEEE.802-1D.2004] and
+ [IEEE.802-1Q.2005]).
+
+ Until a port is determined to be an edge port (RSTP/MSTP), the rapid
+ protocol speaker has identified its position within the spanning tree
+ (RSTP/MSTP) or completed a Listening phase (STP), its packets are
+ discarded.
+
+ For ports that are not connected to rapid protocol switches, it takes
+ a minimum of three seconds to perform edge port determination (see
+ [IEEE.802-1D.2004]). Alternatively, completion of the Listening
+ phase takes 15 seconds (see [IEEE.802-1D.1998]). During this period,
+ the link-layer appears available, but initial packet transmissions
+ into and out of this port will fail.
+
+ It is possible to pre-assess ports as edge ports using manual
+ configuration of all the involved devices and thus make them
+ immediately transmissible. This is never default behavior though.
+
+ The Case of Fixed Access Networks
+
+ In fixed access networks such as DSL and cable, the end hosts are
+ usually connected to the access network through a residential gateway
+ (RG). If the host interface is initialized prior to the RG getting
+ authenticated and connected to the access network, the access network
+ is not aware of the DAD packets that the host sent out. As an
+ example, in DSL networks, the Access Node (Digital Subscriber Link
+ Access Multiplexer (DSLAM)) that needs to create and maintain binding
+ state will never see the DAD message that is required to create such
+ a state.
+
+A.1.1.1.1. Special Sub-Case: SAVI Device Rate-Limiting Packets
+
+ A particular sub-case is the one where the SAVI device itself "drops"
+ ND packets. In order to protect itself against DoS attacks and
+ flash-crowds, the SAVI device will have to rate limit the processing
+ of packets triggering the state-creation process (which requires
+ processing from the SAVI device). This implies that the SAVI device
+ may not process all the ND packets if it is under heavy conditions.
+ The result is that the SAVI device will fail to create a binding for
+ a given DAD_NS packet, which implies that the data packets coming
+ from the host that sent the DAD_NS packet will be filtered if this
+ approach is adopted. The problem is that the host will assume that
+ the DAD procedure was successful and will not perform the DAD
+ procedure again, which in turn will imply that the host will be
+ disconnected from the network. While it is true that the SAVI device
+ will also have to rate limit the processing of the data packets, the
+
+
+
+Nordmark, et al. Standards Track [Page 30]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ host will keep on sending data packets, so it is possible to recover
+ from the alternative approach where data packets trigger the binding-
+ creation procedure.
+
+A.1.2. Lack of Binding State due to a Change in the Topology
+
+ If SAVI is deployed in a switched Ethernet network, topology changes
+ may result in a SAVI device receiving packets from a legitimate user
+ for which the SAVI device does not have a binding. Consider the
+ following example:
+
+ +------+ +--------+ +---------------+
+ |SAVI I|-------------|SWITCH I|-------|rest of the net|
+ +------+ +--------+ +---------------+
+ | |
+ | +--------+
+ | | SAVI II|
+ | +--------+
+ | +----------+ |
+ +---|SWITCH II |-----+
+ +----------+
+ |
+ +-----+
+ | Host|
+ +-----+
+
+ Figure 3: Topology Example
+
+ Suppose that after bootstrapping, all the elements are working
+ properly and the spanning tree is rooted in the router and includes
+ one branch that follows the path SWITCH I - SAVI I - SWITCH II, and
+ another branch that follows SWITCH I-SAVI II.
+
+ Suppose that the host boots at this moment and sends the DAD_NS. The
+ message is propagated through the spanning tree and is received by
+ SAVI I but not by SAVI II. SAVI I creates the binding.
+
+ Suppose that SAVI I fails and the spanning tree reconverges to SWITCH
+ I - SAVI II - SWITCH II. Now, data packets coming from the host will
+ be coursed through SAVI II, which does not have binding state and
+ will drop the packets.
+
+A.1.3. Lack of Binding State due to State Loss
+
+ The other reason a SAVI device may not have state for a legitimate
+ address is simply because it lost it. State can be lost due to a
+ reboot of the SAVI device or other reasons such as memory corruption.
+ So, the situation would be as follows. The host performs the DAD
+
+
+
+Nordmark, et al. Standards Track [Page 31]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ procedure, and the SAVI device creates a binding for the host's
+ address. The host successfully communicates for a while. The SAVI
+ device reboots and loses the binding state. The packets coming from
+ the host are now discarded as there is no binding state for that
+ address. It should be noted that in this case, the host has been
+ able to use the address successfully for a certain period of time.
+
+ Architecturally, the degradation of the network robustness in this
+ case can be easily explained by observing that this approach to SAVI
+ implementation breaks the fate-sharing principle. [RFC1958] reads:
+
+ An end-to-end protocol design should not rely on the maintenance
+ of state (i.e. information about the state of the end-to-end
+ communication) inside the network. Such state should be
+ maintained only in the endpoints, in such a way that the state can
+ only be destroyed when the endpoint itself breaks (known as fate-
+ sharing).
+
+ By binding the fate of the host's connectivity to the state in the
+ SAVI device, we are breaking this principle, and the result is
+ degraded network resilience.
+
+ Moving on to more practical matters, we can dig deeper into the
+ actual behavior by considering two scenarios, namely, the case where
+ the host is directly connected to the SAVI device and the case where
+ there is an intermediate device between the two.
+
+A.1.3.1. The Case of a Host Directly Connected to the SAVI Device
+
+ The considered scenario is depicted in the following diagram:
+
+ +------+ +-----------+ +---------------+
+ | Host |-------------|SAVI device|-------|rest of the net|
+ +------+ +-----------+ +---------------+
+
+ Figure 4: Host Attached Directly to SAVI Device
+
+ The key distinguishing element of this scenario is that the host is
+ directly connected to the SAVI device. As a result, if the SAVI
+ device reboots, the host will see the carrier disappear and appear
+ again.
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 32]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ [RFC4862] requires that the DAD procedure is performed when the IP
+ address is assigned to the interface (see [RFC4862], Section 5.4):
+
+ Duplicate Address Detection:
+
+ Duplicate Address Detection MUST be performed on all unicast
+ addresses prior to assigning them to an interface, regardless of
+ whether they are obtained through stateless autoconfiguration,
+ DHCPv6, or manual configuration, with the following exceptions:
+ ...
+
+ However, it has been stated that some of the widely used OSs actually
+ do perform DAD each time the link is up, but further data would be
+ required for this to be taken for granted. Assuming that behavior,
+ this implies that if the loss of state in the SAVI device also
+ results in the link to the host going down, then the host using the
+ tested OSs would redo the DAD procedure allowing the recreation of
+ the binding state in the SAVI device and preserving the connectivity
+ of the host. This would be the case if the SAVI device reboots. It
+ should be noted, however, that it is also possible that the binding
+ state is lost because of an error in the SAVI process and that the
+ SAVI link does not goes down. In this case, the host would not redo
+ the DAD procedure. However, it has been pointed out that it would be
+ possible to require the SAVI process to flap the links of the device
+ it is running, in order to make sure that the link goes down each
+ time the SAVI process restarts and to improve the chances the host
+ will redo the DAD procedure when the SAVI process is rebooted.
+
+A.1.3.2. The Case of a Host Connected to the SAVI Device through One or
+ More Legacy Devices
+
+ The considered scenario is depicted in the following diagram:
+
+ +------+ +-------------+ +-----------+ +---------------+
+ | Host |----|Legacy device|-----|SAVI device|----|rest of the net|
+ +------+ +-------------+ +-----------+ +---------------+
+
+ Figure 5: Host Attached to a Legacy Device
+
+ The key distinguishing element of this scenario is that the host is
+ not directly connected to the SAVI device. As a result, if the SAVI
+ device reboots, the host will not see any changes.
+
+ In this case, the host would get disconnected from the rest of the
+ network since the SAVI device would filter all its packets once the
+ state has gone. As the node will not perform the DAD procedure
+ again, it will remain disconnected until it reboots.
+
+
+
+
+Nordmark, et al. Standards Track [Page 33]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ As a final comment, it should be noted that it may not be obvious to
+ the network admin which scenario its network is running. Consider
+ the case of a campus network where all the switches in the network
+ are SAVI capable. A small hub connected in the office would turn
+ this into the scenario where the host is not directly connected to
+ the SAVI device. Moreover, consider the case of a host running
+ multiple virtual machines connected through a virtual hub. Depending
+ on the implementation of such a virtual hub, this may turn a directly
+ connected host scenario to the scenario where the multiple (virtual)
+ hosts are connected through a legacy (virtual) hub.
+
+A.1.3.2.1. Enforcing Direct Connectivity between the SAVI Device and
+ the Host
+
+ It has been argued that enforcing direct connectivity between the
+ SAVI device and the end host is actually a benefit. There are
+ several comments that can be made in this respect:
+
+ o First, it may well be the case in some scenarios that this is
+ desirable, but it is certainly not the case in most scenarios.
+ Because of that, the issue of enforcing direct connectivity must
+ be treated as orthogonal to how data packets for which there is no
+ binding are treated, since a general solution must support
+ directly connected nodes and nodes connected through legacy
+ switches.
+
+ o Second, as a matter of fact, the resulting behavior described
+ above would not actually enforce direct connectivity between the
+ end host and the SAVI device as it would work as long as the SAVI
+ device does not reboot. So, the argument being made is that this
+ approach is not good enough to provide a robust network service,
+ but it is not bad enough to enforce the direct connectivity of the
+ host to the SAVI switch.
+
+ o Third, it should be noted that topology enforcement is not part of
+ the SAVI problem space and that the SAVI problem by itself is
+ complex enough without adding additional requirements.
+
+A.2. Implications of Not Discarding Non-Compliant Data Packets
+
+ The FCFS SAVI mechanism is composed of two main functions, namely,
+ the mechanisms for tracking compliant and non-compliant data packets
+ and the actions to be performed upon the detection of a non-compliant
+ packet. Throughout this specification, we recommend discarding non-
+ compliant data packets. This is because forwarding non-compliant
+ data packets is essentially allowing packets with spoofed source
+ addresses to flow throughout the network. However, there are
+ alternative actions that can be taken with respect to these packets.
+
+
+
+Nordmark, et al. Standards Track [Page 34]
+
+RFC 6620 FCFS SAVI May 2012
+
+
+ For instance, it would be possible to forward the packets and trigger
+ an alarm to network administrators to make them aware of the
+ situation. Similarly, it would be possible to log these events and
+ allow the tracking down cases where packets with spoofed addresses
+ were used for malicious purposes. The reason a site deploying SAVI
+ may not want to take milder actions like the ones mentioned above
+ instead of discarding packets is because there may be cases where the
+ non-compliant packets may be legitimate packets (for example, in the
+ case that the SAVI device is malfunctioning and has failed to create
+ the appropriate bindings upon the reception of a DAD packet).
+
+Authors' Addresses
+
+ Erik Nordmark
+ Cisco Systems
+ 510 McCarthy Blvd.
+ Milpitas, CA 95035
+ United States
+
+ EMail: nordmark@acm.org
+
+
+ Marcelo Bagnulo
+ Universidad Carlos III de Madrid
+ Av. Universidad 30
+ Leganes, Madrid 28911
+ Spain
+
+ Phone: 34 91 6248814
+ EMail: marcelo@it.uc3m.es
+ URI: http://www.it.uc3m.es
+
+
+ Eric Levy-Abegnoli
+ Cisco Systems
+ Village d'Entreprises Green Side - 400, Avenue Roumanille
+ Biot-Sophia Antipolis - 06410
+ France
+
+ EMail: elevyabe@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+Nordmark, et al. Standards Track [Page 35]
+