summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7513.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7513.txt')
-rw-r--r--doc/rfc/rfc7513.txt3027
1 files changed, 3027 insertions, 0 deletions
diff --git a/doc/rfc/rfc7513.txt b/doc/rfc/rfc7513.txt
new file mode 100644
index 0000000..03e04a2
--- /dev/null
+++ b/doc/rfc/rfc7513.txt
@@ -0,0 +1,3027 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) J. Bi
+Request for Comments: 7513 J. Wu
+Category: Standards Track G. Yao
+ISSN: 2070-1721 Tsinghua Univ.
+ F. Baker
+ Cisco
+ May 2015
+
+
+ Source Address Validation Improvement (SAVI) Solution for DHCP
+
+Abstract
+
+ This document specifies the procedure for creating a binding between
+ a DHCPv4/DHCPv6-assigned IP address and a binding anchor on a Source
+ Address Validation Improvement (SAVI) device. The bindings set up by
+ this procedure are used to filter packets with forged source IP
+ addresses. This mechanism complements BCP 38 (RFC 2827) ingress
+ filtering, providing finer-grained source IP address validation.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7513.
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+Bi, et al. Standards Track [Page 1]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
+ 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 4. Deployment Scenario and Configuration . . . . . . . . . . . . 8
+ 4.1. Elements and Scenario . . . . . . . . . . . . . . . . . . 8
+ 4.2. SAVI Binding Type Attributes . . . . . . . . . . . . . . 10
+ 4.2.1. Trust Attribute . . . . . . . . . . . . . . . . . . . 10
+ 4.2.2. DHCP-Trust Attribute . . . . . . . . . . . . . . . . 11
+ 4.2.3. DHCP-Snooping Attribute . . . . . . . . . . . . . . . 11
+ 4.2.4. Data-Snooping Attribute . . . . . . . . . . . . . . . 11
+ 4.2.5. Validating Attribute . . . . . . . . . . . . . . . . 12
+ 4.2.6. Table of Mutual Exclusions . . . . . . . . . . . . . 13
+ 4.3. Perimeter . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.3.1. SAVI-DHCP Perimeter Overview . . . . . . . . . . . . 13
+ 4.3.2. SAVI-DHCP Perimeter Configuration Guideline . . . . . 14
+ 4.3.3. On the Placement of the DHCP Server and Relay . . . . 15
+ 4.3.4. An Alternative Deployment . . . . . . . . . . . . . . 15
+ 4.3.5. Considerations regarding Binding Anchors . . . . . . 16
+ 4.4. Other Device Configuration . . . . . . . . . . . . . . . 17
+ 5. Binding State Table (BST) . . . . . . . . . . . . . . . . . . 17
+ 6. DHCP Snooping Process . . . . . . . . . . . . . . . . . . . . 18
+ 6.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 18
+ 6.2. Binding States Description . . . . . . . . . . . . . . . 19
+ 6.3. Events . . . . . . . . . . . . . . . . . . . . . . . . . 19
+ 6.3.1. Timer Expiration Event . . . . . . . . . . . . . . . 19
+ 6.3.2. Control Message Arriving Events . . . . . . . . . . . 19
+ 6.4. The State Machine of DHCP Snooping Process . . . . . . . 21
+ 6.4.1. Initial State: NO_BIND . . . . . . . . . . . . . . . 21
+ 6.4.2. Initial State: INIT_BIND . . . . . . . . . . . . . . 24
+ 6.4.3. Initial State: BOUND . . . . . . . . . . . . . . . . 27
+ 6.4.4. Table of State Machine . . . . . . . . . . . . . . . 30
+ 7. Data Snooping Process . . . . . . . . . . . . . . . . . . . . 31
+ 7.1. Scenario . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 7.2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 32
+ 7.3. Additional Binding States Description . . . . . . . . . . 33
+ 7.4. Events . . . . . . . . . . . . . . . . . . . . . . . . . 33
+ 7.5. Message Sender Functions . . . . . . . . . . . . . . . . 35
+ 7.5.1. Duplicate Detection Message Sender . . . . . . . . . 35
+ 7.5.2. Leasequery Message Sender . . . . . . . . . . . . . . 36
+ 7.5.3. Address Verification Message Sender . . . . . . . . . 36
+ 7.6. Initial State: NO_BIND . . . . . . . . . . . . . . . . . 37
+ 7.6.1. Event: EVE_DATA_UNMATCH: A data packet without a
+ matched binding is received . . . . . . . . . . . . . 37
+ 7.6.2. Events Not Observed in NO_BIND for Data Snooping . . 38
+
+
+
+
+
+Bi, et al. Standards Track [Page 2]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ 7.7. Initial State: DETECTION . . . . . . . . . . . . . . . . 39
+ 7.7.1. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . . 39
+ 7.7.2. Event: EVE_DATA_CONFLICT: ARP Reply / NA Message
+ Received from Unexpected System . . . . . . . . . . . 39
+ 7.7.3. Events Not Observed in DETECTION . . . . . . . . . . 39
+ 7.8. Initial State: RECOVERY . . . . . . . . . . . . . . . . . 40
+ 7.8.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE
+ or successful LEASEQUERY-REPLY is received . . . . . 40
+ 7.8.2. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . . 41
+ 7.8.3. Events Not Observed in RECOVERY . . . . . . . . . . . 41
+ 7.9. Initial State: VERIFY . . . . . . . . . . . . . . . . . . 41
+ 7.9.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE
+ or successful LEASEQUERY-REPLY is received . . . . . 41
+ 7.9.2. Event: EVE_DATA_VERIFY: A valid ARP Reply or NA is
+ received from the device attached via the binding
+ anchor . . . . . . . . . . . . . . . . . . . . . . . 42
+ 7.9.3. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . . 42
+ 7.9.4. Event: EVE_DATA_EXPIRE . . . . . . . . . . . . . . . 43
+ 7.9.5. Events Not Observed in VERIFY . . . . . . . . . . . . 43
+ 7.10. Initial State: BOUND . . . . . . . . . . . . . . . . . . 43
+ 7.11. Table of State Machine . . . . . . . . . . . . . . . . . 44
+ 8. Filtering Specification . . . . . . . . . . . . . . . . . . . 45
+ 8.1. Data Packet Filtering . . . . . . . . . . . . . . . . . . 46
+ 8.2. Control Packet Filtering . . . . . . . . . . . . . . . . 46
+ 9. State Restoration . . . . . . . . . . . . . . . . . . . . . . 47
+ 9.1. Attribute Configuration Restoration . . . . . . . . . . . 47
+ 9.2. Binding State Restoration . . . . . . . . . . . . . . . . 47
+ 10. Constants . . . . . . . . . . . . . . . . . . . . . . . . . . 48
+ 11. Security Considerations . . . . . . . . . . . . . . . . . . . 48
+ 11.1. Security Problems with the Data Snooping Process . . . . 48
+ 11.2. Securing Leasequery Operations . . . . . . . . . . . . . 49
+ 11.3. Client Departure Issues . . . . . . . . . . . . . . . . 49
+ 11.4. Compatibility with Detecting Network Attachment (DNA) . 50
+ 11.5. Binding Number Limitation . . . . . . . . . . . . . . . 51
+ 11.6. Privacy Considerations . . . . . . . . . . . . . . . . . 51
+ 11.7. Fragmented DHCP Messages . . . . . . . . . . . . . . . . 51
+ 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 52
+ 12.1. Normative References . . . . . . . . . . . . . . . . . . 52
+ 12.2. Informative References . . . . . . . . . . . . . . . . . 53
+ Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 54
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 3]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+1. Introduction
+
+ This document describes a fine-grained source address validation
+ mechanism for IPv4 and IPv6 packets. This mechanism creates bindings
+ between IP addresses assigned to network interfaces by DHCP and
+ suitable binding anchors (Section 4.3.5). As discussed in Section 3
+ and [RFC7039], a "binding anchor" is an attribute that is immutable
+ or difficult to change that may be used to identify the system an IP
+ address has been assigned to; common examples include a Media Access
+ Control (MAC) address found on an Ethernet switch port or Wi-Fi
+ security association. The bindings are used to identify and filter
+ packets originated by these interfaces using forged source IP
+ addresses. In this way, this mechanism can prevent hosts from using
+ IP addresses assigned to any other attachment point in or not
+ associated with the network. This behavior is referred to as
+ "spoofing" and is key to amplification attacks, in which a set of
+ systems send messages to another set of systems claiming to be from a
+ third set of systems, and sending the replies to systems that don't
+ expect them. Whereas BCP 38 [RFC2827] protects a network from a
+ neighboring network by providing prefix granularity source IP address
+ validity, this mechanism protects a network, including a Local Area
+ Network, from itself by providing address granularity source IP
+ validity when DHCP/DHCPv6 is used to assign IPv4/IPv6 addresses.
+ Both provide a certain level of traceability, in that packet drops
+ indicate the presence of a system that is producing packets with
+ spoofed IP addresses.
+
+ SAVI-DHCP snoops DHCP address assignments to set up bindings between
+ IP addresses assigned by DHCP and corresponding binding anchors. It
+ includes the DHCPv4 and DHCPv6 Snooping Process (Section 6) and the
+ Data Snooping Process (Section 7), as well as a number of other
+ technical details. The Data Snooping Process is a data-triggered
+ procedure that snoops the IP header of data packets to set up
+ bindings. It is designed to avoid a permanent blockage of valid
+ addresses in the case that DHCP snooping is insufficient to set up
+ all the valid bindings.
+
+ This mechanism is designed for the stateful DHCP scenario [RFC2131]
+ [RFC3315]. Stateless DHCP [RFC3736] is out of scope for this
+ document, as it has nothing to do with IP address allocation. An
+ alternative SAVI method would have be used in those cases. For hosts
+ using Stateless Address Autoconfiguration (SLAAC) to allocate
+ addresses, First-Come, First-Served Source Address Validation
+ Improvement (FCFS SAVI) [RFC6620] should be enabled. SAVI-DHCP is
+ primarily designed for pure DHCP scenarios in which only addresses
+ assigned through DHCP are allowed. However, it does not block link-
+
+
+
+
+
+Bi, et al. Standards Track [Page 4]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ local addresses, as they are not assigned using DHCP. It is
+ RECOMMENDED that the administration deploy a SAVI solution for link-
+ local addresses, e.g., FCFS SAVI [RFC6620].
+
+ This mechanism works for networks that use DHCPv4 only, DHCPv6 only,
+ or both DHCPv4 and DHCPv6. However, the DHCP address assignment
+ mechanism in IPv4/IPv6 transition scenarios, e.g., [RFC7341], are
+ beyond the scope of this document.
+
+2. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+3. Terminology
+
+ Binding anchor: A "binding anchor" is defined to be a physical and/or
+ link-layer property of an attached device, as in [RFC7039]. A list
+ of sample binding anchors can be found in Section 3.2 of that
+ document. To the degree possible, a binding anchor associates an IP
+ address with something unspoofable that identifies a single-client
+ system or one of its interfaces. See Section 4.3.5 for more detail.
+
+ Attribute: A configurable property of each binding anchor (port, MAC
+ address, or other information) that indicates the actions to be
+ performed on packets received from the attached network device.
+
+ DHCP address: An IP address assigned via DHCP.
+
+ SAVI-DHCP: The name of this SAVI function for DHCP-assigned
+ addresses.
+
+ SAVI device: A network device on which SAVI-DHCP is enabled.
+
+ Non-SAVI device: A network device on which SAVI-DHCP is not enabled.
+
+ DHCP Client-to-Server message: A message that is sent from a DHCP
+ client to a DHCP server or DHCP servers and is one of the following
+ types:
+
+ o DHCPv4 Discover: DHCPDISCOVER [RFC2131].
+
+ o DHCPv4 Request: DHCPREQUEST generated during SELECTING state
+ [RFC2131].
+
+ o DHCPv4 Renew: DHCPREQUEST generated during RENEWING state
+ [RFC2131].
+
+
+
+Bi, et al. Standards Track [Page 5]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ o DHCPv4 Rebind: DHCPREQUEST generated during REBINDING state
+ [RFC2131].
+
+ o DHCPv4 Reboot: DHCPREQUEST generated during INIT-REBOOT state
+ [RFC2131].
+
+ o Note: DHCPv4 Request/Renew/Rebind/Reboot messages can be
+ identified based on Table 4 of [RFC2131].
+
+ o DHCPv4 Decline: DHCPDECLINE [RFC2131].
+
+ o DHCPv4 Release: DHCPRELEASE [RFC2131].
+
+ o DHCPv4 Inform: DHCPINFORM [RFC2131].
+
+ o DHCPv4 DHCPLEASEQUERY: A message sent to inquire about the lease
+ that might exist for an IPv4 address [RFC4388].
+
+ o DHCPv6 Request: REQUEST [RFC3315].
+
+ o DHCPv6 Solicit: SOLICIT [RFC3315].
+
+ o DHCPv6 Confirm: CONFIRM [RFC3315].
+
+ o DHCPv6 Decline: DECLINE [RFC3315].
+
+ o DHCPv6 Release: RELEASE [RFC3315].
+
+ o DHCPv6 Rebind: REBIND [RFC3315].
+
+ o DHCPv6 Renew: RENEW [RFC3315].
+
+ o DHCPv6 Information-Request: INFORMATION-REQUEST [RFC3315].
+
+ o DHCPv6 LEASEQUERY: A message sent to inquire about the lease that
+ might exist for an IPv6 address [RFC5007].
+
+ DHCP Server-to-Client message: A message that is sent from a DHCP
+ server to a DHCP client and is one of the following types:
+
+ o DHCPv4 ACK: DHCPACK [RFC2131].
+
+ o DHCPv4 NAK: DHCPNAK [RFC2131].
+
+ o DHCPv4 Offer: DHCPOFFER [RFC2131].
+
+ o DHCPv4 DHCPLEASEACTIVE: A response to a DHCPLEASEQUERY request
+ containing lease information [RFC4388].
+
+
+
+Bi, et al. Standards Track [Page 6]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ o DHCPv4 DHCPLEASEUNKNOWN: A response to a DHCPLEASEQUERY request
+ indicating that the server does not manage the address [RFC4388].
+
+ o DHCPv4 DHCPLEASEUNASSIGNED: A response to a DHCPLEASEQUERY request
+ indicating that the server manages the address and there is no
+ current lease [RFC4388].
+
+ o DHCPv6 Reply: REPLY [RFC3315].
+
+ o DHCPv6 Advertise: ADVERTISE [RFC3315].
+
+ o DHCPv6 Reconfigure: RECONFIGURE [RFC3315].
+
+ o DHCPv6 LEASEQUERY-REPLY: A response to a LEASEQUERY request
+ [RFC5007].
+
+ Lease time: The lease time in IPv4 [RFC2131] or the valid lifetime in
+ IPv6 [RFC3315].
+
+ Binding entry: A rule that associates an IP address with a binding
+ anchor.
+
+ Binding State Table (BST): The data structure that contains the
+ binding entries.
+
+ Binding entry limit: The maximum number of binding entries that may
+ be associated with a binding anchor. Limiting the number of binding
+ entries per binding anchor prevents a malicious or malfunctioning
+ node from overloading the binding table on a SAVI device.
+
+ Direct attachment: Ideally, a SAVI device is an access device that
+ hosts are attached to directly. In such a case, the hosts are direct
+ attachments (i.e., they attach directly) to the SAVI device.
+
+ Indirect attachment: A SAVI device MAY be an aggregation device that
+ other access devices are attached to and that hosts in turn attach
+ to. In such a case, the hosts are indirect attachments (i.e., they
+ attach indirectly) to the SAVI device.
+
+ Unprotected link: Unprotected links are links that connect to hosts
+ or networks of hosts that receive their DHCP traffic by another path
+ and are therefore outside the SAVI perimeter.
+
+ Unprotected device: An unprotected device is a device associated with
+ an unprotected link. One example might be the gateway router of a
+ network.
+
+
+
+
+
+Bi, et al. Standards Track [Page 7]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ Protected link: If DHCP messages for a given attached device always
+ use a given link, the link is considered to be "protected" by the
+ SAVI device and is therefore within the SAVI perimeter.
+
+ Protected device: A protected device is a device associated with a
+ protected link. One example might be a desktop switch in the
+ network, or a host.
+
+ Cut vertex: A cut vertex is any vertex whose removal increases the
+ number of connected components in a (network) graph. This is a
+ concept in graph theory. This term is used in Section 6.1 to
+ accurately specify the required deployment location of SAVI devices
+ when they only perform the DHCP Snooping Process.
+
+ Identity Association (IA): "A collection of addresses assigned to a
+ client" [RFC3315].
+
+ Detection message: A Neighbor Solicitation or ARP message intended by
+ the Data Snooping Process to detect a duplicate address.
+
+ DHCP_DEFAULT_LEASE: Default lifetime for a DHCPv6 address when the
+ binding is triggered by a DHCPv6 Confirm message but a DHCPv6
+ Leasequery exchange [RFC5007] cannot be performed by the SAVI device
+ to fetch the lease.
+
+4. Deployment Scenario and Configuration
+
+4.1. Elements and Scenario
+
+ The essential elements in a SAVI-DHCP deployment scenario include at
+ least one DHCP server (which may or may not be assigned an address
+ using DHCP and therefore may or may not be protected), zero or more
+ protected DHCP clients, and one or more SAVI devices. It may also
+ include DHCP relays, when the DHCP server is not co-located with a
+ set of clients, and zero or more protected non-SAVI devices. Outside
+ the perimeter, via unprotected links, there may be many unprotected
+ devices.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 8]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ +-------------+
+ | Unprotected |
+ | Device |
+ +------+------+
+ |
+ +--------+ +-----+------+ +----------+
+ |DHCP +-----+ Non-SAVI +----+Bogus DHCP|
+ |Server A| | Device 1 | |Server |
+ +--------+ +-----+------+ +----------+
+ |trusted, unprotected link
+ . . . . . . . . . . . . . . . . .|. . . . . . . . . . . . . .
+ . | .
+ . Protection +---+------+ trusted link .
+ . Perimeter | SAVI +--------------+ .
+ . | Device C | | .
+ . +---+------+ | .
+ . | | .
+ . untrusted, +----------+ +---+------+ +------+---+ .
+ . protected | SAVI | | Non-SAVI | | SAVI | .
+ . link+------+ Device A +----+ Device 3 +-------+ Device B | .
+ . | +----+--+--+ +----------+ +-+---+----+ .
+ . | | +----------+ . . . . . | | .
+ . | . . . . . . | . . | | .
+ . | . | . | . +--------+ | .
+ . +----+-----+. +--+---+ . +----+-+ . +--+---+ . +---+----+ .
+ . | Non-SAVI |. |Client| . |DHCP | . |Client| . |DHCP | .
+ . | Device 2 |. |A | . |Relay | . |B | . |Server B| .
+ . +----------+. +------+ . +------+ . +------+ . +--------+ .
+ . . . . . . . . . . . . . . . . . . .
+
+ Figure 1: SAVI-DHCP Scenario
+
+ Figure 1 shows a deployment scenario that contains these elements.
+ Note that a physical device can instantiate multiple elements, e.g.,
+ a switch can be both a SAVI device and a DHCP relay, or in a cloud-
+ computing environment, a physical host may contain a virtual switch
+ plus some number of virtual hosts. In such cases, the links are
+ logical links rather than physical links.
+
+ Networks are not usually isolated. As a result, traffic from other
+ networks, including transit traffic as specified in [RFC6620] (e.g.,
+ traffic from another SAVI switch or a router) may enter a SAVI-DHCP
+ network through the unprotected links. Since SAVI solutions are
+ limited to validating traffic generated from a local link, SAVI-DHCP
+ does not set up bindings for addresses assigned in other networks and
+ cannot validate them. Traffic from unprotected links should be
+ checked by an unprotected device or mechanisms described in
+
+
+
+
+Bi, et al. Standards Track [Page 9]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ [RFC2827]. The generation and deployment of such a mechanism is
+ beyond the scope of this document.
+
+ Traffic from protected links is, however, locally generated and
+ should have its source addresses validated by SAVI-DHCP if possible.
+ In the event that there is an intervening protected non-SAVI device
+ between the host and the SAVI device, however, use of the physical
+ attachment point alone as a binding anchor is insufficiently secure,
+ as several devices on a port or other point of attachment can spoof
+ each other. Hence, additional information such as a MAC address
+ SHOULD be used to disambiguate them.
+
+4.2. SAVI Binding Type Attributes
+
+ As illustrated in Figure 1, a system attached to a SAVI device can be
+ a DHCP client, a DHCP relay/server, a SAVI device, or a non-SAVI
+ device. Different actions are performed on traffic originated from
+ different elements. To distinguish among their requirements, several
+ properties are associated with their point of attachment on the SAVI
+ device.
+
+ When a binding association is uninstantiated, e.g., when no host is
+ attached to the SAVI device using a given port or other binding
+ anchor, the binding port attributes take default values unless
+ overridden by configuration. By default, a SAVI switch does not
+ filter DHCP messages, nor does it attempt to validate source
+ addresses, which is to say that the binding attributes are ignored
+ until SAVI-DHCP is itself enabled. This is because a SAVI switch
+ that depends on DHCP cannot tell, a priori, which ports have valid
+ DHCP servers attached, or which have routers or other equipment that
+ would validly appear to use an arbitrary set of source addresses.
+ When SAVI has been enabled, the attributes take effect.
+
+4.2.1. Trust Attribute
+
+ The "Trust Attribute" is a Boolean value. If TRUE, it indicates that
+ the packets from the corresponding attached device need not have
+ their source addresses validated. Examples of a trusted attachment
+ would be a port to another SAVI device, or to an IP router, as shown
+ in Figure 1. In both cases, traffic using many source IP addresses
+ will be seen. By default, the Trust attribute is FALSE, indicating
+ that any device found on that port will seek an address using DHCP
+ and be limited to using such addresses.
+
+ SAVI devices will not set up bindings for points of attachment with
+ the Trust attribute set TRUE; no packets, including DHCP messages,
+ from devices with this attribute on their attachments will be
+ validated. However, DHCP Server-to-Client messages will be snooped
+
+
+
+Bi, et al. Standards Track [Page 10]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ on attachment points with the Trust attribute set TRUE in the same
+ way as if they had the DHCP-Trust attribute set (see Section 4.2.2).
+
+4.2.2. DHCP-Trust Attribute
+
+ The "DHCP-Trust Attribute" is similarly a Boolean attribute. It
+ indicates whether the attached device is permitted to initiate DHCP
+ Server-to-Client messages. In Figure 1, the points of attachment of
+ the DHCP server and the DHCP relay would have this attribute set
+ TRUE, and attachment points that have Trust set TRUE are implicitly
+ treated as if DHCP-Trust is TRUE.
+
+ If the DHCP-Trust attribute is TRUE, SAVI devices will forward DHCP
+ Server-to-Client messages from the points of attachment with this
+ attribute. If the DHCP Server-to-Client messages can trigger the
+ state transitions, the binding setup processes specified in Sections
+ 6 and 7 will handle them. By default, the DHCP-Trust attribute is
+ FALSE, indicating that the attached system is not a DHCP server.
+
+ A DHCPv6 implementor can refer to [DHCPv6-SHIELD] for more details.
+
+4.2.3. DHCP-Snooping Attribute
+
+ The "DHCP-Snooping Attribute" is similarly a Boolean attribute. It
+ indicates whether bindings will be set up based on DHCP snooping.
+
+ If this attribute is TRUE, DHCP Client-to-Server messages to points
+ of attachment with this attribute will trigger creation of bindings
+ based on the DHCP Snooping Process described in Section 6. If it is
+ FALSE, either the Trust attribute must be TRUE (so that bindings
+ become irrelevant) or another SAVI mechanism such as FCFS SAVI must
+ be used on the point of attachment.
+
+ The DHCP-Snooping attribute is configured on the DHCP client's point
+ of attachment. This attribute can be also used on the attachments to
+ protected non-SAVI devices that are used by DHCP clients. In
+ Figure 1, the attachment from Client A to SAVI Device A, the
+ attachment from Client B to SAVI Device B, and the attachment from
+ Non-SAVI Device 2 to SAVI Device A can be configured with this
+ attribute.
+
+4.2.4. Data-Snooping Attribute
+
+ The "Data-Snooping Attribute" is a Boolean attribute. It indicates
+ whether data packets from the corresponding point of attachment may
+ trigger the binding setup procedure.
+
+
+
+
+
+Bi, et al. Standards Track [Page 11]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ Data packets from points of attachment with this attribute may
+ trigger the setup of bindings. SAVI devices will set up bindings on
+ points of attachment with this attribute based on the data-triggered
+ process described in Section 7.
+
+ If the DHCP-Snooping attribute is configured on a point of
+ attachment, the bindings on this attachment are set up based on DHCP
+ message snooping. However, in some scenarios, a DHCP client may use
+ a DHCP address without the DHCP address assignment procedure being
+ performed on its current attachment. For such attached devices, the
+ Data Snooping Process, which is described in Section 7, is necessary.
+ This attribute is configured on such attachments. The usage of this
+ attribute is further discussed in Section 7.
+
+ Since some networks require DHCP deployment and others avoid it,
+ there is no obvious universal default value for the Data-Snooping
+ attribute. Hence, the Data-Snooping attribute should default to
+ FALSE, and a mechanism should be implemented to conveniently set it
+ to TRUE on all points of attachment for which the Trust attribute is
+ FALSE.
+
+4.2.5. Validating Attribute
+
+ The "Validating Attribute" is a Boolean attribute. It indicates
+ whether packets from the corresponding attachment will have their IP
+ source addresses validated based on binding entries on the
+ attachment.
+
+ If it is TRUE, packets coming from attachments with this attribute
+ will be validated based on binding entries on the attachment as
+ specified in Section 8. If it is FALSE, they will not. Since the
+ binding table is used in common with other SAVI algorithms, it merely
+ signifies whether the check will be done, not whether it will be done
+ for SAVI-DHCP originated bindings.
+
+ This attribute is by default the inverse of the Trust attribute;
+ source addresses on untrusted links are validated by default. It MAY
+ be set FALSE by the administration.
+
+ The expected use case is when SAVI is used to monitor but not block
+ forged transmissions. The network manager, in that case, may set the
+ DHCP-Snooping and/or Data-Snooping attribute TRUE but the Validating
+ attribute FALSE.
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 12]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+4.2.6. Table of Mutual Exclusions
+
+ Different types of attributes may indicate mutually exclusive actions
+ on a packet. Mutually exclusive attributes MUST NOT be set TRUE on
+ the same attachment. The compatibility of different attributes is
+ listed in Figure 2. Note that although Trust and DHCP-Trust are
+ compatible, there is no need to configure DHCP-Trust to TRUE on an
+ attachment with Trust attribute TRUE.
+
+ +----------+----------+----------+----------+----------+----------+
+ | | | | DHCP- | Data- | |
+ | | Trust |DHCP-Trust| Snooping | Snooping |Validating|
+ +----------+----------+----------+----------+----------+----------+
+ | | | | mutually | mutually | mutually |
+ | Trust | - |compatible| exclusive| exclusive| exclusive|
+ +----------+----------+----------+----------+----------+----------+
+ | | | | | | |
+ |DHCP-Trust|compatible| - |compatible|compatible|compatible|
+ +----------+----------+----------+----------+----------+----------+
+ |DHCP- |mutually | | | | |
+ |Snooping |exclusive |compatible| - |compatible|compatible|
+ +----------+----------+----------+----------+----------+----------+
+ |Data- |mutually | | | | |
+ |Snooping |exclusive |compatible|compatible| - |compatible|
+ +----------+----------+----------+----------+----------+----------+
+ | |mutually | | | | |
+ |Validating|exclusive |compatible|compatible|compatible| - |
+ +----------+----------+----------+----------+----------+----------+
+
+ Figure 2: Table of Mutual Exclusions
+
+4.3. Perimeter
+
+4.3.1. SAVI-DHCP Perimeter Overview
+
+ SAVI devices form a perimeter separating trusted and untrusted
+ regions of a network, as FCFS SAVI does (Section 2.5 of [RFC6620]).
+ The perimeter is primarily designed for scalability. It has two
+ implications.
+
+ o SAVI devices only need to establish bindings for directly attached
+ clients, or clients indirectly attached through a non-SAVI
+ protected device, rather than all of the clients in the network.
+
+ o Each SAVI device only needs to validate the source addresses in
+ traffic from clients attached to it, without checking all the
+ traffic passing by.
+
+
+
+
+Bi, et al. Standards Track [Page 13]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ Consider the example in Figure 1. The protection perimeter is formed
+ by SAVI Devices A, B, and C. In this case, SAVI Device B does not
+ create a binding for Client A. However, because SAVI Device A
+ filters spoofed traffic from Client A, SAVI Device B can avoid
+ receiving spoofed traffic from Client A.
+
+ The perimeter in SAVI-DHCP is not only a perimeter for data packets
+ but also a perimeter for DHCP messages. DHCP server response
+ messages incoming across the perimeter will be dropped (Section 8).
+ The placement of the DHCP relay and DHCP server, which are not
+ involved in [RFC6620], is related to the construction of the
+ perimeter. The requirement on the placement and configuration of the
+ DHCP relay and DHCP server is discussed in Section 4.3.3.
+
+4.3.2. SAVI-DHCP Perimeter Configuration Guideline
+
+ A perimeter separating trusted and untrusted regions of the network
+ is formed as follows:
+
+ (1) Configure the Validating and DHCP-Snooping attributes TRUE on
+ the direct attachments of all DHCP clients.
+
+ (2) Configure the Validating and DHCP-Snooping attributes TRUE on
+ the indirect attachments of all DHCP clients (i.e., DHCP clients
+ on protected links).
+
+ (3) Configure the Trust attribute TRUE on the attachments to other
+ SAVI devices.
+
+ (4) If a non-SAVI device, or a number of connected non-SAVI devices,
+ are attached only to SAVI devices, set the Trust attribute TRUE
+ on their attachments.
+
+ (5) Configure the DHCP-Trust attribute TRUE on the direct
+ attachments to trusted DHCP relays and servers.
+
+ In this way, the points of attachments with the Validating attribute
+ TRUE (and generally together with attachments of unprotected devices)
+ on SAVI devices can form a perimeter separating DHCP clients and
+ trusted devices. Data packet checks are only performed on the
+ perimeter. The perimeter is also a perimeter for DHCP messages. The
+ DHCP-Trust attribute is only TRUE on links inside the perimeter.
+ Only DHCP Server-to-Client messages originated within the perimeter
+ are trusted.
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 14]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+4.3.3. On the Placement of the DHCP Server and Relay
+
+ As a result of the configuration guidelines, SAVI devices only trust
+ DHCP Server-to-Client messages originated inside the perimeter.
+ Thus, the trusted DHCP relays and DHCP servers must be placed within
+ the perimeter. DHCP Server-to-Client messages will be filtered on
+ the perimeter. Server-to-Relay messages will not be filtered, as
+ they are within the perimeter. In this way, DHCP Server-to-Client
+ messages from bogus DHCP servers are filtered on the perimeter,
+ having entered through untrusted points of attachment. The SAVI
+ devices are protected from forged DHCP messages.
+
+ DHCP Server-to-Client messages arriving at the perimeter from outside
+ the perimeter are not trusted. There is no distinction between a
+ DHCP server owned and operated by the correct administration but
+ outside the SAVI perimeter and a bogus DHCP server. For example, in
+ Figure 1, DHCP Server A is valid, but it is attached to Non-SAVI
+ Device 1. A bogus DHCP server is also attached to Non-SAVI Device 1.
+ While one could imagine a scenario in which the valid one had a
+ statistically configured port number and MAC address, and therefore a
+ binding, by default SAVI-DHCP cannot distinguish whether a message
+ received from the port of Non-SAVI Device 1 is from DHCP Server A or
+ the bogus DHCP server. If DHCP Server A is contained in the
+ perimeter, Non-SAVI Device 1 will also be contained in the perimeter.
+ Thus, DHCP Server A cannot be contained within the perimeter apart
+ from manual configuration of the binding anchor.
+
+ Another consideration on the placement is that if the DHCP server/
+ relay is not inside the perimeter, the SAVI devices may not be able
+ to set up bindings correctly because the SAVI devices may not be on
+ the path between the clients and the server/relay, or the DHCP
+ messages are encapsulated (e.g., Relay-reply and Relay-forward).
+
+4.3.4. An Alternative Deployment
+
+ In common deployment practice, the traffic from the unprotected
+ network is treated as trustworthy, which is to say that it is not
+ filtered. In such a case, the Trust attribute can be set TRUE on the
+ unprotected link. If non-SAVI devices, or a number of connected non-
+ SAVI devices, are only attached to SAVI devices and unprotected
+ devices, their attachment to SAVI devices can have the Trust
+ attribute set TRUE. Then an unclosed perimeter will be formed, as
+ illustrated in Figure 3.
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 15]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ | . . Protection |
+ | | | Perimeter |
+ | | | |
+ | Unprotected | | Unprotected |
+ | Link | | Link |
+ | | | |
+ | | | |
+ | +----+---+ +----+---+ +--------+ |
+ | |SAVI +----+Non-SAVI+----+SAVI | |
+ | |Device | |Device | |Device | |
+ | +----+---+ +--------+ +----+---+ |
+ | | | |
+ \_____________+___________________________+________/
+ | |
+ | |
+ +--------+ +--------+
+ |DHCP | |DHCP |
+ |Client | |Client |
+ +--------+ +--------+
+
+ Figure 3: Alternative Perimeter Configuration
+
+4.3.5. Considerations regarding Binding Anchors
+
+ The strength of this binding-based mechanism depends on the strength
+ of the binding anchor. The sample binding anchors in [RFC7039] have
+ the property in which they associate an IP address with a direct
+ physical or secure virtual interface such as a switch port, a
+ subscriber association, or a security association. In addition,
+ especially in the case where a protected non-SAVI device such as a
+ desktop switch or a hub is between the client and SAVI devices, they
+ MAY be extended to also include a MAC address or other link-layer
+ attribute. In short, a binding anchor is intended to associate an IP
+ address with something unspoofable that identifies a single-client
+ system or one of its interfaces; this may be a physical or virtual
+ interface or that plus disambiguating link-layer information.
+
+ If the binding anchor is spoofable, such as a plain MAC address, or
+ non-exclusive, such as a switch port extended using a non-SAVI
+ device, an attacker can use a forged binding anchor to evade
+ validation. Indeed, using a binding anchor that can be easily
+ spoofed can lead to worse outcomes than allowing spoofed IP traffic.
+ Thus, a SAVI device MUST use a non-spoofable and exclusive binding
+ anchor.
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 16]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+4.4. Other Device Configuration
+
+ In addition to a possible binding anchor configuration specified in
+ Section 4.2, an implementation has the following configuration
+ requirements:
+
+ (1) Address configuration. For DHCPv4: the SAVI device MUST have an
+ IPv4 address. For DHCPv6: the client of a SAVI device MUST have
+ a link-local address; when the DHCPv6 server is not on the same
+ link as the SAVI device, the SAVI device MUST also have an IPv6
+ address of at least the same scope as the DHCPv6 Server.
+
+ (2) DHCP server address configuration: a SAVI device MUST store the
+ list of the DHCP server addresses that it could contact during a
+ leasequery process.
+
+ (3) A SAVI device may also require security parameters, such as
+ preconfigured keys to establish a secure connection for the
+ leasequery process [RFC4388] [RFC5007] connection.
+
+5. Binding State Table (BST)
+
+ The Binding State Table, which may be implemented centrally in the
+ switch or distributed among its ports, is used to contain the
+ bindings between the IP addresses assigned to the attachments and the
+ corresponding binding anchors of the attachments. Note that in this
+ description, there is a binding entry for each IPv4 or IPv6 address
+ associated with each binding anchor, and there may be several of each
+ such address, especially if the port is extended using a protected
+ non-SAVI device. Each binding entry has six fields:
+
+ o Binding Anchor (listed as "Anchor" in subsequent figures): the
+ binding anchor, i.e., one or more physical and/or link-layer
+ properties of the attachment.
+
+ o IP Address (listed as "Address" in subsequent figures): the IPv4
+ or IPv6 address assigned to the attachment by DHCP.
+
+ o State: the state of the binding. Possible values of this field
+ are listed in Sections 6.2 and 7.3.
+
+ o Lifetime: the remaining seconds of the binding. Internally, this
+ MAY be stored as the timestamp value at which the lifetime
+ expires.
+
+ o Transaction ID (TID): the Transaction ID [RFC2131] [RFC3315] of
+ the corresponding DHCP transaction. The TID field is used to
+
+
+
+
+Bi, et al. Standards Track [Page 17]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ associate DHCP Server-to-Client messages with corresponding
+ binding entries.
+
+ o Timeouts: the number of timeouts that expired in the current state
+ (only used in the Data Snooping Process; see Section 7).
+
+ The IA is not present in the BST for three reasons:
+
+ o The lease of each address in one IA is assigned separately.
+
+ o When the binding is set up based on data snooping, the IA cannot
+ be recovered from the leasequery protocol.
+
+ o DHCPv4 does not define an IA.
+
+ An example of such a table is shown in Figure 4.
+
+ +---------+----------+-----------+-----------+--------+----------+
+ | Anchor | Address | State | Lifetime | TID | Timeouts |
+ +---------+----------+-----------+-----------+--------+----------+
+ | Port_1 | IP_1 | BOUND | 65535 | TID_1 | 0 |
+ +---------+----------+-----------+-----------+--------+----------+
+ | Port_1 | IP_2 | BOUND | 10000 | TID_2 | 0 |
+ +---------+----------+-----------+-----------+--------+----------+
+ | Port_2 | IP_3 | INIT_BIND | 1 | TID_3 | 0 |
+ +---------+----------+-----------+-----------+--------+----------+
+
+ Figure 4: Example Binding State Table
+
+6. DHCP Snooping Process
+
+ This section specifies the process of setting up bindings based on
+ DHCP snooping. This process is illustrated using a state machine.
+
+6.1. Rationale
+
+ The rationale of the DHCP Snooping Process is that if a DHCP client
+ is legitimately using a DHCP-assigned address, the DHCP address
+ assignment procedure that assigns the IP address to the client must
+ have been performed via the client's point of attachment. This
+ assumption works when the SAVI device is always on the path(s) from
+ the DHCP client to the DHCP server(s)/relay(s). Without considering
+ the movement of DHCP clients, the SAVI device should be the cut
+ vertex whose removal will separate the DHCP client and the remaining
+ network containing the DHCP server(s)/relay(s). For most of the
+ networks whose topologies are simple, it is possible to deploy this
+ SAVI function at proper devices to meet this requirement.
+
+
+
+
+Bi, et al. Standards Track [Page 18]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ However, if there are multiple paths from a DHCP client to the DHCP
+ server and the SAVI device is only on one of them, there is an
+ obvious failure case: the SAVI device may not be able to snoop the
+ DHCP procedure. Host movement may also make this requirement
+ difficult to meet. For example, when a DHCP client moves from one
+ attachment to another attachment in the same network, it may fail to
+ reinitialize its interface or send a Confirm message because of
+ incomplete protocol implementation. Thus, there can be scenarios in
+ which only performing this DHCP Snooping Process is insufficient to
+ set up bindings for all the valid DHCP addresses. These exceptions
+ and the solutions are discussed in Section 7.
+
+6.2. Binding States Description
+
+ The following binding states are present in this process and the
+ corresponding state machine:
+
+ NO_BIND: No binding has been set up.
+
+ INIT_BIND: A potential binding has been set up.
+
+ BOUND: The binding has been set up.
+
+6.3. Events
+
+ This section describes events in this process and the corresponding
+ state machine transitions. The DHCP message categories (e.g., DHCPv4
+ Discover) defined in Section 3 are used extensively in the
+ definitions of events and elsewhere in the state machine definition.
+ If an event will trigger the creation of a new binding entry, the
+ binding entry limit on the binding anchor MUST NOT be exceeded.
+
+6.3.1. Timer Expiration Event
+
+ EVE_ENTRY_EXPIRE: The lifetime of a binding entry expires.
+
+6.3.2. Control Message Arriving Events
+
+ EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is
+ received.
+
+ EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received.
+
+ EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received.
+
+ EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
+ received.
+
+
+
+
+Bi, et al. Standards Track [Page 19]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is received.
+
+ EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid
+ Commit option is received.
+
+ EVE_DHCP_REPLY: A DHCPv4 ACK or a DHCPv6 Reply message is received.
+
+ EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is
+ received.
+
+ EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is
+ received.
+
+ EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY (refer to
+ Section 4.3.3 of [RFC5007]) is received.
+
+ Note: the events listed here do not cover all the DHCP messages in
+ Section 3. The messages that do not really determine address usage
+ (DHCPv4 Discover, DHCPv4 Inform, DHCPv6 Solicit without Rapid Commit,
+ DHCPv6 Information-Request, DHCPv4 Offer, DHCPv6 Advertise, and
+ DHCPv6 Reconfigure) and that are not necessary to snoop (DHCPv4
+ Negative Acknowledgment (NAK); refer to Section 6.4.2.3) are not
+ included. Note also that DHCPv4 DHCPLEASEQUERY is not used in the
+ DHCP Snooping Process to avoid confusion with Section 7. Also, since
+ the LEASEQUERY should have been originated by the SAVI device itself,
+ the destination check should verify that the message is directed to
+ this SAVI device, and it should not be forwarded once it has been
+ processed here.
+
+ Moreover, only if a DHCP message can pass the following checks, the
+ corresponding event is regarded as a valid event:
+
+ o Attribute check: the DHCP Server-to-Client messages and
+ LEASEQUERY-REPLY should be from attachments with the DHCP-Trust
+ attribute; the DHCP Client-to-Server messages should be from
+ attachments with the DHCP-Snooping attribute.
+
+ o Destination check: the DHCP Server-to-Client messages should be
+ destined to attachments with the DHCP-Snooping attribute. This
+ check is performed to ensure the binding is set up on the SAVI
+ device that is nearest to the destination client.
+
+ o Binding anchor check: the DHCP Client-to-Server messages that may
+ trigger modification or removal of an existing binding entry must
+ have a matching binding anchor with the corresponding entry.
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 20]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ o TID check: the DHCP Server-to-Client/Client-to-Server messages
+ that may cause modification of existing binding entries must have
+ a matched TID with the corresponding entry. Note that this check
+ is not performed on LEASEQUERY and LEASEQUERY-REPLY messages as
+ they are exchanged between the SAVI devices and the DHCP servers.
+ Besides, this check is not performed on DHCP Renew/Rebind
+ messages.
+
+ o Binding limitation check: the DHCP messages must not cause new
+ binding setup on an attachment whose binding entry limitation has
+ been reached (refer to Section 11.5).
+
+ o Address check: the source address of the DHCP messages should pass
+ the check specified in Section 8.2.
+
+ On receiving a DHCP message without triggering a valid event, the
+ state will not change, and the actions will not be performed. Note
+ that if a message does not trigger a valid event but it can pass the
+ checks in Section 8.2, it MUST be forwarded.
+
+6.4. The State Machine of DHCP Snooping Process
+
+ This section specifies state transitions and their corresponding
+ actions.
+
+6.4.1. Initial State: NO_BIND
+
+6.4.1.1. Event: EVE_DHCP_REQUEST - A DHCPv4 Request or a DHCPv6 Request
+ message is received
+
+ The SAVI device MUST forward the message.
+
+ The SAVI device will generate an entry in the BST. The Binding
+ Anchor field is set to the binding anchor of the attachment from
+ which the message is received. The State field is set to INIT_BIND.
+ The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID
+ field is set to the TID of the message. If the message is DHCPv4
+ Request, the Address field can be set to the address to request,
+ i.e., the 'requested IP address'. An example of the entry is
+ illustrated in Figure 5.
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 21]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Anchor |Address| State | Lifetime | TID | Timeouts |
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Port_1 | |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 |
+ +--------+-------+---------+-----------------------+-----+----------+
+
+ Figure 5: Binding Entry in BST on Initialization Triggered by
+ Request/Rapid Commit/Reboot Messages
+
+ Resulting state: INIT_BIND - A potential binding has been set up.
+
+6.4.1.2. Event: EVE_DHCP_REBOOT - A DHCPv4 Reboot message is received
+
+ The SAVI device MUST forward the message.
+
+ The SAVI device will generate an entry in the BST. The Binding
+ Anchor field is set to the binding anchor of the attachment from
+ which the message is received. The State field is set to INIT_BIND.
+ The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID
+ field is set to the TID of the message. If the message is DHCPv4
+ Reboot, the Address field can be set to the address to request, i.e.,
+ the 'requested IP address'. An example of the entry is illustrated
+ in Figure 5.
+
+ Resulting state: INIT_BIND - A potential binding has been set up.
+
+6.4.1.3. Event: EVE_DHCP_SOLICIT_RC - A DHCPv6 Solicitation message
+ with the Rapid Commit option is received
+
+ The SAVI device MUST forward the message.
+
+ The SAVI device will generate an entry in the BST. The Binding
+ Anchor field is set to the binding anchor of the attachment from
+ which the message is received. The State field is set to INIT_BIND.
+ The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID
+ field is set to the TID of the message. An example of the entry is
+ illustrated in Figure 5.
+
+ Resulting state: INIT_BIND - A potential binding has been set up.
+
+6.4.1.4. Event: EVE_DHCP_CONFIRM - A DHCPv6 Confirm message is received
+
+ The SAVI device MUST forward the message.
+
+ The SAVI device will generate corresponding entries in the BST for
+ each address in each Identity Association (IA) option of the Confirm
+ message. The Binding Anchor field is set to the binding anchor of
+ the attachment from which the message is received. The State field
+
+
+
+Bi, et al. Standards Track [Page 22]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ is set to INIT_BIND. The Lifetime field is set to be
+ MAX_DHCP_RESPONSE_TIME. The TID field is set to the TID of the
+ message. The Address field is set to the address(es) to confirm. An
+ example of the entries is illustrated in Figure 6.
+
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Anchor |Address| State | Lifetime | TID | Timeouts |
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Port_1 | Addr1 |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 |
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Port_1 | Addr2 |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 |
+ +--------+-------+---------+-----------------------+-----+----------+
+
+ Figure 6: Binding Entry in BST on Confirm-Triggered Initialization
+
+ Resulting state: INIT_BIND - A potential binding has been set up.
+
+6.4.1.5. Events That Cannot Happen in the NO_BIND State
+
+ o EVE_ENTRY_EXPIRE: The lifetime of a binding entry expires
+
+ o EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
+ received
+
+ o EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is
+ received
+
+ o EVE_DHCP_REPLY: A DHCPv4 ACK or a DHCPv6 Reply message is received
+
+ o EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is
+ received
+
+ o EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is
+ received
+
+ o EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY is
+ received
+
+ These cannot happen because they are each something that happens
+ AFTER a binding has been created.
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 23]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+6.4.2. Initial State: INIT_BIND
+
+6.4.2.1. Event: EVE_DHCP_REPLY - A DHCPv4 ACK or a DHCPv6 Reply message
+ is received
+
+ The message MUST be forwarded to the corresponding client.
+
+ If the message is DHCPv4 ACK, the Address field of the corresponding
+ entry (i.e., the binding entry whose TID is the same as the message)
+ is set to the address in the message (i.e., 'yiaddr' in DHCPv4 ACK).
+ The Lifetime field is set to the sum of the lease time in the ACK
+ message and MAX_DHCP_RESPONSE_TIME. The State field is changed to
+ BOUND.
+
+ If the message is DHCPv6 Reply, note the following cases:
+
+ 1. If the status code is not "Success", no modification of
+ corresponding entries will be made. Corresponding entries will
+ expire automatically if no "Success" Reply is received during the
+ lifetime. The entries are not removed immediately because the
+ client may be able to use the addresses whenever a "Success"
+ Reply is received ("If the client receives any Reply messages
+ that do not indicate a NotOnLink status, the client can use the
+ addresses in the IA and ignore any messages that indicate a
+ NotOnLink status" [RFC3315]).
+
+ 2. If the status code is "Success", the SAVI device checks the IA
+ options in the Reply message.
+
+ A. If there are IA options in the Reply message, the SAVI device
+ checks each IA option. When the first assigned address is
+ found, the Address field of the binding entry with a matched
+ TID is set to the address. The Lifetime field is set to the
+ sum of the lease time in the Reply message and
+ MAX_DHCP_RESPONSE_TIME. The State field is changed to BOUND.
+ If there is more than one address assigned in the message,
+ new binding entries are set up for the remaining address
+ assigned in the IA options. An example of the entries is
+ illustrated in Figure 8. SAVI devices do not specially
+ process IA options with a NoAddrsAvail status because there
+ should be no address contained in such IA options.
+
+ B. Otherwise, the DHCP Reply message is in response to a Confirm
+ message. The state of the binding entries with a matched TID
+ is changed to BOUND. Because [RFC3315] does not require the
+ lease time of addresses to be contained in the Reply message,
+ the SAVI device SHOULD send a LEASEQUERY [RFC5007] message
+ querying by IP address to the All_DHCP_Servers multicast
+
+
+
+Bi, et al. Standards Track [Page 24]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ address [RFC3315] or a list of configured DHCP server
+ addresses. The LEASEQUERY message is generated for each IP
+ address if multiple addresses are confirmed. The lifetime of
+ corresponding entries is set to 2*MAX_LEASEQUERY_DELAY. If
+ there is no response message after MAX_LEASEQUERY_DELAY, send
+ the LEASEQUERY message again. An example of the entries is
+ illustrated in Figure 7. If the SAVI device does not send
+ the LEASEQUERY message, a preconfigured lifetime
+ DHCP_DEFAULT_LEASE MUST be set on the corresponding entry.
+ (Note: it is RECOMMENDED to use T1 configured on DHCP servers
+ as the DHCP_DEFAULT_LEASE.)
+
+ Note: the SAVI devices do not check if the assigned addresses are
+ duplicated because in SAVI-DHCP scenarios, the DHCP servers are the
+ only source of valid addresses. However, the DHCP servers should be
+ configured to make sure no duplicated addresses are assigned.
+
+ +--------+-------+-------+------------------------+-----+----------+
+ | Anchor |Address| State | Lifetime | TID | Timeouts |
+ +--------+-------+-------+------------------------+-----+----------+
+ | Port_1 | Addr1 | BOUND | 2*MAX_LEASEQUERY_DELAY | TID | 0 |
+ +--------+-------+-------+------------------------+-----+----------+
+ | Port_1 | Addr2 | BOUND | 2*MAX_LEASEQUERY_DELAY | TID | 0 |
+ +--------+-------+-------+------------------------+-----+----------+
+
+ Figure 7: From INIT_BIND to BOUND on DHCP Reply in Response to
+ Confirm
+
+ Transition
+ +--------+-------+-------+------------------------+-----+----------+
+ | Anchor |Address| State | Lifetime | TID | Timeouts |
+ +--------+-------+-------+------------------------+-----+----------+
+ | Port_1 | Addr1 | BOUND |Lease time+ | TID | 0 |
+ | | | |MAX_DHCP_RESPONSE_TIME | | |
+ +--------+-------+-------+------------------------+-----+----------+
+ | Port_1 | Addr2 | BOUND |Lease time+ | TID | 0 |
+ | | | |MAX_DHCP_RESPONSE_TIME | | |
+ +--------+-------+-------+------------------------+-----+----------+
+
+ Figure 8: From INIT_BIND to BOUND on DHCP Reply in Response to
+ Request
+
+ Resulting state: BOUND - The binding has been set up.
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 25]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+6.4.2.2. Event: EVE_ENTRY_EXPIRE - The lifetime of a binding entry
+ expires
+
+ The entry MUST be deleted from the BST.
+
+ Resulting state: An entry that has been deleted from the BST may be
+ considered to be in the "NO_BIND" state - No binding has been set up.
+
+6.4.2.3. Events That Are Ignored in INIT_BIND
+
+ If no DHCP Server-to-Client messages that assign addresses or confirm
+ addresses are received, corresponding entries will expire
+ automatically. Thus, other DHCP Server-to-Client messages (e.g.,
+ DHCPv4 NAK) are not specially processed.
+
+ As a result, the following events, should they occur, are ignored
+ until either a DHCPv4 ACK or a DHCPv6 Reply message is received or
+ the lifetime of the binding entry expires.
+
+ o EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is
+ received
+
+ o EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received
+
+ o EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received
+
+ o EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
+ received
+
+ o EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is
+ received
+
+ o EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid
+ Commit option is received
+
+ o EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is
+ received
+
+ o EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is
+ received
+
+ o EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY is
+ received
+
+ In each case, the message MUST be forwarded.
+
+ Resulting state: INIT_BIND - A potential binding has been set up.
+
+
+
+
+Bi, et al. Standards Track [Page 26]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+6.4.3. Initial State: BOUND
+
+6.4.3.1. Event: EVE_ENTRY_EXPIRE - The lifetime of a binding entry
+ expires
+
+ The entry MUST be deleted from the BST.
+
+ Resulting state: An entry that has been deleted from the BST may be
+ considered to be in the "NO_BIND" state - No binding has been set up.
+
+6.4.3.2. Event: EVE_DHCP_DECLINE - A DHCPv4 Decline or a DHCPv6 Decline
+ message is received
+
+ The message MUST be forwarded.
+
+ First, the SAVI device gets all the addresses ("Requested IP address"
+ in DHCPv4 Decline, "ciaddr" in DHCPv4 Release, and addresses in all
+ the IA options of DHCPv6 Decline/Release) to decline/release in the
+ message. Then, the corresponding entries MUST be removed.
+
+ Resulting state in each relevant BST entry: An entry that has been
+ deleted from the BST may be considered to be in the "NO_BIND" state -
+ No binding has been set up.
+
+6.4.3.3. Event: EVE_DHCP_RELEASE - A DHCPv4 Release or a DHCPv6 Release
+ message is received
+
+ The message MUST be forwarded.
+
+ First, the SAVI device gets all the addresses ("Requested IP address"
+ in DHCPv4 Decline, "ciaddr" in DHCPv4 Release, and addresses in all
+ the IA options of DHCPv6 Decline/Release) to decline/release in the
+ message. Then, the corresponding entries MUST be removed.
+
+ Resulting state in each relevant BST entry: An entry that has been
+ deleted from the BST may be considered to be in the "NO_BIND" state -
+ No binding has been set up.
+
+6.4.3.4. Event: EVE_DHCP_REBIND - A DHCPv4 Rebind or a DHCPv6 Rebind
+ message is received
+
+ The message MUST be forwarded.
+
+ In such a case, a new TID will be used by the client. The TID field
+ of the corresponding entries MUST be set to the new TID. Note that
+ the TID check will not be performed on such messages.
+
+ Resulting state: BOUND: The binding has been set up.
+
+
+
+Bi, et al. Standards Track [Page 27]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+6.4.3.5. Event: EVE_DHCP_RENEW - A DHCPv4 Renew or a DHCPv6 Renew
+ message is received
+
+ The message MUST be forwarded.
+
+ In such a case, a new TID will be used by the client. The TID field
+ of the corresponding entries MUST be set to the new TID. Note that
+ the TID check will not be performed on such messages.
+
+ Resulting state: BOUND: The binding has been set up.
+
+6.4.3.6. Event: EVE_DHCP_REPLY - A DHCPv4 ACK or a DHCPv6 Reply message
+ is received
+
+ The message MUST be forwarded.
+
+ The DHCP Reply messages received in current states should be in
+ response to DHCP Renew/Rebind.
+
+ If the message is DHCPv4 ACK, the SAVI device updates the binding
+ entry with a matched TID, with the Lifetime field set to be the sum
+ of the new lease time and MAX_DHCP_RESPONSE_TIME, leaving the entry
+ in the BOUND state.
+
+ If the message is DHCPv6 Reply, the SAVI device checks each IA
+ Address option in each IA option. For each:
+
+ 1. If the IA entry in the REPLY message has the status "NoBinding",
+ there is no address in the option, and no operation on an address
+ is performed.
+
+ 2. If the valid lifetime of an IA Address option is 0, the binding
+ entry with a matched TID and address is removed, leaving it
+ effectively in the NO_BIND state.
+
+ 3. Otherwise, set the Lifetime field of the binding entry with the
+ matched TID and address to be the sum of the new valid lifetime
+ and MAX_DHCP_RESPONSE_TIME, leaving the entry in the BOUND state.
+
+ Resulting state: NO_BIND or BOUND, as specified.
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 28]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+6.4.3.7. Event: EVE_DHCP_LEASEQUERY - A successful DHCPv6
+ LEASEQUERY_REPLY is received
+
+ The message MUST be forwarded.
+
+ The message should be in response to the LEASEQUERY message sent in
+ Section 6.4.2. The related binding entry can be determined based on
+ the address in the IA Address option in the LEASEQUERY-REPLY message.
+ The Lifetime field of the corresponding binding entry is set to the
+ sum of the lease time in the LEASEQUERY-REPLY message and
+ MAX_DHCP_RESPONSE_TIME.
+
+ Resulting state: BOUND: The binding has been set up.
+
+6.4.3.8. Events Not Processed in the State BOUND
+
+ The following events are ignored if received while the indicated
+ entry is in the BOUND state. Any required action will be the result
+ of the next message in the client/server exchange.
+
+ o EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is
+ received
+
+ o EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received
+
+ o EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received
+
+ o EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid
+ Commit option is received
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 29]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+6.4.4. Table of State Machine
+
+ The main state transits are listed as follows. Note that not all the
+ details are specified in the table and the diagram.
+
+ State Event Action Next State
+ ---------------------------------------------------------------------
+ NO_BIND RQ/RC/CF/RE Generate entry INIT_BIND
+
+ INIT_BIND RPL Record lease time BOUND
+ (send leasequery if no lease)
+
+ INIT_BIND EVE_ENTRY_EXPIRE Remove entry NO_BIND
+
+ BOUND RLS/DCL Remove entry NO_BIND
+
+ BOUND EVE_ENTRY_EXPIRE Remove entry NO_BIND
+
+ BOUND RPL Set new lifetime BOUND
+
+ BOUND LQR Record lease time BOUND
+
+ Figure 9: State Transition Table
+
+ RQ: EVE_DHCP_REQUEST
+ RC: EVE_DHCP_SOLICIT_RC
+ CF: EVE_DHCP_CONFIRM
+ RE: EVE_DHCP_REBOOT
+ RPL: EVE_DHCP_REPLY
+ RLS: EVE_DHCP_RELEASE
+ DCL: EVE_DHCP_DECLINE
+ LQR: EVE_DHCP_LEASEQUERY
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 30]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ +-------------+
+ | |
+ /--------+ NO_BIND |<--------\
+ | ----->| | |
+ | | +-------------+ |EVE_DHCP_RELEASE
+ EVE_DHCP_REQUEST | | |EVE_DHCP_DECLINE
+ EVE_DHCP_CONFIRM | |EVE_ENTRY_EXPIRE |EVE_ENTRY_EXPIRE
+ EVE_DHCP_SOLICIT_RC| | |
+ EVE_DHCP_REBOOT | | |
+ | | |
+ | | |
+ v | |
+ +-------------+ +------------+
+ | | EVE_DHCP_REPLY | |
+ | INIT_BIND --------------------->| BOUND |<-\
+ | | | | |
+ +-------------+ +------------+ |
+ | |
+ \--------/
+ EVE_DHCP_REPLY
+ EVE_DHCP_LEASEQUERY
+
+ Figure 10: Diagram of Transit
+
+7. Data Snooping Process
+
+7.1. Scenario
+
+ The rationale of the DHCP Snooping Process specified in Section 6 is
+ that if a DHCP client's use of a DHCP address is legitimate, the
+ corresponding DHCP address assignment procedure must have been
+ finished during the attachment of the DHCP client. This is the case
+ when the SAVI device is continuously on the path(s) from the DHCP
+ client to the DHCP server(s)/relay(s). However, there are two cases
+ in which this does not work:
+
+ o Multiple paths: there is more than one feasible link-layer path
+ from the client to the DHCP server/relay, and the SAVI device is
+ not on every one of them. The client may get its address through
+ one of the paths that does not pass through the SAVI device, but
+ packets from the client can travel on paths that pass through the
+ SAVI device, such as when the path through the link-layer network
+ changes. Because the SAVI device could not snoop the DHCP packet
+ exchange procedure, the DHCP Snooping Process cannot set up the
+ corresponding binding.
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 31]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ o Dynamic path: there is only one feasible link-layer path from the
+ client to the DHCP server/relay, but the path is dynamic due to
+ topology change (for example, some link becomes broken due to
+ failure or some planned change) or link-layer path change. This
+ situation also covers the local-link movement of clients without
+ the address confirm/reconfiguration process. For example, a host
+ changes its attached switch port in a very short time. In such
+ cases, the DHCP Snooping Process will not set up the corresponding
+ binding.
+
+ The Data Snooping Process can avoid the permanent blocking of
+ legitimate traffic in case one of these two exceptions occurs. This
+ process is performed on attachments with the Data-Snooping attribute.
+ Data packets without a matching binding entry may trigger this
+ process to set up bindings.
+
+ Snooping data traffic introduces a considerable burden on the
+ processor and ASIC-to-Processor bandwidth of SAVI devices. Because
+ of the overhead of this process, the implementation of this process
+ is OPTIONAL. This function SHOULD be enabled unless the
+ implementation is known to be used in the scenarios without the above
+ exceptions. For example, if the implementation is to be used in
+ networks with tree topology and without host local-link movement,
+ there is no need to implement this process in such scenarios.
+
+ This process is not intended to set up a binding whenever a data
+ packet without a matched binding entry is received. Instead,
+ unmatched data packets trigger this process probabilistically, and
+ generally a number of unmatched packets will be discarded before the
+ binding is set up. The parameter(s) of this probabilistic process
+ SHOULD be configurable, defaulting to a situation where data snooping
+ is disabled.
+
+7.2. Rationale
+
+ This process makes use of NS/ARP and DHCP Leasequery to set up
+ bindings. If an address is not used by another client in the
+ network, and the address has been assigned in the network, the
+ address can be bound with the binding anchor of the attachment from
+ which the unmatched packet is received.
+
+ The Data Snooping Process provides an alternative path for binding
+ entries to reach the BOUND state in the exceptional cases explained
+ in Section 7.1 when there are no DHCP messages that can be snooped by
+ the SAVI device.
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 32]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ In some of the exceptional cases (especially the dynamic topology
+ case), by the time the binding has reached the BOUND state, the DHCP
+ messages may be passing through the SAVI device. In this case, the
+ events driven by DHCP messages that are expected in the BOUND state
+ in the DHCP Snooping Process may occur, and the binding can be
+ handled by the DHCP Snooping Process state machine.
+
+ In any event, the lease expiry timeout event will occur even if no
+ others do. This will cause the binding to be deleted and the state
+ to logically return to NO_BIND state. Either the DHCP or the Data
+ Snooping Process will be reinvoked if the lease is still in place.
+ If DHCP messages are still not passing through the SAVI device, there
+ will be a brief disconnection during which data packets passing
+ through the SAVI device will be dropped. The probabilistic
+ initiation of the Data Snooping Process can then take over again and
+ return the binding state to BOUND in due course.
+
+ The security issues concerning this process are discussed in
+ Section 11.1.
+
+7.3. Additional Binding States Description
+
+ In addition to NO_BIND and BOUND from Section 6.2, three new states
+ used in this process are listed here. The INIT_BIND state is not
+ used, as it is entered by observing a DHCP message.
+
+ DETECTION: The address in the entry is undergoing local duplication
+ detection.
+
+ RECOVERY: The SAVI device is querying the assignment and lease time
+ of the address in the entry through DHCP Leasequery.
+
+ VERIFY: The SAVI device is verifying that the device connected to the
+ attachment point has a hardware address that matches the one returned
+ in the DHCP Leasequery.
+
+ Because the mechanisms used for the operations carried out while the
+ binding is in these three states operate over unreliable protocols,
+ each operation is carried out twice with a timeout that is triggered
+ if no response is received.
+
+7.4. Events
+
+ To handle the Data Snooping Process, six extra events, described
+ here, are needed in addition to those used by the DHCP Snooping
+ Process (see Section 6.3). If an event will trigger the creation of
+ a new binding entry, the binding entry limit on the binding anchor
+ MUST NOT be exceeded.
+
+
+
+Bi, et al. Standards Track [Page 33]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ EVE_DATA_UNMATCH: A data packet without a matched binding is
+ received.
+
+ EVE_DATA_CONFLICT: An ARP Reply / Neighbor Advertisement (NA) message
+ against an address in the DETECTION state is received from a host
+ other than the one for which the entry was added (i.e., a host
+ attached at a point other than the one on which the triggering data
+ packet was received).
+
+ EVE_DATA_LEASEQUERY:
+
+ o IPv4: A DHCPLEASEACTIVE message with the IP Address Lease Time
+ option is received. Note that the DHCPLEASEUNKNOWN and
+ DHCPLEASEUNASSIGNED replies are ignored.
+
+ o IPv6: A successful LEASEQUERY-REPLY is received.
+
+ EVE_DATA_VERIFY: An ARP Reply / NA message has been received in the
+ VERIFY state from the device connected to the attachment point on
+ which the data packet was received.
+
+ The triggering packet should pass the following checks to trigger a
+ valid event:
+
+ o Attribute check: the data packet should be from attachments with
+ the Data-Snooping attribute; the DHCPLEASEACTIVE/LEASEQUERY-REPLY
+ messages should be from attachments with the DHCP-Snooping
+ attribute.
+
+ o Binding limitation check: the data messages must not cause new
+ binding setup on an attachment whose binding entry limitation has
+ been reached (refer to Section 11.5).
+
+ o Address check: For EVE_DATA_LEASEQUERY, the source address of the
+ DHCPLEASEQUERY messages must pass the check specified in
+ Section 8.2. For EVE_DATA_CONFLICT and EVE_DATA_VERIFY, the
+ source address and target address of the ARP or NA messages must
+ pass the check specified in Section 8.2.
+
+ o Interval check: the interval between two successive
+ EVE_DATA_UNMATCH events triggered by an attachment MUST be no
+ smaller than DATA_SNOOPING_INTERVAL.
+
+ o TID check: the DHCPLEASEACTIVE/LEASEQUERY-REPLY messages must have
+ a matched TID with the corresponding entry.
+
+ o Prefix check: the source address of the data packet should be of a
+ valid local prefix, as specified in Section 7 of [RFC7039].
+
+
+
+Bi, et al. Standards Track [Page 34]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ EVE_DATA_EXPIRE: A timer expires indicating that a response to a
+ hardware address verification message sent in the VERIFY state has
+ not been received within the specified DETECTION_TIMEOUT period.
+
+ EVE_ENTRY_EXPIRE: A timer expires after the Lifetime indicated in the
+ relevant BST entry has elapsed. This is identical to the usage in
+ the DHCP Snooping Process.
+
+7.5. Message Sender Functions
+
+ The Data Snooping Process involves sending three different messages
+ to other network devices. Each message may be sent up to two times
+ since they are sent over unreliable transports and are sent in
+ different states. The functions defined in this section specify the
+ messages to be sent in the three cases. In each case, the message to
+ be sent depends on whether the triggering data packet is an IPv4 or
+ an IPv6 packet.
+
+7.5.1. Duplicate Detection Message Sender
+
+ Send a message to check if the source address in the data packet that
+ triggered the Data Snooping Process has a local conflict (that is, it
+ uses an address that is being used by another node):
+
+ IPv4 address: Broadcast an Address Resolution Protocol (ARP) Request
+ [RFC826] or an ARP Probe [RFC5227] for the address to the local
+ network. An ARP Response will be expected from the device on
+ the attachment point on which the triggering data packet was
+ received. An ARP Reply received on any other port indicates a
+ duplicate address.
+
+ IPv6 address: Send a Duplicate Address Detection (DAD) message
+ (Neighbor Solicitation message) to the solicited-node multicast
+ address [RFC4861] targeting the address. Ideally, only the
+ host on that point of attachment responds with a Neighbor
+ Advertisement. A Neighbor Advertisement received on any other
+ port indicates a duplicate address.
+
+ As both the ARP and DAD processes are unreliable (the packet either
+ to or from the other system may be lost in transit; see [RFC6620]),
+ if there is no response after the DETECTION_TIMEOUT, an
+ EVE_ENTRY_EXPIRE is generated.
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 35]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+7.5.2. Leasequery Message Sender
+
+ Send a DHCPLEASEQUERY message to the DHCP server(s) to determine if
+ it has given out a lease for the source address in the triggering
+ data packet. A list of authorized DHCP servers is kept by the SAVI
+ device. The list should be either preconfigured with the IPv4 and/or
+ IPv6 addresses or dynamically discovered: For networks using IPv4,
+ this can be done by sending DHCPv4 Discover messages and parsing the
+ returned DHCPv4 Offer messages; for networks using IPv6, discovery
+ can be done by sending DHCPv6 SOLICIT messages and parsing the
+ returned ADVERTISE messages. The same TID should be used for all
+ LEASEQUERY messages sent in response to a triggering data message on
+ an attachment point. The TID is generated if the TID field in the
+ BST entry is empty and recorded in the TID field of the BST entry
+ when the first message is sent. Subsequent messages use the TID from
+ the BST entry.
+
+ (1) IPv4 address: Send a DHCPLEASEQUERY [RFC4388] message querying
+ by IP address to each DHCPv4 server in the list of authorized
+ servers with an IP Address Lease Time option (option 51). If
+ the server has a valid lease for the address, the requested
+ information will be returned in a DHCPLEASEACTIVE message.
+
+ (2) IPv6 address: Send a LEASEQUERY [RFC5007] message querying by IP
+ address to each DHCPv6 server in the list of authorized servers
+ using the server address as the link-address in the LEASEQUERY
+ message. If the server has a valid lease for the address, the
+ requested information will be returned in a LEASEQUERY-REPLY
+ message marked as successful (i.e., without an
+ OPTION_STATUS_CODE in the reply). The IA Address option(s)
+ returned contains any IPv6 addresses bound to the same link
+ together with the lease validity time.
+
+ As DHCP Leasequeries are an unreliable process (the packet either to
+ or from the server may be lost in transit), if there is no response
+ after the MAX_LEASEQUERY_DELAY, an EVE_DATA_EXPIRE is generated.
+ Note that multiple response messages may be received if the list of
+ authorized servers contains more than one address of the appropriate
+ type and, in the case of DHCPv6, the responses may contain additional
+ addresses for which leases have been allocated.
+
+7.5.3. Address Verification Message Sender
+
+ Send a message to verify that the link-layer address in the attached
+ device that sent the triggering data packet matches the link-layer
+ address contained in the leasequery response:
+
+
+
+
+
+Bi, et al. Standards Track [Page 36]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ IPv4 address: Send an ARP Request with the Target Protocol Address
+ set to the IP address in the BST entry. The ARP Request is
+ only sent to the attachment that triggered the binding. If the
+ attached device has the IP address bound to the interface
+ attached to the SAVI device, an ARP Reply should be received
+ containing the hardware address of the interface on the
+ attached device that can be compared with the leasequery value.
+
+ IPv6 address: Send a Neighbor Solicitation (NS) message with the
+ target address set to the IP address in the BST entry. The NS
+ is only sent to the attachment that triggered the binding. If
+ the attached device has the IP address bound to the interface
+ attached to the SAVI device, an NA should be received
+ indicating that the attached device has the IP address
+ configured on the interface.
+
+ As both the ARP and NS/NA processes are unreliable (the packet either
+ to or from the other system may be lost in transit; see [RFC6620]),
+ if there is no response after the DETECTION_TIMEOUT, an
+ EVE_DATA_EXPIRE is generated.
+
+7.6. Initial State: NO_BIND
+
+7.6.1. Event: EVE_DATA_UNMATCH: A data packet without a matched binding
+ is received
+
+ Make a probabilistic determination as to whether to act on this
+ event. The probability may be configured or calculated based on the
+ state of the SAVI device. This probability should be low enough to
+ mitigate the damage from DoS attacks against this process.
+
+ Create a new entry in the BST. Set the Binding Anchor field to the
+ corresponding binding anchor of the attachment. Set the Address
+ field to the source address of the packet.
+
+ Address conflicts MUST be detected and prevented.
+
+ If local address detection is performed:
+ Set the State field to DETECTION. Set the Lifetime of the
+ created entry to DETECTION_TIMEOUT. Set the Timeouts field to
+ 0. Start the detection of any local address conflicts by
+ sending a Duplicate Address Detection Message (Section 7.5.1).
+ Transition to DETECTION state.
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 37]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ If local address detection is not performed:
+ Set the State field to RECOVERY. Set the Lifetime of the
+ created entry to LEASEQUERY_DELAY. Set the Timeouts field to
+ 0. Start the recovery of any DHCP lease associated with the
+ source IP address by sending one or more LEASEQUERY messages
+ (Section 7.5.2). Transition to RECOVERY state.
+
+ The packet that triggers this event SHOULD be discarded.
+
+ An example of the BST entry during duplicate address detection is
+ illustrated in Figure 11.
+
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Anchor |Address| State | Lifetime | TID | Timeouts |
+ +--------+-------+---------+-----------------------+-----+----------+
+ | Port_1 | Addr1 |DETECTION| DETECTION_TIMEOUT | | 0 |
+ +--------+-------+---------+-----------------------+-----+----------+
+
+ Figure 11: Binding Entry in BST on Data-Triggered Initialization
+
+ Resulting state: DETECTION - The address in the entry is undergoing
+ local duplication detection - or RECOVERY - The DHCP lease(s)
+ associated with the address is being queried.
+
+7.6.2. Events Not Observed in NO_BIND for Data Snooping
+
+ EVE_DATA_CONFLICT: An ARP Reply / NA message is received from an
+ unexpected system.
+
+ EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or LEASEQUERY-REPLY is
+ received.
+
+ EVE_DATA_VERIFY: A valid ARP Reply or NA message is received from the
+ attached device.
+
+ All EVE_DHCP_* events defined in Section 6.3.2 are treated as
+ described in the DHCP Snooping Process (Section 6.4.1) and may result
+ in that process being triggered.
+
+ EVE_ENTRY_EXPIRE: Expiration of the DECTECTION_TIMEOUT
+
+ EVE_DATA_EXPIRE: Expiration of the DECTECTION_TIMEOUT
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 38]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+7.7. Initial State: DETECTION
+
+7.7.1. Event: EVE_ENTRY_EXPIRE
+
+ When this event occurs, no address conflict has been detected during
+ the previous DETECTION_TIMEOUT period.
+
+ If the Timeouts field in the BST entry is 0:
+ Set the Lifetime of the BST entry to DETECTION_TIMEOUT. Set
+ the Timeouts field to 1. Restart the detection of any local
+ address conflicts by sending a second Duplicate Address
+ Detection Message (Section 7.5.1). Remain in DETECTION state.
+
+ If the Timeouts field in the BST entry is 1:
+
+ Assume that there is no local address conflict. Set the State
+ field to RECOVERY. Set the Lifetime of the BST entry to
+ LEASEQUERY_DELAY. Set the Timeouts field to 0. Start the
+ recovery of any DHCP lease associated with the source IP
+ address by sending one or more LEASEQUERY messages
+ (Section 7.5.2). Transition to RECOVERY state.
+
+ An example of the entry is illustrated in Figure 12.
+
+ +--------+-------+----------+----------------------+-----+----------+
+ | Anchor |Address| State | Lifetime | TID | Timeouts |
+ +--------+-------+----------+----------------------+-----+----------+
+ | Port_1 | Addr1 | RECOVERY | MAX_LEASEQUERY_DELAY | TID | 0 |
+ +--------+-------+----------+----------------------+-----+----------+
+
+ Figure 12: Binding Entry in BST on Leasequery
+
+ Resulting state: DETECTION - If a second local conflict period is
+ required - or RECOVERY - The SAVI device is querying the assignment
+ and lease time of the address in the entry through DHCP Leasequery.
+
+7.7.2. Event: EVE_DATA_CONFLICT: ARP Reply / NA Message Received from
+ Unexpected System
+
+ Remove the entry.
+
+ Resulting state: NO_BIND - No binding has been set up.
+
+7.7.3. Events Not Observed in DETECTION
+
+ EVE_DATA_UNMATCH: A data packet without a matched binding is received
+
+ All EVE_DHCP_* events defined in Section 6.3.2
+
+
+
+Bi, et al. Standards Track [Page 39]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
+ received
+
+7.8. Initial State: RECOVERY
+
+7.8.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or
+ successful LEASEQUERY-REPLY is received
+
+ Set the State in the BST entry to VERIFY. Depending on the type of
+ triggering source IP address, process the received DHCP Leasequery
+ response:
+
+ IPv4 address: Update the Lifetime field in the BST entry to the sum
+ of the value encoded in the IP Address Lease Time option of the
+ DHCPLEASEACTIVE message and MAX_DHCP_RESPONSE_TIME. Record the
+ value of the "chaddr" field (hardware address) in the message
+ for checking against the hardware address received during
+ verification in the next state. Set the Timeouts field to 0.
+ Start the verification process by sending an Address
+ Verification Message (see Section 7.5.3). Transition to VERIFY
+ state. Start an additional verification timer with a duration
+ of DETECTION_TIMEOUT. When this expires, an EVE_DATA_EXPIRE
+ event will be generated.
+
+ IPv6 address: Update the Lifetime field in the BST entry to the sum
+ of the valid lifetime extracted from the OPTION_CLIENT_DATA
+ option in the LEASEQUERY-REPLY message and
+ MAX_DHCP_RESPONSE_TIME. Set the Timeouts field to 0. Start
+ the verification process by sending an Address Verification
+ Message (see Section 7.5.3). Transition to VERIFY state.
+ Start an additional verification timer with a duration of
+ DETECTION_TIMEOUT. When this expires, an EVE_DATA_EXPIRE event
+ will be generated.
+
+ If multiple addresses are received in the LEASEQUERY-REPLY, new
+ BST entries MUST be created for the additional addresses using
+ the same binding anchor. The entries are created with state
+ set to VERIFY and the other fields set as described in this
+ section for the triggering source IP address. Also, start the
+ verification process and start verification timers for each
+ additional address.
+
+ Resulting state: VERIFY - Awaiting verification or otherwise of the
+ association of the IP address with the connected interface.
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 40]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+7.8.2. Event: EVE_ENTRY_EXPIRE
+
+ Depending on the value of the Timeouts field in the BST entry, either
+ send repeat LEASEQUERY messages or discard the binding:
+
+ If the Timeouts field in the BST entry is 0:
+ No responses to the LEASEQUERY message(s) sent have been
+ received during the first LEASEQUERY_DELAY period. Set the
+ Lifetime of the BST entry to LEASEQUERY_DELAY. Set the
+ Timeouts field to 1. Restart the recovery of any DHCP lease
+ associated with the source IP address by sending one or more
+ LEASEQUERY messages (Section 7.5.2). Remain in RECOVERY state.
+
+ If the Timeouts field in the BST entry is 1:
+ No responses to the LEASEQUERY messages sent during two
+ LEASEQUERY_DELAY periods were received. Assume that no leases
+ exist and hence that the source IP address is bogus. Delete
+ the BST entry. Transition to NO_BIND state.
+
+ Resulting state: RECOVERY - If repeat leasequeries are sent - or
+ NO_BIND - If no successful responses to LEASEQUERY messages have been
+ received.
+
+7.8.3. Events Not Observed in RECOVERY
+
+ EVE_DATA_UNMATCH: A data packet without a matched binding is received
+
+ EVE_DATA_CONFLICT: An ARP Reply / NA message is received from an
+ unexpected system
+
+ EVE_DATA_VERIFY: A valid ARP Reply or NA message is received from the
+ attached device
+
+ All EVE_DHCP_* events defined in Section 6.3.2
+
+ EVE_DATA_EXPIRE: Expiration of the DECTECTION_TIMEOUT
+
+7.9. Initial State: VERIFY
+
+7.9.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or
+ successful LEASEQUERY-REPLY is received
+
+ If LEASEQUERY messages were sent to more than one DHCP server during
+ RECOVERY state, additional successful leasequery responses may be
+ received relating to the source IP address. The conflict resolution
+ mechanisms specified in Section 6.8 of [RFC4388] and Section 4.3.4 of
+ [RFC5007] can be used to determine the message from which values are
+ used to update the BST Lifetime entry and the hardware address
+
+
+
+Bi, et al. Standards Track [Page 41]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ obtained from DHCP, as described in Section 7.8.1. In the case of
+ DHCPv6 queries, the LEASEQUERY-REPLY may contain additional addresses
+ as described in Section 7.8.1. If so, additional BST entries MUST be
+ created or ones previously created updated as described in that
+ section.
+
+ Resulting state: VERIFY (no change).
+
+7.9.2. Event: EVE_DATA_VERIFY: A valid ARP Reply or NA is received from
+ the device attached via the binding anchor
+
+ Depending on the type of triggering source IP address, this event may
+ indicate that the device attached via the binding anchor in the BST
+ entry is configured by DHCP using the IP address:
+
+ IPv4 address: Check that the value of the sender hardware address in
+ the ARP Reply matches the saved "chaddr" field (hardware
+ address) from the previously received DHCPLEASEACTIVE message.
+ If not, ignore this event; a subsequent retry may provide
+ verification. If the hardware addresses match, the binding
+ entry has been verified.
+
+ IPv6 address: Simple receipt of a valid NA from the triggering
+ source IP address at the binding anchor port provides
+ verification for the binding entry.
+
+ If the binding entry has been verified, set the state in the BST
+ entry to BOUND. Clear the TID field. Cancel the verification timer.
+
+ Resulting state: VERIFY (no change) - If the IPv4 DHCPLEASEQUERY
+ "chaddr" address does not match the ARP Reply hardware address.
+ Otherwise, the resulting state is BOUND.
+
+7.9.3. Event: EVE_ENTRY_EXPIRE
+
+ The DHCP lease lifetime has expired before the entry could be
+ verified. Remove the entry. Transition to NO_BIND state.
+
+ Resulting state: NO_BIND - No binding has been set up.
+
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 42]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+7.9.4. Event: EVE_DATA_EXPIRE
+
+ Depending on the value of the Timeouts field in the BST entry, either
+ send a repeat validation message or discard the binding:
+
+ If the Timeouts field in the BST entry is 0:
+ No response to the verification message sent has been received
+ during the first DETECTION_TIMEOUT period. Set the Timeouts
+ field to 1. Restart the verification process by sending an
+ Address Verification Message (see Section 7.5.3). Start a
+ verification timer with a duration of DETECTION_TIMEOUT. When
+ this expires, an EVE_DATA_EXPIRE event will be generated.
+ Remain in VERIFY state.
+
+ If the Timeouts field in the BST entry is 1:
+ No responses to the verification messages sent during two
+ DETECTION_TIMEOUT periods were received. Assume that the
+ configuration of the triggering source IP address cannot be
+ verified and hence that the source IP address is bogus. Delete
+ the BST entry. Transition to NO_BIND state.
+
+ Resulting state: VERIFY - Additional verification message sent - or
+ NO_BIND - No binding has been set up.
+
+7.9.5. Events Not Observed in VERIFY
+
+ EVE_DATA_UNMATCH: A data packet without a matched binding is received
+
+ EVE_DATA_CONFLICT: An ARP Reply / NA message is received from an
+ unexpected system
+
+ All EVE_DHCP_* events defined in Section 6.3.2
+
+7.10. Initial State: BOUND
+
+ Upon entry to the BOUND state, control of the system continues as if
+ a DHCP message assigning the address has been observed, as in
+ Section 6.4.3. The BST entry has been restored.
+
+ Note that the TID field contains no value after the binding state
+ changes to BOUND. The TID field is recovered from snooping DHCP
+ Renew/Rebind messages if these are observed as described in the DHCP
+ Snooping Process. Because TID is used to associate binding entries
+ with messages from DHCP servers, it must be recovered or else a
+ number of state transitions of this mechanism will not be executed
+ normally.
+
+
+
+
+
+Bi, et al. Standards Track [Page 43]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+7.11. Table of State Machine
+
+ The main state transitions are listed as follows.
+
+ State Event Action Next State
+ ---------------------------------------------------------------------
+ NO_BIND EVE_DATA_UNMATCH Start duplicate detect DETECTION
+
+ DETECTION EVE_ENTRY_EXPIRE 1 Repeat duplicate detect DETECTION
+
+ DETECTION EVE_ENTRY_EXPIRE 2 Start leasequery RECOVERY
+
+ DETECTION EVE_DATA_CONFLICT Remove entry NO_BIND
+
+ RECOVERY EVE_ENTRY_EXPIRE 1 Repeat leasequery RECOVERY
+
+ RECOVERY EVE_ENTRY_EXPIRE 2 No lease found; remove entry NO_BIND
+
+ RECOVERY EVE_DATA_LEASEQUERY Set lease time; start verify VERIFY
+
+ VERIFY EVE_ENTRY_EXPIRE Lease expiry; remove entry NO_BIND
+
+ VERIFY EVE_DATA_LEASEQUERY Resolve lease conflict(s) VERIFY
+
+ VERIFY EVE_DATA_VERIFY Finish validation BOUND or NO_BIND
+
+ VERIFY EVE_DATA_EXPIRE 1 Repeat verify VERIFY
+
+ VERIFY EVE_DATA_EXPIRE 2 Verify failed; remove entry NO_BIND
+
+ BOUND EVE_ENTRY_EXPIRE Lease expiry; remove entry NO_BIND
+
+ BOUND RENEW/REBIND Record TID BOUND
+
+ Figure 13: State Transition Table
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 44]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ +-------------+ EVE_ENTRY_EXPIRE
+ /---------+ |<------------------------\
+ | | NO_BIND | EVE_DATA_EXPIRE |
+ EVE_DATA_UNMATCH | /----->| |<----\ (2nd VRF_DELAY) |
+ | | +-------------+ | |
+ | | EVE_ENTRY_EXPIRE | |
+ | | (2nd LQ_DELAY) | |
+ EVE_ENTRY_EXPIRE | | | EVE_ENTRY_EXPIRE |
+ (1st DAD_DELAY) | | | (1st LQ_DELAY) |
+ /------\ | | | /--------\ |
+ | | | | EVE_DATA_CONFLICT \---\ | | |
+ | v v | | v | |
+ | +-------------+ EVE_ENTRY_EXPIRE +------------+ | |
+ | | | (2nd DAD_DELAY) | | | |
+ \----+ DETECTION ------------------------>| RECOVERY +--/ |
+ | | | | |
+ +-------------+ (To NO_BIND) +------------+ |
+ ^ | |
+ | EVE_DATA_LEASEQUERY | |
+ /----------\ | | |
+ | | | EVE_ENTRY_EXPIRE | |
+ EVE_DHCP_RENEW| v | v |
+ EVE_DHCP_REBIND| +-------------+ +-------------+ |
+ | | | | +--/
+ \----+ BOUND |<---------------+ VERIFY |
+ | | EVE_DATA_VERIFY| |<-\
+ +-------------+ +-------------+ |
+ | |
+ \----------/
+ EVE_DATA_LEASEQUERY
+ EVE_DATA_EXPIRE
+ (1st VRF_DELAY)
+
+ Figure 14: Diagram of Transit
+
+ LQ_DELAY: MAX_LEASEQUERY_DELAY
+ VRF_DELAY: DETECTION_TIMEOUT
+
+8. Filtering Specification
+
+ This section specifies how to use bindings to filter out packets with
+ spoofed source addresses.
+
+ Filtering policies are different for data packets and control
+ packets. DHCP, ARP, and Neighbor Discovery Protocol (NDP) [RFC4861]
+ messages are classified as control packets. All other packets are
+ classified as data packets.
+
+
+
+
+Bi, et al. Standards Track [Page 45]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+8.1. Data Packet Filtering
+
+ Data packets from attachments with the Validating attribute TRUE MUST
+ have their source addresses validated. There is one exception to
+ this rule.
+
+ A packet whose source IP address is a link-local address cannot be
+ checked against DHCP assignments, as it is not assigned using DHCP.
+ Note: as explained in Section 1, a SAVI solution for link-local
+ addresses, e.g., FCFS SAVI [RFC6620], can be enabled to check packets
+ with a link-local source address.
+
+ If the source IP address of a packet is not a link-local address, but
+ there is not a matching entry in the BST with BOUND state, this
+ packet MUST be discarded. However, the packet may trigger the Data
+ Snooping Process (Section 7) if the Data-Snooping attribute is set on
+ the attachment.
+
+ Data packets from an attachment with the Validating attribute set
+ FALSE will be forwarded without having their source addresses
+ validated.
+
+ The SAVI device MAY log packets that fail source address validation.
+
+8.2. Control Packet Filtering
+
+ For attachments with the Validating attribute:
+
+ DHCPv4 Client-to-Server messages in which the source IP address is
+ neither all zeros nor bound with the corresponding binding anchor in
+ the BST MUST be discarded.
+
+ DHCPv6 Client-to-Server messages in which the source IP address is
+ neither a link-local address nor bound with the corresponding binding
+ anchor in the BST MUST be discarded.
+
+ NDP messages in which the source IP address is neither a link-local
+ address nor bound with the corresponding binding anchor MUST be
+ discarded.
+
+ NA messages in which the target address is neither a link-local
+ address nor bound with the corresponding binding anchor MUST be
+ discarded.
+
+ ARP messages in which the protocol is IP and the sender protocol
+ address is neither all zeros nor bound with the corresponding binding
+ anchor MUST be discarded.
+
+
+
+
+Bi, et al. Standards Track [Page 46]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ ARP Reply messages in which the target protocol address is not bound
+ with the corresponding binding anchor MUST be discarded.
+
+ For attachments with other attributes:
+
+ DHCP Server-to-Client messages not from attachments with the DHCP-
+ Trust attribute or Trust attribute MUST be discarded.
+
+ For attachments with no attribute:
+
+ DHCP Server-to-Client messages from such attachments MUST be
+ discarded.
+
+ The SAVI device MAY record any messages that are discarded.
+
+9. State Restoration
+
+ If a SAVI device reboots, the information kept in volatile memory
+ will be lost. This section specifies the restoration of attribute
+ configuration and the BST.
+
+9.1. Attribute Configuration Restoration
+
+ The loss of attribute configuration will not break the network: no
+ action will be performed on traffic from attachments with no
+ attribute. However, the loss of attribute configuration makes this
+ SAVI function unable to work.
+
+ To avoid the loss of binding anchor attribute configuration, the
+ configuration MUST be able to be stored in non-volatile storage.
+ After the reboot of the SAVI device, if the configuration of binding
+ anchor attributes is found in non-volatile storage, the configuration
+ MUST be used.
+
+9.2. Binding State Restoration
+
+ The loss of binding state will cause the SAVI devices to discard
+ legitimate traffic. Simply using the Data Snooping Process to
+ recover a large number of bindings is a heavy overhead and may cause
+ considerable delay. Thus, recovering bindings from non-volatile
+ storage, as specified below, is RECOMMENDED.
+
+ Binding entries MAY be saved into non-volatile storage whenever a new
+ binding entry changes to BOUND state. If a binding with BOUND state
+ is removed, the saved entry MUST be removed correspondingly. The
+ time when each binding entry is established is also saved.
+
+
+
+
+
+Bi, et al. Standards Track [Page 47]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ If the BST is stored in non-volatile storage, the SAVI device SHOULD
+ restore binding state from the non-volatile storage immediately after
+ reboot. Using the time when each binding entry was saved, the SAVI
+ device should check whether the entry has become obsolete by
+ comparing the saved lifetime and the difference between the current
+ time and time when the binding entry was established. Obsolete
+ entries that would have expired before the reboot MUST be removed.
+
+10. Constants
+
+ The following constants are recommended for use in this context:
+
+ o MAX_DHCP_RESPONSE_TIME (120s): Maximum Solicit timeout value
+ (SOL_MAX_RT from [RFC3315])
+
+ o MAX_LEASEQUERY_DELAY (10s): Maximum LEASEQUERY timeout value
+ (LQ_MAX_RT from [RFC5007])
+
+ o DETECTION_TIMEOUT (0.5s): Maximum duration of a hardware address
+ verification step in the VERIFY state (TENT_LT from [RFC6620])
+
+ o DATA_SNOOPING_INTERVAL: Minimum interval between two successive
+ EVE_DATA_UNMATCH events triggered by an attachment.
+ Recommended interval: 60s and configurable
+
+ o OFFLINK_DELAY: Period after a client is last detected before the
+ binding anchor is being removed. Recommended delay: 30s
+
+11. Security Considerations
+
+11.1. Security Problems with the Data Snooping Process
+
+ There are two security problems with the Data Snooping Process
+ (Section 7):
+
+ (1) The Data Snooping Process is costly, but an attacker can trigger
+ it simply through sending a number of data packets. To avoid
+ Denial-of-Service attacks against the SAVI device itself, the
+ Data Snooping Process MUST be rate limited. A constant
+ DATA_SNOOPING_INTERVAL is used to control the frequency. Two
+ Data Snooping Processes on one attachment MUST be separated by a
+ minimum interval time of DATA_SNOOPING_INTERVAL. If this value
+ is changed, the value needs to be large enough to minimize DoS
+ attacks.
+
+ (2) The Data Snooping Process may set up incorrect bindings if the
+ clients do not reply to the detection probes (Section 7.6.1).
+ An attack will pass the duplicate detection if the client
+
+
+
+Bi, et al. Standards Track [Page 48]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ assigned the target address does not reply to the detection
+ probes. The DHCP Leasequery procedure performed by the SAVI
+ device just tells whether or not the address is assigned in the
+ network. However, the SAVI device cannot determine whether the
+ address is just assigned to the triggering attachment from the
+ DHCPLEASEQUERY Reply.
+
+11.2. Securing Leasequery Operations
+
+ In [RFC4388] and [RFC5007], the specific case of DHCP Leasequeries
+ originated by "access concentrators" is addressed extensively. SAVI
+ devices are very similar to access concentrators in that they snoop
+ on DHCP traffic and seek to validate source addresses based on the
+ results. Accordingly, the recommendations for securing leasequery
+ operations for access concentrators in Section 7 of [RFC4388] and
+ Section 5 of [RFC5007] MUST be followed when leasequeries are made
+ from SAVI devices. [RFC5007] RECOMMENDS that communications between
+ the querier and the DHCP server are protected with IPsec. It is
+ pointed out that there are relatively few devices involved in a given
+ administrative domain (SAVI devices, DHCP relays, and DHCP servers)
+ so that manual configuration of keying material would not be overly
+ burdensome.
+
+11.3. Client Departure Issues
+
+ After a binding is set up, the corresponding client may leave its
+ attachment point. It may depart temporarily due to signal fade or
+ permanently by moving to a new attachment point or leaving the
+ network. In the signal fade case, since the client may return
+ shortly, the binding should be kept momentarily, lest legitimate
+ traffic from the client be blocked. However, if the client leaves
+ permanently, keeping the binding can be a security issue. If the
+ binding anchor is a property of the attachment point rather than the
+ client, e.g., the switch port but not incorporating the MAC address,
+ an attacker using the same binding anchor can send packets using IP
+ addresses assigned to the client. Even if the binding anchor is a
+ property of the client, retaining binding state for a departed client
+ for a long time is a waste of resources.
+
+ Whenever a direct client departs from the network, a link-down event
+ associated with the binding anchor will be triggered. SAVI-DHCP
+ monitors such events and performs the following mechanism.
+
+ (1) Whenever a client with the Validating attribute leaves, a timer
+ of duration OFFLINK_DELAY is set on the corresponding binding
+ entries.
+
+
+
+
+
+Bi, et al. Standards Track [Page 49]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ (2) If a DAD Neighbor Solicitation / Gratuitous ARP request is
+ received that targets the address during OFFLINK_DELAY, the
+ entry MAY be removed.
+
+ (3) If the client returns on-link during OFFLINK_DELAY, cancel the
+ timer.
+
+ In this way, the bindings of a departing client are kept for
+ OFFLINK_DELAY. In cases of link flapping, the client will not be
+ blocked. If the client leaves permanently, the bindings will be
+ removed after OFFLINK_DELAY.
+
+ SAVI-DHCP does not handle the departure of indirect clients because
+ it will not be notified of such events. Switches supporting indirect
+ attachment (e.g., through a separate non-SAVI switch) SHOULD use
+ information specific to the client such as its MAC address as part of
+ the binding anchor.
+
+11.4. Compatibility with Detecting Network Attachment (DNA)
+
+ DNA [RFC4436] [RFC6059] is designed to decrease the handover latency
+ after reattachment to the same network. DNA mainly relies on
+ performing a reachability test by sending unicast Neighbor
+ Solicitation / Router Solicitation / ARP Request messages to
+ determine whether a previously configured address is still valid.
+
+ Although DNA provides optimization for clients, there is insufficient
+ information for this mechanism to migrate the previous binding or
+ establish a new binding. If a binding is set up only by snooping the
+ reachability test message, the binding may be invalid. For example,
+ an attacker can perform the reachability test with an address bound
+ to another client. If a binding is migrated to the attacker, the
+ attacker can successfully obtain the binding from the victim.
+ Because this mechanism wouldn't set up a binding based on snooping
+ the DNA procedure, it cannot achieve perfect compatibility with DNA.
+ However, it only means the reconfiguration of the interface is slowed
+ but not prevented. Details are discussed as follows.
+
+ In Simple DNAv6 [RFC6059], the probe is sent with the source address
+ set to a link-local address, and such messages will not be discarded
+ by the policy specified in Section 8.2. If a client is reattached to
+ a previous network, the detection will be completed, and the address
+ will be regarded as valid by the client. However, the candidate
+ address is not contained in the probe. Thus, the binding cannot be
+ recovered through snooping the probe. As the client will perform
+ DHCP exchange at the same time, the binding will be recovered from
+ the DHCP Snooping Process. The DHCP Request messages will not be
+ filtered out in this case because they have link-local source
+
+
+
+Bi, et al. Standards Track [Page 50]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ addresses. Before the DHCP procedure is completed, packets will be
+ filtered out by the SAVI device. In other words, if this SAVI
+ function is enabled, Simple DNAv6 will not help reduce the handover
+ latency. If the Data-Snooping attribute is configured on the new
+ attachment of the client, the data-triggered procedure may reduce
+ latency.
+
+ In DNAv4 [RFC4436], the ARP Probe will be discarded because an
+ unbound address is used as the sender protocol address. As a result,
+ the client will regard the address under detection as valid.
+ However, the data traffic will be filtered. The DHCP Request message
+ sent by the client will not be discarded because the source IP
+ address field should be all zeros as required by [RFC2131]. Thus, if
+ the address is still valid, the binding will be recovered from the
+ DHCP Snooping Process.
+
+11.5. Binding Number Limitation
+
+ A binding entry will consume certain high-speed memory resources. In
+ general, a SAVI device can afford only a quite limited number of
+ binding entries. In order to prevent an attacker from overloading
+ the resources of the SAVI device, a binding entry limit is set on
+ each attachment. The binding entry limit is the maximum number of
+ bindings supported on each attachment with the Validating attribute.
+ No new binding should be set up after the limit has been reached. If
+ a DHCP Reply assigns more addresses than the remaining binding entry
+ quota of each client, the message will be discarded and no binding
+ will be set up.
+
+11.6. Privacy Considerations
+
+ A SAVI device MUST delete binding anchor information as soon as
+ possible (i.e., as soon as the state for a given address is back to
+ NO_BIND), except where there is an identified reason why that
+ information is likely to be involved in the detection, prevention, or
+ tracing of actual source-address spoofing. Information about hosts
+ that never spoof (probably the majority of hosts) SHOULD NOT be
+ logged.
+
+11.7. Fragmented DHCP Messages
+
+ This specification does not preclude reassembly of fragmented DHCP
+ messages, but it also does not require it. If DHCP fragmentation
+ proves to be an issue, the issue will need to be specified and
+ addressed. (This topic is beyond the scope of this document.)
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 51]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+12. References
+
+12.1. Normative References
+
+ [RFC826] Plummer, D., "Ethernet Address Resolution Protocol: Or
+ Converting Network Protocol Addresses to 48.bit Ethernet
+ Address for Transmission on Ethernet Hardware", STD 37,
+ RFC 826, DOI 10.17487/RFC0826, November 1982,
+ <http://www.rfc-editor.org/info/rfc826>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
+ RFC 2131, DOI 10.17487/RFC2131, March 1997,
+ <http://www.rfc-editor.org/info/rfc2131>.
+
+ [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
+ C., and M. Carney, "Dynamic Host Configuration Protocol
+ for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
+ 2003, <http://www.rfc-editor.org/info/rfc3315>.
+
+ [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
+ Protocol (DHCP) Leasequery", RFC 4388,
+ DOI 10.17487/RFC4388, February 2006,
+ <http://www.rfc-editor.org/info/rfc4388>.
+
+ [RFC4436] Aboba, B., Carlson, J., and S. Cheshire, "Detecting
+ Network Attachment in IPv4 (DNAv4)", RFC 4436,
+ DOI 10.17487/RFC4436, March 2006,
+ <http://www.rfc-editor.org/info/rfc4436>.
+
+ [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
+ "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
+ DOI 10.17487/RFC4861, September 2007,
+ <http://www.rfc-editor.org/info/rfc4861>.
+
+ [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng,
+ "DHCPv6 Leasequery", RFC 5007, DOI 10.17487/RFC5007,
+ September 2007, <http://www.rfc-editor.org/info/rfc5007>.
+
+ [RFC5227] Cheshire, S., "IPv4 Address Conflict Detection", RFC 5227,
+ DOI 10.17487/RFC5227, July 2008,
+ <http://www.rfc-editor.org/info/rfc5227>.
+
+
+
+
+
+Bi, et al. Standards Track [Page 52]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+ [RFC6059] Krishnan, S. and G. Daley, "Simple Procedures for
+ Detecting Network Attachment in IPv6", RFC 6059,
+ DOI 10.17487/RFC6059, November 2010,
+ <http://www.rfc-editor.org/info/rfc6059>.
+
+ [RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
+ SAVI: First-Come, First-Served Source Address Validation
+ Improvement for Locally Assigned IPv6 Addresses",
+ RFC 6620, DOI 10.17487/RFC6620, May 2012,
+ <http://www.rfc-editor.org/info/rfc6620>.
+
+12.2. Informative References
+
+ [DHCPv6-SHIELD]
+ Gont, F., Liu, W., and G. Van de Velde, "DHCPv6-Shield:
+ Protecting Against Rogue DHCPv6 Servers", Work in
+ Progress, draft-ietf-opsec-dhcpv6-shield-07, May 2015.
+
+ [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
+ Defeating Denial of Service Attacks which employ IP Source
+ Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
+ May 2000, <http://www.rfc-editor.org/info/rfc2827>.
+
+ [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
+ (DHCP) Service for IPv6", RFC 3736, DOI 10.17487/RFC3736,
+ April 2004, <http://www.rfc-editor.org/info/rfc3736>.
+
+ [RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
+ "Source Address Validation Improvement (SAVI) Framework",
+ RFC 7039, DOI 10.17487/RFC7039, October 2013,
+ <http://www.rfc-editor.org/info/rfc7039>.
+
+ [RFC7341] Sun, Q., Cui, Y., Siodelski, M., Krishnan, S., and I.
+ Farrer, "DHCPv4-over-DHCPv6 (DHCP 4o6) Transport",
+ RFC 7341, DOI 10.17487/RFC7341, August 2014,
+ <http://www.rfc-editor.org/info/rfc7341>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 53]
+
+RFC 7513 SAVI DHCP May 2015
+
+
+Acknowledgments
+
+ Special thanks to Jean-Michel Combes, Christian Vogt, Joel M.
+ Halpern, Eric Levy-Abegnoli, Marcelo Bagnulo Braun, Jari Arkko, Elwyn
+ Davies, Barry Leiba, Ted Lemon, Leaf Yeh, Ralph Droms, and Alberto
+ Garcia for careful review and evaluation comments on the mechanism
+ and text.
+
+ Thanks to Mark Williams, Erik Nordmark, Mikael Abrahamsson, David
+ Harrington, Pekka Savola, Xing Li, Lixia Zhang, Bingyang Liu, Duanqi
+ Zhou, Robert Raszuk, Greg Daley, John Kaippallimalil, and Tao Lin for
+ their valuable contributions.
+
+Authors' Addresses
+
+ Jun Bi
+ Network Research Center, Tsinghua University
+ Beijing 100084
+ China
+
+ EMail: junbi@tsinghua.edu.cn
+
+
+ Jianping Wu
+ Dept. of Computer Science, Tsinghua University
+ Beijing 100084
+ China
+
+ EMail: jianping@cernet.edu.cn
+
+
+ Guang Yao
+ Network Research Center, Tsinghua University
+ Beijing 100084
+ China
+
+ EMail: yaoguang@cernet.edu.cn
+
+
+ Fred Baker
+ Cisco Systems
+ Santa Barbara, CA 93117
+ United States
+
+ EMail: fred@cisco.com
+
+
+
+
+
+
+Bi, et al. Standards Track [Page 54]
+