1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
|
Internet Engineering Task Force (IETF) E. Nordmark
Request for Comments: 6620 Cisco Systems
Category: Standards Track M. Bagnulo
ISSN: 2070-1721 UC3M
E. Levy-Abegnoli
Cisco Systems
May 2012
FCFS SAVI: First-Come, First-Served Source Address Validation
Improvement for Locally Assigned IPv6 Addresses
Abstract
This memo describes First-Come, First-Served Source Address
Validation Improvement (FCFS SAVI), a mechanism that provides source
address validation for IPv6 networks using the FCFS principle. The
proposed mechanism is intended to complement ingress filtering
techniques to help detect and prevent source address spoofing.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6620.
Nordmark, et al. Standards Track [Page 1]
^L
RFC 6620 FCFS SAVI May 2012
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Nordmark, et al. Standards Track [Page 2]
^L
RFC 6620 FCFS SAVI May 2012
Table of Contents
1. Introduction ....................................................4
1.1. Terminology ................................................4
2. Background to FCFS SAVI .........................................4
2.1. Scope of FCFS SAVI .........................................4
2.2. Constraints for FCFS SAVI Design ...........................5
2.3. Address Ownership Proof ....................................5
2.4. Binding Anchor Considerations ..............................6
2.5. FCFS SAVI Protection Perimeter .............................6
2.6. Special Cases .............................................10
3. FCFS SAVI Specification ........................................11
3.1. FCFS SAVI Data Structures .................................12
3.2. FCFS SAVI Algorithm .......................................12
3.2.1. Discovering On-Link Prefixes .......................12
3.2.2. Processing of Transit Traffic ......................13
3.2.3. Processing of Local Traffic ........................13
3.2.4. FCFS SAVI Port Configuration Guidelines ............21
3.2.5. VLAN Support .......................................22
3.3. Default Protocol Values ...................................22
4. Security Considerations ........................................22
4.1. Denial-of-Service Attacks .................................22
4.2. Residual Threats ..........................................23
4.3. Privacy Considerations ....................................24
4.4. Interaction with Secure Neighbor Discovery ................25
5. Contributors ...................................................25
6. Acknowledgments ................................................25
7. References .....................................................26
7.1. Normative References ......................................26
7.2. Informative References ....................................26
Appendix A. Implications of Not Following the Recommended
Behavior .............................................28
A.1. Implications of Not Generating DAD_NS Packets upon the
Reception of Non-Compliant Data Packets ...................28
A.1.1. Lack of Binding State due to Packet Loss...............28
A.1.2. Lack of Binding State due to a Change in the
Topology ..............................................31
A.1.3. Lack of Binding State due to State Loss ...............31
A.2. Implications of Not Discarding Non-Compliant Data
Packets ...................................................35
Nordmark, et al. Standards Track [Page 3]
^L
RFC 6620 FCFS SAVI May 2012
1. Introduction
This memo describes FCFS SAVI, a mechanism that provides source
address validation for IPv6 networks using the FCFS principle. The
proposed mechanism is intended to complement ingress filtering
techniques to help detect and prevent source address spoofing.
Section 2 gives the background and description of FCFS SAVI, and
Section 3 specifies the FCFS SAVI protocol.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Background to FCFS SAVI
2.1. Scope of FCFS SAVI
The application scenario for FCFS SAVI is limited to the local link.
Hence, the goal of FCFS SAVI is to verify that the source address of
the packets generated by the hosts attached to the local link have
not been spoofed.
In a link, hosts and routers are usually attached. Hosts generate
packets with their own address as the source address. This is called
"local traffic". Routers send packets containing a source IP address
other than their own, since they are forwarding packets generated by
other hosts (usually located in a different link). This is called
"transit traffic".
The applicability of FCFS SAVI is limited to the local traffic, i.e.,
to verify if the traffic generated by the hosts attached to the local
link contains a valid source address. The verification of the source
address of the transit traffic is out of the scope of FCFS SAVI.
Other techniques, like ingress filtering [RFC2827], are recommended
to validate transit traffic. In that sense, FCFS SAVI complements
ingress filtering, since it relies on ingress filtering to validate
transit traffic, but it provides validation of local traffic, which
is not provided by ingress filtering. Hence, the security level is
increased by using these two techniques.
In addition, FCFS SAVI is designed to be used with locally assigned
IPv6 addresses, in particular with IPv6 addresses configured through
Stateless Address Autoconfiguration (SLAAC) [RFC4862]. Manually
configured IPv6 addresses can be supported by FCFS SAVI, but manual
configuration of the binding on the FCFS SAVI device provides higher
security and seems compatible with manual address management. FCFS
Nordmark, et al. Standards Track [Page 4]
^L
RFC 6620 FCFS SAVI May 2012
SAVI can also be used with IPv6 addresses assigned via DHCPv6, since
they ought to perform the Duplicate Address Detection (DAD)
procedure, but there is a specific mechanism tailored for dealing
with DHCP-assigned addresses defined in [SAVI-DHCP]. Additional
considerations about how to use FCFS SAVI depending on the type of
address management used and the nature of the addresses are discussed
in the framework document [SAVI-FRAMEWORK].
2.2. Constraints for FCFS SAVI Design
FCFS SAVI is designed to be deployed in existing networks requiring a
minimum set of changes. For that reason, FCFS SAVI does not require
any changes in the host whose source address is to be verified. Any
verification solely relies on the usage of already available
protocols. That is, FCFS SAVI does not define a new protocol, define
any new message on existing protocols, or require that a host use an
existent protocol message in a different way. In other words, no
host changes are required.
FCFS SAVI validation is performed by the FCFS SAVI function. The
function can be placed in different types of devices, including a
router or a Layer 2 (L2) bridge. The basic idea is that the FCFS
SAVI function is located in the points of the topology that can
enforce the correct usage of the source address by dropping the non-
compliant packets.
2.3. Address Ownership Proof
The main function performed by FCFS SAVI is to verify that the source
address used in data packets actually belongs to the originator of
the packet. Since the FCFS SAVI scope is limited to the local link,
the originator of the packet is attached to the local link. In order
to define a source address validation solution, we need to define the
meaning of "address ownership", i.e., what it means that a given host
owns a given address in the sense that the host is entitled to send
packets with that source address. With that definition, we can
define how a device can confirm that the source address in a datagram
is owned by the originator of the datagram.
In FCFS SAVI, proof of address ownership is based on the First-Come,
First-Served principle. The first host that claims a given source
address is the owner of the address until further notice. Since no
host changes are acceptable, we need to find the means to confirm
address ownership without requiring a new protocol. So, whenever a
source address is used for the first time, a state is created in the
device that is performing the FCFS SAVI function binding the source
address to a binding anchor that consists of Layer 2 information that
the FCFS SAVI box has available (e.g., the port in a switched LAN).
Nordmark, et al. Standards Track [Page 5]
^L
RFC 6620 FCFS SAVI May 2012
Subsequent data packets containing that IP source address can be
checked against the same binding anchor to confirm that the
originator owns the source IP address.
There are, however, additional considerations to be taken into
account. For instance, consider the case of a host that moves from
one segment of a LAN to another segment of the same subnetwork and
keeps the same IP address. In this case, the host is still the owner
of the IP address, but the associated binding anchor may have
changed. In order to cope with this case, the defined FCFS SAVI
behavior implies verification of whether or not the host is still
reachable using the previous binding anchor. In order to do that,
FCFS SAVI uses the Neighbor Discovery (ND) protocol. If the host is
no longer reachable at the previously recorded binding anchor, FCFS
SAVI assumes that the new location is valid and creates a new binding
using the new binding anchor. In case the host is still reachable
using the previously recorded binding anchor, the packets coming from
the new binding anchor are dropped.
Note that this only applies to local traffic. Transit traffic
generated by a router would be verified using alternative techniques,
such as ingress filtering. FCFS SAVI checks would not be fulfilled
by the transit traffic, since the router is not the owner of the
source address contained in the packets.
2.4. Binding Anchor Considerations
Any SAVI solution is not stronger than the binding anchor it uses.
If the binding anchor is easily spoofable (e.g., a Media Access
Control (MAC) address), then the resulting solution will be weak.
The treatment of non-compliant packets needs to be tuned accordingly.
In particular, if the binding anchor is easily spoofable and the FCFS
SAVI device is configured to drop non-compliant packets, then the
usage of FCFS SAVI may open a new vector of Denial-of-Service (DoS)
attacks, based on spoofed binding anchors. For that reason, in this
specification, only switch ports MUST be used as binding anchors.
Other forms of binding anchors are out of the scope of this
specification, and proper analysis of the implications of using them,
should be performed before their usage.
2.5. FCFS SAVI Protection Perimeter
FCFS SAVI provides perimetrical security. FCFS SAVI devices form
what can be called an FCFS SAVI protection perimeter, and they verify
that any packet that crosses the perimeter is compliant (i.e., the
source address is validated). Once the packet is inside the
perimeter, no further validations are performed on the packet. This
Nordmark, et al. Standards Track [Page 6]
^L
RFC 6620 FCFS SAVI May 2012
model has implications both on how FCFS SAVI devices are deployed in
the topology and on the configuration of the FCFS SAVI boxes.
The implication of this perimetrical security approach is that there
is part of the topology that is inside the perimeter and part of the
topology that is outside the perimeter. So, while packets coming
from interfaces connected to the external part of the topology need
to be validated by the FCFS SAVI device, packets coming from
interfaces connected to the internal part of the topology do not need
to be validated. This significantly reduces the processing
requirements of the FCFS SAVI device. It also implies that each FCFS
SAVI device that is part of the perimeter must be able to verify the
source addresses of the packets coming from the interfaces connected
to the external part of the perimeter. In order to do so, the FCFS
SAVI device binds the source address to a binding anchor.
One possible approach would be for every FCFS SAVI device to store
binding information about every source address in the subnetwork. In
this case, every FCFS SAVI device would store a binding for each
source address of the local link. The problem with this approach is
that it imposes a significant memory burden on the FCFS SAVI devices.
In order to reduce the memory requirements imposed on each device,
the FCFS SAVI solution described in this specification distributes
the storage of FCFS SAVI binding information among the multiple FCFS
SAVI devices of a subnetwork. The FCFS SAVI binding state is
distributed across the FCFS SAVI devices according to the following
criterion: each FCFS SAVI device only stores binding information
about the source addresses bound to anchors corresponding to the
interfaces that connect to the part of the topology that is outside
of the FCFS SAVI protection perimeter. Since all the untrusted
packet sources are by definition in the external part of the
perimeter, packets generated by each of the untrusted sources will
reach the perimeter through an interface of an FCFS SAVI device. The
binding information for that particular source address will be stored
in the first FCFS SAVI device the packet reaches.
The result is that the FCFS SAVI binding information will be
distributed across multiple devices. In order to provide proper
source address validation, it is critical that the information
distributed among the different FCFS SAVI devices be coherent. In
particular, it is important to avoid having the same source address
bound to different binding anchors in different FCFS SAVI devices.
Should that occur, then it would mean that two hosts are allowed to
send packets with the same source address, which is what FCFS SAVI is
trying to prevent. In order to preserve the coherency of the FCFS
SAVI bindings distributed among the FCFS SAVI devices within a realm,
the Neighbor Discovery (ND) protocol [RFC4861] is used, in particular
the Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
Nordmark, et al. Standards Track [Page 7]
^L
RFC 6620 FCFS SAVI May 2012
messages. Following is a simplified example of how this might work.
Before creating an FCFS SAVI binding in the local FCFS SAVI database,
the FCFS SAVI device will send an NS message querying for the address
involved. Should any host reply to that message with an NA message,
the FCFS SAVI device that sent the NS will infer that a binding for
that address exists in another FCFS SAVI device and will not create a
local binding for it. If no NA message is received as a reply to the
NS, then the local FCFS SAVI device will infer that no binding for
that address exists in other FCFS SAVI device and will create the
local FCFS SAVI binding for that address.
To summarize, the proposed FCFS SAVI approach relies on the following
design choices:
o An FCFS SAVI provides perimetrical security, so some interfaces of
an FCFS SAVI device will connect to the internal (trusted) part of
the topology, and other interfaces will connect to the external
(untrusted) part of the topology.
o An FCFS SAVI device only verifies packets coming through an
interface connected to the untrusted part of the topology.
o An FCFS SAVI device only stores binding information for the source
addresses that are bound to binding anchors that correspond to
interfaces that connect to the untrusted part of the topology.
o An FCFS SAVI uses NS and NA messages to preserve the coherency of
the FCFS SAVI binding state distributed among the FCFS SAVI
devices within a realm.
Nordmark, et al. Standards Track [Page 8]
^L
RFC 6620 FCFS SAVI May 2012
So, in a link that is constituted of multiple L2 devices, some of
which are FCFS SAVI capable and some of which are not, the FCFS-SAVI-
capable devices MUST be deployed forming a connected perimeter (i.e.,
no data packet can get inside the perimeter without passing through
an FCFS SAVI device). Packets that cross the perimeter will be
validated while packets that do not cross the perimeter are not
validated (hence, FCFS SAVI protection is not provided for these
packets). Consider the deployment of FCFS SAVI in the topology
depicted in the following figure:
+--------+
+--+ +--+ +--+ | +--+ |
|H1| |H2| |H3| | |R1| |
+--+ +--+ +--+ | +--+ |
| | | | | |
+-------------SAVI-PROTECTION-PERIMETER------+ | |
| | | | | |
| +-1-----2-+ +-1-----2-+ |
| | SAVI1 | | SAVI2 | |
| +-3--4----+ +--3------+ |
| | | +--------------+ | |
| | +----------| |--------+ |
| | | SWITCH-A | |
| | +----------| |--------+ |
| | | +--------------+ | |
| +-1--2----+ +--1------+ |
| | SAVI3 | | SAVI4 | |
| +-3-----4-+ +----4----+ |
| | | | |
| +------SAVI-PROTECTION-PERIMETER---------------+
| | | | |
| +--+| +--+ +---------+
| |R2|| |H4| |SWITCH-B |
| +--+| +--+ +---------+
+------+ | |
+--+ +--+
|H5| |H6|
+--+ +--+
Figure 1: SAVI Protection Perimeter
In Figure 1, the FCFS SAVI protection perimeter is provided by four
FCFS SAVI devices, namely SAVI1, SAVI2, SAVI3, and SAVI4. These
devices verify the source address and filter packets accordingly.
FCFS SAVI devices then have two types of ports: Trusted Ports and
Validating Ports.
Nordmark, et al. Standards Track [Page 9]
^L
RFC 6620 FCFS SAVI May 2012
o Validating Ports (VPs) are those in which FCFS SAVI processing is
performed. When a packet is received through one of the
Validating Ports, FCFS SAVI processing and filtering will be
executed.
o Trusted Ports (TPs) are those in which FCFS SAVI processing is not
performed. So, packets received through Trusted Ports are not
validated, and no FCFS SAVI processing is performed on them.
Trusted Ports are used for connections with trusted infrastructure,
including the communication between FCFS SAVI devices, the
communication with routers, and the communication of other switches
that, while not FCFS SAVI devices, only connect to trusted
infrastructure (i.e., other FCFS SAVI devices, routers, or other
trusted nodes). So, in Figure 1, Port 3 of SAVI1 and Port 1 of SAVI3
are trusted because they connect two FCFS SAVI devices. Port 4 of
SAVI1, Port 3 of SAVI2, Port 2 of SAVI3, and Port 1 of SAVI4 are
trusted because they connect to SWITCH-A, to which only trusted nodes
are connected. In Figure 1, Port 2 of SAVI2 and Port 3 of SAVI3 are
Trusted Ports because they connect to routers.
Validating Ports are used for connection with non-trusted
infrastructure. In particular, hosts are normally connected to
Validating Ports. Non-SAVI switches that are outside of the FCFS
SAVI protection perimeter also are connected through Validating
Ports. In particular, non-SAVI devices that connect directly to
hosts or that have no SAVI-capable device between themselves and the
hosts are connected through a Validating Port. So, in Figure 1,
Ports 1 and 2 of SAVI1, Port 1 of SAVI2, and Port 4 of SAVI 3 are
Validating Ports because they connect to hosts. Port 4 of SAVI4 is
also a Validating Port because it is connected to SWITCH-B, which is
a non-SAVI-capable switch that is connected to hosts H5 and H6.
2.6. Special Cases
Multi-subnet links: In some cases, a given subnet may have several
prefixes. This is directly supported by SAVI as any port can support
multiple prefixes. Forwarding of packets between different prefixes
involving a router is even supported, as long as the router is
connected to a Trusted Port, as recommended for all the routers.
Multihomed hosts: A multihomed host is a host with multiple
interfaces. The interaction between SAVI and multihomed hosts is as
follows. If the different interfaces of the host are assigned
different IP addresses and packets sent from each interface always
carry the address assigned to that interface as the source address,
then from the perspective of a SAVI device, this is equivalent to two
hosts with a single interface, each with an IP address. This is
Nordmark, et al. Standards Track [Page 10]
^L
RFC 6620 FCFS SAVI May 2012
supported by SAVI without the need for additional considerations. If
the different interfaces share the same IP address or if the
interfaces have different addresses but the host sends packets using
the address of one of the interfaces through any of the interfaces,
then SAVI does not directly support it. It would require either
connecting at least one interface of the multihomed host to a Trusted
Port or manually configuring the SAVI bindings to allow binding the
address of the multihomed host to multiple anchors simultaneously.
Untrusted routers: One can envision scenarios where routers are
dynamically attached to an FCFS SAVI network. A typical example
would be a mobile phone connecting to an FCFS SAVI switch where the
mobile phone is acting as a router for other personal devices that
are accessing the network through it. In this case, the router does
not seem to directly fall in the category of trusted infrastructure
(if this was the case, it is likely that all devices would be
trusted); hence, it cannot be connected to a Trusted Port and if it
is connected to a Validating Port, the FCFS SAVI switch would discard
all the packets containing an off-link source address coming from
that device. As a result, the default recommendation specified in
this specification does not support such a scenario.
3. FCFS SAVI Specification
3.1. FCFS SAVI Data Structures
The FCFS SAVI function relies on state information binding the source
address used in data packets to the binding anchor that contained the
first packet that used that source IP address. Such information is
stored in an FCFS SAVI database (DB). The FCFS SAVI DB will contain
a set of entries about the currently used IP source addresses. Each
entry will contain the following information:
o IP source address
o Binding anchor: port through which the packet was received
o Lifetime
o Status: either TENTATIVE, VALID, TESTING_VP, or TESTING_TP-LT
o Creation time: the value of the local clock when the entry was
firstly created
In addition, FCFS SAVI needs to know what prefixes are directly
connected, so it maintains a data structure called the FCFS SAVI
Prefix List, which contains:
Nordmark, et al. Standards Track [Page 11]
^L
RFC 6620 FCFS SAVI May 2012
o Prefix
o Interface where prefix is directly connected
3.2. FCFS SAVI Algorithm
3.2.1. Discovering On-Link Prefixes
In order to distinguish local traffic from transit traffic, the FCFS
SAVI device relies on the FCFS SAVI Prefix List, which contains the
set of on-link IPv6 prefixes. An FCFS SAVI device MUST support the
following two methods for populating the Prefix List: manual
configuration and Router Advertisement, as detailed next.
Manual configuration: An FCFS SAVI device MUST support manual
configuration of the on-link prefixes included in the Prefix List.
For example, this can be used when there are no prefixes being
advertised on the link.
Router Advertisement: An FCFS SAVI device MUST support discovery of
on-link prefixes through Router Advertisement messages in Trusted
Ports. For Trusted Ports, the FCFS SAVI device will learn the on-
link prefixes following the procedure defined for a host to process
the Prefix Information options described in Section 6.3.4 of
[RFC4861] with the difference that the prefixes will be configured in
the FCFS SAVI Prefix List rather than in the ND Prefix List. In
addition, when the FCFS SAVI device boots, it MUST send a Router
Solicitation message as described in Section 6.3.7 of [RFC4861],
using the unspecified source address.
3.2.2. Processing of Transit Traffic
The FCFS SAVI function is located in a forwarding device, such as a
router or a Layer 2 switch. The following processing is performed
depending on the type of port through which the packet has been
received:
o If the data packet is received through a Trusted Port, the data
packet is forwarded, and no SAVI processing performed on the
packet.
o If the data packet is received through a Validating Port, then the
FCFS SAVI function checks whether the received data packet is
local traffic or transit traffic. It does so by verifying if the
source address of the packet belongs to one of the directly
connected prefixes available in the receiving interface. It does
so by searching the FCFS SAVI Prefix List.
Nordmark, et al. Standards Track [Page 12]
^L
RFC 6620 FCFS SAVI May 2012
* If the IP source address does not belong to one of the on-link
prefixes of the receiving interface, the data packet is transit
traffic, and the packet SHOULD be discarded. (If for some
reason, discarding the packets is not acceptable, logging or
triggering of alarms MAY be used). The FCFS SAVI function MAY
send an ICMP Destination Unreachable Error back to the source
address of the data packet, and ICMPv6, code 5 (Source address
failed ingress/egress policy), should be used.
* If the source address of the packet does belong to one of the
prefixes available in the receiving port, then the FCFS SAVI
local traffic validation process is executed as described
below.
* If the source address of the packet is an unspecified address,
the packet is forwarded, and no SAVI processing is performed
except for the case of the Neighbor Solicitation messages
involved in the Duplicate Address Detection, which are treated
as described in Section 3.2.3.
3.2.3. Processing of Local Traffic
We next describe how local traffic, including both control and data
packets, is processed by the FCFS SAVI device using a state machine
approach.
The state machine described is for the binding of a given source IP
address (called IPAddr) in a given FCFS SAVI device. This means that
all the packets described as inputs in the state machine above refer
to that given IP address. In the case of data packets, the source
address of the packet is IPAddr. In the case of the DAD_NS packets,
the Target Address is IPAddr. The key attribute is the IP address.
The full state information is as follows:
o IP ADDRESS: IPAddr
o BINDING ANCHOR: P
o LIFETIME: LT
The possible states are as follows:
o NO_BIND
o TENTATIVE
o VALID
Nordmark, et al. Standards Track [Page 13]
^L
RFC 6620 FCFS SAVI May 2012
o TESTING_TP-LT
o TESTING_VP
We will use VP for Validating Port and TP for Trusted Port.
After bootstrapping (when no binding exists), the state for all
source IP addresses is NO-BIND, i.e., there is no binding for the IP
address to any binding anchor.
NO_BIND: The binding for a source IP address entry is in this state
when it does not have any binding to an anchor. All addresses are in
this state by default after bootstrapping, unless bindings were
created for them.
TENTATIVE: The binding for a source address for which a data packet
or an NS generated by the Duplicate Address Detection (DAD) procedure
has been received is in this state during the waiting period during
which the DAD procedure is being executed (either by the host itself
or the FCFS SAVI device on its behalf).
VALID: The binding for the source address is in this state after it
has been verified. It means that it is valid and usable for
filtering traffic.
TESTING_TP-LT: A binding for a source address enters this state due
to one of two reasons:
o When a Duplicate Address Detection Neighbor Solicitation has been
received through a Trusted Port. This implies that a host is
performing the DAD procedure for that source address in another
switch. This may be due to an attack or to the fact that the host
may have moved. The binding in this state is then being tested to
determine which is the situation.
o The lifetime of the binding entry is about to expire. This is due
to the fact that no packets have been seen by the FCFS SAVI device
for the LIFETIME period. This may be due to the host simply being
silent or because the host has left the location. In order to
determine which is the case, a test is performed to determine if
the binding information should be discarded.
TESTING_VP: A binding for a source address enters this state when a
Duplicate Address Detection Neighbor Solicitation or a data packet
has been received through a Validating Port other than the one
address to which it is currently bound. This implies that a host is
performing the DAD procedure for that source address through a
different port. This may be due to an attack, the fact that the host
Nordmark, et al. Standards Track [Page 14]
^L
RFC 6620 FCFS SAVI May 2012
may have moved, or just because another host tries to configure an
address already used. The binding in this state is then being tested
to determine which is the situation.
Next, we describe how the different inputs are processed depending on
the state of the binding of the IP address (IPAddr).
A simplified figure of the state machine is included in Figure 2
below.
NO_BIND
o Upon the reception through a Validating Port (VP) of a Neighbor
Solicitation (NS) generated by the Duplicate Address Detection
(DAD) procedure (hereafter named DAD_NS) containing Target Address
IPAddr, the FCFS SAVI device MUST forward the NS, and T_WAIT
milliseconds later, it MUST send a copy of the same message.
These DAD_NS messages are not sent through any of the ports
configured as Validating Ports. The DAD_NS messages are sent
through the Trusted Ports (but, of course, subject to usual switch
behavior and possible Multicast Listener Discovery (MLD) snooping
optimizations). The state is moved to TENTATIVE. The LIFETIME is
set to TENT_LT (i.e., LT:=TENT_LT), the BINDING ANCHOR is set to
VP (i.e., P:=VP), and the Creation time is set to the current
value of the local clock.
o Upon the reception through a Validating Port (VP) of a DATA packet
containing IPAddr as the source address, the SAVI device SHOULD
execute the process of sending Neighbor Solicitation messages of
the Duplicate Address Detection process as described in Section
5.4.2 of [RFC4862] for the IPAddr using the following default
parameters: DupAddrDetectTransmits set to 2 (i.e., 2 Neighbor
Solicitation messages for that address will be sent by the SAVI
device) and RetransTimer set to T_WAIT milliseconds (i.e., the
time between two Neighbor Solicitation messages is T_WAIT
milliseconds). The implications of not following the recommended
behavior are described in Appendix A. The DAD_NS messages are not
sent through any of the ports configured as Validating Ports. The
DAD_NSOL messages are sent through Trusted Ports (but, of course,
subject to usual switch behavior and possible MLD snooping
optimizations). The SAVI device MAY discard the data packets
while the DAD procedure is being executed, or it MAY store them
until the binding is created. In any case, it MUST NOT forward
the data packets until the binding has been verified. The state
is moved to TENTATIVE. The LIFETIME is set to TENT_LT (i.e., LT:
=TENT_LT), the BINDING ANCHOR is set to VP (i.e., P:=VP), and the
Creation time is set to the current value of the local clock.
Nordmark, et al. Standards Track [Page 15]
^L
RFC 6620 FCFS SAVI May 2012
o Data packets containing IPAddr as the source address received
through Trusted Ports are processed and forwarded as usual (i.e.,
no special SAVI processing).
o DAD_NS packets containing IPAddr as the Target Address that are
received through a Trusted Port MUST NOT be forwarded through any
of the Validating Ports, but they are sent through the Trusted
Ports (but, of course, subject to usual switch behavior and
possible MLD snooping optimizations).
o Neighbor Advertisement packets sent to all nodes as a reply to the
DAD_NS (hereafter called DAD_NA) containing IPAddr as the Target
Address coming through a Validating Port are discarded.
o Other signaling packets are processed and forwarded as usual
(i.e., no SAVI processing).
TENTATIVE
o If the LIFETIME times out, the state is moved to VALID. The
LIFETIME is set to DEFAULT_LT (i.e., LT:= DEFAULT_LT). Stored
data packets (if any) are forwarded.
o If a Neighbor Advertisement (NA) is received through a Trusted
Port with the Target Address set to IPAddr, then the message is
forwarded through port P, the state is set to NO_BIND, and the
BINDING ANCHOR and the LIFETIME are cleared. Data packets stored
corresponding to this binding are discarded.
o If an NA is received through a Validating Port with the Target
Address set to IPAddr, the NA packet is discarded
o If a data packet with source address IPAddr is received with
binding anchor equal to P, then the packet is either stored or
discarded.
o If a data packet with source address IPAddr is received through a
Trusted Port, the data packet is forwarded. The state is
unchanged.
o If a data packet with source address IPAddr is received through a
Validating Port other than P, the data packet is discarded.
o If a DAD_NS is received from a Trusted Port, with the Target
Address set to IPAddr, then the message is forwarded to the
Validating Port P, the state is set to NO_BIND, and the BINDING
ANCHOR and LIFETIME are cleared. Data packets stored
corresponding to this binding are discarded.
Nordmark, et al. Standards Track [Page 16]
^L
RFC 6620 FCFS SAVI May 2012
o If a DAD_NS with the Target Address set to IPAddr is received from
a Validating Port P' other than P, the message is forwarded to the
Validating Port P and to the Trusted Ports, and the state remains
in TENTATIVE; however, the BINDING ANCHOR is changed from P to P',
and LIFETIME is set to TENT_LT. Data packets stored corresponding
to the binding with P are discarded.
o Other signaling packets are processed and forwarded as usual
(i.e., no SAVI processing).
VALID
o If a data packet containing IPAddr as the source address arrives
from Validating Port P, then the LIFETIME is set to DEFAULT_LT and
the packet is forwarded as usual.
o If a DAD_NS is received from a Trusted Port, then the DAD_NS
message is forwarded to port P and is also forwarded to the
Trusted Ports (but, of course, subject to usual switch behavior
and possible MLD snooping optimizations). The state is changed to
TESTING_TP-LT. The LIFETIME is set to TENT_LT.
o If a data packet containing source address IPAddr or a DAD_NA
packet with the Target Address set to IPAddr is received through a
Validating Port P' other than P, then the SAVI device will execute
the process of sending DAD_NS messages as described in Section
5.4.2 of [RFC4862] for the IPAddr using the following default
parameters: DupAddrDetectTransmits set to 2 (i.e., two NS messages
for that address will be sent by the SAVI device) and RetransTimer
set to T_WAIT milliseconds (i.e., the time between two NS messages
is T_WAIT milliseconds). The DAD_NS message will be forwarded to
the port P. The state is moved to TESTING_VP. The LIFETIME is
set to TENT_LT. The SAVI device MAY discard the data packet while
the DAD procedure is being executed, or it MAY store them until
the binding is created. In any case, it MUST NOT forward the data
packets until the binding has been verified.
o If a DAD_NS packet with the Target Address set to IPAddr is
received through a Validating Port P' other than P, then the SAVI
device will forward the DAD_NS packet, and T_WAIT milliseconds
later, it will execute the process of sending DAD_NS messages as
described in Section 5.4.2 of [RFC4862] for the IPAddr using the
following default parameters: DupAddrDetectTransmits set to 1 and
RetransTimer set to T_WAIT milliseconds. The DAD_NS messages will
be forwarded to the port P. The state is moved to TESTING_VP.
The LIFETIME is set to TENT_LT. The SAVI device MAY discard the
data packets while the DAD procedure is being executed, or it MAY
Nordmark, et al. Standards Track [Page 17]
^L
RFC 6620 FCFS SAVI May 2012
store them until the binding is created. In any case, it MUST NOT
forward the data packets until the binding has been verified.
o If the LIFETIME expires, then the SAVI device will execute the
process of sending DAD_NS messages as described in Section 5.4.2
of [RFC4862] for the IPAddr using the following default
parameters: DupAddrDetectTransmits set to 2 (i.e., two NS messages
for that address will be sent by the SAVI device) and RetransTimer
set to T_WAIT milliseconds (i.e., the time between two NS messages
is T_WAIT milliseconds). The DAD_NS messages will be forwarded to
the port P. The state is changed to TESTING_TP-LT, and the
LIFETIME is set to TENT_LT.
o If a data packet containing IPAddr as a source address arrives
from Trusted Port, the packet MAY be discarded. The event MAY be
logged.
o Other signaling packets are processed and forwarded as usual
(i.e., no SAVI processing). In particular, a DAD_NA coming from
port P and containing IPAddr as the Target Address is forwarded as
usual.
TESTING_TP-LT
o If the LIFETIME expires, the BINDING ANCHOR is cleared, and the
state is changed to NO_BIND.
o If an NA message containing the IPAddr as the Target Address is
received through the Validating Port P as a reply to the DAD_NS
message, then the NA is forwarded as usual, and the state is
changed to VALID. The LIFETIME is set to DEFAULT_LT
o If a data packet containing IPAddr as the source address is
received through port P, then the packet is forwarded and the
state is changed to VALID. The LIFETIME is set to DEFAULT_LT.
o If a DAD_NS is received from a Trusted Port, the DAD_NS is
forwarded as usual.
o If a DAD_NS is received from a Validating Port P' other than P,
the DAD_NS is forwarded as usual, and the state is moved to
TESTING_VP.
o If a data packet is received through a Validating Port P' that is
other than port P, then the packet is discarded.
o If a data packet is received through a Trusted Port, then the
packet MAY be discarded. The event MAY be logged.
Nordmark, et al. Standards Track [Page 18]
^L
RFC 6620 FCFS SAVI May 2012
TESTING_VP
o If the LIFETIME expires, the BINDING ANCHOR is modified from P to
P', the LIFETIME is set to DEFAULT_LT, and the state is changed to
VALID. Stored data packet coming from P' are forwarded.
o If an NA message containing the IPAddr as the Target Address is
received through the Validating Port P as a reply to the DAD_NS
message, then the NA is forwarded as usual and the state is
changed to VALID. The LIFETIME is set to DEFAULT_LT.
o If a data packet containing IPAddr as the source address is
received through port P, then the packet is forwarded.
o If a data packet containing IPAddr as the source address is
received through a Validating Port P'' that is other than port P
or P', then the packet is discarded.
o If a data packet containing IPAddr as the source address is
received through a Trusted Port (i.e., other than port P), the
state is moved to TESTING_TP-LT, and the packet MAY be discarded.
o If a DAD_NS is received through a Trusted Port, the packet is
forwarded as usual, and the state is moved to TESTING_TP-LT.
o If a DAD_NS is received through Validating Port P'' other than P
or P', the packet is forwarded as usual, and P'' is stored as the
tentative port, i.e., P':=P''. The state remains the same.
Nordmark, et al. Standards Track [Page 19]
^L
RFC 6620 FCFS SAVI May 2012
+---------+ VP_NS, VP_DATA/2xNS +-----------+
| |---------------------------------------->| |
| NO_BIND | | TENTATIVE |
| |<----------------------------------------| |
+---------+ TP_NA, TP_NS/- +-----------+
^ |
| | TimeOut
Timeout| |
| v
+---------+ VP_NA/- +-----------+
| |---------------------------------------->| |
| TESTING | TP_NS/- | |
| TP-LT |<----------------------------------------| VALID |
| | TimeOut/2xNS | |
| |<----------------------------------------| |
+---------+ +-----------+
^ | ^ |
| | | |
| +--------------------- ---------------------+ |
| VP_NS/- | | NP_NA, TimeOut/- |
| v | |
| +-----------+ |
| | | |
+---------------------| TESTING |<----------------------+
VP_NS, VP_DATA/- | VP | VP_DATA, VP_NS,
+-----------+ VP_NA/2xNS
Figure 2: Simplified State Machine
MLD Considerations
The FCFS SAVI device MUST join the solicited node multicast group for
all the addresses with a state other than NO_BIND. This is needed to
make sure that the FCFS SAVI device will receive the DAD_NS for those
addresses. Please note that it may not be enough to rely on the host
behind the Validating Port to do so, since the node may move, and
after a while, the packets for that particular solicited node
multicast group will no longer be forwarded to the FCFS SAVI device.
Therefore, the FCFS SAVI device MUST join the solicited node
multicast groups for all the addresses that are in a state other than
NO_BIND.
Nordmark, et al. Standards Track [Page 20]
^L
RFC 6620 FCFS SAVI May 2012
3.2.4. FCFS SAVI Port Configuration Guidelines
The guidelines for port configuration in FCFS SAVI devices are as
follows:
o The FCFS SAVI realm (i.e., the realm that is inside the FCFS SAVI
protection perimeter) MUST be connected. If this is not the case,
legitimate transit traffic may be dropped.
o Ports that are connected to another FCFS SAVI device MUST be
configured as Trusted Ports. Not doing so will significantly
increase the memory consumption in the FCFS SAVI devices and may
result in legitimate transit traffic being dropped.
o Ports connected to hosts SHOULD be configured as Validating Ports.
Not doing so will allow the host connected to that port to send
packets with spoofed source addresses. A valid exception is the
case of a trusted host (e.g., a server) that could be connected to
a Trusted Port, but untrusted hosts MUST be connected to
Validating Ports.
o Ports connected to routers MUST be configured as Trusted Ports.
Configuring them as Validating Ports should result in transit
traffic being dropped.
o Ports connected to a chain of one or more legacy switches that
have hosts connected SHOULD be configured as Validating Ports.
Not doing so will allow the host connected to any of these
switches to send packets with spoofed source addresses. A valid
exception is the case where the legacy switch only has trusted
hosts attached, in which case it could be connected to a Trusted
Port, but if there is at least one untrusted hosts connected to
the legacy switch, then it MUST be connected to Validating Ports.
o Ports connected to a chain of one or more legacy switches that
have other FCFS SAVI devices and/or routers connected but had no
hosts attached to them MUST be configured as Trusted Ports. Not
doing so will at least significantly increase the memory
consumption in the FCFS SAVI devices, increase the signaling
traffic due to FCFS SAVI validation, and may result in legitimate
transit traffic being dropped.
Nordmark, et al. Standards Track [Page 21]
^L
RFC 6620 FCFS SAVI May 2012
3.2.5. VLAN Support
If the FCFS SAVI device is a switch that supports customer VLANs
[IEEE.802-1Q.2005], the FCFS SAVI implementation MUST behave as if
there was one FCFS SAVI process per customer VLAN. The FCFS SAVI
process of each customer VLAN will store the binding information
corresponding to the nodes attached to that particular customer VLAN.
3.3. Default Protocol Values
Following are the default values used in the FCFS SAVI specification.
TENT_LT is 500 milliseconds
DEFAULT_LT is 5 minutes
T_WAIT is 250 milliseconds
An implementation MAY allow these values to be modified, but tuning
them precisely is considered out of the scope of this document.
4. Security Considerations
4.1. Denial-of-Service Attacks
There are two types of Denial-of-Service (DoS) attacks [RFC4732] that
can be envisaged in an FCFS SAVI environment. On one hand, we can
envision attacks against the FCFS SAVI device resources. On the
other hand, we can envision DoS attacks against the hosts connected
to the network where FCFS SAVI is running.
The attacks against the FCFS SAVI device basically consist of making
the FCFS SAVI device consume its resources until it runs out of them.
For instance, a possible attack would be to send packets with
different source addresses, making the FCFS SAVI device create state
for each of the addresses and waste memory. At some point, the FCFS
SAVI device runs out of memory and needs to decide how to react. The
result is that some form of garbage collection is needed to prune the
entries. When the FCFS SAVI device runs out of the memory allocated
for the FCFS SAVI DB, it is RECOMMENDED that it create new entries by
deleting the entries with a higher Creation time. This implies that
older entries are preserved and newer entries overwrite each other.
In an attack scenario where the attacker sends a batch of data
packets with different source addresses, each new source address is
likely to rewrite another source address created by the attack
itself. It should be noted that entries are also garbage collected
using the LIFETIME, which is updated using data packets. The result
is that in order for an attacker to actually fill the FCFS SAVI DB
Nordmark, et al. Standards Track [Page 22]
^L
RFC 6620 FCFS SAVI May 2012
with false source addresses, it needs to continuously send data
packets for all the different source addresses so that the entries
grow old and compete with the legitimate entries. The result is that
the cost of the attack is highly increased for the attacker.
In addition, it is RECOMMENDED that an FCFS SAVI device reserves a
minimum amount of memory for each available port (in the case where
the port is used as part of the L2 anchor). The recommended minimum
is the memory needed to store four bindings associated with the port.
The motivation for this recommendation is as follows. An attacker
attached to a given port of an FCFS SAVI device may attempt to launch
a DoS attack towards the FCFS SAVI device by creating many bindings
for different addresses. It can do so by sending DAD_NS for
different addresses. The result is that the attack will consume all
the memory available in the FCFS SAVI device. The above
recommendation aims to reserve a minimum amount of memory per port,
so that hosts located in different ports can make use of the reserved
memory for their port even if a DoS attack is occurring in a
different port.
As the FCFS SAVI device may store data packets while the address is
being verified, the memory for data packet storage may also be a
target of DoS attacks. The effects of such attacks may be limited to
the lack of capacity to store new data packets. The effect of such
attacks will be that data packets will be dropped during the
verification period. An FCFS SAVI device MUST limit the amount of
memory used to store data packets, allowing the other functions to
have available memory even in the case of attacks such those
described above.
The FCFS SAVI device generates two DAD_NS packets upon the reception
of a DAD_NS or a data packet. As such, the FCFS SAVI device can be
used as an amplifier by attackers. In order to limit this type of
attack, the FCFS SAVI device MUST perform rate limiting of the
messages it generates. Rate limiting is performed on a per-port
basis, since having an attack on a given port should not prevent the
FCFS SAVI device from functioning normally in the rest of the ports.
4.2. Residual Threats
FCFS SAVI performs its function by binding an IP source address to a
binding anchor. If the attacker manages to send packets using the
binding anchor associated to a given IP address, FCFS SAVI validation
will be successful, and the FCFS SAVI device will allow the packet
through. This can be achieved by spoofing the binding anchor or by
sharing of the binding anchor between the legitimate owner of the
address and the attacker. An example of the latter is the case where
the binding anchor is a port of a switched network and a legacy
Nordmark, et al. Standards Track [Page 23]
^L
RFC 6620 FCFS SAVI May 2012
switch (i.e., not a SAVI-capable switch) is connected to that port.
All the source addresses of the hosts connected to the legacy switch
will share the same binding anchor (i.e., the switch port). This
means that hosts connected to the legacy switch can spoof each
other's IP address and will not be detected by the FCFS SAVI device.
This can be prevented by not sharing binding anchors among hosts.
FCFS SAVI assumes that a host will be able to defend its address when
the DAD procedure is executed for its addresses. This is needed,
among other things, to support mobility within a link (i.e., to allow
a host to detach and reconnect to a different Layer 2 anchor of the
same IP subnetwork without changing its IP address). So, when a
DAD_NS is issued for a given IP address for which a binding exists in
an FCFS SAVI device, the FCFS SAVI device expects to see a DAD_NA
coming from the binding anchor associated to that IP address in order
to preserve the binding. If the FCFS SAVI device does not see the
DAD_NA, it may grant the binding to a different binding anchor. This
means that if an attacker manages to prevent a host from defending
its source address, it will be able to destroy the existing binding
and create a new one, with a different binding anchor. An attacker
may do so, for example, by intercepting the DAD_NA or launching a DoS
attack to the host that will prevent it from issuing proper DAD
replies.
Even if routers are considered trusted, nothing can prevent a router
from being compromised and sending traffic with spoofed IP source
addresses. Such traffic would be allowed with the present FCFS SAVI
specification. A way to mitigate this issue could be to specify a
new port type (e.g., Router Port (RP)) that would act as Trusted Port
for the transit traffic and as Validating Port for the local traffic.
A detailed solution about this issue is outside the scope of this
document.
4.3. Privacy Considerations
Personally identifying information MUST NOT be included in the FCFS
SAVI DB with the MAC address as the canonical example, except when
there is an attack attempt involved. Moreover, compliant
implementations MUST NOT log binding anchor information except where
there is an identified reason why that information is likely to be
involved in detection, prevention, or tracing of actual source
address spoofing. Information that is not logged MUST be deleted as
soon as possible (i.e., as soon as the state for a given address is
back to NO_BIND). Information about the majority of hosts that never
spoof SHOULD NOT be logged.
Nordmark, et al. Standards Track [Page 24]
^L
RFC 6620 FCFS SAVI May 2012
4.4. Interaction with Secure Neighbor Discovery
Even if the FCFS SAVI could get information from ND messages secured
with Secure Neighbor Discovery (SEND) [RFC3971], in some case, the
FCFS SAVI device must spoof DAD_NS messages but doesn't know the
security credentials associated with the IPAddr (i.e., the private
key used to sign the DAD_NS messages). So, when SEND is deployed, it
is recommended to use SEND SAVI [SAVI-SEND] rather than FCFS SAVI.
5. Contributors
Jun Bi
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: junbi@cernet.edu.cn
Guang Yao
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: yaog@netarchlab.tsinghua.edu.cn
Fred Baker
Cisco Systems
EMail: fred@cisco.com
Alberto Garcia Martinez
University Carlos III of Madrid
EMail: alberto@it.uc3m.es
6. Acknowledgments
This document benefited from the input of the following individuals:
Joel Halpern, Christian Vogt, Dong Zhang, Frank Xia, Jean-Michel
Combes, Jari Arkko, Stephen Farrel, Dan Romascanu, Russ Housley, Pete
Resnick, Ralph Droms, Wesley Eddy, Dave Harrington, and Lin Tao.
Marcelo Bagnulo is partly funded by Trilogy, a research project
supported by the European Commission under its Seventh Framework
Program.
Nordmark, et al. Standards Track [Page 25]
^L
RFC 6620 FCFS SAVI May 2012
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP
Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
7.2. Informative References
[SAVI-FRAMEWORK]
Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt,
"Source Address Validation Improvement Framework", Work
in Progress, December 2011.
[SAVI-DHCP] Bi, J., Wu, J., Yao, G., and F. Baker, "SAVI Solution for
DHCP", Work in Progress, February 2012.
[SAVI-SEND] Bagnulo, M. and A. Garcia-Martinez, "SEND-based Source-
Address Validation Implementation", Work in Progress,
March 2012.
[RFC1958] Carpenter, B., "Architectural Principles of the
Internet", RFC 1958, June 1996.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
Neighbor Discovery (SEND)", RFC 3971, March 2005.
[RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
Service Considerations", RFC 4732, December 2006.
[IEEE.802-1D.1998]
Institute of Electrical and Electronics Engineers, "IEEE
Standard for Local and Metropolitan Area Networks Media
Access Control (MAC) Bridges", IEEE Standard 802.1D,
1998.
Nordmark, et al. Standards Track [Page 26]
^L
RFC 6620 FCFS SAVI May 2012
[IEEE.802-1D.2004]
Institute of Electrical and Electronics Engineers, "IEEE
Standard for Local and Metropolitan Area Networks Media
Access Control (MAC) Bridges", IEEE Standard 802.1D,
2004.
[IEEE.802-1Q.2005]
Institute of Electrical and Electronics Engineers, "IEEE
Standard for Local and metropolitan area networks -
Virtual Bridged Local Area Networks", IEEE Standard
802.1Q, May 2005.
[IEEE.802-1X.2004]
Institute of Electrical and Electronics Engineers, "IEEE
Standard for Local and metropolitan area networks - Port-
Based Network Access Control", IEEE Standard 802.1X,
2004.
Nordmark, et al. Standards Track [Page 27]
^L
RFC 6620 FCFS SAVI May 2012
Appendix A. Implications of Not Following the Recommended Behavior
This section qualifies some of the SHOULDs that are included in this
specification by explaining the implications of not following the
recommended behavior. We start by describing the implication of not
following the recommendation of generating DAD_NS upon the reception
of a data packet for which there is no binding, and then we describe
the implications of not discarding the non-compliant packets.
A.1. Implications of Not Generating DAD_NS Packets upon the Reception
of Non-Compliant Data Packets
This specification recommends that SAVI implementations generate a
DAD_NS message upon the reception of a data packet for which they
have no binding. In this section, we describe the implications of
not doing so and simply discarding the data packet instead.
The main argument against discarding the data packet is the overall
robustness of the resulting network. The main concern that has been
stated is that a network running SAVI that discards data packets in
this case may end up disconnecting legitimate users from the network,
by filtering packets coming from them. The net result would be a
degraded robustness of the network as a whole, since legitimate users
would perceive this as a network failure. There are three different
causes that resulted in the lack of state in the binding device for a
legitimate address, namely, packet loss, state loss, and topology
change. We will next perform an analysis for each of them.
A.1.1. Lack of Binding State due to Packet Loss
The DAD procedure is inherently unreliable. It consists of sending
an NS packet, and if no NA packet is received back, success is
assumed, and the host starts using the address. In general, the lack
of response is because no other host has that particular address
configured in its interface, but it may also be the case that the NS
packet or the NA packet has been lost. From the perspective of the
sending host, there is no difference, and the host assumes that it
can use the address. In other words, the default action is to allow
the host to obtain network connectivity.
It should be noted that the loss of a DAD packet has little impact on
the network performance, since address collision is very rare, and
the host assumes success in that case. By designing a SAVI solution
that would discard packets for which there is no binding, we are
diametrically changing the default behavior in this respect, since
the default would be that if the DAD packets are lost, then the node
is disconnected from the network (as its packets are filtered). What
is worse, the node has little clue of what is going wrong, since it
Nordmark, et al. Standards Track [Page 28]
^L
RFC 6620 FCFS SAVI May 2012
has successfully configured an address, but it has no connectivity.
The net result is that the overall reliability of the network has
significantly decreased as the loss of a single packet would imply
that a host is disconnected from the network.
The only mechanism that the DAD has to improve its reliability is
sending multiple NSs. However, [RFC4862] defines a default value of
1 NS message for the DAD procedure, so requiring any higher value
would imply manual configuration of all the hosts connected to the
SAVI domain.
A.1.1.1. Why Initial Packets May Be (Frequently) Lost
The Case of LANs
Devices connecting to a network may experience periods of packet loss
after the link-layer becomes available for two reasons: Invalid
Authentication state and incomplete topology assessment. In both
cases, physical-layer connection occurs initially and presents a
medium where packets are transmissible, but frame forwarding is not
available across the LAN.
For the authentication system, devices on a controlled port are
forced to complete 802.1X authentication, which may take multiple
round trips and many milliseconds to complete (see
[IEEE.802-1X.2004]). In this time, initial DHCP, IPv6 Neighbor
Discovery, Multicast Listener, or Duplicate Address Detection
messages may be transmitted. However, it has also been noted that
some devices have the ability for the IP stack to not see the port as
up until 802.1X has completed. Hence, that issue needs investigation
to determine how common it is now.
Additionally, any system that requires user input at this stage can
extend the authentication time and thus the outage. This is
problematic where hosts relying upon DHCP for address configuration
time out.
Upon completion of authentication, it is feasible to signal upper-
layer protocols as to LAN forwarding availability. This is not
typical today, so it is necessary to assume that protocols are not
aware of the preceding loss period.
For environments that do not require authentication, addition of a
new link can cause loops where LAN frames are forwarded continually.
In order to prevent loops, all LANs today run a spanning tree
protocol, which selectively disables redundant ports. Devices that
perform spanning tree calculations are either traditional Spanning
Tree Protocol (STP) (see [IEEE.802-1D.1998]) or rapidly converging
Nordmark, et al. Standards Track [Page 29]
^L
RFC 6620 FCFS SAVI May 2012
versions of the same (Rapid Spanning Tree Protocol (RSTP) / Multiple
Spanning Tree Protocol (RSTP)) (see [IEEE.802-1D.2004] and
[IEEE.802-1Q.2005]).
Until a port is determined to be an edge port (RSTP/MSTP), the rapid
protocol speaker has identified its position within the spanning tree
(RSTP/MSTP) or completed a Listening phase (STP), its packets are
discarded.
For ports that are not connected to rapid protocol switches, it takes
a minimum of three seconds to perform edge port determination (see
[IEEE.802-1D.2004]). Alternatively, completion of the Listening
phase takes 15 seconds (see [IEEE.802-1D.1998]). During this period,
the link-layer appears available, but initial packet transmissions
into and out of this port will fail.
It is possible to pre-assess ports as edge ports using manual
configuration of all the involved devices and thus make them
immediately transmissible. This is never default behavior though.
The Case of Fixed Access Networks
In fixed access networks such as DSL and cable, the end hosts are
usually connected to the access network through a residential gateway
(RG). If the host interface is initialized prior to the RG getting
authenticated and connected to the access network, the access network
is not aware of the DAD packets that the host sent out. As an
example, in DSL networks, the Access Node (Digital Subscriber Link
Access Multiplexer (DSLAM)) that needs to create and maintain binding
state will never see the DAD message that is required to create such
a state.
A.1.1.1.1. Special Sub-Case: SAVI Device Rate-Limiting Packets
A particular sub-case is the one where the SAVI device itself "drops"
ND packets. In order to protect itself against DoS attacks and
flash-crowds, the SAVI device will have to rate limit the processing
of packets triggering the state-creation process (which requires
processing from the SAVI device). This implies that the SAVI device
may not process all the ND packets if it is under heavy conditions.
The result is that the SAVI device will fail to create a binding for
a given DAD_NS packet, which implies that the data packets coming
from the host that sent the DAD_NS packet will be filtered if this
approach is adopted. The problem is that the host will assume that
the DAD procedure was successful and will not perform the DAD
procedure again, which in turn will imply that the host will be
disconnected from the network. While it is true that the SAVI device
will also have to rate limit the processing of the data packets, the
Nordmark, et al. Standards Track [Page 30]
^L
RFC 6620 FCFS SAVI May 2012
host will keep on sending data packets, so it is possible to recover
from the alternative approach where data packets trigger the binding-
creation procedure.
A.1.2. Lack of Binding State due to a Change in the Topology
If SAVI is deployed in a switched Ethernet network, topology changes
may result in a SAVI device receiving packets from a legitimate user
for which the SAVI device does not have a binding. Consider the
following example:
+------+ +--------+ +---------------+
|SAVI I|-------------|SWITCH I|-------|rest of the net|
+------+ +--------+ +---------------+
| |
| +--------+
| | SAVI II|
| +--------+
| +----------+ |
+---|SWITCH II |-----+
+----------+
|
+-----+
| Host|
+-----+
Figure 3: Topology Example
Suppose that after bootstrapping, all the elements are working
properly and the spanning tree is rooted in the router and includes
one branch that follows the path SWITCH I - SAVI I - SWITCH II, and
another branch that follows SWITCH I-SAVI II.
Suppose that the host boots at this moment and sends the DAD_NS. The
message is propagated through the spanning tree and is received by
SAVI I but not by SAVI II. SAVI I creates the binding.
Suppose that SAVI I fails and the spanning tree reconverges to SWITCH
I - SAVI II - SWITCH II. Now, data packets coming from the host will
be coursed through SAVI II, which does not have binding state and
will drop the packets.
A.1.3. Lack of Binding State due to State Loss
The other reason a SAVI device may not have state for a legitimate
address is simply because it lost it. State can be lost due to a
reboot of the SAVI device or other reasons such as memory corruption.
So, the situation would be as follows. The host performs the DAD
Nordmark, et al. Standards Track [Page 31]
^L
RFC 6620 FCFS SAVI May 2012
procedure, and the SAVI device creates a binding for the host's
address. The host successfully communicates for a while. The SAVI
device reboots and loses the binding state. The packets coming from
the host are now discarded as there is no binding state for that
address. It should be noted that in this case, the host has been
able to use the address successfully for a certain period of time.
Architecturally, the degradation of the network robustness in this
case can be easily explained by observing that this approach to SAVI
implementation breaks the fate-sharing principle. [RFC1958] reads:
An end-to-end protocol design should not rely on the maintenance
of state (i.e. information about the state of the end-to-end
communication) inside the network. Such state should be
maintained only in the endpoints, in such a way that the state can
only be destroyed when the endpoint itself breaks (known as fate-
sharing).
By binding the fate of the host's connectivity to the state in the
SAVI device, we are breaking this principle, and the result is
degraded network resilience.
Moving on to more practical matters, we can dig deeper into the
actual behavior by considering two scenarios, namely, the case where
the host is directly connected to the SAVI device and the case where
there is an intermediate device between the two.
A.1.3.1. The Case of a Host Directly Connected to the SAVI Device
The considered scenario is depicted in the following diagram:
+------+ +-----------+ +---------------+
| Host |-------------|SAVI device|-------|rest of the net|
+------+ +-----------+ +---------------+
Figure 4: Host Attached Directly to SAVI Device
The key distinguishing element of this scenario is that the host is
directly connected to the SAVI device. As a result, if the SAVI
device reboots, the host will see the carrier disappear and appear
again.
Nordmark, et al. Standards Track [Page 32]
^L
RFC 6620 FCFS SAVI May 2012
[RFC4862] requires that the DAD procedure is performed when the IP
address is assigned to the interface (see [RFC4862], Section 5.4):
Duplicate Address Detection:
Duplicate Address Detection MUST be performed on all unicast
addresses prior to assigning them to an interface, regardless of
whether they are obtained through stateless autoconfiguration,
DHCPv6, or manual configuration, with the following exceptions:
...
However, it has been stated that some of the widely used OSs actually
do perform DAD each time the link is up, but further data would be
required for this to be taken for granted. Assuming that behavior,
this implies that if the loss of state in the SAVI device also
results in the link to the host going down, then the host using the
tested OSs would redo the DAD procedure allowing the recreation of
the binding state in the SAVI device and preserving the connectivity
of the host. This would be the case if the SAVI device reboots. It
should be noted, however, that it is also possible that the binding
state is lost because of an error in the SAVI process and that the
SAVI link does not goes down. In this case, the host would not redo
the DAD procedure. However, it has been pointed out that it would be
possible to require the SAVI process to flap the links of the device
it is running, in order to make sure that the link goes down each
time the SAVI process restarts and to improve the chances the host
will redo the DAD procedure when the SAVI process is rebooted.
A.1.3.2. The Case of a Host Connected to the SAVI Device through One or
More Legacy Devices
The considered scenario is depicted in the following diagram:
+------+ +-------------+ +-----------+ +---------------+
| Host |----|Legacy device|-----|SAVI device|----|rest of the net|
+------+ +-------------+ +-----------+ +---------------+
Figure 5: Host Attached to a Legacy Device
The key distinguishing element of this scenario is that the host is
not directly connected to the SAVI device. As a result, if the SAVI
device reboots, the host will not see any changes.
In this case, the host would get disconnected from the rest of the
network since the SAVI device would filter all its packets once the
state has gone. As the node will not perform the DAD procedure
again, it will remain disconnected until it reboots.
Nordmark, et al. Standards Track [Page 33]
^L
RFC 6620 FCFS SAVI May 2012
As a final comment, it should be noted that it may not be obvious to
the network admin which scenario its network is running. Consider
the case of a campus network where all the switches in the network
are SAVI capable. A small hub connected in the office would turn
this into the scenario where the host is not directly connected to
the SAVI device. Moreover, consider the case of a host running
multiple virtual machines connected through a virtual hub. Depending
on the implementation of such a virtual hub, this may turn a directly
connected host scenario to the scenario where the multiple (virtual)
hosts are connected through a legacy (virtual) hub.
A.1.3.2.1. Enforcing Direct Connectivity between the SAVI Device and
the Host
It has been argued that enforcing direct connectivity between the
SAVI device and the end host is actually a benefit. There are
several comments that can be made in this respect:
o First, it may well be the case in some scenarios that this is
desirable, but it is certainly not the case in most scenarios.
Because of that, the issue of enforcing direct connectivity must
be treated as orthogonal to how data packets for which there is no
binding are treated, since a general solution must support
directly connected nodes and nodes connected through legacy
switches.
o Second, as a matter of fact, the resulting behavior described
above would not actually enforce direct connectivity between the
end host and the SAVI device as it would work as long as the SAVI
device does not reboot. So, the argument being made is that this
approach is not good enough to provide a robust network service,
but it is not bad enough to enforce the direct connectivity of the
host to the SAVI switch.
o Third, it should be noted that topology enforcement is not part of
the SAVI problem space and that the SAVI problem by itself is
complex enough without adding additional requirements.
A.2. Implications of Not Discarding Non-Compliant Data Packets
The FCFS SAVI mechanism is composed of two main functions, namely,
the mechanisms for tracking compliant and non-compliant data packets
and the actions to be performed upon the detection of a non-compliant
packet. Throughout this specification, we recommend discarding non-
compliant data packets. This is because forwarding non-compliant
data packets is essentially allowing packets with spoofed source
addresses to flow throughout the network. However, there are
alternative actions that can be taken with respect to these packets.
Nordmark, et al. Standards Track [Page 34]
^L
RFC 6620 FCFS SAVI May 2012
For instance, it would be possible to forward the packets and trigger
an alarm to network administrators to make them aware of the
situation. Similarly, it would be possible to log these events and
allow the tracking down cases where packets with spoofed addresses
were used for malicious purposes. The reason a site deploying SAVI
may not want to take milder actions like the ones mentioned above
instead of discarding packets is because there may be cases where the
non-compliant packets may be legitimate packets (for example, in the
case that the SAVI device is malfunctioning and has failed to create
the appropriate bindings upon the reception of a DAD packet).
Authors' Addresses
Erik Nordmark
Cisco Systems
510 McCarthy Blvd.
Milpitas, CA 95035
United States
EMail: nordmark@acm.org
Marcelo Bagnulo
Universidad Carlos III de Madrid
Av. Universidad 30
Leganes, Madrid 28911
Spain
Phone: 34 91 6248814
EMail: marcelo@it.uc3m.es
URI: http://www.it.uc3m.es
Eric Levy-Abegnoli
Cisco Systems
Village d'Entreprises Green Side - 400, Avenue Roumanille
Biot-Sophia Antipolis - 06410
France
EMail: elevyabe@cisco.com
Nordmark, et al. Standards Track [Page 35]
^L
|
