1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
|
Internet Engineering Task Force (IETF) J. Bi
Request for Comments: 7513 J. Wu
Category: Standards Track G. Yao
ISSN: 2070-1721 Tsinghua Univ.
F. Baker
Cisco
May 2015
Source Address Validation Improvement (SAVI) Solution for DHCP
Abstract
This document specifies the procedure for creating a binding between
a DHCPv4/DHCPv6-assigned IP address and a binding anchor on a Source
Address Validation Improvement (SAVI) device. The bindings set up by
this procedure are used to filter packets with forged source IP
addresses. This mechanism complements BCP 38 (RFC 2827) ingress
filtering, providing finer-grained source IP address validation.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7513.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Bi, et al. Standards Track [Page 1]
^L
RFC 7513 SAVI DHCP May 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Deployment Scenario and Configuration . . . . . . . . . . . . 8
4.1. Elements and Scenario . . . . . . . . . . . . . . . . . . 8
4.2. SAVI Binding Type Attributes . . . . . . . . . . . . . . 10
4.2.1. Trust Attribute . . . . . . . . . . . . . . . . . . . 10
4.2.2. DHCP-Trust Attribute . . . . . . . . . . . . . . . . 11
4.2.3. DHCP-Snooping Attribute . . . . . . . . . . . . . . . 11
4.2.4. Data-Snooping Attribute . . . . . . . . . . . . . . . 11
4.2.5. Validating Attribute . . . . . . . . . . . . . . . . 12
4.2.6. Table of Mutual Exclusions . . . . . . . . . . . . . 13
4.3. Perimeter . . . . . . . . . . . . . . . . . . . . . . . . 13
4.3.1. SAVI-DHCP Perimeter Overview . . . . . . . . . . . . 13
4.3.2. SAVI-DHCP Perimeter Configuration Guideline . . . . . 14
4.3.3. On the Placement of the DHCP Server and Relay . . . . 15
4.3.4. An Alternative Deployment . . . . . . . . . . . . . . 15
4.3.5. Considerations regarding Binding Anchors . . . . . . 16
4.4. Other Device Configuration . . . . . . . . . . . . . . . 17
5. Binding State Table (BST) . . . . . . . . . . . . . . . . . . 17
6. DHCP Snooping Process . . . . . . . . . . . . . . . . . . . . 18
6.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2. Binding States Description . . . . . . . . . . . . . . . 19
6.3. Events . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.3.1. Timer Expiration Event . . . . . . . . . . . . . . . 19
6.3.2. Control Message Arriving Events . . . . . . . . . . . 19
6.4. The State Machine of DHCP Snooping Process . . . . . . . 21
6.4.1. Initial State: NO_BIND . . . . . . . . . . . . . . . 21
6.4.2. Initial State: INIT_BIND . . . . . . . . . . . . . . 24
6.4.3. Initial State: BOUND . . . . . . . . . . . . . . . . 27
6.4.4. Table of State Machine . . . . . . . . . . . . . . . 30
7. Data Snooping Process . . . . . . . . . . . . . . . . . . . . 31
7.1. Scenario . . . . . . . . . . . . . . . . . . . . . . . . 31
7.2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 32
7.3. Additional Binding States Description . . . . . . . . . . 33
7.4. Events . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.5. Message Sender Functions . . . . . . . . . . . . . . . . 35
7.5.1. Duplicate Detection Message Sender . . . . . . . . . 35
7.5.2. Leasequery Message Sender . . . . . . . . . . . . . . 36
7.5.3. Address Verification Message Sender . . . . . . . . . 36
7.6. Initial State: NO_BIND . . . . . . . . . . . . . . . . . 37
7.6.1. Event: EVE_DATA_UNMATCH: A data packet without a
matched binding is received . . . . . . . . . . . . . 37
7.6.2. Events Not Observed in NO_BIND for Data Snooping . . 38
Bi, et al. Standards Track [Page 2]
^L
RFC 7513 SAVI DHCP May 2015
7.7. Initial State: DETECTION . . . . . . . . . . . . . . . . 39
7.7.1. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . . 39
7.7.2. Event: EVE_DATA_CONFLICT: ARP Reply / NA Message
Received from Unexpected System . . . . . . . . . . . 39
7.7.3. Events Not Observed in DETECTION . . . . . . . . . . 39
7.8. Initial State: RECOVERY . . . . . . . . . . . . . . . . . 40
7.8.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE
or successful LEASEQUERY-REPLY is received . . . . . 40
7.8.2. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . . 41
7.8.3. Events Not Observed in RECOVERY . . . . . . . . . . . 41
7.9. Initial State: VERIFY . . . . . . . . . . . . . . . . . . 41
7.9.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE
or successful LEASEQUERY-REPLY is received . . . . . 41
7.9.2. Event: EVE_DATA_VERIFY: A valid ARP Reply or NA is
received from the device attached via the binding
anchor . . . . . . . . . . . . . . . . . . . . . . . 42
7.9.3. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . . 42
7.9.4. Event: EVE_DATA_EXPIRE . . . . . . . . . . . . . . . 43
7.9.5. Events Not Observed in VERIFY . . . . . . . . . . . . 43
7.10. Initial State: BOUND . . . . . . . . . . . . . . . . . . 43
7.11. Table of State Machine . . . . . . . . . . . . . . . . . 44
8. Filtering Specification . . . . . . . . . . . . . . . . . . . 45
8.1. Data Packet Filtering . . . . . . . . . . . . . . . . . . 46
8.2. Control Packet Filtering . . . . . . . . . . . . . . . . 46
9. State Restoration . . . . . . . . . . . . . . . . . . . . . . 47
9.1. Attribute Configuration Restoration . . . . . . . . . . . 47
9.2. Binding State Restoration . . . . . . . . . . . . . . . . 47
10. Constants . . . . . . . . . . . . . . . . . . . . . . . . . . 48
11. Security Considerations . . . . . . . . . . . . . . . . . . . 48
11.1. Security Problems with the Data Snooping Process . . . . 48
11.2. Securing Leasequery Operations . . . . . . . . . . . . . 49
11.3. Client Departure Issues . . . . . . . . . . . . . . . . 49
11.4. Compatibility with Detecting Network Attachment (DNA) . 50
11.5. Binding Number Limitation . . . . . . . . . . . . . . . 51
11.6. Privacy Considerations . . . . . . . . . . . . . . . . . 51
11.7. Fragmented DHCP Messages . . . . . . . . . . . . . . . . 51
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 52
12.1. Normative References . . . . . . . . . . . . . . . . . . 52
12.2. Informative References . . . . . . . . . . . . . . . . . 53
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54
Bi, et al. Standards Track [Page 3]
^L
RFC 7513 SAVI DHCP May 2015
1. Introduction
This document describes a fine-grained source address validation
mechanism for IPv4 and IPv6 packets. This mechanism creates bindings
between IP addresses assigned to network interfaces by DHCP and
suitable binding anchors (Section 4.3.5). As discussed in Section 3
and [RFC7039], a "binding anchor" is an attribute that is immutable
or difficult to change that may be used to identify the system an IP
address has been assigned to; common examples include a Media Access
Control (MAC) address found on an Ethernet switch port or Wi-Fi
security association. The bindings are used to identify and filter
packets originated by these interfaces using forged source IP
addresses. In this way, this mechanism can prevent hosts from using
IP addresses assigned to any other attachment point in or not
associated with the network. This behavior is referred to as
"spoofing" and is key to amplification attacks, in which a set of
systems send messages to another set of systems claiming to be from a
third set of systems, and sending the replies to systems that don't
expect them. Whereas BCP 38 [RFC2827] protects a network from a
neighboring network by providing prefix granularity source IP address
validity, this mechanism protects a network, including a Local Area
Network, from itself by providing address granularity source IP
validity when DHCP/DHCPv6 is used to assign IPv4/IPv6 addresses.
Both provide a certain level of traceability, in that packet drops
indicate the presence of a system that is producing packets with
spoofed IP addresses.
SAVI-DHCP snoops DHCP address assignments to set up bindings between
IP addresses assigned by DHCP and corresponding binding anchors. It
includes the DHCPv4 and DHCPv6 Snooping Process (Section 6) and the
Data Snooping Process (Section 7), as well as a number of other
technical details. The Data Snooping Process is a data-triggered
procedure that snoops the IP header of data packets to set up
bindings. It is designed to avoid a permanent blockage of valid
addresses in the case that DHCP snooping is insufficient to set up
all the valid bindings.
This mechanism is designed for the stateful DHCP scenario [RFC2131]
[RFC3315]. Stateless DHCP [RFC3736] is out of scope for this
document, as it has nothing to do with IP address allocation. An
alternative SAVI method would have be used in those cases. For hosts
using Stateless Address Autoconfiguration (SLAAC) to allocate
addresses, First-Come, First-Served Source Address Validation
Improvement (FCFS SAVI) [RFC6620] should be enabled. SAVI-DHCP is
primarily designed for pure DHCP scenarios in which only addresses
assigned through DHCP are allowed. However, it does not block link-
Bi, et al. Standards Track [Page 4]
^L
RFC 7513 SAVI DHCP May 2015
local addresses, as they are not assigned using DHCP. It is
RECOMMENDED that the administration deploy a SAVI solution for link-
local addresses, e.g., FCFS SAVI [RFC6620].
This mechanism works for networks that use DHCPv4 only, DHCPv6 only,
or both DHCPv4 and DHCPv6. However, the DHCP address assignment
mechanism in IPv4/IPv6 transition scenarios, e.g., [RFC7341], are
beyond the scope of this document.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Terminology
Binding anchor: A "binding anchor" is defined to be a physical and/or
link-layer property of an attached device, as in [RFC7039]. A list
of sample binding anchors can be found in Section 3.2 of that
document. To the degree possible, a binding anchor associates an IP
address with something unspoofable that identifies a single-client
system or one of its interfaces. See Section 4.3.5 for more detail.
Attribute: A configurable property of each binding anchor (port, MAC
address, or other information) that indicates the actions to be
performed on packets received from the attached network device.
DHCP address: An IP address assigned via DHCP.
SAVI-DHCP: The name of this SAVI function for DHCP-assigned
addresses.
SAVI device: A network device on which SAVI-DHCP is enabled.
Non-SAVI device: A network device on which SAVI-DHCP is not enabled.
DHCP Client-to-Server message: A message that is sent from a DHCP
client to a DHCP server or DHCP servers and is one of the following
types:
o DHCPv4 Discover: DHCPDISCOVER [RFC2131].
o DHCPv4 Request: DHCPREQUEST generated during SELECTING state
[RFC2131].
o DHCPv4 Renew: DHCPREQUEST generated during RENEWING state
[RFC2131].
Bi, et al. Standards Track [Page 5]
^L
RFC 7513 SAVI DHCP May 2015
o DHCPv4 Rebind: DHCPREQUEST generated during REBINDING state
[RFC2131].
o DHCPv4 Reboot: DHCPREQUEST generated during INIT-REBOOT state
[RFC2131].
o Note: DHCPv4 Request/Renew/Rebind/Reboot messages can be
identified based on Table 4 of [RFC2131].
o DHCPv4 Decline: DHCPDECLINE [RFC2131].
o DHCPv4 Release: DHCPRELEASE [RFC2131].
o DHCPv4 Inform: DHCPINFORM [RFC2131].
o DHCPv4 DHCPLEASEQUERY: A message sent to inquire about the lease
that might exist for an IPv4 address [RFC4388].
o DHCPv6 Request: REQUEST [RFC3315].
o DHCPv6 Solicit: SOLICIT [RFC3315].
o DHCPv6 Confirm: CONFIRM [RFC3315].
o DHCPv6 Decline: DECLINE [RFC3315].
o DHCPv6 Release: RELEASE [RFC3315].
o DHCPv6 Rebind: REBIND [RFC3315].
o DHCPv6 Renew: RENEW [RFC3315].
o DHCPv6 Information-Request: INFORMATION-REQUEST [RFC3315].
o DHCPv6 LEASEQUERY: A message sent to inquire about the lease that
might exist for an IPv6 address [RFC5007].
DHCP Server-to-Client message: A message that is sent from a DHCP
server to a DHCP client and is one of the following types:
o DHCPv4 ACK: DHCPACK [RFC2131].
o DHCPv4 NAK: DHCPNAK [RFC2131].
o DHCPv4 Offer: DHCPOFFER [RFC2131].
o DHCPv4 DHCPLEASEACTIVE: A response to a DHCPLEASEQUERY request
containing lease information [RFC4388].
Bi, et al. Standards Track [Page 6]
^L
RFC 7513 SAVI DHCP May 2015
o DHCPv4 DHCPLEASEUNKNOWN: A response to a DHCPLEASEQUERY request
indicating that the server does not manage the address [RFC4388].
o DHCPv4 DHCPLEASEUNASSIGNED: A response to a DHCPLEASEQUERY request
indicating that the server manages the address and there is no
current lease [RFC4388].
o DHCPv6 Reply: REPLY [RFC3315].
o DHCPv6 Advertise: ADVERTISE [RFC3315].
o DHCPv6 Reconfigure: RECONFIGURE [RFC3315].
o DHCPv6 LEASEQUERY-REPLY: A response to a LEASEQUERY request
[RFC5007].
Lease time: The lease time in IPv4 [RFC2131] or the valid lifetime in
IPv6 [RFC3315].
Binding entry: A rule that associates an IP address with a binding
anchor.
Binding State Table (BST): The data structure that contains the
binding entries.
Binding entry limit: The maximum number of binding entries that may
be associated with a binding anchor. Limiting the number of binding
entries per binding anchor prevents a malicious or malfunctioning
node from overloading the binding table on a SAVI device.
Direct attachment: Ideally, a SAVI device is an access device that
hosts are attached to directly. In such a case, the hosts are direct
attachments (i.e., they attach directly) to the SAVI device.
Indirect attachment: A SAVI device MAY be an aggregation device that
other access devices are attached to and that hosts in turn attach
to. In such a case, the hosts are indirect attachments (i.e., they
attach indirectly) to the SAVI device.
Unprotected link: Unprotected links are links that connect to hosts
or networks of hosts that receive their DHCP traffic by another path
and are therefore outside the SAVI perimeter.
Unprotected device: An unprotected device is a device associated with
an unprotected link. One example might be the gateway router of a
network.
Bi, et al. Standards Track [Page 7]
^L
RFC 7513 SAVI DHCP May 2015
Protected link: If DHCP messages for a given attached device always
use a given link, the link is considered to be "protected" by the
SAVI device and is therefore within the SAVI perimeter.
Protected device: A protected device is a device associated with a
protected link. One example might be a desktop switch in the
network, or a host.
Cut vertex: A cut vertex is any vertex whose removal increases the
number of connected components in a (network) graph. This is a
concept in graph theory. This term is used in Section 6.1 to
accurately specify the required deployment location of SAVI devices
when they only perform the DHCP Snooping Process.
Identity Association (IA): "A collection of addresses assigned to a
client" [RFC3315].
Detection message: A Neighbor Solicitation or ARP message intended by
the Data Snooping Process to detect a duplicate address.
DHCP_DEFAULT_LEASE: Default lifetime for a DHCPv6 address when the
binding is triggered by a DHCPv6 Confirm message but a DHCPv6
Leasequery exchange [RFC5007] cannot be performed by the SAVI device
to fetch the lease.
4. Deployment Scenario and Configuration
4.1. Elements and Scenario
The essential elements in a SAVI-DHCP deployment scenario include at
least one DHCP server (which may or may not be assigned an address
using DHCP and therefore may or may not be protected), zero or more
protected DHCP clients, and one or more SAVI devices. It may also
include DHCP relays, when the DHCP server is not co-located with a
set of clients, and zero or more protected non-SAVI devices. Outside
the perimeter, via unprotected links, there may be many unprotected
devices.
Bi, et al. Standards Track [Page 8]
^L
RFC 7513 SAVI DHCP May 2015
+-------------+
| Unprotected |
| Device |
+------+------+
|
+--------+ +-----+------+ +----------+
|DHCP +-----+ Non-SAVI +----+Bogus DHCP|
|Server A| | Device 1 | |Server |
+--------+ +-----+------+ +----------+
|trusted, unprotected link
. . . . . . . . . . . . . . . . .|. . . . . . . . . . . . . .
. | .
. Protection +---+------+ trusted link .
. Perimeter | SAVI +--------------+ .
. | Device C | | .
. +---+------+ | .
. | | .
. untrusted, +----------+ +---+------+ +------+---+ .
. protected | SAVI | | Non-SAVI | | SAVI | .
. link+------+ Device A +----+ Device 3 +-------+ Device B | .
. | +----+--+--+ +----------+ +-+---+----+ .
. | | +----------+ . . . . . | | .
. | . . . . . . | . . | | .
. | . | . | . +--------+ | .
. +----+-----+. +--+---+ . +----+-+ . +--+---+ . +---+----+ .
. | Non-SAVI |. |Client| . |DHCP | . |Client| . |DHCP | .
. | Device 2 |. |A | . |Relay | . |B | . |Server B| .
. +----------+. +------+ . +------+ . +------+ . +--------+ .
. . . . . . . . . . . . . . . . . . .
Figure 1: SAVI-DHCP Scenario
Figure 1 shows a deployment scenario that contains these elements.
Note that a physical device can instantiate multiple elements, e.g.,
a switch can be both a SAVI device and a DHCP relay, or in a cloud-
computing environment, a physical host may contain a virtual switch
plus some number of virtual hosts. In such cases, the links are
logical links rather than physical links.
Networks are not usually isolated. As a result, traffic from other
networks, including transit traffic as specified in [RFC6620] (e.g.,
traffic from another SAVI switch or a router) may enter a SAVI-DHCP
network through the unprotected links. Since SAVI solutions are
limited to validating traffic generated from a local link, SAVI-DHCP
does not set up bindings for addresses assigned in other networks and
cannot validate them. Traffic from unprotected links should be
checked by an unprotected device or mechanisms described in
Bi, et al. Standards Track [Page 9]
^L
RFC 7513 SAVI DHCP May 2015
[RFC2827]. The generation and deployment of such a mechanism is
beyond the scope of this document.
Traffic from protected links is, however, locally generated and
should have its source addresses validated by SAVI-DHCP if possible.
In the event that there is an intervening protected non-SAVI device
between the host and the SAVI device, however, use of the physical
attachment point alone as a binding anchor is insufficiently secure,
as several devices on a port or other point of attachment can spoof
each other. Hence, additional information such as a MAC address
SHOULD be used to disambiguate them.
4.2. SAVI Binding Type Attributes
As illustrated in Figure 1, a system attached to a SAVI device can be
a DHCP client, a DHCP relay/server, a SAVI device, or a non-SAVI
device. Different actions are performed on traffic originated from
different elements. To distinguish among their requirements, several
properties are associated with their point of attachment on the SAVI
device.
When a binding association is uninstantiated, e.g., when no host is
attached to the SAVI device using a given port or other binding
anchor, the binding port attributes take default values unless
overridden by configuration. By default, a SAVI switch does not
filter DHCP messages, nor does it attempt to validate source
addresses, which is to say that the binding attributes are ignored
until SAVI-DHCP is itself enabled. This is because a SAVI switch
that depends on DHCP cannot tell, a priori, which ports have valid
DHCP servers attached, or which have routers or other equipment that
would validly appear to use an arbitrary set of source addresses.
When SAVI has been enabled, the attributes take effect.
4.2.1. Trust Attribute
The "Trust Attribute" is a Boolean value. If TRUE, it indicates that
the packets from the corresponding attached device need not have
their source addresses validated. Examples of a trusted attachment
would be a port to another SAVI device, or to an IP router, as shown
in Figure 1. In both cases, traffic using many source IP addresses
will be seen. By default, the Trust attribute is FALSE, indicating
that any device found on that port will seek an address using DHCP
and be limited to using such addresses.
SAVI devices will not set up bindings for points of attachment with
the Trust attribute set TRUE; no packets, including DHCP messages,
from devices with this attribute on their attachments will be
validated. However, DHCP Server-to-Client messages will be snooped
Bi, et al. Standards Track [Page 10]
^L
RFC 7513 SAVI DHCP May 2015
on attachment points with the Trust attribute set TRUE in the same
way as if they had the DHCP-Trust attribute set (see Section 4.2.2).
4.2.2. DHCP-Trust Attribute
The "DHCP-Trust Attribute" is similarly a Boolean attribute. It
indicates whether the attached device is permitted to initiate DHCP
Server-to-Client messages. In Figure 1, the points of attachment of
the DHCP server and the DHCP relay would have this attribute set
TRUE, and attachment points that have Trust set TRUE are implicitly
treated as if DHCP-Trust is TRUE.
If the DHCP-Trust attribute is TRUE, SAVI devices will forward DHCP
Server-to-Client messages from the points of attachment with this
attribute. If the DHCP Server-to-Client messages can trigger the
state transitions, the binding setup processes specified in Sections
6 and 7 will handle them. By default, the DHCP-Trust attribute is
FALSE, indicating that the attached system is not a DHCP server.
A DHCPv6 implementor can refer to [DHCPv6-SHIELD] for more details.
4.2.3. DHCP-Snooping Attribute
The "DHCP-Snooping Attribute" is similarly a Boolean attribute. It
indicates whether bindings will be set up based on DHCP snooping.
If this attribute is TRUE, DHCP Client-to-Server messages to points
of attachment with this attribute will trigger creation of bindings
based on the DHCP Snooping Process described in Section 6. If it is
FALSE, either the Trust attribute must be TRUE (so that bindings
become irrelevant) or another SAVI mechanism such as FCFS SAVI must
be used on the point of attachment.
The DHCP-Snooping attribute is configured on the DHCP client's point
of attachment. This attribute can be also used on the attachments to
protected non-SAVI devices that are used by DHCP clients. In
Figure 1, the attachment from Client A to SAVI Device A, the
attachment from Client B to SAVI Device B, and the attachment from
Non-SAVI Device 2 to SAVI Device A can be configured with this
attribute.
4.2.4. Data-Snooping Attribute
The "Data-Snooping Attribute" is a Boolean attribute. It indicates
whether data packets from the corresponding point of attachment may
trigger the binding setup procedure.
Bi, et al. Standards Track [Page 11]
^L
RFC 7513 SAVI DHCP May 2015
Data packets from points of attachment with this attribute may
trigger the setup of bindings. SAVI devices will set up bindings on
points of attachment with this attribute based on the data-triggered
process described in Section 7.
If the DHCP-Snooping attribute is configured on a point of
attachment, the bindings on this attachment are set up based on DHCP
message snooping. However, in some scenarios, a DHCP client may use
a DHCP address without the DHCP address assignment procedure being
performed on its current attachment. For such attached devices, the
Data Snooping Process, which is described in Section 7, is necessary.
This attribute is configured on such attachments. The usage of this
attribute is further discussed in Section 7.
Since some networks require DHCP deployment and others avoid it,
there is no obvious universal default value for the Data-Snooping
attribute. Hence, the Data-Snooping attribute should default to
FALSE, and a mechanism should be implemented to conveniently set it
to TRUE on all points of attachment for which the Trust attribute is
FALSE.
4.2.5. Validating Attribute
The "Validating Attribute" is a Boolean attribute. It indicates
whether packets from the corresponding attachment will have their IP
source addresses validated based on binding entries on the
attachment.
If it is TRUE, packets coming from attachments with this attribute
will be validated based on binding entries on the attachment as
specified in Section 8. If it is FALSE, they will not. Since the
binding table is used in common with other SAVI algorithms, it merely
signifies whether the check will be done, not whether it will be done
for SAVI-DHCP originated bindings.
This attribute is by default the inverse of the Trust attribute;
source addresses on untrusted links are validated by default. It MAY
be set FALSE by the administration.
The expected use case is when SAVI is used to monitor but not block
forged transmissions. The network manager, in that case, may set the
DHCP-Snooping and/or Data-Snooping attribute TRUE but the Validating
attribute FALSE.
Bi, et al. Standards Track [Page 12]
^L
RFC 7513 SAVI DHCP May 2015
4.2.6. Table of Mutual Exclusions
Different types of attributes may indicate mutually exclusive actions
on a packet. Mutually exclusive attributes MUST NOT be set TRUE on
the same attachment. The compatibility of different attributes is
listed in Figure 2. Note that although Trust and DHCP-Trust are
compatible, there is no need to configure DHCP-Trust to TRUE on an
attachment with Trust attribute TRUE.
+----------+----------+----------+----------+----------+----------+
| | | | DHCP- | Data- | |
| | Trust |DHCP-Trust| Snooping | Snooping |Validating|
+----------+----------+----------+----------+----------+----------+
| | | | mutually | mutually | mutually |
| Trust | - |compatible| exclusive| exclusive| exclusive|
+----------+----------+----------+----------+----------+----------+
| | | | | | |
|DHCP-Trust|compatible| - |compatible|compatible|compatible|
+----------+----------+----------+----------+----------+----------+
|DHCP- |mutually | | | | |
|Snooping |exclusive |compatible| - |compatible|compatible|
+----------+----------+----------+----------+----------+----------+
|Data- |mutually | | | | |
|Snooping |exclusive |compatible|compatible| - |compatible|
+----------+----------+----------+----------+----------+----------+
| |mutually | | | | |
|Validating|exclusive |compatible|compatible|compatible| - |
+----------+----------+----------+----------+----------+----------+
Figure 2: Table of Mutual Exclusions
4.3. Perimeter
4.3.1. SAVI-DHCP Perimeter Overview
SAVI devices form a perimeter separating trusted and untrusted
regions of a network, as FCFS SAVI does (Section 2.5 of [RFC6620]).
The perimeter is primarily designed for scalability. It has two
implications.
o SAVI devices only need to establish bindings for directly attached
clients, or clients indirectly attached through a non-SAVI
protected device, rather than all of the clients in the network.
o Each SAVI device only needs to validate the source addresses in
traffic from clients attached to it, without checking all the
traffic passing by.
Bi, et al. Standards Track [Page 13]
^L
RFC 7513 SAVI DHCP May 2015
Consider the example in Figure 1. The protection perimeter is formed
by SAVI Devices A, B, and C. In this case, SAVI Device B does not
create a binding for Client A. However, because SAVI Device A
filters spoofed traffic from Client A, SAVI Device B can avoid
receiving spoofed traffic from Client A.
The perimeter in SAVI-DHCP is not only a perimeter for data packets
but also a perimeter for DHCP messages. DHCP server response
messages incoming across the perimeter will be dropped (Section 8).
The placement of the DHCP relay and DHCP server, which are not
involved in [RFC6620], is related to the construction of the
perimeter. The requirement on the placement and configuration of the
DHCP relay and DHCP server is discussed in Section 4.3.3.
4.3.2. SAVI-DHCP Perimeter Configuration Guideline
A perimeter separating trusted and untrusted regions of the network
is formed as follows:
(1) Configure the Validating and DHCP-Snooping attributes TRUE on
the direct attachments of all DHCP clients.
(2) Configure the Validating and DHCP-Snooping attributes TRUE on
the indirect attachments of all DHCP clients (i.e., DHCP clients
on protected links).
(3) Configure the Trust attribute TRUE on the attachments to other
SAVI devices.
(4) If a non-SAVI device, or a number of connected non-SAVI devices,
are attached only to SAVI devices, set the Trust attribute TRUE
on their attachments.
(5) Configure the DHCP-Trust attribute TRUE on the direct
attachments to trusted DHCP relays and servers.
In this way, the points of attachments with the Validating attribute
TRUE (and generally together with attachments of unprotected devices)
on SAVI devices can form a perimeter separating DHCP clients and
trusted devices. Data packet checks are only performed on the
perimeter. The perimeter is also a perimeter for DHCP messages. The
DHCP-Trust attribute is only TRUE on links inside the perimeter.
Only DHCP Server-to-Client messages originated within the perimeter
are trusted.
Bi, et al. Standards Track [Page 14]
^L
RFC 7513 SAVI DHCP May 2015
4.3.3. On the Placement of the DHCP Server and Relay
As a result of the configuration guidelines, SAVI devices only trust
DHCP Server-to-Client messages originated inside the perimeter.
Thus, the trusted DHCP relays and DHCP servers must be placed within
the perimeter. DHCP Server-to-Client messages will be filtered on
the perimeter. Server-to-Relay messages will not be filtered, as
they are within the perimeter. In this way, DHCP Server-to-Client
messages from bogus DHCP servers are filtered on the perimeter,
having entered through untrusted points of attachment. The SAVI
devices are protected from forged DHCP messages.
DHCP Server-to-Client messages arriving at the perimeter from outside
the perimeter are not trusted. There is no distinction between a
DHCP server owned and operated by the correct administration but
outside the SAVI perimeter and a bogus DHCP server. For example, in
Figure 1, DHCP Server A is valid, but it is attached to Non-SAVI
Device 1. A bogus DHCP server is also attached to Non-SAVI Device 1.
While one could imagine a scenario in which the valid one had a
statistically configured port number and MAC address, and therefore a
binding, by default SAVI-DHCP cannot distinguish whether a message
received from the port of Non-SAVI Device 1 is from DHCP Server A or
the bogus DHCP server. If DHCP Server A is contained in the
perimeter, Non-SAVI Device 1 will also be contained in the perimeter.
Thus, DHCP Server A cannot be contained within the perimeter apart
from manual configuration of the binding anchor.
Another consideration on the placement is that if the DHCP server/
relay is not inside the perimeter, the SAVI devices may not be able
to set up bindings correctly because the SAVI devices may not be on
the path between the clients and the server/relay, or the DHCP
messages are encapsulated (e.g., Relay-reply and Relay-forward).
4.3.4. An Alternative Deployment
In common deployment practice, the traffic from the unprotected
network is treated as trustworthy, which is to say that it is not
filtered. In such a case, the Trust attribute can be set TRUE on the
unprotected link. If non-SAVI devices, or a number of connected non-
SAVI devices, are only attached to SAVI devices and unprotected
devices, their attachment to SAVI devices can have the Trust
attribute set TRUE. Then an unclosed perimeter will be formed, as
illustrated in Figure 3.
Bi, et al. Standards Track [Page 15]
^L
RFC 7513 SAVI DHCP May 2015
| . . Protection |
| | | Perimeter |
| | | |
| Unprotected | | Unprotected |
| Link | | Link |
| | | |
| | | |
| +----+---+ +----+---+ +--------+ |
| |SAVI +----+Non-SAVI+----+SAVI | |
| |Device | |Device | |Device | |
| +----+---+ +--------+ +----+---+ |
| | | |
\_____________+___________________________+________/
| |
| |
+--------+ +--------+
|DHCP | |DHCP |
|Client | |Client |
+--------+ +--------+
Figure 3: Alternative Perimeter Configuration
4.3.5. Considerations regarding Binding Anchors
The strength of this binding-based mechanism depends on the strength
of the binding anchor. The sample binding anchors in [RFC7039] have
the property in which they associate an IP address with a direct
physical or secure virtual interface such as a switch port, a
subscriber association, or a security association. In addition,
especially in the case where a protected non-SAVI device such as a
desktop switch or a hub is between the client and SAVI devices, they
MAY be extended to also include a MAC address or other link-layer
attribute. In short, a binding anchor is intended to associate an IP
address with something unspoofable that identifies a single-client
system or one of its interfaces; this may be a physical or virtual
interface or that plus disambiguating link-layer information.
If the binding anchor is spoofable, such as a plain MAC address, or
non-exclusive, such as a switch port extended using a non-SAVI
device, an attacker can use a forged binding anchor to evade
validation. Indeed, using a binding anchor that can be easily
spoofed can lead to worse outcomes than allowing spoofed IP traffic.
Thus, a SAVI device MUST use a non-spoofable and exclusive binding
anchor.
Bi, et al. Standards Track [Page 16]
^L
RFC 7513 SAVI DHCP May 2015
4.4. Other Device Configuration
In addition to a possible binding anchor configuration specified in
Section 4.2, an implementation has the following configuration
requirements:
(1) Address configuration. For DHCPv4: the SAVI device MUST have an
IPv4 address. For DHCPv6: the client of a SAVI device MUST have
a link-local address; when the DHCPv6 server is not on the same
link as the SAVI device, the SAVI device MUST also have an IPv6
address of at least the same scope as the DHCPv6 Server.
(2) DHCP server address configuration: a SAVI device MUST store the
list of the DHCP server addresses that it could contact during a
leasequery process.
(3) A SAVI device may also require security parameters, such as
preconfigured keys to establish a secure connection for the
leasequery process [RFC4388] [RFC5007] connection.
5. Binding State Table (BST)
The Binding State Table, which may be implemented centrally in the
switch or distributed among its ports, is used to contain the
bindings between the IP addresses assigned to the attachments and the
corresponding binding anchors of the attachments. Note that in this
description, there is a binding entry for each IPv4 or IPv6 address
associated with each binding anchor, and there may be several of each
such address, especially if the port is extended using a protected
non-SAVI device. Each binding entry has six fields:
o Binding Anchor (listed as "Anchor" in subsequent figures): the
binding anchor, i.e., one or more physical and/or link-layer
properties of the attachment.
o IP Address (listed as "Address" in subsequent figures): the IPv4
or IPv6 address assigned to the attachment by DHCP.
o State: the state of the binding. Possible values of this field
are listed in Sections 6.2 and 7.3.
o Lifetime: the remaining seconds of the binding. Internally, this
MAY be stored as the timestamp value at which the lifetime
expires.
o Transaction ID (TID): the Transaction ID [RFC2131] [RFC3315] of
the corresponding DHCP transaction. The TID field is used to
Bi, et al. Standards Track [Page 17]
^L
RFC 7513 SAVI DHCP May 2015
associate DHCP Server-to-Client messages with corresponding
binding entries.
o Timeouts: the number of timeouts that expired in the current state
(only used in the Data Snooping Process; see Section 7).
The IA is not present in the BST for three reasons:
o The lease of each address in one IA is assigned separately.
o When the binding is set up based on data snooping, the IA cannot
be recovered from the leasequery protocol.
o DHCPv4 does not define an IA.
An example of such a table is shown in Figure 4.
+---------+----------+-----------+-----------+--------+----------+
| Anchor | Address | State | Lifetime | TID | Timeouts |
+---------+----------+-----------+-----------+--------+----------+
| Port_1 | IP_1 | BOUND | 65535 | TID_1 | 0 |
+---------+----------+-----------+-----------+--------+----------+
| Port_1 | IP_2 | BOUND | 10000 | TID_2 | 0 |
+---------+----------+-----------+-----------+--------+----------+
| Port_2 | IP_3 | INIT_BIND | 1 | TID_3 | 0 |
+---------+----------+-----------+-----------+--------+----------+
Figure 4: Example Binding State Table
6. DHCP Snooping Process
This section specifies the process of setting up bindings based on
DHCP snooping. This process is illustrated using a state machine.
6.1. Rationale
The rationale of the DHCP Snooping Process is that if a DHCP client
is legitimately using a DHCP-assigned address, the DHCP address
assignment procedure that assigns the IP address to the client must
have been performed via the client's point of attachment. This
assumption works when the SAVI device is always on the path(s) from
the DHCP client to the DHCP server(s)/relay(s). Without considering
the movement of DHCP clients, the SAVI device should be the cut
vertex whose removal will separate the DHCP client and the remaining
network containing the DHCP server(s)/relay(s). For most of the
networks whose topologies are simple, it is possible to deploy this
SAVI function at proper devices to meet this requirement.
Bi, et al. Standards Track [Page 18]
^L
RFC 7513 SAVI DHCP May 2015
However, if there are multiple paths from a DHCP client to the DHCP
server and the SAVI device is only on one of them, there is an
obvious failure case: the SAVI device may not be able to snoop the
DHCP procedure. Host movement may also make this requirement
difficult to meet. For example, when a DHCP client moves from one
attachment to another attachment in the same network, it may fail to
reinitialize its interface or send a Confirm message because of
incomplete protocol implementation. Thus, there can be scenarios in
which only performing this DHCP Snooping Process is insufficient to
set up bindings for all the valid DHCP addresses. These exceptions
and the solutions are discussed in Section 7.
6.2. Binding States Description
The following binding states are present in this process and the
corresponding state machine:
NO_BIND: No binding has been set up.
INIT_BIND: A potential binding has been set up.
BOUND: The binding has been set up.
6.3. Events
This section describes events in this process and the corresponding
state machine transitions. The DHCP message categories (e.g., DHCPv4
Discover) defined in Section 3 are used extensively in the
definitions of events and elsewhere in the state machine definition.
If an event will trigger the creation of a new binding entry, the
binding entry limit on the binding anchor MUST NOT be exceeded.
6.3.1. Timer Expiration Event
EVE_ENTRY_EXPIRE: The lifetime of a binding entry expires.
6.3.2. Control Message Arriving Events
EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is
received.
EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received.
EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received.
EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
received.
Bi, et al. Standards Track [Page 19]
^L
RFC 7513 SAVI DHCP May 2015
EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is received.
EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid
Commit option is received.
EVE_DHCP_REPLY: A DHCPv4 ACK or a DHCPv6 Reply message is received.
EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is
received.
EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is
received.
EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY (refer to
Section 4.3.3 of [RFC5007]) is received.
Note: the events listed here do not cover all the DHCP messages in
Section 3. The messages that do not really determine address usage
(DHCPv4 Discover, DHCPv4 Inform, DHCPv6 Solicit without Rapid Commit,
DHCPv6 Information-Request, DHCPv4 Offer, DHCPv6 Advertise, and
DHCPv6 Reconfigure) and that are not necessary to snoop (DHCPv4
Negative Acknowledgment (NAK); refer to Section 6.4.2.3) are not
included. Note also that DHCPv4 DHCPLEASEQUERY is not used in the
DHCP Snooping Process to avoid confusion with Section 7. Also, since
the LEASEQUERY should have been originated by the SAVI device itself,
the destination check should verify that the message is directed to
this SAVI device, and it should not be forwarded once it has been
processed here.
Moreover, only if a DHCP message can pass the following checks, the
corresponding event is regarded as a valid event:
o Attribute check: the DHCP Server-to-Client messages and
LEASEQUERY-REPLY should be from attachments with the DHCP-Trust
attribute; the DHCP Client-to-Server messages should be from
attachments with the DHCP-Snooping attribute.
o Destination check: the DHCP Server-to-Client messages should be
destined to attachments with the DHCP-Snooping attribute. This
check is performed to ensure the binding is set up on the SAVI
device that is nearest to the destination client.
o Binding anchor check: the DHCP Client-to-Server messages that may
trigger modification or removal of an existing binding entry must
have a matching binding anchor with the corresponding entry.
Bi, et al. Standards Track [Page 20]
^L
RFC 7513 SAVI DHCP May 2015
o TID check: the DHCP Server-to-Client/Client-to-Server messages
that may cause modification of existing binding entries must have
a matched TID with the corresponding entry. Note that this check
is not performed on LEASEQUERY and LEASEQUERY-REPLY messages as
they are exchanged between the SAVI devices and the DHCP servers.
Besides, this check is not performed on DHCP Renew/Rebind
messages.
o Binding limitation check: the DHCP messages must not cause new
binding setup on an attachment whose binding entry limitation has
been reached (refer to Section 11.5).
o Address check: the source address of the DHCP messages should pass
the check specified in Section 8.2.
On receiving a DHCP message without triggering a valid event, the
state will not change, and the actions will not be performed. Note
that if a message does not trigger a valid event but it can pass the
checks in Section 8.2, it MUST be forwarded.
6.4. The State Machine of DHCP Snooping Process
This section specifies state transitions and their corresponding
actions.
6.4.1. Initial State: NO_BIND
6.4.1.1. Event: EVE_DHCP_REQUEST - A DHCPv4 Request or a DHCPv6 Request
message is received
The SAVI device MUST forward the message.
The SAVI device will generate an entry in the BST. The Binding
Anchor field is set to the binding anchor of the attachment from
which the message is received. The State field is set to INIT_BIND.
The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID
field is set to the TID of the message. If the message is DHCPv4
Request, the Address field can be set to the address to request,
i.e., the 'requested IP address'. An example of the entry is
illustrated in Figure 5.
Bi, et al. Standards Track [Page 21]
^L
RFC 7513 SAVI DHCP May 2015
+--------+-------+---------+-----------------------+-----+----------+
| Anchor |Address| State | Lifetime | TID | Timeouts |
+--------+-------+---------+-----------------------+-----+----------+
| Port_1 | |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 |
+--------+-------+---------+-----------------------+-----+----------+
Figure 5: Binding Entry in BST on Initialization Triggered by
Request/Rapid Commit/Reboot Messages
Resulting state: INIT_BIND - A potential binding has been set up.
6.4.1.2. Event: EVE_DHCP_REBOOT - A DHCPv4 Reboot message is received
The SAVI device MUST forward the message.
The SAVI device will generate an entry in the BST. The Binding
Anchor field is set to the binding anchor of the attachment from
which the message is received. The State field is set to INIT_BIND.
The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID
field is set to the TID of the message. If the message is DHCPv4
Reboot, the Address field can be set to the address to request, i.e.,
the 'requested IP address'. An example of the entry is illustrated
in Figure 5.
Resulting state: INIT_BIND - A potential binding has been set up.
6.4.1.3. Event: EVE_DHCP_SOLICIT_RC - A DHCPv6 Solicitation message
with the Rapid Commit option is received
The SAVI device MUST forward the message.
The SAVI device will generate an entry in the BST. The Binding
Anchor field is set to the binding anchor of the attachment from
which the message is received. The State field is set to INIT_BIND.
The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID
field is set to the TID of the message. An example of the entry is
illustrated in Figure 5.
Resulting state: INIT_BIND - A potential binding has been set up.
6.4.1.4. Event: EVE_DHCP_CONFIRM - A DHCPv6 Confirm message is received
The SAVI device MUST forward the message.
The SAVI device will generate corresponding entries in the BST for
each address in each Identity Association (IA) option of the Confirm
message. The Binding Anchor field is set to the binding anchor of
the attachment from which the message is received. The State field
Bi, et al. Standards Track [Page 22]
^L
RFC 7513 SAVI DHCP May 2015
is set to INIT_BIND. The Lifetime field is set to be
MAX_DHCP_RESPONSE_TIME. The TID field is set to the TID of the
message. The Address field is set to the address(es) to confirm. An
example of the entries is illustrated in Figure 6.
+--------+-------+---------+-----------------------+-----+----------+
| Anchor |Address| State | Lifetime | TID | Timeouts |
+--------+-------+---------+-----------------------+-----+----------+
| Port_1 | Addr1 |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 |
+--------+-------+---------+-----------------------+-----+----------+
| Port_1 | Addr2 |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 |
+--------+-------+---------+-----------------------+-----+----------+
Figure 6: Binding Entry in BST on Confirm-Triggered Initialization
Resulting state: INIT_BIND - A potential binding has been set up.
6.4.1.5. Events That Cannot Happen in the NO_BIND State
o EVE_ENTRY_EXPIRE: The lifetime of a binding entry expires
o EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
received
o EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is
received
o EVE_DHCP_REPLY: A DHCPv4 ACK or a DHCPv6 Reply message is received
o EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is
received
o EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is
received
o EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY is
received
These cannot happen because they are each something that happens
AFTER a binding has been created.
Bi, et al. Standards Track [Page 23]
^L
RFC 7513 SAVI DHCP May 2015
6.4.2. Initial State: INIT_BIND
6.4.2.1. Event: EVE_DHCP_REPLY - A DHCPv4 ACK or a DHCPv6 Reply message
is received
The message MUST be forwarded to the corresponding client.
If the message is DHCPv4 ACK, the Address field of the corresponding
entry (i.e., the binding entry whose TID is the same as the message)
is set to the address in the message (i.e., 'yiaddr' in DHCPv4 ACK).
The Lifetime field is set to the sum of the lease time in the ACK
message and MAX_DHCP_RESPONSE_TIME. The State field is changed to
BOUND.
If the message is DHCPv6 Reply, note the following cases:
1. If the status code is not "Success", no modification of
corresponding entries will be made. Corresponding entries will
expire automatically if no "Success" Reply is received during the
lifetime. The entries are not removed immediately because the
client may be able to use the addresses whenever a "Success"
Reply is received ("If the client receives any Reply messages
that do not indicate a NotOnLink status, the client can use the
addresses in the IA and ignore any messages that indicate a
NotOnLink status" [RFC3315]).
2. If the status code is "Success", the SAVI device checks the IA
options in the Reply message.
A. If there are IA options in the Reply message, the SAVI device
checks each IA option. When the first assigned address is
found, the Address field of the binding entry with a matched
TID is set to the address. The Lifetime field is set to the
sum of the lease time in the Reply message and
MAX_DHCP_RESPONSE_TIME. The State field is changed to BOUND.
If there is more than one address assigned in the message,
new binding entries are set up for the remaining address
assigned in the IA options. An example of the entries is
illustrated in Figure 8. SAVI devices do not specially
process IA options with a NoAddrsAvail status because there
should be no address contained in such IA options.
B. Otherwise, the DHCP Reply message is in response to a Confirm
message. The state of the binding entries with a matched TID
is changed to BOUND. Because [RFC3315] does not require the
lease time of addresses to be contained in the Reply message,
the SAVI device SHOULD send a LEASEQUERY [RFC5007] message
querying by IP address to the All_DHCP_Servers multicast
Bi, et al. Standards Track [Page 24]
^L
RFC 7513 SAVI DHCP May 2015
address [RFC3315] or a list of configured DHCP server
addresses. The LEASEQUERY message is generated for each IP
address if multiple addresses are confirmed. The lifetime of
corresponding entries is set to 2*MAX_LEASEQUERY_DELAY. If
there is no response message after MAX_LEASEQUERY_DELAY, send
the LEASEQUERY message again. An example of the entries is
illustrated in Figure 7. If the SAVI device does not send
the LEASEQUERY message, a preconfigured lifetime
DHCP_DEFAULT_LEASE MUST be set on the corresponding entry.
(Note: it is RECOMMENDED to use T1 configured on DHCP servers
as the DHCP_DEFAULT_LEASE.)
Note: the SAVI devices do not check if the assigned addresses are
duplicated because in SAVI-DHCP scenarios, the DHCP servers are the
only source of valid addresses. However, the DHCP servers should be
configured to make sure no duplicated addresses are assigned.
+--------+-------+-------+------------------------+-----+----------+
| Anchor |Address| State | Lifetime | TID | Timeouts |
+--------+-------+-------+------------------------+-----+----------+
| Port_1 | Addr1 | BOUND | 2*MAX_LEASEQUERY_DELAY | TID | 0 |
+--------+-------+-------+------------------------+-----+----------+
| Port_1 | Addr2 | BOUND | 2*MAX_LEASEQUERY_DELAY | TID | 0 |
+--------+-------+-------+------------------------+-----+----------+
Figure 7: From INIT_BIND to BOUND on DHCP Reply in Response to
Confirm
Transition
+--------+-------+-------+------------------------+-----+----------+
| Anchor |Address| State | Lifetime | TID | Timeouts |
+--------+-------+-------+------------------------+-----+----------+
| Port_1 | Addr1 | BOUND |Lease time+ | TID | 0 |
| | | |MAX_DHCP_RESPONSE_TIME | | |
+--------+-------+-------+------------------------+-----+----------+
| Port_1 | Addr2 | BOUND |Lease time+ | TID | 0 |
| | | |MAX_DHCP_RESPONSE_TIME | | |
+--------+-------+-------+------------------------+-----+----------+
Figure 8: From INIT_BIND to BOUND on DHCP Reply in Response to
Request
Resulting state: BOUND - The binding has been set up.
Bi, et al. Standards Track [Page 25]
^L
RFC 7513 SAVI DHCP May 2015
6.4.2.2. Event: EVE_ENTRY_EXPIRE - The lifetime of a binding entry
expires
The entry MUST be deleted from the BST.
Resulting state: An entry that has been deleted from the BST may be
considered to be in the "NO_BIND" state - No binding has been set up.
6.4.2.3. Events That Are Ignored in INIT_BIND
If no DHCP Server-to-Client messages that assign addresses or confirm
addresses are received, corresponding entries will expire
automatically. Thus, other DHCP Server-to-Client messages (e.g.,
DHCPv4 NAK) are not specially processed.
As a result, the following events, should they occur, are ignored
until either a DHCPv4 ACK or a DHCPv6 Reply message is received or
the lifetime of the binding entry expires.
o EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is
received
o EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received
o EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received
o EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
received
o EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is
received
o EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid
Commit option is received
o EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is
received
o EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is
received
o EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY is
received
In each case, the message MUST be forwarded.
Resulting state: INIT_BIND - A potential binding has been set up.
Bi, et al. Standards Track [Page 26]
^L
RFC 7513 SAVI DHCP May 2015
6.4.3. Initial State: BOUND
6.4.3.1. Event: EVE_ENTRY_EXPIRE - The lifetime of a binding entry
expires
The entry MUST be deleted from the BST.
Resulting state: An entry that has been deleted from the BST may be
considered to be in the "NO_BIND" state - No binding has been set up.
6.4.3.2. Event: EVE_DHCP_DECLINE - A DHCPv4 Decline or a DHCPv6 Decline
message is received
The message MUST be forwarded.
First, the SAVI device gets all the addresses ("Requested IP address"
in DHCPv4 Decline, "ciaddr" in DHCPv4 Release, and addresses in all
the IA options of DHCPv6 Decline/Release) to decline/release in the
message. Then, the corresponding entries MUST be removed.
Resulting state in each relevant BST entry: An entry that has been
deleted from the BST may be considered to be in the "NO_BIND" state -
No binding has been set up.
6.4.3.3. Event: EVE_DHCP_RELEASE - A DHCPv4 Release or a DHCPv6 Release
message is received
The message MUST be forwarded.
First, the SAVI device gets all the addresses ("Requested IP address"
in DHCPv4 Decline, "ciaddr" in DHCPv4 Release, and addresses in all
the IA options of DHCPv6 Decline/Release) to decline/release in the
message. Then, the corresponding entries MUST be removed.
Resulting state in each relevant BST entry: An entry that has been
deleted from the BST may be considered to be in the "NO_BIND" state -
No binding has been set up.
6.4.3.4. Event: EVE_DHCP_REBIND - A DHCPv4 Rebind or a DHCPv6 Rebind
message is received
The message MUST be forwarded.
In such a case, a new TID will be used by the client. The TID field
of the corresponding entries MUST be set to the new TID. Note that
the TID check will not be performed on such messages.
Resulting state: BOUND: The binding has been set up.
Bi, et al. Standards Track [Page 27]
^L
RFC 7513 SAVI DHCP May 2015
6.4.3.5. Event: EVE_DHCP_RENEW - A DHCPv4 Renew or a DHCPv6 Renew
message is received
The message MUST be forwarded.
In such a case, a new TID will be used by the client. The TID field
of the corresponding entries MUST be set to the new TID. Note that
the TID check will not be performed on such messages.
Resulting state: BOUND: The binding has been set up.
6.4.3.6. Event: EVE_DHCP_REPLY - A DHCPv4 ACK or a DHCPv6 Reply message
is received
The message MUST be forwarded.
The DHCP Reply messages received in current states should be in
response to DHCP Renew/Rebind.
If the message is DHCPv4 ACK, the SAVI device updates the binding
entry with a matched TID, with the Lifetime field set to be the sum
of the new lease time and MAX_DHCP_RESPONSE_TIME, leaving the entry
in the BOUND state.
If the message is DHCPv6 Reply, the SAVI device checks each IA
Address option in each IA option. For each:
1. If the IA entry in the REPLY message has the status "NoBinding",
there is no address in the option, and no operation on an address
is performed.
2. If the valid lifetime of an IA Address option is 0, the binding
entry with a matched TID and address is removed, leaving it
effectively in the NO_BIND state.
3. Otherwise, set the Lifetime field of the binding entry with the
matched TID and address to be the sum of the new valid lifetime
and MAX_DHCP_RESPONSE_TIME, leaving the entry in the BOUND state.
Resulting state: NO_BIND or BOUND, as specified.
Bi, et al. Standards Track [Page 28]
^L
RFC 7513 SAVI DHCP May 2015
6.4.3.7. Event: EVE_DHCP_LEASEQUERY - A successful DHCPv6
LEASEQUERY_REPLY is received
The message MUST be forwarded.
The message should be in response to the LEASEQUERY message sent in
Section 6.4.2. The related binding entry can be determined based on
the address in the IA Address option in the LEASEQUERY-REPLY message.
The Lifetime field of the corresponding binding entry is set to the
sum of the lease time in the LEASEQUERY-REPLY message and
MAX_DHCP_RESPONSE_TIME.
Resulting state: BOUND: The binding has been set up.
6.4.3.8. Events Not Processed in the State BOUND
The following events are ignored if received while the indicated
entry is in the BOUND state. Any required action will be the result
of the next message in the client/server exchange.
o EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is
received
o EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received
o EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received
o EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid
Commit option is received
Bi, et al. Standards Track [Page 29]
^L
RFC 7513 SAVI DHCP May 2015
6.4.4. Table of State Machine
The main state transits are listed as follows. Note that not all the
details are specified in the table and the diagram.
State Event Action Next State
---------------------------------------------------------------------
NO_BIND RQ/RC/CF/RE Generate entry INIT_BIND
INIT_BIND RPL Record lease time BOUND
(send leasequery if no lease)
INIT_BIND EVE_ENTRY_EXPIRE Remove entry NO_BIND
BOUND RLS/DCL Remove entry NO_BIND
BOUND EVE_ENTRY_EXPIRE Remove entry NO_BIND
BOUND RPL Set new lifetime BOUND
BOUND LQR Record lease time BOUND
Figure 9: State Transition Table
RQ: EVE_DHCP_REQUEST
RC: EVE_DHCP_SOLICIT_RC
CF: EVE_DHCP_CONFIRM
RE: EVE_DHCP_REBOOT
RPL: EVE_DHCP_REPLY
RLS: EVE_DHCP_RELEASE
DCL: EVE_DHCP_DECLINE
LQR: EVE_DHCP_LEASEQUERY
Bi, et al. Standards Track [Page 30]
^L
RFC 7513 SAVI DHCP May 2015
+-------------+
| |
/--------+ NO_BIND |<--------\
| ----->| | |
| | +-------------+ |EVE_DHCP_RELEASE
EVE_DHCP_REQUEST | | |EVE_DHCP_DECLINE
EVE_DHCP_CONFIRM | |EVE_ENTRY_EXPIRE |EVE_ENTRY_EXPIRE
EVE_DHCP_SOLICIT_RC| | |
EVE_DHCP_REBOOT | | |
| | |
| | |
v | |
+-------------+ +------------+
| | EVE_DHCP_REPLY | |
| INIT_BIND --------------------->| BOUND |<-\
| | | | |
+-------------+ +------------+ |
| |
\--------/
EVE_DHCP_REPLY
EVE_DHCP_LEASEQUERY
Figure 10: Diagram of Transit
7. Data Snooping Process
7.1. Scenario
The rationale of the DHCP Snooping Process specified in Section 6 is
that if a DHCP client's use of a DHCP address is legitimate, the
corresponding DHCP address assignment procedure must have been
finished during the attachment of the DHCP client. This is the case
when the SAVI device is continuously on the path(s) from the DHCP
client to the DHCP server(s)/relay(s). However, there are two cases
in which this does not work:
o Multiple paths: there is more than one feasible link-layer path
from the client to the DHCP server/relay, and the SAVI device is
not on every one of them. The client may get its address through
one of the paths that does not pass through the SAVI device, but
packets from the client can travel on paths that pass through the
SAVI device, such as when the path through the link-layer network
changes. Because the SAVI device could not snoop the DHCP packet
exchange procedure, the DHCP Snooping Process cannot set up the
corresponding binding.
Bi, et al. Standards Track [Page 31]
^L
RFC 7513 SAVI DHCP May 2015
o Dynamic path: there is only one feasible link-layer path from the
client to the DHCP server/relay, but the path is dynamic due to
topology change (for example, some link becomes broken due to
failure or some planned change) or link-layer path change. This
situation also covers the local-link movement of clients without
the address confirm/reconfiguration process. For example, a host
changes its attached switch port in a very short time. In such
cases, the DHCP Snooping Process will not set up the corresponding
binding.
The Data Snooping Process can avoid the permanent blocking of
legitimate traffic in case one of these two exceptions occurs. This
process is performed on attachments with the Data-Snooping attribute.
Data packets without a matching binding entry may trigger this
process to set up bindings.
Snooping data traffic introduces a considerable burden on the
processor and ASIC-to-Processor bandwidth of SAVI devices. Because
of the overhead of this process, the implementation of this process
is OPTIONAL. This function SHOULD be enabled unless the
implementation is known to be used in the scenarios without the above
exceptions. For example, if the implementation is to be used in
networks with tree topology and without host local-link movement,
there is no need to implement this process in such scenarios.
This process is not intended to set up a binding whenever a data
packet without a matched binding entry is received. Instead,
unmatched data packets trigger this process probabilistically, and
generally a number of unmatched packets will be discarded before the
binding is set up. The parameter(s) of this probabilistic process
SHOULD be configurable, defaulting to a situation where data snooping
is disabled.
7.2. Rationale
This process makes use of NS/ARP and DHCP Leasequery to set up
bindings. If an address is not used by another client in the
network, and the address has been assigned in the network, the
address can be bound with the binding anchor of the attachment from
which the unmatched packet is received.
The Data Snooping Process provides an alternative path for binding
entries to reach the BOUND state in the exceptional cases explained
in Section 7.1 when there are no DHCP messages that can be snooped by
the SAVI device.
Bi, et al. Standards Track [Page 32]
^L
RFC 7513 SAVI DHCP May 2015
In some of the exceptional cases (especially the dynamic topology
case), by the time the binding has reached the BOUND state, the DHCP
messages may be passing through the SAVI device. In this case, the
events driven by DHCP messages that are expected in the BOUND state
in the DHCP Snooping Process may occur, and the binding can be
handled by the DHCP Snooping Process state machine.
In any event, the lease expiry timeout event will occur even if no
others do. This will cause the binding to be deleted and the state
to logically return to NO_BIND state. Either the DHCP or the Data
Snooping Process will be reinvoked if the lease is still in place.
If DHCP messages are still not passing through the SAVI device, there
will be a brief disconnection during which data packets passing
through the SAVI device will be dropped. The probabilistic
initiation of the Data Snooping Process can then take over again and
return the binding state to BOUND in due course.
The security issues concerning this process are discussed in
Section 11.1.
7.3. Additional Binding States Description
In addition to NO_BIND and BOUND from Section 6.2, three new states
used in this process are listed here. The INIT_BIND state is not
used, as it is entered by observing a DHCP message.
DETECTION: The address in the entry is undergoing local duplication
detection.
RECOVERY: The SAVI device is querying the assignment and lease time
of the address in the entry through DHCP Leasequery.
VERIFY: The SAVI device is verifying that the device connected to the
attachment point has a hardware address that matches the one returned
in the DHCP Leasequery.
Because the mechanisms used for the operations carried out while the
binding is in these three states operate over unreliable protocols,
each operation is carried out twice with a timeout that is triggered
if no response is received.
7.4. Events
To handle the Data Snooping Process, six extra events, described
here, are needed in addition to those used by the DHCP Snooping
Process (see Section 6.3). If an event will trigger the creation of
a new binding entry, the binding entry limit on the binding anchor
MUST NOT be exceeded.
Bi, et al. Standards Track [Page 33]
^L
RFC 7513 SAVI DHCP May 2015
EVE_DATA_UNMATCH: A data packet without a matched binding is
received.
EVE_DATA_CONFLICT: An ARP Reply / Neighbor Advertisement (NA) message
against an address in the DETECTION state is received from a host
other than the one for which the entry was added (i.e., a host
attached at a point other than the one on which the triggering data
packet was received).
EVE_DATA_LEASEQUERY:
o IPv4: A DHCPLEASEACTIVE message with the IP Address Lease Time
option is received. Note that the DHCPLEASEUNKNOWN and
DHCPLEASEUNASSIGNED replies are ignored.
o IPv6: A successful LEASEQUERY-REPLY is received.
EVE_DATA_VERIFY: An ARP Reply / NA message has been received in the
VERIFY state from the device connected to the attachment point on
which the data packet was received.
The triggering packet should pass the following checks to trigger a
valid event:
o Attribute check: the data packet should be from attachments with
the Data-Snooping attribute; the DHCPLEASEACTIVE/LEASEQUERY-REPLY
messages should be from attachments with the DHCP-Snooping
attribute.
o Binding limitation check: the data messages must not cause new
binding setup on an attachment whose binding entry limitation has
been reached (refer to Section 11.5).
o Address check: For EVE_DATA_LEASEQUERY, the source address of the
DHCPLEASEQUERY messages must pass the check specified in
Section 8.2. For EVE_DATA_CONFLICT and EVE_DATA_VERIFY, the
source address and target address of the ARP or NA messages must
pass the check specified in Section 8.2.
o Interval check: the interval between two successive
EVE_DATA_UNMATCH events triggered by an attachment MUST be no
smaller than DATA_SNOOPING_INTERVAL.
o TID check: the DHCPLEASEACTIVE/LEASEQUERY-REPLY messages must have
a matched TID with the corresponding entry.
o Prefix check: the source address of the data packet should be of a
valid local prefix, as specified in Section 7 of [RFC7039].
Bi, et al. Standards Track [Page 34]
^L
RFC 7513 SAVI DHCP May 2015
EVE_DATA_EXPIRE: A timer expires indicating that a response to a
hardware address verification message sent in the VERIFY state has
not been received within the specified DETECTION_TIMEOUT period.
EVE_ENTRY_EXPIRE: A timer expires after the Lifetime indicated in the
relevant BST entry has elapsed. This is identical to the usage in
the DHCP Snooping Process.
7.5. Message Sender Functions
The Data Snooping Process involves sending three different messages
to other network devices. Each message may be sent up to two times
since they are sent over unreliable transports and are sent in
different states. The functions defined in this section specify the
messages to be sent in the three cases. In each case, the message to
be sent depends on whether the triggering data packet is an IPv4 or
an IPv6 packet.
7.5.1. Duplicate Detection Message Sender
Send a message to check if the source address in the data packet that
triggered the Data Snooping Process has a local conflict (that is, it
uses an address that is being used by another node):
IPv4 address: Broadcast an Address Resolution Protocol (ARP) Request
[RFC826] or an ARP Probe [RFC5227] for the address to the local
network. An ARP Response will be expected from the device on
the attachment point on which the triggering data packet was
received. An ARP Reply received on any other port indicates a
duplicate address.
IPv6 address: Send a Duplicate Address Detection (DAD) message
(Neighbor Solicitation message) to the solicited-node multicast
address [RFC4861] targeting the address. Ideally, only the
host on that point of attachment responds with a Neighbor
Advertisement. A Neighbor Advertisement received on any other
port indicates a duplicate address.
As both the ARP and DAD processes are unreliable (the packet either
to or from the other system may be lost in transit; see [RFC6620]),
if there is no response after the DETECTION_TIMEOUT, an
EVE_ENTRY_EXPIRE is generated.
Bi, et al. Standards Track [Page 35]
^L
RFC 7513 SAVI DHCP May 2015
7.5.2. Leasequery Message Sender
Send a DHCPLEASEQUERY message to the DHCP server(s) to determine if
it has given out a lease for the source address in the triggering
data packet. A list of authorized DHCP servers is kept by the SAVI
device. The list should be either preconfigured with the IPv4 and/or
IPv6 addresses or dynamically discovered: For networks using IPv4,
this can be done by sending DHCPv4 Discover messages and parsing the
returned DHCPv4 Offer messages; for networks using IPv6, discovery
can be done by sending DHCPv6 SOLICIT messages and parsing the
returned ADVERTISE messages. The same TID should be used for all
LEASEQUERY messages sent in response to a triggering data message on
an attachment point. The TID is generated if the TID field in the
BST entry is empty and recorded in the TID field of the BST entry
when the first message is sent. Subsequent messages use the TID from
the BST entry.
(1) IPv4 address: Send a DHCPLEASEQUERY [RFC4388] message querying
by IP address to each DHCPv4 server in the list of authorized
servers with an IP Address Lease Time option (option 51). If
the server has a valid lease for the address, the requested
information will be returned in a DHCPLEASEACTIVE message.
(2) IPv6 address: Send a LEASEQUERY [RFC5007] message querying by IP
address to each DHCPv6 server in the list of authorized servers
using the server address as the link-address in the LEASEQUERY
message. If the server has a valid lease for the address, the
requested information will be returned in a LEASEQUERY-REPLY
message marked as successful (i.e., without an
OPTION_STATUS_CODE in the reply). The IA Address option(s)
returned contains any IPv6 addresses bound to the same link
together with the lease validity time.
As DHCP Leasequeries are an unreliable process (the packet either to
or from the server may be lost in transit), if there is no response
after the MAX_LEASEQUERY_DELAY, an EVE_DATA_EXPIRE is generated.
Note that multiple response messages may be received if the list of
authorized servers contains more than one address of the appropriate
type and, in the case of DHCPv6, the responses may contain additional
addresses for which leases have been allocated.
7.5.3. Address Verification Message Sender
Send a message to verify that the link-layer address in the attached
device that sent the triggering data packet matches the link-layer
address contained in the leasequery response:
Bi, et al. Standards Track [Page 36]
^L
RFC 7513 SAVI DHCP May 2015
IPv4 address: Send an ARP Request with the Target Protocol Address
set to the IP address in the BST entry. The ARP Request is
only sent to the attachment that triggered the binding. If the
attached device has the IP address bound to the interface
attached to the SAVI device, an ARP Reply should be received
containing the hardware address of the interface on the
attached device that can be compared with the leasequery value.
IPv6 address: Send a Neighbor Solicitation (NS) message with the
target address set to the IP address in the BST entry. The NS
is only sent to the attachment that triggered the binding. If
the attached device has the IP address bound to the interface
attached to the SAVI device, an NA should be received
indicating that the attached device has the IP address
configured on the interface.
As both the ARP and NS/NA processes are unreliable (the packet either
to or from the other system may be lost in transit; see [RFC6620]),
if there is no response after the DETECTION_TIMEOUT, an
EVE_DATA_EXPIRE is generated.
7.6. Initial State: NO_BIND
7.6.1. Event: EVE_DATA_UNMATCH: A data packet without a matched binding
is received
Make a probabilistic determination as to whether to act on this
event. The probability may be configured or calculated based on the
state of the SAVI device. This probability should be low enough to
mitigate the damage from DoS attacks against this process.
Create a new entry in the BST. Set the Binding Anchor field to the
corresponding binding anchor of the attachment. Set the Address
field to the source address of the packet.
Address conflicts MUST be detected and prevented.
If local address detection is performed:
Set the State field to DETECTION. Set the Lifetime of the
created entry to DETECTION_TIMEOUT. Set the Timeouts field to
0. Start the detection of any local address conflicts by
sending a Duplicate Address Detection Message (Section 7.5.1).
Transition to DETECTION state.
Bi, et al. Standards Track [Page 37]
^L
RFC 7513 SAVI DHCP May 2015
If local address detection is not performed:
Set the State field to RECOVERY. Set the Lifetime of the
created entry to LEASEQUERY_DELAY. Set the Timeouts field to
0. Start the recovery of any DHCP lease associated with the
source IP address by sending one or more LEASEQUERY messages
(Section 7.5.2). Transition to RECOVERY state.
The packet that triggers this event SHOULD be discarded.
An example of the BST entry during duplicate address detection is
illustrated in Figure 11.
+--------+-------+---------+-----------------------+-----+----------+
| Anchor |Address| State | Lifetime | TID | Timeouts |
+--------+-------+---------+-----------------------+-----+----------+
| Port_1 | Addr1 |DETECTION| DETECTION_TIMEOUT | | 0 |
+--------+-------+---------+-----------------------+-----+----------+
Figure 11: Binding Entry in BST on Data-Triggered Initialization
Resulting state: DETECTION - The address in the entry is undergoing
local duplication detection - or RECOVERY - The DHCP lease(s)
associated with the address is being queried.
7.6.2. Events Not Observed in NO_BIND for Data Snooping
EVE_DATA_CONFLICT: An ARP Reply / NA message is received from an
unexpected system.
EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or LEASEQUERY-REPLY is
received.
EVE_DATA_VERIFY: A valid ARP Reply or NA message is received from the
attached device.
All EVE_DHCP_* events defined in Section 6.3.2 are treated as
described in the DHCP Snooping Process (Section 6.4.1) and may result
in that process being triggered.
EVE_ENTRY_EXPIRE: Expiration of the DECTECTION_TIMEOUT
EVE_DATA_EXPIRE: Expiration of the DECTECTION_TIMEOUT
Bi, et al. Standards Track [Page 38]
^L
RFC 7513 SAVI DHCP May 2015
7.7. Initial State: DETECTION
7.7.1. Event: EVE_ENTRY_EXPIRE
When this event occurs, no address conflict has been detected during
the previous DETECTION_TIMEOUT period.
If the Timeouts field in the BST entry is 0:
Set the Lifetime of the BST entry to DETECTION_TIMEOUT. Set
the Timeouts field to 1. Restart the detection of any local
address conflicts by sending a second Duplicate Address
Detection Message (Section 7.5.1). Remain in DETECTION state.
If the Timeouts field in the BST entry is 1:
Assume that there is no local address conflict. Set the State
field to RECOVERY. Set the Lifetime of the BST entry to
LEASEQUERY_DELAY. Set the Timeouts field to 0. Start the
recovery of any DHCP lease associated with the source IP
address by sending one or more LEASEQUERY messages
(Section 7.5.2). Transition to RECOVERY state.
An example of the entry is illustrated in Figure 12.
+--------+-------+----------+----------------------+-----+----------+
| Anchor |Address| State | Lifetime | TID | Timeouts |
+--------+-------+----------+----------------------+-----+----------+
| Port_1 | Addr1 | RECOVERY | MAX_LEASEQUERY_DELAY | TID | 0 |
+--------+-------+----------+----------------------+-----+----------+
Figure 12: Binding Entry in BST on Leasequery
Resulting state: DETECTION - If a second local conflict period is
required - or RECOVERY - The SAVI device is querying the assignment
and lease time of the address in the entry through DHCP Leasequery.
7.7.2. Event: EVE_DATA_CONFLICT: ARP Reply / NA Message Received from
Unexpected System
Remove the entry.
Resulting state: NO_BIND - No binding has been set up.
7.7.3. Events Not Observed in DETECTION
EVE_DATA_UNMATCH: A data packet without a matched binding is received
All EVE_DHCP_* events defined in Section 6.3.2
Bi, et al. Standards Track [Page 39]
^L
RFC 7513 SAVI DHCP May 2015
EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is
received
7.8. Initial State: RECOVERY
7.8.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or
successful LEASEQUERY-REPLY is received
Set the State in the BST entry to VERIFY. Depending on the type of
triggering source IP address, process the received DHCP Leasequery
response:
IPv4 address: Update the Lifetime field in the BST entry to the sum
of the value encoded in the IP Address Lease Time option of the
DHCPLEASEACTIVE message and MAX_DHCP_RESPONSE_TIME. Record the
value of the "chaddr" field (hardware address) in the message
for checking against the hardware address received during
verification in the next state. Set the Timeouts field to 0.
Start the verification process by sending an Address
Verification Message (see Section 7.5.3). Transition to VERIFY
state. Start an additional verification timer with a duration
of DETECTION_TIMEOUT. When this expires, an EVE_DATA_EXPIRE
event will be generated.
IPv6 address: Update the Lifetime field in the BST entry to the sum
of the valid lifetime extracted from the OPTION_CLIENT_DATA
option in the LEASEQUERY-REPLY message and
MAX_DHCP_RESPONSE_TIME. Set the Timeouts field to 0. Start
the verification process by sending an Address Verification
Message (see Section 7.5.3). Transition to VERIFY state.
Start an additional verification timer with a duration of
DETECTION_TIMEOUT. When this expires, an EVE_DATA_EXPIRE event
will be generated.
If multiple addresses are received in the LEASEQUERY-REPLY, new
BST entries MUST be created for the additional addresses using
the same binding anchor. The entries are created with state
set to VERIFY and the other fields set as described in this
section for the triggering source IP address. Also, start the
verification process and start verification timers for each
additional address.
Resulting state: VERIFY - Awaiting verification or otherwise of the
association of the IP address with the connected interface.
Bi, et al. Standards Track [Page 40]
^L
RFC 7513 SAVI DHCP May 2015
7.8.2. Event: EVE_ENTRY_EXPIRE
Depending on the value of the Timeouts field in the BST entry, either
send repeat LEASEQUERY messages or discard the binding:
If the Timeouts field in the BST entry is 0:
No responses to the LEASEQUERY message(s) sent have been
received during the first LEASEQUERY_DELAY period. Set the
Lifetime of the BST entry to LEASEQUERY_DELAY. Set the
Timeouts field to 1. Restart the recovery of any DHCP lease
associated with the source IP address by sending one or more
LEASEQUERY messages (Section 7.5.2). Remain in RECOVERY state.
If the Timeouts field in the BST entry is 1:
No responses to the LEASEQUERY messages sent during two
LEASEQUERY_DELAY periods were received. Assume that no leases
exist and hence that the source IP address is bogus. Delete
the BST entry. Transition to NO_BIND state.
Resulting state: RECOVERY - If repeat leasequeries are sent - or
NO_BIND - If no successful responses to LEASEQUERY messages have been
received.
7.8.3. Events Not Observed in RECOVERY
EVE_DATA_UNMATCH: A data packet without a matched binding is received
EVE_DATA_CONFLICT: An ARP Reply / NA message is received from an
unexpected system
EVE_DATA_VERIFY: A valid ARP Reply or NA message is received from the
attached device
All EVE_DHCP_* events defined in Section 6.3.2
EVE_DATA_EXPIRE: Expiration of the DECTECTION_TIMEOUT
7.9. Initial State: VERIFY
7.9.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or
successful LEASEQUERY-REPLY is received
If LEASEQUERY messages were sent to more than one DHCP server during
RECOVERY state, additional successful leasequery responses may be
received relating to the source IP address. The conflict resolution
mechanisms specified in Section 6.8 of [RFC4388] and Section 4.3.4 of
[RFC5007] can be used to determine the message from which values are
used to update the BST Lifetime entry and the hardware address
Bi, et al. Standards Track [Page 41]
^L
RFC 7513 SAVI DHCP May 2015
obtained from DHCP, as described in Section 7.8.1. In the case of
DHCPv6 queries, the LEASEQUERY-REPLY may contain additional addresses
as described in Section 7.8.1. If so, additional BST entries MUST be
created or ones previously created updated as described in that
section.
Resulting state: VERIFY (no change).
7.9.2. Event: EVE_DATA_VERIFY: A valid ARP Reply or NA is received from
the device attached via the binding anchor
Depending on the type of triggering source IP address, this event may
indicate that the device attached via the binding anchor in the BST
entry is configured by DHCP using the IP address:
IPv4 address: Check that the value of the sender hardware address in
the ARP Reply matches the saved "chaddr" field (hardware
address) from the previously received DHCPLEASEACTIVE message.
If not, ignore this event; a subsequent retry may provide
verification. If the hardware addresses match, the binding
entry has been verified.
IPv6 address: Simple receipt of a valid NA from the triggering
source IP address at the binding anchor port provides
verification for the binding entry.
If the binding entry has been verified, set the state in the BST
entry to BOUND. Clear the TID field. Cancel the verification timer.
Resulting state: VERIFY (no change) - If the IPv4 DHCPLEASEQUERY
"chaddr" address does not match the ARP Reply hardware address.
Otherwise, the resulting state is BOUND.
7.9.3. Event: EVE_ENTRY_EXPIRE
The DHCP lease lifetime has expired before the entry could be
verified. Remove the entry. Transition to NO_BIND state.
Resulting state: NO_BIND - No binding has been set up.
Bi, et al. Standards Track [Page 42]
^L
RFC 7513 SAVI DHCP May 2015
7.9.4. Event: EVE_DATA_EXPIRE
Depending on the value of the Timeouts field in the BST entry, either
send a repeat validation message or discard the binding:
If the Timeouts field in the BST entry is 0:
No response to the verification message sent has been received
during the first DETECTION_TIMEOUT period. Set the Timeouts
field to 1. Restart the verification process by sending an
Address Verification Message (see Section 7.5.3). Start a
verification timer with a duration of DETECTION_TIMEOUT. When
this expires, an EVE_DATA_EXPIRE event will be generated.
Remain in VERIFY state.
If the Timeouts field in the BST entry is 1:
No responses to the verification messages sent during two
DETECTION_TIMEOUT periods were received. Assume that the
configuration of the triggering source IP address cannot be
verified and hence that the source IP address is bogus. Delete
the BST entry. Transition to NO_BIND state.
Resulting state: VERIFY - Additional verification message sent - or
NO_BIND - No binding has been set up.
7.9.5. Events Not Observed in VERIFY
EVE_DATA_UNMATCH: A data packet without a matched binding is received
EVE_DATA_CONFLICT: An ARP Reply / NA message is received from an
unexpected system
All EVE_DHCP_* events defined in Section 6.3.2
7.10. Initial State: BOUND
Upon entry to the BOUND state, control of the system continues as if
a DHCP message assigning the address has been observed, as in
Section 6.4.3. The BST entry has been restored.
Note that the TID field contains no value after the binding state
changes to BOUND. The TID field is recovered from snooping DHCP
Renew/Rebind messages if these are observed as described in the DHCP
Snooping Process. Because TID is used to associate binding entries
with messages from DHCP servers, it must be recovered or else a
number of state transitions of this mechanism will not be executed
normally.
Bi, et al. Standards Track [Page 43]
^L
RFC 7513 SAVI DHCP May 2015
7.11. Table of State Machine
The main state transitions are listed as follows.
State Event Action Next State
---------------------------------------------------------------------
NO_BIND EVE_DATA_UNMATCH Start duplicate detect DETECTION
DETECTION EVE_ENTRY_EXPIRE 1 Repeat duplicate detect DETECTION
DETECTION EVE_ENTRY_EXPIRE 2 Start leasequery RECOVERY
DETECTION EVE_DATA_CONFLICT Remove entry NO_BIND
RECOVERY EVE_ENTRY_EXPIRE 1 Repeat leasequery RECOVERY
RECOVERY EVE_ENTRY_EXPIRE 2 No lease found; remove entry NO_BIND
RECOVERY EVE_DATA_LEASEQUERY Set lease time; start verify VERIFY
VERIFY EVE_ENTRY_EXPIRE Lease expiry; remove entry NO_BIND
VERIFY EVE_DATA_LEASEQUERY Resolve lease conflict(s) VERIFY
VERIFY EVE_DATA_VERIFY Finish validation BOUND or NO_BIND
VERIFY EVE_DATA_EXPIRE 1 Repeat verify VERIFY
VERIFY EVE_DATA_EXPIRE 2 Verify failed; remove entry NO_BIND
BOUND EVE_ENTRY_EXPIRE Lease expiry; remove entry NO_BIND
BOUND RENEW/REBIND Record TID BOUND
Figure 13: State Transition Table
Bi, et al. Standards Track [Page 44]
^L
RFC 7513 SAVI DHCP May 2015
+-------------+ EVE_ENTRY_EXPIRE
/---------+ |<------------------------\
| | NO_BIND | EVE_DATA_EXPIRE |
EVE_DATA_UNMATCH | /----->| |<----\ (2nd VRF_DELAY) |
| | +-------------+ | |
| | EVE_ENTRY_EXPIRE | |
| | (2nd LQ_DELAY) | |
EVE_ENTRY_EXPIRE | | | EVE_ENTRY_EXPIRE |
(1st DAD_DELAY) | | | (1st LQ_DELAY) |
/------\ | | | /--------\ |
| | | | EVE_DATA_CONFLICT \---\ | | |
| v v | | v | |
| +-------------+ EVE_ENTRY_EXPIRE +------------+ | |
| | | (2nd DAD_DELAY) | | | |
\----+ DETECTION ------------------------>| RECOVERY +--/ |
| | | | |
+-------------+ (To NO_BIND) +------------+ |
^ | |
| EVE_DATA_LEASEQUERY | |
/----------\ | | |
| | | EVE_ENTRY_EXPIRE | |
EVE_DHCP_RENEW| v | v |
EVE_DHCP_REBIND| +-------------+ +-------------+ |
| | | | +--/
\----+ BOUND |<---------------+ VERIFY |
| | EVE_DATA_VERIFY| |<-\
+-------------+ +-------------+ |
| |
\----------/
EVE_DATA_LEASEQUERY
EVE_DATA_EXPIRE
(1st VRF_DELAY)
Figure 14: Diagram of Transit
LQ_DELAY: MAX_LEASEQUERY_DELAY
VRF_DELAY: DETECTION_TIMEOUT
8. Filtering Specification
This section specifies how to use bindings to filter out packets with
spoofed source addresses.
Filtering policies are different for data packets and control
packets. DHCP, ARP, and Neighbor Discovery Protocol (NDP) [RFC4861]
messages are classified as control packets. All other packets are
classified as data packets.
Bi, et al. Standards Track [Page 45]
^L
RFC 7513 SAVI DHCP May 2015
8.1. Data Packet Filtering
Data packets from attachments with the Validating attribute TRUE MUST
have their source addresses validated. There is one exception to
this rule.
A packet whose source IP address is a link-local address cannot be
checked against DHCP assignments, as it is not assigned using DHCP.
Note: as explained in Section 1, a SAVI solution for link-local
addresses, e.g., FCFS SAVI [RFC6620], can be enabled to check packets
with a link-local source address.
If the source IP address of a packet is not a link-local address, but
there is not a matching entry in the BST with BOUND state, this
packet MUST be discarded. However, the packet may trigger the Data
Snooping Process (Section 7) if the Data-Snooping attribute is set on
the attachment.
Data packets from an attachment with the Validating attribute set
FALSE will be forwarded without having their source addresses
validated.
The SAVI device MAY log packets that fail source address validation.
8.2. Control Packet Filtering
For attachments with the Validating attribute:
DHCPv4 Client-to-Server messages in which the source IP address is
neither all zeros nor bound with the corresponding binding anchor in
the BST MUST be discarded.
DHCPv6 Client-to-Server messages in which the source IP address is
neither a link-local address nor bound with the corresponding binding
anchor in the BST MUST be discarded.
NDP messages in which the source IP address is neither a link-local
address nor bound with the corresponding binding anchor MUST be
discarded.
NA messages in which the target address is neither a link-local
address nor bound with the corresponding binding anchor MUST be
discarded.
ARP messages in which the protocol is IP and the sender protocol
address is neither all zeros nor bound with the corresponding binding
anchor MUST be discarded.
Bi, et al. Standards Track [Page 46]
^L
RFC 7513 SAVI DHCP May 2015
ARP Reply messages in which the target protocol address is not bound
with the corresponding binding anchor MUST be discarded.
For attachments with other attributes:
DHCP Server-to-Client messages not from attachments with the DHCP-
Trust attribute or Trust attribute MUST be discarded.
For attachments with no attribute:
DHCP Server-to-Client messages from such attachments MUST be
discarded.
The SAVI device MAY record any messages that are discarded.
9. State Restoration
If a SAVI device reboots, the information kept in volatile memory
will be lost. This section specifies the restoration of attribute
configuration and the BST.
9.1. Attribute Configuration Restoration
The loss of attribute configuration will not break the network: no
action will be performed on traffic from attachments with no
attribute. However, the loss of attribute configuration makes this
SAVI function unable to work.
To avoid the loss of binding anchor attribute configuration, the
configuration MUST be able to be stored in non-volatile storage.
After the reboot of the SAVI device, if the configuration of binding
anchor attributes is found in non-volatile storage, the configuration
MUST be used.
9.2. Binding State Restoration
The loss of binding state will cause the SAVI devices to discard
legitimate traffic. Simply using the Data Snooping Process to
recover a large number of bindings is a heavy overhead and may cause
considerable delay. Thus, recovering bindings from non-volatile
storage, as specified below, is RECOMMENDED.
Binding entries MAY be saved into non-volatile storage whenever a new
binding entry changes to BOUND state. If a binding with BOUND state
is removed, the saved entry MUST be removed correspondingly. The
time when each binding entry is established is also saved.
Bi, et al. Standards Track [Page 47]
^L
RFC 7513 SAVI DHCP May 2015
If the BST is stored in non-volatile storage, the SAVI device SHOULD
restore binding state from the non-volatile storage immediately after
reboot. Using the time when each binding entry was saved, the SAVI
device should check whether the entry has become obsolete by
comparing the saved lifetime and the difference between the current
time and time when the binding entry was established. Obsolete
entries that would have expired before the reboot MUST be removed.
10. Constants
The following constants are recommended for use in this context:
o MAX_DHCP_RESPONSE_TIME (120s): Maximum Solicit timeout value
(SOL_MAX_RT from [RFC3315])
o MAX_LEASEQUERY_DELAY (10s): Maximum LEASEQUERY timeout value
(LQ_MAX_RT from [RFC5007])
o DETECTION_TIMEOUT (0.5s): Maximum duration of a hardware address
verification step in the VERIFY state (TENT_LT from [RFC6620])
o DATA_SNOOPING_INTERVAL: Minimum interval between two successive
EVE_DATA_UNMATCH events triggered by an attachment.
Recommended interval: 60s and configurable
o OFFLINK_DELAY: Period after a client is last detected before the
binding anchor is being removed. Recommended delay: 30s
11. Security Considerations
11.1. Security Problems with the Data Snooping Process
There are two security problems with the Data Snooping Process
(Section 7):
(1) The Data Snooping Process is costly, but an attacker can trigger
it simply through sending a number of data packets. To avoid
Denial-of-Service attacks against the SAVI device itself, the
Data Snooping Process MUST be rate limited. A constant
DATA_SNOOPING_INTERVAL is used to control the frequency. Two
Data Snooping Processes on one attachment MUST be separated by a
minimum interval time of DATA_SNOOPING_INTERVAL. If this value
is changed, the value needs to be large enough to minimize DoS
attacks.
(2) The Data Snooping Process may set up incorrect bindings if the
clients do not reply to the detection probes (Section 7.6.1).
An attack will pass the duplicate detection if the client
Bi, et al. Standards Track [Page 48]
^L
RFC 7513 SAVI DHCP May 2015
assigned the target address does not reply to the detection
probes. The DHCP Leasequery procedure performed by the SAVI
device just tells whether or not the address is assigned in the
network. However, the SAVI device cannot determine whether the
address is just assigned to the triggering attachment from the
DHCPLEASEQUERY Reply.
11.2. Securing Leasequery Operations
In [RFC4388] and [RFC5007], the specific case of DHCP Leasequeries
originated by "access concentrators" is addressed extensively. SAVI
devices are very similar to access concentrators in that they snoop
on DHCP traffic and seek to validate source addresses based on the
results. Accordingly, the recommendations for securing leasequery
operations for access concentrators in Section 7 of [RFC4388] and
Section 5 of [RFC5007] MUST be followed when leasequeries are made
from SAVI devices. [RFC5007] RECOMMENDS that communications between
the querier and the DHCP server are protected with IPsec. It is
pointed out that there are relatively few devices involved in a given
administrative domain (SAVI devices, DHCP relays, and DHCP servers)
so that manual configuration of keying material would not be overly
burdensome.
11.3. Client Departure Issues
After a binding is set up, the corresponding client may leave its
attachment point. It may depart temporarily due to signal fade or
permanently by moving to a new attachment point or leaving the
network. In the signal fade case, since the client may return
shortly, the binding should be kept momentarily, lest legitimate
traffic from the client be blocked. However, if the client leaves
permanently, keeping the binding can be a security issue. If the
binding anchor is a property of the attachment point rather than the
client, e.g., the switch port but not incorporating the MAC address,
an attacker using the same binding anchor can send packets using IP
addresses assigned to the client. Even if the binding anchor is a
property of the client, retaining binding state for a departed client
for a long time is a waste of resources.
Whenever a direct client departs from the network, a link-down event
associated with the binding anchor will be triggered. SAVI-DHCP
monitors such events and performs the following mechanism.
(1) Whenever a client with the Validating attribute leaves, a timer
of duration OFFLINK_DELAY is set on the corresponding binding
entries.
Bi, et al. Standards Track [Page 49]
^L
RFC 7513 SAVI DHCP May 2015
(2) If a DAD Neighbor Solicitation / Gratuitous ARP request is
received that targets the address during OFFLINK_DELAY, the
entry MAY be removed.
(3) If the client returns on-link during OFFLINK_DELAY, cancel the
timer.
In this way, the bindings of a departing client are kept for
OFFLINK_DELAY. In cases of link flapping, the client will not be
blocked. If the client leaves permanently, the bindings will be
removed after OFFLINK_DELAY.
SAVI-DHCP does not handle the departure of indirect clients because
it will not be notified of such events. Switches supporting indirect
attachment (e.g., through a separate non-SAVI switch) SHOULD use
information specific to the client such as its MAC address as part of
the binding anchor.
11.4. Compatibility with Detecting Network Attachment (DNA)
DNA [RFC4436] [RFC6059] is designed to decrease the handover latency
after reattachment to the same network. DNA mainly relies on
performing a reachability test by sending unicast Neighbor
Solicitation / Router Solicitation / ARP Request messages to
determine whether a previously configured address is still valid.
Although DNA provides optimization for clients, there is insufficient
information for this mechanism to migrate the previous binding or
establish a new binding. If a binding is set up only by snooping the
reachability test message, the binding may be invalid. For example,
an attacker can perform the reachability test with an address bound
to another client. If a binding is migrated to the attacker, the
attacker can successfully obtain the binding from the victim.
Because this mechanism wouldn't set up a binding based on snooping
the DNA procedure, it cannot achieve perfect compatibility with DNA.
However, it only means the reconfiguration of the interface is slowed
but not prevented. Details are discussed as follows.
In Simple DNAv6 [RFC6059], the probe is sent with the source address
set to a link-local address, and such messages will not be discarded
by the policy specified in Section 8.2. If a client is reattached to
a previous network, the detection will be completed, and the address
will be regarded as valid by the client. However, the candidate
address is not contained in the probe. Thus, the binding cannot be
recovered through snooping the probe. As the client will perform
DHCP exchange at the same time, the binding will be recovered from
the DHCP Snooping Process. The DHCP Request messages will not be
filtered out in this case because they have link-local source
Bi, et al. Standards Track [Page 50]
^L
RFC 7513 SAVI DHCP May 2015
addresses. Before the DHCP procedure is completed, packets will be
filtered out by the SAVI device. In other words, if this SAVI
function is enabled, Simple DNAv6 will not help reduce the handover
latency. If the Data-Snooping attribute is configured on the new
attachment of the client, the data-triggered procedure may reduce
latency.
In DNAv4 [RFC4436], the ARP Probe will be discarded because an
unbound address is used as the sender protocol address. As a result,
the client will regard the address under detection as valid.
However, the data traffic will be filtered. The DHCP Request message
sent by the client will not be discarded because the source IP
address field should be all zeros as required by [RFC2131]. Thus, if
the address is still valid, the binding will be recovered from the
DHCP Snooping Process.
11.5. Binding Number Limitation
A binding entry will consume certain high-speed memory resources. In
general, a SAVI device can afford only a quite limited number of
binding entries. In order to prevent an attacker from overloading
the resources of the SAVI device, a binding entry limit is set on
each attachment. The binding entry limit is the maximum number of
bindings supported on each attachment with the Validating attribute.
No new binding should be set up after the limit has been reached. If
a DHCP Reply assigns more addresses than the remaining binding entry
quota of each client, the message will be discarded and no binding
will be set up.
11.6. Privacy Considerations
A SAVI device MUST delete binding anchor information as soon as
possible (i.e., as soon as the state for a given address is back to
NO_BIND), except where there is an identified reason why that
information is likely to be involved in the detection, prevention, or
tracing of actual source-address spoofing. Information about hosts
that never spoof (probably the majority of hosts) SHOULD NOT be
logged.
11.7. Fragmented DHCP Messages
This specification does not preclude reassembly of fragmented DHCP
messages, but it also does not require it. If DHCP fragmentation
proves to be an issue, the issue will need to be specified and
addressed. (This topic is beyond the scope of this document.)
Bi, et al. Standards Track [Page 51]
^L
RFC 7513 SAVI DHCP May 2015
12. References
12.1. Normative References
[RFC826] Plummer, D., "Ethernet Address Resolution Protocol: Or
Converting Network Protocol Addresses to 48.bit Ethernet
Address for Transmission on Ethernet Hardware", STD 37,
RFC 826, DOI 10.17487/RFC0826, November 1982,
<http://www.rfc-editor.org/info/rfc826>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, DOI 10.17487/RFC2131, March 1997,
<http://www.rfc-editor.org/info/rfc2131>.
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
2003, <http://www.rfc-editor.org/info/rfc3315>.
[RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
Protocol (DHCP) Leasequery", RFC 4388,
DOI 10.17487/RFC4388, February 2006,
<http://www.rfc-editor.org/info/rfc4388>.
[RFC4436] Aboba, B., Carlson, J., and S. Cheshire, "Detecting
Network Attachment in IPv4 (DNAv4)", RFC 4436,
DOI 10.17487/RFC4436, March 2006,
<http://www.rfc-editor.org/info/rfc4436>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007,
<http://www.rfc-editor.org/info/rfc4861>.
[RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng,
"DHCPv6 Leasequery", RFC 5007, DOI 10.17487/RFC5007,
September 2007, <http://www.rfc-editor.org/info/rfc5007>.
[RFC5227] Cheshire, S., "IPv4 Address Conflict Detection", RFC 5227,
DOI 10.17487/RFC5227, July 2008,
<http://www.rfc-editor.org/info/rfc5227>.
Bi, et al. Standards Track [Page 52]
^L
RFC 7513 SAVI DHCP May 2015
[RFC6059] Krishnan, S. and G. Daley, "Simple Procedures for
Detecting Network Attachment in IPv6", RFC 6059,
DOI 10.17487/RFC6059, November 2010,
<http://www.rfc-editor.org/info/rfc6059>.
[RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
SAVI: First-Come, First-Served Source Address Validation
Improvement for Locally Assigned IPv6 Addresses",
RFC 6620, DOI 10.17487/RFC6620, May 2012,
<http://www.rfc-editor.org/info/rfc6620>.
12.2. Informative References
[DHCPv6-SHIELD]
Gont, F., Liu, W., and G. Van de Velde, "DHCPv6-Shield:
Protecting Against Rogue DHCPv6 Servers", Work in
Progress, draft-ietf-opsec-dhcpv6-shield-07, May 2015.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <http://www.rfc-editor.org/info/rfc2827>.
[RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
(DHCP) Service for IPv6", RFC 3736, DOI 10.17487/RFC3736,
April 2004, <http://www.rfc-editor.org/info/rfc3736>.
[RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
"Source Address Validation Improvement (SAVI) Framework",
RFC 7039, DOI 10.17487/RFC7039, October 2013,
<http://www.rfc-editor.org/info/rfc7039>.
[RFC7341] Sun, Q., Cui, Y., Siodelski, M., Krishnan, S., and I.
Farrer, "DHCPv4-over-DHCPv6 (DHCP 4o6) Transport",
RFC 7341, DOI 10.17487/RFC7341, August 2014,
<http://www.rfc-editor.org/info/rfc7341>.
Bi, et al. Standards Track [Page 53]
^L
RFC 7513 SAVI DHCP May 2015
Acknowledgments
Special thanks to Jean-Michel Combes, Christian Vogt, Joel M.
Halpern, Eric Levy-Abegnoli, Marcelo Bagnulo Braun, Jari Arkko, Elwyn
Davies, Barry Leiba, Ted Lemon, Leaf Yeh, Ralph Droms, and Alberto
Garcia for careful review and evaluation comments on the mechanism
and text.
Thanks to Mark Williams, Erik Nordmark, Mikael Abrahamsson, David
Harrington, Pekka Savola, Xing Li, Lixia Zhang, Bingyang Liu, Duanqi
Zhou, Robert Raszuk, Greg Daley, John Kaippallimalil, and Tao Lin for
their valuable contributions.
Authors' Addresses
Jun Bi
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: junbi@tsinghua.edu.cn
Jianping Wu
Dept. of Computer Science, Tsinghua University
Beijing 100084
China
EMail: jianping@cernet.edu.cn
Guang Yao
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: yaoguang@cernet.edu.cn
Fred Baker
Cisco Systems
Santa Barbara, CA 93117
United States
EMail: fred@cisco.com
Bi, et al. Standards Track [Page 54]
^L
|