One document matched: draft-ietf-savi-mix-01.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc compact="yes"?>
<?rfc toc="yes"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<rfc ipr="trust200902" category="std" docName="draft-ietf-savi-mix-01">

<front>
  <title abbrev="SAVI mix">
        SAVI for Mixed Address Assignment Methods Scenario
  </title>

<author fullname="Jun Bi" initials="J" surname="Bi">
  <organization>CERNET</organization>
    <address>
      <postal>
        <street>Network Research Center, Tsinghua University</street>
        <city>Beijing 100084</city>
        <country>China</country>
      </postal>
      <email>junbi@cernet.edu.cn</email>
    </address>
</author>

<author fullname="Guang Yao" initials="G" surname="Yao" >
  <organization>Tsinghua University</organization>
    <address>
      <postal>
        <street>Network Research Center, Tsinghua University</street>
        <city>Beijing 100084</city>
        <country>China</country>
      </postal>
      <email>yaoguang.china@gmail.com</email>
    </address>
</author>

<author fullname="Joel M. Halpern" initials="J" surname="Halpern" >
  <organization>Newbridge Networks Inc</organization>
    <address>
      <email>jmh@joelhalpern.com</email>
    </address>
</author>

<author fullname="Eric Levy-Abegnoli" role="editor" initials="E.L.A."
 surname="Levy-Abegnoli">
    <organization> Cisco Systems</organization>
    <address>
      <postal>
        <street>Village d'Entreprises Green Side -
	  400, Avenue Roumanille </street>
        <city>Biot-Sophia Antipolis - 06410</city>
        <country>France</country>
      </postal>
      <email>elevyabe@cisco.com</email>
    </address>
</author>

 <date/>

<abstract>
<t>This document reviews how multiple address discovery methods can coexist in a single SAVI device and collisions are
resolved when the same binding entry is discovered by two or more methods.</t>
</abstract>
</front>

<middle>

<section anchor="intro" title="Introduction">
<t>
There are currently several documents <xref target="I-D.ietf-savi-fcfs"/>, <xref target="I-D.ietf-savi-dhcp"/> and <xref target="I-D.ietf-savi-send"/>
that describe the different methods by which a switch can discover and record bindings between a node's layer3 address and a binding anchor and use
that binding to perform Source Address Validation. Each of these documents specifies how to learn on-link addresses, based on the method used for their assignment, respectively:
StateLess Autoconfiguration (SLAAC), Dynamic Host Control Protocol (DHCP) and Secure Neighbor Discovery (SeND).
Each of these documents describes separately how one particular discovery method deals with address collisions (same address, different anchor).
</t>
<t>
While multiple assignment methods can be used in the same layer2 domain, a SAVI device might have
to deal with a mix of binding discovery methods. The purpose of this document is to provide
recommendations to avoid collisions and to review collisions handling when
two or more such methods come up with competing bindings.  
</t>
</section>

<section anchor="scope" title="Problem Scope">
<t>
There are three address assignment methods identified and reviewed in one of the SAVI document:
<list style="numbers">
<t>StateLess Address AutoConfiguration (SLAAC) - reviewed in <xref target="I-D.ietf-savi-fcfs"/></t>
<t>Dynamic Host Control Protocol address assignment (DHCP) - reviewed in <xref target="I-D.ietf-savi-dhcp"/></t>
<t>Secure Neighbor Discovery (SeND) address assignment, reviewed in <xref target="I-D.ietf-savi-send"/></t>
</list>
</t>
<t>
  Each address assignment method corresponds to a binding discovery method: SAVI-FCFS, SAVI-DHCP and SAVI-SeND.
  In addition, there is a fourth method for installing a bindings on the switch, referred to as "manual".
  It is based on manual (address or prefix) binding configuration and is reviewed in <xref target="I-D.ietf-savi-fcfs"/>
  and <xref target="I-D.ietf-savi-framework"/>
</t>
<t>
  All combinations of address assignment methods can coexist within a layer2 domain. A SAVI device will have
  to implement the corresponding SAVI discovery methods (referred to as  a "SAVI solution") to enable Source Address Validation.
  If more than one SAVI solution is enabled on a SAVI device,  the method is referred to as "mix address assignment method"
  in this document.
</t>
<t>
  SAVI solutions are independent from each other, each one handling its own entries.
  In the absence of reconciliation, each solution will reject packets sourced with an address it did not discovered.
  To prevent addresses discovered by one solution to be filtered out by another, the binding table should be shared
  by all the solutions. However this could create some conflict when the same entry is discovered by two different methods:
  the purpose of this document is of two folds: provide recommendations and method to avoid conflicts, and resolve conflicts if and
  when they happen. Collisions happening within a given solution are outside the scope of this document.
</t>
</section>

<section anchor="nocol" title="Recommendations for preventing collisions">
  <t>
    If each solution has a dedicated address space, collisions won't happen. Using non overlapping address space across SAVI solutions
    is therefore recommended. To that end, one should:
    <vspace blankLines="1" />
    <list style="numbers">
      <t>DHCP/SLAAC: use non-overlapping prefix for DHCP and SLAAC. Set the A bit in Prefix information option of Router Advertisement for SLAAC prefix.
	And set the M bit in Router Advertisement for DHCP prefix. For detail explanations on these bits, refer to <xref target="RFC4861"/> <xref target="RFC4862"/>.
      </t>
      <t>SeND/non-SeND: avoid mixed environment (where SeND and non-SeND nodes are deployed) or separate the prefixes announced to SeND and
	non-SenD nodes. One way to separate the prefixes is to have the router()s announcing different (non-overlapping) prefixes to SeND
	and to non-SeND nodes, using unicast Router Advertisements, in response to SeND/non-SeND Router Solicit.
      </t>
    </list>
  </t>
</section>


<section anchor="collisions" title="Handing binding collisions">
  <t>
    In situations where collisions could not be avoided, two cases should be considered:
    <list style="numbers">
      <t>The same address is bound on two different binding anchors by different SAVI solutions.</t>
      <t>The same address is bound on the same binding anchor by different SAVI solutions.</t>
    </list>
  </t>

  <section anchor="samea1" title="Same Address on Different Binding Anchors">
    <t>
      This would typically occur in case assignment address spaces could not be separated. For instance,overl
      an address is assigned by SLAAC on node X, installed in the binding table using SAVI-FCFS,  anchored to "anchor-X". Later,
      the same address is assigned by DHCP to node Y, as a potential candidate in the same binding table, anchored to "anchor-Y".
    </t>
    <section anchor="bpref" title="Basic preference">
      <t>
	The SAVI device must decide whom the address should be bound with (anchor-X or anchor-Y in this example). Current standard documents of address assignment methods
	have implied the prioritization relationship (first-come). In the absence of any configuration or protocol hint (see <xref target="xpref"/>)
	the SAVI device should choose the first-come entry, whether it was learnt from SLACC, SeND or DHCP.  
      </t>
    </section>
    <section anchor="xpref" title="Overwritten preference">
      <t>
	There are two identified exceptions to the general prioritization model, one of them being CGA addresses, another one controlled by the configuration
	of the switch:
	<vspace blankLines="1" />
	<list style="numbers">
	  <t>
	    When CGA addresses are used, and a collision is detected, preference should be given to the anchor that carries the
	    CGA credentials once they are verified, in particular the CGA parameters and the RSA options. Note that if an attacker was trying to replay CGA credentials,
        he would then compete on the base of fcfs (first-come, first-serve).        
	  </t>
	  <t>
	    The SAVI device should allow the configuration of a triplet ("prefix", "anchor", "method") or ("address", "anchor", "method"). 
        Later, if a DAD message is received for a target within "prefix" (or equal "address") bound to "anchor1" (different from "anchor"),
        or via a discovery method different from "method",  the switch should defend the address by responding to the DAD message. It should not at this point install
        the entry into the binding table. It will simply prevent the node to assign the address, and will de-facto prioritize the configured anchor or configured assignment method
        for that address. 
        
	    This is especially useful to protect well known bindings such as a static address of a server over anybody, even when the server
	    is down. It is also a way to give priority to a binding learnt from SAVI-DHCP over a binding for the same address, learnt from SAVI-FCFS.
	  </t>
	</list>
      </t>
    </section>

    <section anchor="mult" title="Multiple SAVI Device Scenario">
      <t>
	A single SAVI device doesn't have the information of all bound addresses on the perimeter. Therefore it is not enough to lookup local bindings to
	identify a collision.  However, assuming DAD is performed throughout the security perimeter for all addresses regardless of the assignment method,
	then DAD response will inform all SAVI devices about any collision. In that case, FCFS will apply the same way as in a single switch scenario.
	If the admin configured on one the switches a prefix (or a single static binding) to defend, the DAD response generated by this switch
	will also prevent the binding to be installed on other switches of the perimeter. 
      </t>
    </section>
  </section>

  <section anchor="sameb" title="Same Address on the Same Binding Anchor">
    <t>A binding may be set up on the same binding anchor by multiple solutions. Generally, the binding lifetimes of different
      solutions are different. Potentially, if one solution requires to remove the binding, the node using the address may be
      taken the use right.
    </t>
    <t>
      For example, a node performs DAD procedure after being assigned an address from DHCP, then the address will also be bound by
      SAVI-FCFS. If the SAVI-FCFS lifetime is shorter than DHCP lifetime, when the SAVI-FCFS lifetime expires, it will request to
      remove the binding. If the binding is removed, the node will not be able to use the address even the DHCP lease time doesn’t
      expire.
    </t>
    <t>
      The solution proposed is to keep a binding as long as possible. A binding is kept until it has been required to be removed by
      all the solutions that ever set up it.
    </t>
  </section>
</section>
</middle>

<back>
<references title='Normative References'>
<?rfc include="reference.RFC.2119"?>
</references>

<references title='Informative References'>
<?rfc include="reference.RFC.2460"?>
<?rfc include="reference.RFC.4861"?>
<?rfc include="reference.RFC.4862"?>
<?rfc include="reference.RFC.3971"?>
<?rfc include="reference.RFC.3972"?>
<?rfc include="reference.RFC.3315"?>

<?rfc include='reference.I-D.ietf-savi-framework.xml'?>
<?rfc include='reference.I-D.ietf-savi-dhcp.xml'?>
<?rfc include='reference.I-D.ietf-savi-fcfs.xml'?>
<?rfc include='reference.I-D.ietf-savi-send.xml'?>
</references>

<section title="Contributors and Acknowledgments">
<t>
Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun and Jari Arkko for their valuable
contributions.
</t>
</section>

</back>

</rfc>