SAVI for Mixed Address Assignment Methods Scenario
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
junbi@cernet.edu.cn
Tsinghua University
Network Research Center, Tsinghua University
Beijing 100084
China
yaoguang.china@gmail.com
Newbridge Networks Inc
jmh@joelhalpern.com
Cisco Systems
Village d'Entreprises Green Side -
400, Avenue Roumanille
Biot-Sophia Antipolis - 06410
France
elevyabe@cisco.com
This document reviews how multiple address discovery methods can coexist in a single SAVI device and collisions are
resolved when the same binding entry is discovered by two or more methods.
There are currently several documents , and
that describe the different methods by which a switch can discover and record bindings between a node's layer3 address and a binding anchor and use
that binding to perform Source Address Validation. Each of these documents specifies how to learn on-link addresses, based on the method used for their assignment, respectively:
StateLess Autoconfiguration (SLAAC), Dynamic Host Control Protocol (DHCP) and Secure Neighbor Discovery (SeND).
Each of these documents describes separately how one particular discovery method deals with address collisions (same address, different anchor).
While multiple assignment methods can be used in the same layer2 domain, a SAVI device might have
to deal with a mix of binding discovery methods. The purpose of this document is to provide
recommendations to avoid collisions and to review collisions handling when
two or more such methods come up with competing bindings.
There are three address assignment methods identified and reviewed in one of the SAVI document:
StateLess Address AutoConfiguration (SLAAC) - reviewed in
Dynamic Host Control Protocol address assignment (DHCP) - reviewed in
Secure Neighbor Discovery (SeND) address assignment, reviewed in
Each address assignment method corresponds to a binding discovery method: SAVI-FCFS, SAVI-DHCP and SAVI-SeND.
In addition, there is a fourth method for installing a bindings on the switch, referred to as "manual".
It is based on manual (address or prefix) binding configuration and is reviewed in
and
All combinations of address assignment methods can coexist within a layer2 domain. A SAVI device will have
to implement the corresponding SAVI discovery methods (referred to as a "SAVI solution") to enable Source Address Validation.
If more than one SAVI solution is enabled on a SAVI device, the method is referred to as "mix address assignment method"
in this document.
SAVI solutions are independent from each other, each one handling its own entries.
In the absence of reconciliation, each solution will reject packets sourced with an address it did not discovered.
To prevent addresses discovered by one solution to be filtered out by another, the binding table should be shared
by all the solutions. However this could create some conflict when the same entry is discovered by two different methods:
the purpose of this document is of two folds: provide recommendations and method to avoid conflicts, and resolve conflicts if and
when they happen. Collisions happening within a given solution are outside the scope of this document.
If each solution has a dedicated address space, collisions won't happen. Using non overlapping address space across SAVI solutions
is therefore recommended. To that end, one should:
DHCP/SLAAC: use non-overlapping prefix for DHCP and SLAAC. Set the A bit in Prefix information option of Router Advertisement for SLAAC prefix.
And set the M bit in Router Advertisement for DHCP prefix. For detail explanations on these bits, refer to .
SeND/non-SeND: avoid mixed environment (where SeND and non-SeND nodes are deployed) or separate the prefixes announced to SeND and
non-SenD nodes. One way to separate the prefixes is to have the router()s announcing different (non-overlapping) prefixes to SeND
and to non-SeND nodes, using unicast Router Advertisements, in response to SeND/non-SeND Router Solicit.
In situations where collisions could not be avoided, two cases should be considered:
The same address is bound on two different binding anchors by different SAVI solutions.
The same address is bound on the same binding anchor by different SAVI solutions.
This would typically occur in case assignment address spaces could not be separated. For instance,overl
an address is assigned by SLAAC on node X, installed in the binding table using SAVI-FCFS, anchored to "anchor-X". Later,
the same address is assigned by DHCP to node Y, as a potential candidate in the same binding table, anchored to "anchor-Y".
The SAVI device must decide whom the address should be bound with (anchor-X or anchor-Y in this example). Current standard documents of address assignment methods
have implied the prioritization relationship (first-come). In the absence of any configuration or protocol hint (see )
the SAVI device should choose the first-come entry, whether it was learnt from SLACC, SeND or DHCP.
There are two identified exceptions to the general prioritization model, one of them being CGA addresses, another one controlled by the configuration
of the switch:
When CGA addresses are used, and a collision is detected, preference should be given to the anchor that carries the
CGA credentials once they are verified, in particular the CGA parameters and the RSA options. Note that if an attacker was trying to replay CGA credentials,
he would then compete on the base of fcfs (first-come, first-serve).
The SAVI device should allow the configuration of a triplet ("prefix", "anchor", "method") or ("address", "anchor", "method").
Later, if a DAD message is received for a target within "prefix" (or equal "address") bound to "anchor1" (different from "anchor"),
or via a discovery method different from "method", the switch should defend the address by responding to the DAD message. It should not at this point install
the entry into the binding table. It will simply prevent the node to assign the address, and will de-facto prioritize the configured anchor or configured assignment method
for that address.
This is especially useful to protect well known bindings such as a static address of a server over anybody, even when the server
is down. It is also a way to give priority to a binding learnt from SAVI-DHCP over a binding for the same address, learnt from SAVI-FCFS.
A single SAVI device doesn't have the information of all bound addresses on the perimeter. Therefore it is not enough to lookup local bindings to
identify a collision. However, assuming DAD is performed throughout the security perimeter for all addresses regardless of the assignment method,
then DAD response will inform all SAVI devices about any collision. In that case, FCFS will apply the same way as in a single switch scenario.
If the admin configured on one the switches a prefix (or a single static binding) to defend, the DAD response generated by this switch
will also prevent the binding to be installed on other switches of the perimeter.
A binding may be set up on the same binding anchor by multiple solutions. Generally, the binding lifetimes of different
solutions are different. Potentially, if one solution requires to remove the binding, the node using the address may be
taken the use right.
For example, a node performs DAD procedure after being assigned an address from DHCP, then the address will also be bound by
SAVI-FCFS. If the SAVI-FCFS lifetime is shorter than DHCP lifetime, when the SAVI-FCFS lifetime expires, it will request to
remove the binding. If the binding is removed, the node will not be able to use the address even the DHCP lease time doesn’t
expire.
The solution proposed is to keep a binding as long as possible. A binding is kept until it has been required to be removed by
all the solutions that ever set up it.
Thanks to Christian Vogt, Eric Nordmark, Marcelo Bagnulo Braun and Jari Arkko for their valuable
contributions.