Source Address Validation ImprovementInternet Engineering Task Force (IETF) J. BiInternet-DraftRequest for Comments: 7513 J. WuIntended status:Category: Standards Track G. YaoExpires: August 23, 2015ISSN: 2070-1721 Tsinghua Univ. F. Baker CiscoFebruary 19,April 2015SAVISource Address Validation Improvement (SAVI) Solution for DHCPdraft-ietf-savi-dhcp-34Abstract This document specifies the procedure for creating a binding between a DHCPv4/DHCPv6-assigned IP address and a binding anchor on a Source Address ValidationImprovementsImprovement (SAVI) device. The bindings set up by this procedure are used to filter packets with forged source IP addresses. This mechanism complements BCP 38 (RFC 2827) ingress filtering, providing finer-grained source IP address validation. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 23, 2015.http://www.rfc-editor.org/info/rfc7513. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .43 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Deployment Scenario and Configuration . . . . . . . . . . . . 8 4.1. Elements and Scenario . . . . . . . . . . . . . . . . . . 8 4.2. SAVI Binding Type Attributes . . . . . . . . . . . . . . 10 4.2.1. Trust Attribute . . . . . . . . . . . . . . . . . . . 10 4.2.2. DHCP-Trust Attribute . . . . . . . . . . . . . . . . 11 4.2.3. DHCP-Snooping Attribute . . . . . . . . . . . . . . . 11 4.2.4. Data-Snooping Attribute . . . . . . . . . . . . . . . 11 4.2.5. Validating Attribute . . . . . . . . . . . . . . . . 12 4.2.6. Table of Mutual Exclusions . . . . . . . . . . . . . 13 4.3. Perimeter . . . . . . . . . . . . . . . . . . . . . . . . 13 4.3.1. SAVI-DHCP Perimeter Overview . . . . . . . . . . . . 13 4.3.2. SAVI-DHCP Perimeter Configuration Guideline . . . . . 14 4.3.3. On the Placement of the DHCP Server and Relay . . . . 15 4.3.4. An Alternative Deployment . . . . . . . . . . . . . . 15 4.3.5. Considerations regarding Binding Anchors . . . . . . 16 4.4. Other Device Configuration . . . . . . . . . . . . . . . 17 5. Binding State Table (BST) . . . . . . . . . . . . . . . . . . 17 6. DHCP Snooping Process . . . . . . . . . . . . . . . . . . . . 18 6.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 18 6.2. Binding States Description . . . . . . . . . . . . . . . 19 6.3. Events . . . . . . . . . . . . . . . . . . . . . . . . . 19 6.3.1. Timer Expiration Event . . . . . . . . . . . . . . . 19 6.3.2. Control Message Arriving Events . . . . . . . . . . . 19 6.4. The State Machine of DHCP Snooping Process . . . . . . . 21 6.4.1. Initial State: NO_BIND- No binding has been set up.21 6.4.2. Initial State: INIT_BIND - A potential binding has been set up. . . . . . . . . . . . . . 21 6.4.2. Initial State: INIT_BIND . . . . . . . . . . . . . . 23 6.4.3. Initial State: BOUND- The binding has been set up. . . . . . . . . . . . . . . . 26 6.4.4. Table of State Machine . . . . . . . . . . . . . . . 29 7. Data Snooping Process . . . . . . . . . . . . . . . . . . . . 30 7.1. Scenario . . . . . . . . . . . . . . . . . . . . . . . .3130 7.2. Rationale . . . . . . . . . . . . . . . . . . . . . . . .3231 7.3. Additional Binding States Description . . . . . . . . . . 32 7.4. Events . . . . . . . . . . . . . . . . . . . . . . . . .3332 7.5. Message Sender Functions . . . . . . . . . . . . . . . . 34 7.5.1. Duplicate Detection Message Sender . . . . . . . . . 34 7.5.2.Lease QueryLeasequery Message Sender . . . . . . . . . . . . .35. 34 7.5.3. Address Verification Message Sender . . . . . . . . .3635 7.6. Initial State:stateNO_BIND- No binding has been set up. . . . . . . . . . . . . . . . . 36 7.6.1. Event: EVE_DATA_UNMATCH: A data packet without a matched binding is received . . . . . . . . . . . . . 36 7.6.2. Eventsnot observedNot Observed in NO_BIND fordata snoopingData Snooping . . 37 7.7. Initial State:stateDETECTION- The address in the entry is undergoing local duplication detection. . . . . . . .38 7.7.1. Event: EVE_ENTRY_EXPIRE. . . . . . . . 37 7.7.1. Event: EVE_ENTRY_EXPIRE . . . . . . .38 7.7.2. Event: EVE_DATA_CONFLICT: ARP Reply/Neighbor Advertisement(NA) message received from unexpected system . . . .. . . . . . . . 37 7.7.2. Event: EVE_DATA_CONFLICT: ARP Reply / NA Message Received from Unexpected System . . . . . . . . . . .3938 7.7.3. Eventsnot observedNot Observed in DETECTION . . . . . . . . . .3938 7.8. Initial State:stateRECOVERY- The SAVI device is querying the assignment and lease time of the address in the entry through DHCP Leasequery. . . . . . . . . . . .39. . . . . 38 7.8.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or successful LEASEQUERY-REPLY is received . . . . .3938 7.8.2. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . .4039 7.8.3. Eventsnot observedNot Observed in RECOVERY . . . . . . . . . . . 40 7.9. Initial State:stateVERIFY- Verification of the use of the source IP address by the device interface attached to the SAVI device . . .. . . . . . . . . . . . . . . . . .4140 7.9.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or successful LEASEQUERY-REPLY is received . . . . .4140 7.9.2. Event: EVE_DATA_VERIFY: A valid ARP Reply or NA is received from the device attached via the binding anchor . . . . . . . . . . . . . . . . . . . . . . .4140 7.9.3. Event: EVE_ENTRY_EXPIRE . . . . . . . . . . . . . . .4241 7.9.4. Event: EVE_DATA_EXPIRE . . . . . . . . . . . . . . .4241 7.9.5. Eventsnot observedNot Observed in VERIFY . . . . . . . . . . . . 42 7.10. Initial State:stateBOUND- The binding has been set up. . . . . . . . . . . . . . . . . . 42 7.11. Table of State Machine . . . . . . . . . . . . . . . . .4342 8. Filtering Specification . . . . . . . . . . . . . . . . . . . 44 8.1. Data Packet Filtering . . . . . . . . . . . . . . . . . . 45 8.2. Control Packet Filtering . . . . . . . . . . . . . . . . 45 9. State Restoration . . . . . . . . . . . . . . . . . . . . . . 46 9.1. Attribute Configuration Restoration . . . . . . . . . . . 46 9.2. Binding State Restoration . . . . . . . . . . . . . . . . 46 10. Constants . . . . . . . . . . . . . . . . . . . . . . . . . . 47 11. Security Considerations . . . . . . . . . . . . . . . . . . . 47 11.1. Security Problemsaboutwith the Data Snooping Process . . . . 47 11.2. SecuringLease QueryLeasequery Operations . . . . . . . . . . . . . 48 11.3. Clientdeparture issuesDeparture Issues . . . . . . . . . . . . . . . . 48 11.4. Compatibility withDNA (DetectingDetecting NetworkAttachment)Attachment (DNA) . 49 11.5. Binding Number Limitation . . . . . . . . . . . . . . . 50 11.6. Privacy Considerations . . . . . . . . . . . . . . . . . 50 11.7. Fragmented DHCP Messages . . . . . . . . . . . . . . . . 50 12.IANA Considerations .References . . . . . . . . . . . . . . . . . . . .51 13. Acknowledgment. . . . . 51 12.1. Normative References . . . . . . . . . . . . . . . . . . 5114.12.2. Informative References . . . . . . . . . . . . . . . . . 52 Acknowledgments . . . . . . . .51 14.1. Normative References. . . . . . . . . . . . . . . . . 53 Authors' Addresses .51 14.2. Informative References. . . . . . . . . . . . . . . . .52. . . . . 53 1. Introduction This document describes a fine-grained source address validation mechanism for IPv4 and IPv6 packets. This mechanism creates bindings between IP addresses assigned to network interfaces by DHCP and suitable binding anchors (Section 4.3.5). As discussed in Section 3 and [RFC7039], a "binding anchor" is an attribute that is immutable or difficult to change that may be used to identify the system an IP address has been assigned to; common examples include aMACMedia Access Control (MAC) address found on an Ethernet switch port orWiFiWi-Fi security association. The bindings are used to identify and filter packets originated by these interfaces using forged source IP addresses. In this way, this mechanism can prevent hosts from using IP addresses assigned to any other attachment point in or not associated with the network. This behavior is referred to as"spoofing","spoofing" and is key to amplification attacks, in which a set of systems send messages to another set of systems claiming to be from a third set of systems, and sending the replies to systems that don't expect them. Whereas BCP 38 [RFC2827] protects a network from a neighboring network by providing prefix granularity source IP address validity, this mechanism protects a network, including a Local Area Network, from itself by providing address granularity source IP validity when DHCP/DHCPv6 is used to assign IPv4/IPv6 addresses. Both provide a certain level of traceability, in that packet drops indicate the presence of a system that is producing packets with spoofed IP addresses. SAVI-DHCP snoops DHCP address assignments to set up bindings between IP addresses assigned by DHCP and corresponding binding anchors. It includes the DHCPv4 andv6 snooping processDHCPv6 Snooping Process (Section6),6) and the Data SnoopingprocessProcess (Section 7), as well as a number of other technical details. The Data SnoopingprocessProcess is a data-triggered procedure that snoops the IP header of data packets to set up bindings. It is designed to avoid a permanent blockage of valid addresses in the case that DHCP snooping is insufficient to set up all the valid bindings. This mechanism is designed for the stateful DHCP scenario[RFC2131],[RFC2131] [RFC3315]. Stateless DHCP [RFC3736] is out of scope for this document, as it has nothing to do with IP address allocation. An alternative SAVI method would have be used in those cases. For hosts using Stateless AddressAuto-ConfigurationAutoconfiguration (SLAAC) to allocate addresses,SAVI-FCFSFirst-Come, First-Served Source Address Validation Improvement (FCFS SAVI) [RFC6620] should be enabled. SAVI-DHCP is primarily designed for pure DHCP scenarios in which only addresses assigned through DHCP are allowed. However, it does not block link- local addresses, as they are not assigned using DHCP. It is RECOMMENDED that the administration deploy a SAVI solution for link- local addresses, e.g.,SAVI-FCFSFCFS SAVI [RFC6620]. This mechanism works for networks that use DHCPv4 only, DHCPv6 only, or both DHCPv4 and DHCPv6. However, the DHCP address assignment mechanism in IPv4/IPv6 transition scenarios, e.g., [RFC7341], are beyond the scope of this document. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described inRFC 2119[RFC2119]. 3. Terminology Binding anchor: A "binding anchor" is defined to be a physical and/or link-layer property of an attached device, as in [RFC7039]. A list of sample binding anchors can be found in Section 3.2 of that document. To the degree possible, a binding anchor associates an IP address with something unspoofable that identifies asingle clientsingle-client system or one of its interfaces. See Section 4.3.5 for more detail. Attribute: A configurable property of each binding anchor (port, MACAddress,address, or other information) that indicates the actions to be performed on packets received from the attached network device. DHCP address: An IP address assigned via DHCP. SAVI-DHCP: The name of this SAVI function for DHCP-assigned addresses. SAVI device: A network device on which SAVI-DHCP is enabled. Non-SAVI device: A network device on which SAVI-DHCP is not enabled. DHCPClient-ServerClient-to-Server message: A message that is sent from a DHCP client to a DHCP server or DHCPservers. Such a messageservers and isofone of the following types: o DHCPv4 Discover: DHCPDISCOVER[RFC2131][RFC2131]. o DHCPv4 Request: DHCPREQUEST generated during SELECTING state[RFC2131][RFC2131]. o DHCPv4 Renew: DHCPREQUEST generated during RENEWING state[RFC2131][RFC2131]. o DHCPv4 Rebind: DHCPREQUEST generated during REBINDING state[RFC2131][RFC2131]. o DHCPv4 Reboot: DHCPREQUEST generated during INIT-REBOOT state[RFC2131][RFC2131]. o Note: DHCPv4 Request/Renew/Rebind/Reboot messages can be identified based ontheTable 4 of[RFC2131][RFC2131]. o DHCPv4 Decline: DHCPDECLINE[RFC2131][RFC2131]. o DHCPv4 Release: DHCPRELEASE[RFC2131][RFC2131]. o DHCPv4 Inform: DHCPINFORM[RFC2131][RFC2131]. o DHCPv4 DHCPLEASEQUERY: A message sent toenquireinquire about the lease that might exist for an IPv4address. [RFC4388]address [RFC4388]. o DHCPv6 Request: REQUEST[RFC3315][RFC3315]. o DHCPv6 Solicit: SOLICIT[RFC3315][RFC3315]. o DHCPv6 Confirm: CONFIRM[RFC3315][RFC3315]. o DHCPv6 Decline: DECLINE[RFC3315][RFC3315]. o DHCPv6 Release: RELEASE[RFC3315][RFC3315]. o DHCPv6 Rebind: REBIND[RFC3315][RFC3315]. o DHCPv6 Renew: RENEW[RFC3315][RFC3315]. o DHCPv6 Information-Request: INFORMATION-REQUEST[RFC3315][RFC3315]. o DHCPv6 LEASEQUERY: A message sent toenquireinquire about the lease that might exist for an IPv6address. [RFC5007]address [RFC5007]. DHCP Server-to-Client message: A message that is sent from a DHCP server to a DHCPclient. Such a messageclient and isofone of the following types: o DHCPv4 ACK: DHCPACK[RFC2131][RFC2131]. o DHCPv4 NAK: DHCPNAK[RFC2131][RFC2131]. o DHCPv4 Offer: DHCPOFFER[RFC2131][RFC2131]. o DHCPv4 DHCPLEASEACTIVE: A response to a DHCPLEASEQUERY request containing leaseinformation. [RFC4388]information [RFC4388]. o DHCPv4 DHCPLEASEUNKNOWN: A response to a DHCPLEASEQUERY request indicating that the server does not manage theaddress. [RFC4388]address [RFC4388]. o DHCPv4 DHCPLEASEUNASSIGNED: A response to a DHCPLEASEQUERY request indicating that the server manages the address and there is no currentlease. [RFC4388]lease [RFC4388]. o DHCPv6 Reply: REPLY[RFC3315][RFC3315]. o DHCPv6 Advertise: ADVERTISE[RFC3315][RFC3315]. o DHCPv6 Reconfigure: RECONFIGURE[RFC3315][RFC3315]. o DHCPv6 LEASEQUERY-REPLY: A response to a LEASEQUERYrequest. [RFC5007]request [RFC5007]. Lease time: The lease time in IPv4 [RFC2131] or the valid lifetime in IPv6 [RFC3315]. Binding entry: A rule that associates an IP address with a binding anchor. Binding State Table (BST): The data structure that contains the binding entries. Binding entry limit: The maximum number of binding entries that may be associated with a binding anchor. Limiting the number of binding entries per binding anchor prevents a malicious or malfunctioning node from overloading the binding table on a SAVI device. Direct attachment: Ideally, a SAVI device is an access device that hosts are attached to directly. In such a case, the hosts are direct attachments (i.e., they attach directly) to the SAVI device. Indirect attachment: A SAVI device MAY be an aggregation device that other access devices are attachedto,to andwhichthat hosts in turn attach to. In such a case, the hosts are indirect attachments (i.e., they attach indirectly) to the SAVI device. Unprotected link: Unprotected links are links that connect to hosts or networks of hosts that receive their DHCP traffic by anotherpath,path and are therefore outside the SAVI perimeter. Unprotected device: An unprotected device is a device associated with an unprotected link. One example might be the gateway router of a network. Protected link: If DHCP messages for a given attached device always use a given link, the link is considered to be "protected" by the SAVIDevice,device and is therefore within the SAVI perimeter. Protected device: A protected device is a device associated with a protected link. One example might be a desktop switch in the network, or a host. CutVertex:vertex: A cut vertex is any vertex whose removal increases the number of connected components in a (network) graph. This is a concept in graph theory. This term is used in Section 6.1 to accurately specify the required deployment location of SAVI devices when they only perform the DHCP Snooping Process. Identity Association (IA): "A collection of addresses assigned to aclient." [RFC3315]client" [RFC3315]. Detection message:aA Neighbor Solicitation or ARP message intended by the Data Snooping Process to detect a duplicate address. DHCP_DEFAULT_LEASE:defaultDefault lifetime for a DHCPv6 address when the binding is triggered by a DHCPv6 Confirm message but a DHCPv6lease queryLeasequery exchange [RFC5007] cannot be performed by the SAVI device to fetch the lease. 4. Deployment Scenario and Configuration 4.1. Elements and Scenario The essential elements in a SAVI-DHCP deployment scenario include at least one DHCP server (which may or may not be assigned an address usingDHCP,DHCP and therefore may or may not be protected), zero or more protected DHCP clients, and one or more SAVI devices. It may also include DHCP relays, when the DHCP server is not co-located with a set of clients, and zero or more protectedNon-SAVInon-SAVI devices. Outside the perimeter, via unprotected links, there may be many unprotected devices. +-------------+ |unprotectedUnprotected | |deviceDevice | +------+------+ | +--------+ +-----+------+ +----------+ |DHCP +-----+ Non-SAVI +----+Bogus DHCP| |Server A| | Device 1 | |Server | +--------+ +-----+------+ +----------+ |trusted, unprotected link . . . . . . . . . . . . . . . . .|. . . . . . . . . . . . . . . | . . Protection +---+------+ trusted link . . Perimeter | SAVI +--------------+ . . | DeviceC|C | | . . +---+------+ | . . | | . . untrusted, +----------+ +---+------+ +------+---+ . . protected | SAVI | |Non SAVI|Non-SAVI | | SAVI | . . link+------+ DeviceA+----+A +----+ Device3+-------+3 +-------+ DeviceB|B | . . | +----+--+--+ +----------+ +-+---+----+ . . | | +----------+ . . . . . | | . . | . . . . . . | . . | | . . | . | . | . +--------+ | . . +----+-----+. +--+---+ . +----+-+ . +--+---+ . +---+----+ . . | Non-SAVI |. |Client| . |DHCP | . |Client| . |DHCP | . . | Device 2 |. |A | . |Relay | . |B | . |Server B| . . +----------+. +------+ . +------+ . +------+ . +--------+ . . . . . . . . . . . . . . . . . . . . Figure 1: SAVI-DHCP Scenario Figure 1 shows a deployment scenario that contains these elements. Note that a physical device can instantiate multiple elements, e.g., a switch can be both a SAVI device and a DHCP relay, or in acloudcloud- computing environment, a physical host may contain a virtual switch plus some number of virtual hosts. In such cases, the links are logical links rather than physical links. Networks are not usually isolated. As a result, traffic from other networks, including transit traffic as specified in [RFC6620] (e.g., traffic from another SAVI switch or a router) may enter a SAVI-DHCP network through the unprotected links. Since SAVI solutions are limited to validating traffic generated from a local link, SAVI-DHCP does not set up bindings for addresses assigned in other networks and cannot validate them. Traffic from unprotected links should be checked by an unprotected device or[RFC2827] mechanisms.mechanisms described in [RFC2827]. The generation and deployment of such a mechanism is beyond the scope of this document. Traffic from protected links is, however, locallygenerated,generated and should have its source addresses validated by SAVI-DHCP if possible. In the event that there is an intervening protected non-SAVI device between the host and the SAVI device, however, use of the physical attachment point alone as a binding anchor is insufficiently secure, astheseveral devices on a port or other point of attachment can spoof each other. Hence, additional information such as a MAC address SHOULD be used to disambiguate them. 4.2. SAVI Binding Type Attributes As illustrated in Figure 1, a system attached to a SAVI device can be a DHCP client, a DHCP relay/server, a SAVI device, or a non-SAVI device. Different actions are performed on traffic originated from different elements. To distinguish among their requirements, several properties are associated with their point of attachment on the SAVI device. When a binding association is uninstantiated, e.g., when no host is attached to the SAVI device using a given port or other binding anchor, the binding port attributes take default values unless overridden by configuration. By default, a SAVI switch does not filter DHCP messages, nor does it attempt to validate source addresses, which is to say that the binding attributes are ignored until SAVI-DHCP is itself enabled. This is because a SAVI switch that depends on DHCP cannot tell, a priori, which ports have valid DHCP servers attached, or which have routers or other equipment that would validly appear to use an arbitrary set of source addresses. When SAVI has been enabled, the attributes take effect. 4.2.1. Trust Attribute The "Trust Attribute" is a Boolean value. If TRUE, it indicates that the packets from the corresponding attached device need not have their source addresses validated. Examples of a trusted attachment would be a port to another SAVI device, or to an IP router, as shown in Figure 1. In both cases, traffic using many source IP addresses will be seen. By default, the Trust attribute is FALSE, indicating that any device found on that port will seek an address using DHCP and be limited to using such addresses. SAVI devices will not set up bindings for points of attachment with the Trust attribute set TRUE; no packets, including DHCP messages, from devices with this attribute on their attachments will be validated.HoweverHowever, DHCP Server-to-Client messages will be snooped on attachment points with the Trust attribute set TRUE in the same way as if they had the DHCP-Trust attribute set (see Section4.2.2.)4.2.2). 4.2.2. DHCP-Trust Attribute The "DHCP-Trust Attribute" is similarly a Boolean attribute. It indicates whether the attached device is permitted to initiate DHCP Server-to-Client messages. In Figure 1, the points of attachment of the DHCPServerserver and the DHCPRelayrelay would have this attribute set TRUE, and attachment points that have Trust set TRUE are implicitly treated as if DHCP-Trust isTRUE..TRUE. If the DHCP-TrustAttributeattribute is TRUE, SAVI devices will forward DHCP Server-to-Client messages from the points of attachment with this attribute. If the DHCP Server-to-Client messages can trigger the state transitions, the binding setup processes specified inSectionSections 6 andSection7 will handle them. By default, the DHCP-Trust attribute is FALSE, indicating that the attached system is not a DHCP server. A DHCPv6 implementor can refer to[I-D.ietf-opsec-dhcpv6-shield][DHCPv6-SHIELD] for more details. 4.2.3. DHCP-Snooping Attribute The "DHCP-Snooping Attribute" is similarly a Boolean attribute. It indicates whether bindings will be set up based on DHCP snooping. If this attribute is TRUE, DHCPClient-ServerClient-to-Server messages to points of attachment with this attribute will trigger creation of bindings based on the DHCP Snooping Process described in Section 6. If it is FALSE, either the Trust attribute must be TRUE (so that bindings become irrelevant) or another SAVI mechanism such asSAVI-FCFSFCFS SAVI must be used on the point of attachment. The DHCP-Snooping attribute is configured on the DHCPClient'sclient's point of attachment. This attribute can be also used on the attachments to protectedNon-SAVInon-SAVI devices that are used by DHCP clients. In Figure 1, the attachment fromtheClient A totheSAVI Device A, the attachment fromtheClient B totheSAVI Device B, and the attachment fromtheNon-SAVI Device 2 totheSAVI Device A can be configured with this attribute. 4.2.4. Data-Snooping Attribute The "Data-Snooping Attribute" is a Boolean attribute. It indicates whether data packets from the corresponding point of attachment may trigger the binding setup procedure. Data packets from points of attachment with this attribute may trigger the setup of bindings. SAVI devices will set up bindings on points of attachment with this attribute based on the data-triggered process described in Section 7. If the DHCP-Snooping attribute is configured on a point of attachment, the bindings on this attachment are set up based on DHCP message snooping. However, in some scenarios, a DHCP client may use a DHCP address without the DHCP address assignment procedure being performed on its current attachment. For such attached devices, the Data Snooping Process, which is described in Section 7, is necessary. This attribute is configured on such attachments. The usage of this attribute is further discussed in Section 7. Since some networks require DHCP deployment and others avoid it, there is no obvious universal default value for the Data-SnoopingAttribute.attribute. Hence, the Data-SnoopingAttributeattribute should default to FALSE, and a mechanism should be implemented to conveniently set it to TRUE on all points of attachment for which the Trust attribute is FALSE. 4.2.5. Validating Attribute The "Validating Attribute" is a Boolean attribute. It indicates whether packets from the corresponding attachment will have their IP source addresses validated based on binding entries on the attachment. If it is TRUE, packets coming from attachments with this attribute will be validated based on binding entries on the attachment as specified in Section 8. If it is FALSE, they will not. Since the binding table is used in common with other SAVI algorithms, it merely signifies whether the check will be done, not whether it will be done for SAVI-DHCP originated bindings. This attribute is by default the inverse of the Trust attribute; source addresses on untrusted links are validated by default. It MAY be set FALSE by the administration. The expected use case is when SAVI is used to monitor but not block forged transmissions. The network manager, in that case, may set the DHCP-Snooping and/or Data-Snooping attribute TRUE but the Validating attribute FALSE. 4.2.6. Table of Mutual Exclusions Different types of attributes may indicate mutually exclusive actions on a packet. Mutually exclusive attributes MUST NOT be set TRUE on the same attachment. The compatibility of different attributes is listed in Figure 2. Note that although Trust and DHCP-Trust are compatible, there is no need to configure DHCP-Trust to TRUE on an attachment with Trust attribute TRUE. +----------+----------+----------+----------+----------+----------+ | | | | DHCP- | Data- | | | | Trust |DHCP-Trust| Snooping | Snooping |Validating| +----------+----------+----------+----------+----------+----------+ | | | | mutually | mutually | mutually | | Trust | - |compatible| exclusive| exclusive| exclusive| +----------+----------+----------+----------+----------+----------+ | | | | | | | |DHCP-Trust|compatible| - |compatible|compatible|compatible| +----------+----------+----------+----------+----------+----------+ |DHCP- |mutually | | | | | |Snooping |exclusive |compatible| - |compatible|compatible| +----------+----------+----------+----------+----------+----------+ |Data- |mutually | | | | | |Snooping |exclusive |compatible|compatible| - |compatible| +----------+----------+----------+----------+----------+----------+ | |mutually | | | | | |Validating|exclusive |compatible|compatible|compatible| - | +----------+----------+----------+----------+----------+----------+ Figure 2: Table of Mutual Exclusions 4.3. Perimeter 4.3.1. SAVI-DHCP Perimeter Overview SAVI devices form a perimeter separating trusted and untrusted regions of a network, asSAVI-FCFSFCFS SAVI does( Section(Section 2.5 of [RFC6620]). The perimeter is primarily designed for scalability. It has two implications. o SAVI devices only need to establish bindings for directly attached clients, or clients indirectly attached through a non-SAVI protected device, rather than all of the clients in the network. o Each SAVI device only needs to validate the source addresses in traffic from clients attached to it, without checking all the traffic passing by. Consider the example in Figure 1. The protection perimeter is formed by SAVI Devices A,BB, and C. In this case, SAVIdeviceDevice B does not create a binding forclientClient A. However, because SAVIdeviceDevice A filters spoofed traffic fromclientClient A, SAVIdeviceDevice B can avoid receiving spoofed traffic fromclientClient A. The perimeter in SAVI-DHCP is not only a perimeter for datapackets,packets but also a perimeter for DHCP messages. DHCP server response messages incoming across the perimeter will be dropped (Section 8). The placement of the DHCPRelayrelay and DHCPServer,server, which are not involved in [RFC6620], is related to the construction of the perimeter. The requirement on the placement and configuration of the DHCPRelayrelay and DHCPServer areserver is discussed in Section 4.3.3. 4.3.2. SAVI-DHCP Perimeter Configuration Guideline A perimeter separating trusted and untrusted regions of the network is formed as follows: (1) Configure the Validating and DHCP-Snooping attributes TRUE on the direct attachments of all DHCP clients. (2) Configure the Validating and DHCP-Snooping attributes TRUE on the indirect attachments of all DHCP clients (i.e., DHCP clients on protected links). (3) Configure the Trust attribute TRUE on the attachments to other SAVI devices. (4) If aNon-SAVInon-SAVI device, or a number of connectedNon-SAVInon-SAVI devices, are attached only to SAVI devices, set the Trust attribute TRUE on their attachments. (5) Configure the DHCP-Trust attribute TRUE on the direct attachments to trusted DHCP relays and servers. In this way, the points of attachments with the Validating attribute TRUE (and generally together with attachments of unprotected devices) on SAVI devices can form a perimeter separating DHCP clients and trusted devices. Data packet checks are only performed on the perimeter. The perimeter is also a perimeter for DHCP messages. The DHCP-Trust attribute is only TRUE on links inside the perimeter. Only DHCP Server-to-Client messages originated within the perimeter are trusted. 4.3.3. On the Placement of the DHCP Server and Relay As a result of the configuration guidelines, SAVI devices only trust DHCP Server-to-Client messages originated inside the perimeter. Thus, the trusted DHCPRelaysrelays and DHCPServersservers must be placed within the perimeter. DHCP Server-to-Client messages will be filtered on the perimeter.Server-to-relayServer-to-Relay messages will not be filtered, as they are within the perimeter. In this way, DHCP Server-to-Client messages from bogus DHCP servers are filtered on the perimeter, having entered through untrusted points of attachment. The SAVI devices are protected from forged DHCP messages. DHCP Server-to-Client messages arriving at the perimeter from outside the perimeter are not trusted. There is no distinction between a DHCP server owned and operated by the correct administration but outside the SAVI perimeter and a bogus DHCP server. For example, in Figure 1, DHCPserverServer A is valid, but it is attached to Non-SAVIdeviceDevice 1. A bogus DHCP server is also attached to Non-SAVIdeviceDevice 1. While one could imagine a scenario in which the valid one had a statistically configured port number and MAC address, and therefore a binding, by default SAVI-DHCP cannot distinguish whether a message received from the port of Non-SAVIdeviceDevice 1 is from DHCPserverServer A or the bogus DHCP server. IftheDHCPserverServer A is contained in the perimeter, Non-SAVIdeviceDevice 1 will also be contained in the perimeter. Thus,theDHCPserverServer A cannot be contained within the perimeter apart from manual configuration of the binding anchor. Another consideration on the placement is that if the DHCP server/ relay is not inside the perimeter, the SAVI devices may not be able to set up bindingscorrectly,correctly because the SAVI devices may not be on the path between the clients and the server/relay, or the DHCP messages are encapsulated (e.g., Relay-reply and Relay-forward). 4.3.4. An Alternative Deployment In common deployment practice, the traffic from the unprotected network is treated as trustworthy, which is to say that it is not filtered. In such a case, the Trust attribute can be set TRUE on the unprotected link. IfNon-SAVInon-SAVI devices, or a number of connectedNon-non- SAVI devices, are only attached to SAVI devices and unprotected devices, their attachment to SAVI devices can have the Trust attribute set TRUE. Then an unclosed perimeter will be formed, as illustrated in Figure 3. | . . Protection | | | | Perimeter | | | | | | Unprotected | | Unprotected | | Link | | Link | | | | | | | | | | +----+---+ +----+---+ +--------+ | | |SAVI +----+Non-SAVI+----+SAVI | | | |Device | |Device | |Device | | | +----+---+ +--------+ +----+---+ | | | | | \_____________+___________________________+________/ | | | | +--------+ +--------+ |DHCP | |DHCP | |Client | |Client | +--------+ +--------+ Figure 3: Alternative Perimeter Configuration 4.3.5. Considerations regarding Binding Anchors The strength of this binding-based mechanism depends on the strength of the binding anchor. The sample binding anchors in [RFC7039] have the propertythatin which they associate an IP address with a direct physical or secure virtual interface such as a switch port, a subscriber association, or a security association. In addition, especially in the casethatwhere a protected non-SAVI device such as a desktop switch or a hub is between the client and SAVI devices, they MAY be extended to also include a MAC address or other link-layer attribute. In short, a binding anchor is intended to associate an IP address with something unspoofable that identifies asingle clientsingle-client system or one of its interfaces; this may be a physical or virtual interface or that plus disambiguating link-layer information. If the binding anchor is spoofable, such as a plain MAC address, or non-exclusive, such as a switch port extended using a non-SAVI device, an attacker can use a forged binding anchor to evade validation. Indeed, using a binding anchor that can be easily spoofed can lead to worse outcomes than allowing spoofed IP traffic. Thus, a SAVI device MUST use a non-spoofable and exclusive binding anchor. 4.4. Other Device Configuration In addition to a possible binding anchor configuration specified in Section 4.2, an implementation has the following configuration requirements: (1) Address configuration. For DHCPv4: the SAVI device MUST have an IPv4 address. For DHCPv6: the client of a SAVI device MUST have a link-local address; when the DHCPv6 server is not on the same link as the SAVI device, the SAVI device MUST also have an IPv6 address of at least the same scope as the DHCPv6 Server. (2) DHCP server address configuration: a SAVI device MUST store the list of the DHCP server addresses that it could contact during aLease queryleasequery process. (3) A SAVI device may also require security parameters, such aspre- configuredpreconfigured keys to establish a secure connection for theLease queryleasequery process[RFC4388][RFC5007][RFC4388] [RFC5007] connection. 5. Binding State Table (BST) The Binding State Table, which may be implemented centrally in the switch or distributed among its ports, is used to contain the bindings between the IP addresses assigned to the attachments and the corresponding binding anchors of the attachments. Note that in this description, there is a binding entry for each IPv4 or IPv6 address associated with each binding anchor, and there may be several of each such address, especially if the port is extended using a protected non-SAVI device. Each bindingentry,entry has5six fields: o BindingAnchor(Anchor):Anchor (listed as "Anchor" in subsequent figures): the binding anchor, i.e., one or more physicaland/ orand/or link-layer properties of the attachment. o IPAddress(Address):Address (listed as "Address" in subsequent figures): the IPv4 or IPv6 address assigned to the attachment by DHCP. o State: the state of the binding. Possible values of this field are listed inSectionSections 6.2 andSection7.3. o Lifetime: the remaining seconds of the binding. Internally, this MAY be stored as the timestamp value at which the lifetime expires. oTID:Transaction ID (TID): the Transaction ID(TID) ([RFC2131][RFC3315])[RFC3315] of the corresponding DHCP transaction. The TID field is used to associate DHCP Server-to-Client messages with corresponding binding entries. o Timeouts: the number of timeouts that expired in the current state (only used in the Data SnoopingProcess,Process; see Section7.)7). The IA is not present in the BST for three reasons: o The lease of each address in one IA is assigned separately. o When the binding is set up based on data snooping, the IA cannot be recovered from thelease queryleasequery protocol. o DHCPv4 does not define an IA. An example of such a table is shown in Figure 4. +---------+----------+-----------+-----------+--------+----------+ | Anchor | Address | State | Lifetime | TID | Timeouts | +---------+----------+-----------+-----------+--------+----------+ | Port_1 | IP_1 | BOUND | 65535 | TID_1 | 0 | +---------+----------+-----------+-----------+--------+----------+ | Port_1 | IP_2 | BOUND | 10000 | TID_2 | 0 | +---------+----------+-----------+-----------+--------+----------+ | Port_2 | IP_3 | INIT_BIND | 1 | TID_3 | 0 | +---------+----------+-----------+-----------+--------+----------+ Figure 4: Example Binding State Table 6. DHCP Snooping Process This section specifies the process of setting up bindings based on DHCP snooping. This process is illustrated using a state machine. 6.1. Rationale The rationale of the DHCP Snooping Process is that if a DHCP client is legitimately using a DHCP-assigned address, the DHCP address assignment procedure that assigns the IP address to the client must have been performed via the client's point of attachment. This assumption works when the SAVI device is always on the path(s) from the DHCP client to the DHCP server(s)/relay(s). Without considering the movement of DHCP clients, the SAVI device should be the cut vertex whose removal will separate the DHCP client and the remaining network containing the DHCPserver(s)/ and relay(s).server(s)/relay(s). For most of the networks whose topologies are simple, it is possible to deploy this SAVI function at proper devices to meet this requirement. However, if there are multiple paths from a DHCP client to the DHCP server and the SAVI device is only on one of them, there is an obvious failure case: the SAVI device may not be able to snoop the DHCP procedure. Host movement may also make this requirement difficult to meet. For example, when a DHCP client moves from one attachment to another attachment in the same network, it may fail to reinitialize its interface or send a Confirm message because of incomplete protocol implementation. Thus, there can be scenarios in which only performing this DHCP Snooping Process is insufficient to set up bindings for all the valid DHCP addresses. These exceptions and the solutions are discussed in Section 7. 6.2. Binding States DescriptionFollowingThe following binding states are present in this process and the corresponding state machine: NO_BIND: No binding has been set up. INIT_BIND: A potential binding has been set up. BOUND: The binding has been set up. 6.3. Events This section describes events in this process and the corresponding state machine transitions. The DHCP message categories (e.g., DHCPv4 Discover) defined in Section 3 are used extensively in the definitions of events and elsewhere in the state machine definition. If an event will trigger the creation of a new binding entry, the binding entry limit on the binding anchor MUST NOT be exceeded. 6.3.1. Timer Expiration Event EVE_ENTRY_EXPIRE: The lifetime of a binding entry expires. 6.3.2. Control Message Arriving Events EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is received. EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received. EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received. EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is received. EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is received. EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid Commit option is received. EVE_DHCP_REPLY: A DHCPv4 ACK or a DHCPv6 Reply message is received. EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is received. EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is received. EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY (refer tosectionSection 4.3.3 of [RFC5007]) is received. Note: the events listed here do not cover all the DHCP messages in Section 3. The messageswhichthat do not really determine address usage (DHCPv4 Discover, DHCPv4 Inform, DHCPv6 Solicit without Rapid Commit, DHCPv6 Information-Request, DHCPv4 Offer, DHCPv6 Advertise, and DHCPv6Reconfigure),Reconfigure) andwhichthat are not necessary to snoop (DHCPv4NAK,Negative Acknowledgment (NAK); refer tosection 6.4.2.1),Section 6.4.2.3) are not included. Note also that DHCPv4 DHCPLEASEQUERY is not used in the DHCP SnoopingprocessProcess to avoid confusion with Section 7.AlsoAlso, since the LEASEQUERY should have been originated by the SAVIDevicedevice itself, the destination check should verify that the message is directed to this SAVIdevice -device, and it should not be forwarded once it has been processed here. Moreover, only if a DHCP message can pass the following checks, the corresponding event is regarded as a valid event: o Attribute check: the DHCP Server-to-Client messages and LEASEQUERY-REPLY should be from attachments with the DHCP-Trust attribute; the DHCPClient-ServerClient-to-Server messages should be from attachments with the DHCP-Snooping attribute. o Destination check: the DHCP Server-to-Client messages should be destined to attachments with the DHCP-Snooping attribute. This check is performed to ensure the binding is set up on the SAVI devicewhichthat is nearest to the destination client. o Binding anchor check: the DHCPClient-ServerClient-to-Server messageswhichthat may trigger modification or removal of an existing binding entry must have a matching binding anchor with the corresponding entry. o TID check: the DHCPServer-to-Client/Client-ServerServer-to-Client/Client-to-Server messageswhichthat may cause modificationonof existing binding entries must have a matched TID with the corresponding entry. Note that this check is not performed onLease queryLEASEQUERY andLease query-replyLEASEQUERY-REPLY messages as they are exchanged between the SAVI devices and the DHCP servers. Besides, this check is not performed on DHCP Renew/Rebind messages. o Binding limitation check: the DHCP messages must not cause new binding setup on an attachment whose binding entry limitation has beenreached.reached (refer to Section 11.5). o Address check: the source address of the DHCP messages should pass the check specified in Section 8.2. On receiving a DHCP message without triggering a valid event, the state will not change, and the actions will not be performed. Note that if a message does not trigger a valid event but it can pass the checks in Section 8.2, it MUST be forwarded. 6.4. The State Machine of DHCP Snooping Process This section specifies state transitions and their corresponding actions. 6.4.1. Initial State: NO_BIND- No binding has been set up6.4.1.1. Event: EVE_DHCP_REQUEST - A DHCPv4 Request or a DHCPv6 Request message is received The SAVI device MUST forward the message. The SAVI device will generate an entry in the BST. The BindinganchorAnchor field is set to the binding anchor of the attachment from which the message is received. The State field is set to INIT_BIND. The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID field is set to the TID of the message. If the message is DHCPv4 Request, the Address field can be set to the address to request, i.e., the 'requested IP address'. An example of the entry is illustrated in Figure 5. +--------+-------+---------+-----------------------+-----+----------+ | Anchor |Address| State | Lifetime | TID | Timeouts | +--------+-------+---------+-----------------------+-----+----------+ | Port_1 | |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 | +--------+-------+---------+-----------------------+-----+----------+ Figure 5: BindingentryEntry in BST on Initialization Triggered by Request/Rapid Commit/Reboottriggered initializationMessages Resulting state: INIT_BIND - A potential binding has been setupup. 6.4.1.2. Event: EVE_DHCP_REBOOT - A DHCPv4 Reboot message is received The SAVI device MUST forward the message. The SAVI device will generate an entry in the BST. The BindinganchorAnchor field is set to the binding anchor of the attachment from which the message is received. The State field is set to INIT_BIND. The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID field is set to the TID of the message. If the message is DHCPv4 Reboot, the Address field can be set to the address to request, i.e., the 'requested IP address'. An example of the entry is illustrated in Figure 5. Resulting state: INIT_BIND - A potential binding has been setupup. 6.4.1.3. Event: EVE_DHCP_SOLICIT_RC - A DHCPv6 Solicitation message with the Rapid Commit option is received The SAVI device MUST forward the message. The SAVI device will generate an entry in the BST. The BindinganchorAnchor field is set to the binding anchor of the attachment from which the message is received. The State field is set to INIT_BIND. The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID field is set to the TID of the message. An example of the entry is illustrated in Figure 5. Resulting state: INIT_BIND - A potential binding has been setupup. 6.4.1.4. Event: EVE_DHCP_CONFIRM - A DHCPv6 Confirm message is received The SAVI device MUST forward the message. The SAVI device will generate corresponding entries in the BST for each address in each Identity Association (IA) option of the Confirm message. The BindinganchorAnchor field is set to the binding anchor of the attachment from which the message is received. The State field is set to INIT_BIND. The Lifetime field is set to be MAX_DHCP_RESPONSE_TIME. The TID field is set to the TID of the message. The Address field is set to the address(es) to confirm. An example of the entries is illustrated in Figure 6. +--------+-------+---------+-----------------------+-----+----------+ | Anchor |Address| State | Lifetime | TID | Timeouts | +--------+-------+---------+-----------------------+-----+----------+ | Port_1 | Addr1 |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 | +--------+-------+---------+-----------------------+-----+----------+ | Port_1 | Addr2 |INIT_BIND|MAX_DHCP_RESPONSE_TIME | TID | 0 | +--------+-------+---------+-----------------------+-----+----------+ Figure 6: BindingentryEntry in BST onConfirm triggered initializationConfirm-Triggered Initialization Resulting state: INIT_BIND - A potential binding has been setupup. 6.4.1.5. Eventsthat cannot happenThat Cannot Happen in the NO_BINDstateState o EVE_ENTRY_EXPIRE: The lifetime of a binding entry expires o EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is received o EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is received o EVE_DHCP_REPLY: A DHCPv4 ACK or a DHCPv6 Reply message is received o EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is received o EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is received o EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY is received These cannot happen because they are each something that happens AFTER a binding has been created. 6.4.2. Initial State: INIT_BIND- A potential binding has been set up6.4.2.1. Event: EVE_DHCP_REPLY - A DHCPv4 ACK or a DHCPv6 Reply message is received The message MUST be forwarded to the corresponding client. If the message is DHCPv4 ACK, the Address field of the corresponding entry (i.e., the binding entry whose TID is the sameofas the message) is set to the address in themessage(i.e.,message (i.e., 'yiaddr' in DHCPv4 ACK). The Lifetime field is set to the sum of the lease time in the ACK message and MAX_DHCP_RESPONSE_TIME. The State field is changed to BOUND. If the message is DHCPv6 Reply,there arenote the following cases: 1. If the status code is not "Success", no modificationonof corresponding entries will be made. Corresponding entries will expire automatically if no "Success" Reply is received during the lifetime. The entries are not removed immediatelydue tobecause the client may be able to use the addresses whenever a "Success" Reply is received ("If the client receives any Reply messages that do not indicate a NotOnLink status, the client can use the addresses in the IA and ignore any messages that indicate a NotOnLinkstatus."status" [RFC3315]). 2. If the status code is "Success", the SAVI device checks the IA options in the Reply message. A. If there are IA options in the Reply message, the SAVI device checks each IA option. When the first assigned address is found, the Address field of the binding entry with a matched TID is set to the address. The Lifetime field is set to the sum of the lease time in the Reply message and MAX_DHCP_RESPONSE_TIME. The State field is changed to BOUND. If thereareis more than one address assigned in the message, new binding entries are set up for the remaining address assigned in the IA options. An example of the entries is illustrated in Figure 8. SAVI devices do not specially process IA options with a NoAddrsAvailstatus,status because there should be no address contained in such IA options. B. Otherwise, the DHCP Reply message is in response to a Confirm message. The state of the binding entries with a matched TID is changed to BOUND. Because [RFC3315] does not require the lease time of addresses to be contained in the Reply message, the SAVI device SHOULD send a LEASEQUERY [RFC5007] message querying by IP address to the All_DHCP_Servers multicast address [RFC3315] or a list of configured DHCP server addresses. TheLease queryLEASEQUERY message is generated for each IP address if multiple addresses are confirmed. TheLifetimelifetime of corresponding entries is set to 2*MAX_LEASEQUERY_DELAY. If there is no response message after MAX_LEASEQUERY_DELAY, send the LEASEQUERY message again. An example of the entries is illustrated in Figure 7. If the SAVI device does not send the LEASEQUERY message, apre-configuredpreconfigured lifetime DHCP_DEFAULT_LEASE MUST be set on the corresponding entry. (Note: it is RECOMMENDED to use T1 configured on DHCP servers as the DHCP_DEFAULT_LEASE.) Note: the SAVI devices do not check if the assigned addresses are duplicated because in SAVI-DHCP scenarios, the DHCP servers are the only source of valid addresses. However, the DHCP servers should be configured to make sure no duplicated addresses are assigned. +--------+-------+-------+------------------------+-----+----------+ | Anchor |Address| State | Lifetime | TID | Timeouts | +--------+-------+-------+------------------------+-----+----------+ | Port_1 | Addr1 | BOUND | 2*MAX_LEASEQUERY_DELAY | TID | 0 | +--------+-------+-------+------------------------+-----+----------+ | Port_1 | Addr2 | BOUND | 2*MAX_LEASEQUERY_DELAY | TID | 0 | +--------+-------+-------+------------------------+-----+----------+ Figure 7: From INIT_BIND to BOUND on DHCP Reply inresponseResponse to Confirm Transition +--------+-------+-------+------------------------+-----+----------+ | Anchor |Address| State | Lifetime | TID | Timeouts | +--------+-------+-------+------------------------+-----+----------+ | Port_1 | Addr1 | BOUND |Lease time+ | TID | 0 | | | | |MAX_DHCP_RESPONSE_TIME | | | +--------+-------+-------+------------------------+-----+----------+ | Port_1 | Addr2 | BOUND |Lease time+ | TID | 0 | | | | |MAX_DHCP_RESPONSE_TIME | | | +--------+-------+-------+------------------------+-----+----------+ Figure 8: From INIT_BIND to BOUND on DHCP Reply inresponseResponse to Request Resulting state: BOUND - The binding has been setupup. 6.4.2.2. Event: EVE_ENTRY_EXPIRE - The lifetime of a binding entry expires The entry MUST be deleted from the BST. Resulting state: An entry that has been deleted from the BST may be considered to be in thestate"NO_BIND" state - No binding has been set up. 6.4.2.3. Eventsthat are ignoredThat Are Ignored in INIT_BIND If no DHCP Server-to-Client messageswhichthat assign addresses or confirm addresses are received, corresponding entries will expire automatically. Thus, other DHCP Server-to-Client messages (e.g., DHCPv4 NAK) are not specially processed. As a result, the following events, should they occur, are ignored until either a DHCPv4 ACK or a DHCPv6 Reply message is received or the lifetime of the binding entry expires. o EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is received o EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received o EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received o EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is received o EVE_DHCP_RENEW: A DHCPv4 Renew or a DHCPv6 Renew message is received o EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid Commit option is received o EVE_DHCP_DECLINE: A DHCPv4 Decline or a DHCPv6 Decline message is received o EVE_DHCP_RELEASE: A DHCPv4 Release or a DHCPv6 Release message is received o EVE_DHCP_LEASEQUERY: A successful DHCPv6 LEASEQUERY-REPLY is received In each case, the message MUST be forwarded. Resulting state: INIT_BIND - A potential binding has been setupup. 6.4.3. Initial State: BOUND- The binding has been set up6.4.3.1. Event: EVE_ENTRY_EXPIRE - The lifetime of a binding entry expires The entry MUST be deleted from the BST. Resulting state: An entry that has been deleted from the BST may be considered to be in thestate"NO_BIND" state - No binding has been set up. 6.4.3.2. Event: EVE_DHCP_DECLINE - A DHCPv4 Decline or a DHCPv6 Decline message is received The message MUST be forwarded.TheFirst, the SAVI devicefirstgets all the addresses ("Requested IP address" in DHCPv4 Decline, "ciaddr" in DHCPv4 Release, and addresses in all the IA options of DHCPv6 Decline/Release) to decline/release in the message.ThenThen, the corresponding entries MUST be removed. Resulting state in each relevant BST entry: An entry that has been deleted from the BST may be considered to be in thestate"NO_BIND" state - No binding has been set up. 6.4.3.3. Event: EVE_DHCP_RELEASE - A DHCPv4 Release or a DHCPv6 Release message is received The message MUST be forwarded.TheFirst, the SAVI devicefirstgets all the addresses ("Requested IP address" in DHCPv4 Decline, "ciaddr" in DHCPv4 Release, and addresses in all the IA options of DHCPv6 Decline/Release) to decline/release in the message.ThenThen, the corresponding entries MUST be removed. Resulting state in each relevant BST entry: An entry that has been deleted from the BST may be considered to be in thestate"NO_BIND" state - No binding has been set up. 6.4.3.4. Event: EVE_DHCP_REBIND - A DHCPv4 Rebind or a DHCPv6 Rebind message is received The message MUST be forwarded. In such a case, a new TID will be used by the client. The TID field of the corresponding entries MUST be set to the new TID. Note that the TID check will not be performed on such messages. Resulting state: BOUND: The binding has been setupup. 6.4.3.5. Event: EVE_DHCP_RENEW - A DHCPv4 Renew or a DHCPv6 Renew message is received The message MUST be forwarded. In such a case, a new TID will be used by the client. The TID field of the corresponding entries MUST be set to the new TID. Note that the TID check will not be performed on such messages. Resulting state: BOUND: The binding has been setupup. 6.4.3.6. Event: EVE_DHCP_REPLY - A DHCPv4 ACK or a DHCPv6 Reply message is received The message MUST be forwarded. The DHCP Reply messages received in current states should be in response to DHCP Renew/Rebind. If the message is DHCPv4 ACK, the SAVI device updates the binding entry with a matched TID, with the Lifetime field set to be the sum of the new lease time and MAX_DHCP_RESPONSE_TIME, leaving the entry in thestate BOUND.BOUND state. If the message is DHCPv6 Reply, the SAVI device checks each IA Address option in each IA option. For each: 1. If the IA entry in the REPLY message has the status "NoBinding", there is no address in the option, and no operation on an address is performed. 2. If the valid lifetime of an IAaddressAddress option is 0, the binding entry with a matched TID and address is removed, leaving it effectively in thestate NO_BIND.NO_BIND state. 3. Otherwise, set the Lifetime field of the binding entry with the matched TID and address to be the sum of the new valid lifetime and MAX_DHCP_RESPONSE_TIME, leaving the entry in thestate BOUND.BOUND state. Resulting state: NO_BIND or BOUND, as specified. 6.4.3.7. Event: EVE_DHCP_LEASEQUERY - A successful DHCPv6 LEASEQUERY_REPLY is received The message MUST be forwarded. The message should be in response to theLease queryLEASEQUERY message sent in Section 6.4.2. The related binding entry can be determined based on the address in the IA Address option in theLease query-replyLEASEQUERY-REPLY message. The Lifetime field of the corresponding binding entry is set to the sum of the lease time in the LEASEQUERY-REPLY message and MAX_DHCP_RESPONSE_TIME. Resulting state: BOUND: The binding has been setupup. 6.4.3.8. Eventsnot processedNot Processed in thestateState BOUND The following events are ignored if received while the indicated entry is in thestate BOUND.BOUND state. Any required action will be the result of the next message in the client/server exchange. o EVE_DHCP_REQUEST: A DHCPv4 Request or a DHCPv6 Request message is received o EVE_DHCP_CONFIRM: A DHCPv6 Confirm message is received o EVE_DHCP_REBOOT: A DHCPv4 Reboot message is received o EVE_DHCP_SOLICIT_RC: A DHCPv6 Solicitation message with the Rapid Commit option is received 6.4.4. Table of State Machine The main state transits are listed as follows. Note that not all the details are specified in the table and the diagram. State Event Action Next State --------------------------------------------------------------------- NO_BIND RQ/RC/CF/RE Generate entry INIT_BIND INIT_BIND RPL Record lease time BOUND (sendlease queryleasequery if no lease) INIT_BIND EVE_ENTRY_EXPIRE Remove entry NO_BIND BOUND RLS/DCL Remove entry NO_BIND BOUND EVE_ENTRY_EXPIRE Remove entry NO_BIND BOUND RPL Set new lifetime BOUND BOUND LQR Record lease time BOUND Figure 9: State Transition Table RQ: EVE_DHCP_REQUESTCF: EVE_DHCP_CONFIRMRC: EVE_DHCP_SOLICIT_RC CF: EVE_DHCP_CONFIRM RE: EVE_DHCP_REBOOT RPL: EVE_DHCP_REPLYDCL: EVE_DHCP_DECLINERLS: EVE_DHCP_RELEASE DCL: EVE_DHCP_DECLINE LQR: EVE_DHCP_LEASEQUERY +-------------+ | | /--------+ NO_BIND |<--------\ | ----->| | | | | +-------------+ |EVE_DHCP_RELEASE EVE_DHCP_REQUEST | | |EVE_DHCP_DECLINE EVE_DHCP_CONFIRM | |EVE_ENTRY_EXPIRE |EVE_ENTRY_EXPIRE EVE_DHCP_SOLICIT_RC| | | EVE_DHCP_REBOOT | | | | | | | | | v | | +-------------+ +------------+ | | EVE_DHCP_REPLY | | | INIT_BIND --------------------->| BOUND |<-\ | | | | | +-------------+ +------------+ | | | \--------/ EVE_DHCP_REPLY EVE_DHCP_LEASEQUERY Figure 10: Diagram of Transit 7. Data Snooping Process 7.1. Scenario The rationale of the DHCP Snooping Process specified in Section 6 is that if a DHCP client's use of a DHCP address is legitimate, the corresponding DHCP address assignment procedure must have been finished during the attachment of the DHCP client. This is the case when the SAVI device is continuously on the path(s) from the DHCP client to the DHCP server(s)/relay(s). However, there are two cases in which this does not work: o Multiple paths: there is more than one feasible link-layer path from the client to the DHCP server/relay, and the SAVI device is not on every one of them. The client may get its address through one of the paths that does not pass through the SAVI device, but packets from the client can travel on paths that pass through the SAVI device, such as when the path through thelink layerlink-layer network changes. Because the SAVI device could not snoop the DHCP packet exchange procedure, the DHCP Snooping Process cannot set up the corresponding binding. o Dynamic path: there is only one feasible link-layer path from the client to the DHCP server/relay, but the path is dynamic due to topology change (for example, some link becomes broken due to failure or some planned change) or link-layer path change. This situation also covers the local-link movement of clients without the addressconfirm/re-configurationconfirm/reconfiguration process. For example, a host changes its attached switch port in a very short time. In such cases, the DHCP Snooping Process will not set up the corresponding binding. The Data Snooping Process can avoid the permanent blocking of legitimate traffic in case one of these two exceptions occurs. This process is performed on attachments with the Data-Snooping attribute. Data packets without a matching binding entry may trigger this process to set up bindings. Snooping data traffic introduces a considerable burden on the processor and ASIC-to-Processor bandwidth of SAVI devices. Because of the overhead of this process, the implementation of this process is OPTIONAL. This function SHOULD be enabled unless the implementation is known to be used in the scenarios without the above exceptions. For example, if the implementation is to be used in networks with tree topology and without host local-link movement, there is no need to implement this process in such scenarios. This process is not intended to set up a binding whenever a data packet without a matched binding entry is received. Instead, unmatched data packets trigger this processprobabilisticallyprobabilistically, and generally a number of unmatched packets will be discarded before the binding is set up. The parameter(s) of this probabilistic process SHOULD be configurable, defaulting to a situation where data snooping is disabled. 7.2. Rationale This process makes use of NS/ARP and DHCPLEASEQUERYLeasequery to set up bindings. If an address is not used by another client in the network, and the address has been assigned in the network, the address can be bound with the binding anchor of the attachment from which the unmatched packet is received. The Data Snooping Process provides an alternative path for binding entries to reach the BOUND state in the exceptional cases explained in Section 7.1 when there are no DHCP messages that can be snooped by the SAVI device. In some of the exceptional cases (especially the dynamic topology case), by the time the binding has reached the BOUNDstatestate, the DHCP messages may be passing through the SAVI device. In thiscasecase, the events driven by DHCP messages that are expected in the BOUND state in the DHCP Snooping Process mayoccuroccur, and the binding can be handled by the DHCP Snooping Process state machine. In any event, the lease expiry timeout event will occur even if no others do. This will cause the binding to be deleted and the state to logically return to NO_BIND state. Either the DHCP or the Data Snooping Process will be reinvoked if the lease is still in place. If DHCP messages are still not passing through the SAVI device, there will be a brief disconnection during which data packets passing through the SAVI device will be dropped. The probabilistic initiation of the Data Snooping Process can then take over again and return the binding state to BOUND in due course. The security issues concerning this process are discussedisin Section 11.1. 7.3. Additional Binding States Description In addition to NO_BIND and BOUND from Section 6.2, three new states used in this process are listed here. The INIT_BIND state is not used, as it is entered by observing a DHCP message. DETECTION: The address in the entry is undergoing local duplication detection. RECOVERY: The SAVI device is querying the assignment and lease time of the address in the entry through DHCPlease query.Leasequery. VERIFY: The SAVI device is verifying that the device connected to the attachment point has a hardware address that matches the one returned in the DHCPlease query.Leasequery. Because the mechanisms used for the operations carried out while the binding is in these three states operate over unreliable protocols, each operation is carried out twice with a timeout that is triggered if no response is received. 7.4. Events To handle the Data Snooping Process,fivesix extra events, described here, are needed in addition to those used by the DHCP Snooping Process (see Section 6.3). If an event will trigger the creation of a new binding entry, the binding entry limit on the binding anchor MUST NOT be exceeded. EVE_DATA_UNMATCH: A data packet without a matched binding is received. EVE_DATA_CONFLICT: An ARPReply/Neighbor Advertisement(NA)Reply / Neighbor Advertisement (NA) message against an address in the DETECTION state is received from a host other than the one for which the entry was added (i.e., a host attached atanothera point other than the one on which the triggering data packet was received). EVE_DATA_LEASEQUERY: o IPv4: A DHCPLEASEACTIVE message with the IP Address Lease Time option is received. Note that the DHCPLEASEUNKNOWN and DHCPLEASEUNASSIGNED replies are ignored. o IPv6: A successful LEASEQUERY-REPLY is received. EVE_DATA_VERIFY: An ARPReply/Neighbor Advertisement(NA)Reply / NA message has been received in the VERIFY state from the device connected to the attachment point on which the data packet was received. The triggering packet should pass the following checks to trigger a valid event: o Attribute check: the data packet should be from attachments with the Data-Snooping attribute; the DHCPLEASEACTIVE/LEASEQUERY-REPLY messages should be from attachments with the DHCP-Snooping attribute. o Binding limitation check: the data messages must not cause new binding setup on an attachment whose binding entry limitation has beenreached.reached (refer to Section 11.5). o Address check: For EVE_DATA_LEASEQUERY, the source address of theDHCP Lease queryDHCPLEASEQUERY messages must pass the check specified in Section 8.2. For EVE_DATA_CONFLICT and EVE_DATA_VERIFY, the source address and target address of the ARP or NA messages must pass the check specified in Section 8.2. o Interval check: the interval between two successive EVE_DATA_UNMATCH events triggered by an attachment MUST be no smaller than DATA_SNOOPING_INTERVAL. o TID check: the DHCPLEASEACTIVE/LEASEQUERY-REPLY messages must have a matched TID with the corresponding entry. o Prefix check: the source address of the data packet should be of a valid local prefix, as specified insectionSection 7 of [RFC7039]. EVE_DATA_EXPIRE: A timer expires indicating that a response to a hardware address verification message sent in the VERIFY state has not been received within the specified DETECTION_TIMEOUT period. EVE_ENTRY_EXPIRE: A timer expires after the Lifetime indicated in the relevant BST entry has elapsed. This is identical to the usage in the DHCP Snooping Process. 7.5. Message Sender Functions The Data Snooping Process involves sending three different messages to other network devices. Each message may be sent up totwicetwo times since they are sent over unreliable transports and are sent in different states. The functions defined in this section specify the messages to be sent in the three cases. In eachcasecase, the message to be sent depends on whether the triggering data packet is an IPv4 or an IPv6 packet. 7.5.1. Duplicate Detection Message Sender Send a message to check if the source address in the data packet that triggered thedata snooping processData Snooping Process has a local conflict (that is, it uses an address that is being used by another node): IPv4 address:broadcastBroadcast an Address Resolution Protocol (ARP) Request [RFC0826] or an ARPprobeProbe [RFC5227] for the address to the local network. An ARP Response will be expected from the device on the attachment point on which the triggering data packet was received. An ARP Reply received on any other port indicates a duplicate address. IPv6 address:sendSend a Duplicate Address Detection (DAD) message (Neighbor Solicitation message) to thesolicited nodesolicited-node multicast address [RFC4861] targeting the address. Ideally, only the host on that point of attachment responds with a Neighbor Advertisement. A Neighbor Advertisement received on any other port indicates a duplicate address. As both the ARP and DAD processes are unreliable(either the(the packet either to or from the other system may be lost intransit,transit; see [RFC6620]), if there is no response after theDETECTION_TIMEOUTDETECTION_TIMEOUT, an EVE_ENTRY_EXPIRE is generated. 7.5.2.Lease QueryLeasequery Message Sender Send aDHCP lease queryDHCPLEASEQUERY message to the DHCP server(s) to determine if it has given out a lease for the source address in the triggering data packet. A list of authorized DHCP servers is kept by the SAVI device. The list should be eitherpre-configuredpreconfigured with the IPv4and/ orand/or IPv6 addresses or dynamically discovered: For networks usingIPV4IPv4, this can be done by sending DHCPv4 Discover messages and parsing the returned DHCPv4 Offer messages; for networks usingIPv6IPv6, discovery can be done by sending DHCPv6 SOLICIT messages and parsing the returned ADVERTISE messages.See Section 11.2 regarding the securing of the process and the advisability of using the DHCPv6 All_DHCP_Relay_Agents_and_Servers or All_DHCP_Servers multicast addresses.The same TID should be used for alllease queryLEASEQUERY messages sent in response to a triggering data message on an attachment point. The TID is generated if the TID field in the BST entry is empty and recorded in the TID field of the BST entry when the first message is sent. Subsequent messages use the TID from the BST entry. (1) IPv4 address: Send a DHCPLEASEQUERY [RFC4388] message querying by IP address to each DHCPv4 server in the list of authorized servers with an IP Address Lease Time option (option 51). If the server has a valid lease for the address, the requested information will be returned in a DHCPLEASEACTIVE message. (2) IPv6 address: Send a LEASEQUERY [RFC5007] message querying by IP address to each DHCPv6 server in the list of authorized servers using the server address as the link-address in the LEASEQUERY message. If the server has a valid lease for the address, the requested information will be returned in a LEASEQUERY-REPLY message marked as successful (i.e., without an OPTION_STATUS_CODE in the reply). The IA Address option(s) returnedcontaincontains any IPv6 addresses bound to the same link together with the lease validity time. As DHCPlease queriesLeasequeries are an unreliable process(either the(the packet either to or from the server may be lost in transit), if there is no response after theMAX_LEASEQUERY_DELAYMAX_LEASEQUERY_DELAY, an EVE_DATA_EXPIRE is generated. Note that multiple response messages may be received if the list of authorized servers contains more than one address of the appropriate type and, in the case of DHCPv6, the responses may contain additional addresses for which leases have been allocated. 7.5.3. Address Verification Message Sender Send a message to verify that thelink layerlink-layer address in the attached device that sent the triggering data packet matches thelink layerlink-layer address contained in thelease queryleasequery response: IPv4 address: Send an ARP Request with the Target Protocol Address set to the IP address in the BST entry. The ARP Request is only sent to the attachment that triggered the binding. If the attached device has the IP address bound to the interface attached to the SAVI device, an ARP Reply should be received containing the hardware address of the interface on the attached device that can be compared with thelease queryleasequery value. IPv6 address: Send a Neighbor Solicitation (NS) message with the target address set to the IP address in the BST entry. The NS is only sent to the attachment that triggered the binding. If the attached device has the IP address bound to the interface attached to the SAVI device,a Neighbor Announcement (NA)an NA should be received indicating that the attached device has the IP address configured on the interface. As both the ARP and NS/NA processes are unreliable(either the(the packet either to or from the other system may be lost intransit,transit; see [RFC6620]), if there is no response after theDETECTION_TIMEOUTDETECTION_TIMEOUT, an EVE_DATA_EXPIRE is generated. 7.6. Initial State:stateNO_BIND- No binding has been set up7.6.1. Event: EVE_DATA_UNMATCH: A data packet without a matched binding is received Make a probabilistic determination as to whether to act on this event. The probability may be configured or calculated based on the state of the SAVI device. This probability should be low enough to mitigate the damage from DoSattackattacks against this process. Create a new entry in the BST. Set the Binding Anchor field to the corresponding binding anchor of the attachment. Set the Address field to the source address of the packet. Address conflicts MUST be detected and prevented. If local address detection is performed: Set the State field to DETECTION. Set the Lifetime of the created entry to DETECTION_TIMEOUT. Set the Timeouts field to 0. Start the detection of any local address conflicts by sending a Duplicate Address Detection Message (Section7.5.1)).7.5.1). Transition tostate DETECTION.DETECTION state. If local address detection is not performed: Set the State field to RECOVERY. Set the Lifetime of the created entry to LEASEQUERY_DELAY. Set the Timeouts field to 0. Start the recovery of any DHCP lease associated with the source IP address by sending one or morelease queryLEASEQUERY messages (Section7.5.2)).7.5.2). Transition tostate RECOVERY.RECOVERY state. The packet that triggers this event SHOULD be discarded. An example of the BST entry during duplicate address detection is illustrated in Figure 11. +--------+-------+---------+-----------------------+-----+----------+ | Anchor |Address| State | Lifetime | TID | Timeouts | +--------+-------+---------+-----------------------+-----+----------+ | Port_1 | Addr1 |DETECTION| DETECTION_TIMEOUT | | 0 | +--------+-------+---------+-----------------------+-----+----------+ Figure 11: BindingentryEntry in BST ondata triggered initializationData-Triggered Initialization Resulting state: DETECTION - The address in the entry is undergoing local duplication detection - or RECOVERY - The DHCP lease(s) associated with the addressareis being queried. 7.6.2. Eventsnot observedNot Observed in NO_BIND fordata snoopingData Snooping EVE_DATA_CONFLICT: An ARPReply/Neighbor Advertisement(NA)Reply / NA message is received from an unexpectedsystemsystem. EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or LEASEQUERY-REPLY isreceivedreceived. EVE_DATA_VERIFY: A valid ARP Reply or NA message is received from the attacheddevicedevice. All EVE_DHCP_* events defined in Section 6.3.2 are treated as described in the DHCP Snooping Process (Section 6.4.1) and may result in that process being triggered. EVE_ENTRY_EXPIRE: Expiration of the DECTECTION_TIMEOUT EVE_DATA_EXPIRE: Expiration of the DECTECTION_TIMEOUT 7.7. Initial State:stateDETECTION- The address in the entry is undergoing local duplication detection7.7.1. Event: EVE_ENTRY_EXPIRE When this event occurs, no address conflict has been detected during the previous DETECTION_TIMEOUT period. If the Timeouts field in the BST entry is 0: Set the Lifetime of the BST entry to DETECTION_TIMEOUT. Set the Timeouts field to 1. Restart the detection of any local address conflicts by sending a second Duplicate Address Detection Message (Section7.5.1)).7.5.1). Remain instate DETECTION.DETECTION state. If the Timeouts field in the BST entry is 1: Assume that there is no local address conflict. Set the State field to RECOVERY. Set the Lifetime of the BST entry to LEASEQUERY_DELAY. Set the Timeouts field to 0. Start the recovery of any DHCP lease associated with the source IP address by sending one or morelease queryLEASEQUERY messages (Section7.5.2)).7.5.2). Transition tostate RECOVERY.RECOVERY state. An example of the entry is illustrated in Figure 12. +--------+-------+----------+----------------------+-----+----------+ | Anchor |Address| State | Lifetime | TID | Timeouts | +--------+-------+----------+----------------------+-----+----------+ | Port_1 | Addr1 | RECOVERY | MAX_LEASEQUERY_DELAY | TID | 0 | +--------+-------+----------+----------------------+-----+----------+ Figure 12: BindingentryEntry in BST onLease QueryLeasequery Resulting state: DETECTION - If a second local conflict period is required - or RECOVERY - The SAVI device is querying the assignment and lease time of the address in the entry through DHCPLeasequeryLeasequery. 7.7.2. Event: EVE_DATA_CONFLICT: ARPReply/Neighbor Advertisement(NA) message receivedReply / NA Message Received fromunexpected systemUnexpected System Remove the entry. Resulting state: NO_BIND - No binding has been setupup. 7.7.3. Eventsnot observedNot Observed in DETECTION EVE_DATA_UNMATCH: A data packet without a matched binding is received All EVE_DHCP_* events defined in Section 6.3.2 EVE_DHCP_REBIND: A DHCPv4 Rebind or a DHCPv6 Rebind message is received 7.8. Initial State:stateRECOVERY- The SAVI device is querying the assignment and lease time of the address in the entry through DHCP Leasequery7.8.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or successful LEASEQUERY-REPLY is received Set the State in the BST entry to VERIFY. Depending on the type of triggering source IP address, process the received DHCPlease queryLeasequery response: IPv4 address: Update the Lifetime field in the BST entry to the sum of the value encoded in the IP Address Lease Time option of the DHCPLEASEACTIVE message and MAX_DHCP_RESPONSE_TIME. Record the value of the "chaddr" field (hardware address) in the message for checking against the hardware address received during verification in the next state. Set the Timeouts field to 0. Start the verification process by sending an Address Verification Message (see Section 7.5.3). Transition tostate VERIFY.VERIFY state. Start an additional verification timer with a duration of DETECTION_TIMEOUT. When thisexpiresexpires, an EVE_DATA_EXPIRE event will be generated. IPv6 address: Update the Lifetime field in the BST entry to the sum of the valid lifetime extracted from the OPTION_CLIENT_DATA option in the LEASEQUERY-REPLY message and MAX_DHCP_RESPONSE_TIME. Set the Timeouts field to 0. Start the verification process by sending an Address Verification Message (see Section 7.5.3). Transition tostate VERIFY.VERIFY state. Start an additional verification timer with a duration of DETECTION_TIMEOUT. When thisexpiresexpires, an EVE_DATA_EXPIRE event will be generated. If multiple addresses are received in the LEASEQUERY-REPLY, new BST entries MUST be created for the additional addresses using the same binding anchor. The entries are created withStatestate set to VERIFY and the other fields set as described in this section for the triggering source IP address.AlsoAlso, start the verification process and start verification timers for each additional address. Resulting state: VERIFY -awaitingAwaiting verification or otherwise of the association of the IP address with the connected interface. 7.8.2. Event: EVE_ENTRY_EXPIRE Depending on the value of the Timeouts field in the BST entry, either send repeatlease queryLEASEQUERY messages or discard the binding: If the Timeouts field in the BST entry is 0: No responses to thelease queryLEASEQUERY message(s) sent have been received during the first LEASEQUERY_DELAY period. Set the Lifetime of the BST entry to LEASEQUERY_DELAY. Set the Timeouts field to 1. Restart the recovery of any DHCP lease associated with the source IP address by sending one or morelease queryLEASEQUERY messages (Section7.5.2)).7.5.2). Remain instate RECOVERY.RECOVERY state. If the Timeouts field in the BST entry is 1: No responses to thelease queryLEASEQUERY messages sent during two LEASEQUERY_DELAY periods were received. Assume that no leases exist and hence that the source IP address is bogus. Delete the BST entry. Transition tostate NO_BIND.NO_BIND state. Resulting state: RECOVERY -ifIf repeatlease queriesleasequeries are sent - or NO_BIND -ifIf no successful responses tolease queryLEASEQUERY messages have been received. 7.8.3. Eventsnot observedNot Observed in RECOVERY EVE_DATA_UNMATCH: A data packet without a matched binding is received EVE_DATA_CONFLICT: An ARPReply/Neighbor Advertisement(NA)Reply / NA message is received from an unexpected system EVE_DATA_VERIFY: A valid ARP Reply or NA message is received from the attached device All EVE_DHCP_* events defined in Section 6.3.2 EVE_DATA_EXPIRE: Expiration of the DECTECTION_TIMEOUT 7.9. Initial State:stateVERIFY- Verification of the use of the source IP address by the device interface attached to the SAVI device7.9.1. Event: EVE_DATA_LEASEQUERY: A valid DHCPLEASEACTIVE or successful LEASEQUERY-REPLY is received Iflease queryLEASEQUERY messages were sent to more than one DHCP server during RECOVERY state, additional successfullease queryleasequery responses may be received relating to the source IP address. The conflict resolution mechanisms specified in Section 6.8 of [RFC4388] and Section 4.3.4 of [RFC5007] can be used to determine the message from which values are used to update the BST Lifetime entry and the hardware address obtained from DHCP, as described in Section 7.8.1. In the case of DHCPv6 queries, the LEASEQUERY-REPLY may contain additional addresses as described in Section 7.8.1. Ifsoso, additional BST entries MUST be created or ones previously created updated as described in that section. Resulting state: VERIFY (no change). 7.9.2. Event: EVE_DATA_VERIFY: A valid ARP Reply or NA is received from the device attached via the binding anchor Depending on the type of triggering source IP address, this event may indicate that the device attached via the binding anchor in the BST entry is configured by DHCP using the IP address: IPv4 address: Check that the value of the sender hardware address in the ARP Reply matches the saved "chaddr" field (hardware address) from the previously received DHCPLEASEACTIVE message. If not, ignore this event; a subsequent retry may provide verification. If the hardware addresses match, the binding entry has been verified. IPv6 address: Simple receipt of a valid NA from the triggering source IP address at the binding anchor port provides verification for the binding entry. If the binding entry has been verified, set theStatestate in the BST entry to BOUND. Clear the TID field. Cancel the verification timer. Resulting state: VERIFY (no change) -ifIf the IPv4 DHCPLEASEQUERY "chaddr" address does not match the ARP Reply hardwareaddress - or BOUND - otherwise.address. Otherwise, the resulting state is BOUND. 7.9.3. Event: EVE_ENTRY_EXPIRE The DHCP lease lifetime has expired before the entry could be verified. Remove the entry. Transition to NO_BIND state. Resulting state: NO_BIND - No binding has been setupup. 7.9.4. Event: EVE_DATA_EXPIRE Depending on the value of the Timeouts field in the BST entry, either send a repeat validation message or discard the binding: If the Timeouts field in the BST entry is 0: No response to the verification message sent has been received during the first DETECTION_TIMEOUT period. Set the Timeouts field to 1. Restart the verification process by sending an Address Verification Message (see Section 7.5.3). Start a verification timer with a duration of DETECTION_TIMEOUT. When thisexpiresexpires, an EVE_DATA_EXPIRE event will be generated. Remain instate VERIFY.VERIFY state. If the Timeouts field in the BST entry is 1: No responses to the verification messages sent during two DETECTION_TIMEOUT periods were received. Assume that the configuration of the triggering source IP address cannot be verified and hence that the source IP address is bogus. Delete the BST entry. Transition tostate NO_BIND.NO_BIND state. Resulting state: VERIFY -additionalAdditional verification message sent - or NO_BIND - No binding has been setupup. 7.9.5. Eventsnot observedNot Observed in VERIFY EVE_DATA_UNMATCH: A data packet without a matched binding is received EVE_DATA_CONFLICT: An ARPReply/Neighbor Advertisement(NA)Reply / NA message is received from an unexpected system All EVE_DHCP_* events defined in Section 6.3.2 7.10. Initial State:stateBOUND- The binding has been set upUpon entry to thestate BOUND,BOUND state, control of the system continues as if a DHCP message assigning the address has been observed, as in Section 6.4.3. The BST entry has been restored. Note that the TID field contains no value after the binding state changes to BOUND. The TID field is recovered from snooping DHCP Renew/Rebind messages if these are observed as described in the DHCP Snooping Process. Because TID is used to associate binding entries with messages from DHCP servers, it must berecovered;recovered or else a number of state transitions of this mechanism willbenot be executed normally. 7.11. Table of State Machine The main state transitions are listed as follows. State Event Action Next State --------------------------------------------------------------------- NO_BIND EVE_DATA_UNMATCH Start duplicate detect DETECTION DETECTION EVE_ENTRY_EXPIRE 1 Repeat duplicate detect DETECTION DETECTION EVE_ENTRY_EXPIRE 2 Startlease queryleasequery RECOVERY DETECTION EVE_DATA_CONFLICT Remove entry NO_BIND RECOVERY EVE_ENTRY_EXPIRE 1 Repeatlease queryleasequery RECOVERY RECOVERY EVE_ENTRY_EXPIRE 2 No lease found; remove entry NO_BIND RECOVERY EVE_DATA_LEASEQUERY Set lease time;Startstart verify VERIFY VERIFY EVE_ENTRY_EXPIRE Lease expiry; remove entry NO_BIND VERIFY EVE_DATA_LEASEQUERY Resolve lease conflict(s) VERIFY VERIFY EVE_DATA_VERIFY Finish validation BOUND or NO_BIND VERIFY EVE_DATA_EXPIRE 1 Repeat verify VERIFY VERIFY EVE_DATA_EXPIRE 2 Verify failed; remove entry NO_BIND BOUND EVE_ENTRY_EXPIRE Lease expiry; remove entry NO_BIND BOUND RENEW/REBIND Record TID BOUND Figure 13: State Transition Table +-------------+ EVE_ENTRY_EXPIRE /---------+ |<------------------------\ | | NO_BIND | EVE_DATA_EXPIRE | EVE_DATA_UNMATCH | /----->| |<----\ (2nd VRF_DELAY) | | | +-------------+ | | | | EVE_ENTRY_EXPIRE | | | | (2nd LQ_DELAY) | | EVE_ENTRY_EXPIRE | | | EVE_ENTRY_EXPIRE | (1st DAD_DELAY) | | | (1st LQ_DELAY) | /------\ | | | /--------\ | | | | | EVE_DATA_CONFLICT \---\ | | | | v v | | v | | | +-------------+ EVE_ENTRY_EXPIRE +------------+ | | | | | (2nd DAD_DELAY) | | | | \----+ DETECTION ------------------------>| RECOVERY +--/ | | | | | | +-------------+ (To NO_BIND) +------------+ | ^ | | | EVE_DATA_LEASEQUERY | | /----------\ | | | | | | EVE_ENTRY_EXPIRE | | EVE_DHCP_RENEW| v | v | EVE_DHCP_REBIND| +-------------+ +-------------+ | | | | | +--/ \----+ BOUND |<---------------+ VERIFY | | | EVE_DATA_VERIFY| |<-\ +-------------+ +-------------+ | | | \----------/ EVE_DATA_LEASEQUERY EVE_DATA_EXPIRE (1st VRF_DELAY) Figure 14: Diagram of Transit LQ_DELAY: MAX_LEASEQUERY_DELAY VRF_DELAY: DETECTION_TIMEOUT 8. Filtering Specification This section specifies how to use bindings to filter out packets with spoofed source addresses. Filtering policies are different for data packets and control packets. DHCP, ARP, andNDP (NeighborNeighbor DiscoveryProtocol)Protocol (NDP) [RFC4861] messages are classified as control packets. All other packets are classified as data packets. 8.1. Data Packet Filtering Data packets from attachments with the Validating attribute TRUE MUST have their source addresses validated. There is one exception to this rule. A packet whose source IP address is a link-local address cannot be checked against DHCP assignments, as it is not assigned using DHCP. Note: as explained in Section 1, a SAVI solution for link-local addresses, e.g.,the SAVI-FCFSFCFS SAVI [RFC6620], can be enabled to check packets with a link-local source address. If the source IP address of a packet is not a link-local address, but there is not a matching entry in the BST withstate BOUND,BOUND state, this packet MUST be discarded. However, the packet may trigger the Data Snooping ProcessSection 7(Section 7) if the Data-Snooping attribute is set on the attachment. Data packets from an attachment with the Validating attribute set FALSE will be forwarded without having their source addresses validated. The SAVI device MAY log packets that fail source address validation. 8.2. Control Packet Filtering For attachments with the Validating attribute: DHCPv4Client-ServerClient-to-Server messages in which the source IP address is neither all zeros nor bound with the corresponding binding anchor in the BST MUST be discarded. DHCPv6Client-ServerClient-to-Server messages in which the source IP address is neither a link-local address nor bound with the corresponding binding anchor in the BST MUST be discarded. NDP messages in which the source IP address is neither a link-local address nor bound with the corresponding binding anchor MUST be discarded. NA messages in which the target address is neither a link-local address nor bound with the corresponding binding anchor MUST be discarded. ARP messages in which the protocol is IP and the sender protocol address is neither all zerosaddressnor bound with the corresponding binding anchor MUST be discarded. ARP Reply messages in which the target protocol address is not bound with the corresponding binding anchor MUST be discarded. For attachments with other attributes: DHCP Server-to-Client messages not from attachments with the DHCP- Trust attribute or Trust attribute MUST be discarded. For attachments with no attribute: DHCP Server-to-Client messages from such attachments MUST be discarded. The SAVI device MAY record any messages that are discarded. 9. State Restoration If a SAVI device reboots, the information kept in volatile memory will be lost. This section specifies the restoration of attribute configuration and the BST. 9.1. Attribute Configuration Restoration The loss of attribute configuration will not break the network: no action will be performed on traffic from attachments with no attribute. However, the loss of attribute configuration makes this SAVI function unable to work. To avoid the loss of binding anchor attribute configuration, the configuration MUST be able to be stored in non-volatile storage. After the reboot of the SAVI device, if the configuration of binding anchor attributes is found in non-volatile storage, the configuration MUST be used. 9.2. Binding State Restoration The loss of binding state will cause the SAVI devices to discard legitimate traffic. Simply using the Data Snooping Process to recover a large number of bindings is a heavy overhead and may cause considerable delay. Thus,to recoverrecovering bindings from non-volatile storage, as specified below, is RECOMMENDED. Binding entries MAY be saved into non-volatile storage whenever a new binding entry changes to BOUND state. If a binding with BOUND state is removed, the saved entry MUST be removed correspondingly. The time when each binding entry is established is also saved. If the BST is stored in non-volatile storage, the SAVI device SHOULD restore binding state from the non-volatile storage immediately after reboot. Using the time when each binding entry was saved, the SAVI device should check whether the entry has become obsolete by comparing the saved lifetime and the difference between the current time and time when the binding entry was established. Obsolete entrieswhichthat would have expired before the reboot MUST be removed. 10. Constants The following constants are recommended for use in this context: o MAX_DHCP_RESPONSE_TIME120s(120s): Maximum Solicit timeout value (SOL_MAX_RT from [RFC3315]) o MAX_LEASEQUERY_DELAY10s(10s): Maximum LEASEQUERY timeout value (LQ_MAX_RT from [RFC5007]) o DETECTION_TIMEOUT0.5s(0.5s): Maximum duration of a hardware address verification step in the VERIFY state (TENT_LT from [RFC6620]) oDATA_SNOOPING_INTERVALDATA_SNOOPING_INTERVAL: Minimum interval between two successive EVE_DATA_UNMATCH events triggered by an attachment. Recommended interval: 60s andconfigurable. (recommendation)configurable oOFFLINK_DELAY 30sOFFLINK_DELAY: Period after a client is last detected before the binding anchor is being removed.(recommendation)Recommended delay: 30s 11. Security Considerations 11.1. Security Problemsaboutwith the Data Snooping Process There are two security problemsaboutwith the Data Snooping ProcessSection 7:(Section 7): (1) The Data Snooping Process is costly, but an attacker can trigger it simply through sending a number of data packets. To avoidDenial of Services attackDenial-of-Service attacks against the SAVI device itself, the Data Snooping Process MUST be rate limited. A constant DATA_SNOOPING_INTERVAL is used to control the frequency. Two Data Snooping Processes on one attachment MUST be separated by a minimum interval time of DATA_SNOOPING_INTERVAL. If this value is changed, the value needs to be large enough to minimizedenial of serviceDoS attacks. (2) The Data Snooping Process may set up incorrect bindings if the clients do not reply to the detection probesSection 7.6.1.(Section 7.6.1). An attack will pass the duplicate detection if the client assigned the target address does not reply to the detection probes. The DHCPLease queryLeasequery procedure performed by the SAVI device just tells whether or not the address is assigned in thenetwork or not.network. However, the SAVI device cannot determine whether the address is just assigned to the triggering attachment from theDHCP LEASEQUERYDHCPLEASEQUERY Reply. 11.2. SecuringLease QueryLeasequery Operations In [RFC4388] and[RFC5007][RFC5007], the specific case of DHCPlease queriesLeasequeries originated by "access concentrators" is addressed extensively. SAVI devices are very similar to access concentrators in that they snoop on DHCP traffic and seek to validate source addresses based on the results.AccordinglyAccordingly, the recommendations for securinglease queryleasequery operations for access concentrators in Section 7 of [RFC4388] and Section 5 of [RFC5007] MUST be followed whenlease queriesleasequeries are made from SAVI devices. [RFC5007] RECOMMENDS that communications between the querier and the DHCP server are protected with IPsec. It is pointed out that there are relatively few devices involved in a given administrative domain (SAVI devices, DHCPrelaysrelays, and DHCP servers) so that manual configuration of keying material would not be overly burdensome. 11.3. Clientdeparture issuesDeparture Issues After a binding is set up, the corresponding client may leave its attachment point. It may depart temporarily due to signalfade,fade or permanently by moving to a new attachment point or leaving the network. In the signal fade case, since the client may return shortly, the binding should be kept momentarily, lest legitimate traffic from the client be blocked. However, if the client leaves permanently, keeping the binding can be a security issue. If the binding anchor is a property of the attachment point rather than the client, e.g., the switch port but not incorporating the MACAddress,address, an attacker using the same binding anchor can send packets using IP addresses assigned to the client. Even if the binding anchor is a property of the client, retaining binding state for a departed client for a long time is a waste of resources. Whenever a direct client departs from the network, a link-down event associated with the binding anchor will be triggered. SAVI-DHCP monitors suchevents,events and performs the following mechanism. (1) Whenever a client with the Validating attribute leaves, a timer of duration OFFLINK_DELAY is set on the corresponding binding entries. (2) If a DAD NeighborSolicitation/GratuitousSolicitation / Gratuitous ARP request is received that targets the address during OFFLINK_DELAY, the entry MAY be removed. (3) If the client returns on-link during OFFLINK_DELAY, cancel the timer. In this way, the bindings of a departing client are kept for OFFLINK_DELAY. Incasecases of link flapping, the client will not be blocked. If the client leaves permanently, the bindings will be removed after OFFLINK_DELAY. SAVI-DHCP does not handle the departure of indirectclients,clients because it will not be notified of such events. Switches supporting indirect attachment (e.g., through a separate non-SAVI switch) SHOULD use information specific to the client such as its MAC address as part of the binding anchor. 11.4. Compatibility withDNA (DetectingDetecting NetworkAttachment)Attachment (DNA) DNA[RFC4436][RFC6059][RFC4436] [RFC6059] is designed to decrease the handover latency afterre-attachmentreattachment to the same network. DNA mainly relies on performing a reachability test by sending unicast NeighborSolicitation/Router Solicitation/ARPSolicitation / Router Solicitation / ARP Requestmessagemessages to determine whether a previously configured address is still valid. Although DNA provides optimization for clients, there is insufficient information for this mechanism to migrate the previous binding or establish a new binding. If a binding is set up only by snooping the reachability test message, the binding may be invalid. For example, an attacker can perform the reachability test with an address bound to another client. If a binding is migrated to the attacker, the attacker can successfully obtain the binding from the victim. Because this mechanism wouldn't set up a binding based on snooping the DNA procedure, it cannot achieve perfect compatibility with DNA. However, it only means there-configurationreconfiguration of the interface is slowed but not prevented. Details are discussed as follows. In Simple DNAv6 [RFC6059], the probe is sent with the source address set to a link-local address, and such messages will not be discarded by the policy specified in Section 8.2. If a client isre-attachedreattached to a previous network, the detection will be completed, and the address will be regarded as valid by the client. However, the candidate address is not contained in the probe. Thus, the binding cannot be recovered through snooping the probe. As the client will perform DHCP exchange at the same time, the binding will be recovered from the DHCP Snooping Process. The DHCP Request messages will not be filtered out in this case because they have link-local source addresses. Before the DHCP procedure is completed, packets will be filtered out by the SAVI device. In other words, if this SAVI function is enabled, Simple DNAv6 will not help reduce the handover latency. If the Data-Snooping attribute is configured on the new attachment of the client, thedata triggereddata-triggered procedure may reduce latency. In DNAv4 [RFC4436], the ARPprobeProbe will be discarded because an unbound address is used as the sender protocol address. As a result, the client will regard the address under detectionisas valid. However, the data traffic will be filtered. The DHCP Request message sent by the client will not bediscarded,discarded because the source IP address field should be allzerozeros as required by [RFC2131]. Thus, if the address is still valid, the binding will be recovered from the DHCP Snooping Process. 11.5. Binding Number Limitation A binding entry will consumeacertain high-speed memory resources. In general, a SAVI device can afford only a quite limited number of binding entries. In order to prevent an attacker from overloading theresourceresources of the SAVI device, a binding entry limit is set on each attachment. The binding entry limit is the maximum number of bindings supported on each attachment with the Validating attribute. No new binding should be set up after the limit has been reached. If a DHCP Reply assigns more addresses than the remaining binding entry quota of each client, the message will be discarded and no binding will be set up. 11.6. Privacy Considerations A SAVI device MUST delete binding anchor information as soon as possible (i.e., as soon as the state for a given address is back to NO_BIND), except where there is an identified reason why that information is likely to be involved in the detection, prevention, or tracing of actualsource addresssource-address spoofing. Information aboutthe majority ofhosts that never spoof (probably the majority of hosts) SHOULD NOT be logged. 11.7. Fragmented DHCP Messages This specification does not preclude reassembly of fragmented DHCP messages, but it also does not require it. If DHCP fragmentation proves to be an issue,thatthe issue will need to bespecified. 12. IANA Considerations This memo asks the IANA for no new parameters. 13. Acknowledgment Special thanks to Jean-Michel Combes, Christian Vogt, Joel M. Halpern, Eric Levy-Abegnoli, Marcelo Bagnulo Braun, Jari Arkko, Elwyn Davies, Barry Leiba, Ted Lemon, Leaf Yeh, Ralph Droms and Alberto Garcia for careful review and valuation comments on the mechanism and text. Thanks to Mark Williams, Erik Nordmark, Mikael Abrahamsson, David Harrington, Pekka Savola, Xing Li, Lixia Zhang, Bingyang Liu, Duanqi Zhou, Robert Raszuk, Greg Daley, John Kaippallimalilspecified andTao Lin for their valuable contributions. This document was generated usingaddressed. (This topic is beyond thexml2rfc tool. 14.scope of this document.) 12. References14.1.12.1. Normative References [RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Orconverting network protocol addressesConverting Network Protocol Addresses to 48.bit EthernetaddressAddress fortransmissionTransmission on Ethernethardware",Hardware", STD 37, RFC 826, DOI 10.17487/RFC0826, November1982.1982, <http://www.rfc-editor.org/info/rfc826>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ RFC2119, March1997.1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, DOI 10.17487/RFC2131, March1997.1997, <http://www.rfc-editor.org/info/rfc2131>. [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July2003.2003, <http://www.rfc-editor.org/info/rfc3315>. [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration Protocol (DHCP) Leasequery", RFC 4388, DOI 10.17487/ RFC4388, February2006.2006, <http://www.rfc-editor.org/info/rfc4388>. [RFC4436] Aboba, B., Carlson, J., and S. Cheshire, "Detecting Network Attachment in IPv4 (DNAv4)", RFC 4436, DOI 10.17487/RFC4436, March2006.2006, <http://www.rfc-editor.org/info/rfc4436>. [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, September2007.2007, <http://www.rfc-editor.org/info/rfc4861>. [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 Leasequery", RFC 5007, DOI 10.17487/RFC5007, September2007.2007, <http://www.rfc-editor.org/info/rfc5007>. [RFC5227] Cheshire, S., "IPv4 Address Conflict Detection", RFC 5227, DOI 10.17487/RFC5227, July2008.2008, <http://www.rfc-editor.org/info/rfc5227>. [RFC6059] Krishnan, S. and G. Daley, "Simple Procedures for Detecting Network Attachment in IPv6", RFC 6059, DOI 10.17487/RFC6059, November2010.2010, <http://www.rfc-editor.org/info/rfc6059>. [RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS SAVI: First-Come, First-Served Source Address Validation Improvement for Locally Assigned IPv6 Addresses", RFC 6620, DOI 10.17487/RFC6620, May2012. 14.2.2012, <http://www.rfc-editor.org/info/rfc6620>. 12.2. Informative References[I-D.ietf-opsec-dhcpv6-shield][DHCPv6-SHIELD] Gont, F.,Will,Liu, W., and G. Van de Velde, "DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers",draft-ietf- opsec-dhcpv6-shield-05 (workWork inprogress), JanuaryProgress, draft-ietf-opsec-dhcpv6-shield-06, February 2015. [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May2000.2000, <http://www.rfc-editor.org/info/rfc2827>. [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6", RFC 3736, DOI 10.17487/RFC3736, April2004.2004, <http://www.rfc-editor.org/info/rfc3736>. [RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed., "Source Address Validation Improvement (SAVI) Framework", RFC 7039, DOI 10.17487/RFC7039, October2013.2013, <http://www.rfc-editor.org/info/rfc7039>. [RFC7341] Sun, Q., Cui, Y., Siodelski, M., Krishnan, S., and I. Farrer, "DHCPv4-over-DHCPv6 (DHCP 4o6) Transport", RFC 7341, DOI 10.17487/RFC7341, August2014.2014, <http://www.rfc-editor.org/info/rfc7341>. Acknowledgments Special thanks to Jean-Michel Combes, Christian Vogt, Joel M. Halpern, Eric Levy-Abegnoli, Marcelo Bagnulo Braun, Jari Arkko, Elwyn Davies, Barry Leiba, Ted Lemon, Leaf Yeh, Ralph Droms, and Alberto Garcia for careful review and evaluation comments on the mechanism and text. Thanks to Mark Williams, Erik Nordmark, Mikael Abrahamsson, David Harrington, Pekka Savola, Xing Li, Lixia Zhang, Bingyang Liu, Duanqi Zhou, Robert Raszuk, Greg Daley, John Kaippallimalil, and Tao Lin for their valuable contributions. Authors' Addresses Jun BiTsinghua UniversityNetwork Research Center, Tsinghua University Beijing 100084 China EMail: junbi@tsinghua.edu.cn Jianping WuTsinghua UniversityDept. of Computer Science, Tsinghua University Beijing 100084 China EMail: jianping@cernet.edu.cn Guang YaoTsinghua UniversityNetwork Research Center, Tsinghua University Beijing 100084 China EMail: yaoguang@cernet.edu.cn Fred Baker Cisco Systems Santa Barbara, CA 93117 United States EMail: fred@cisco.com