Re: [savi] SAVI device configuration with prefixes
"Bi Jun" <junbi@cernet.edu.cn> Sat, 26 June 2010 05:53 UTC
Return-Path: <junbi@cernet.edu.cn>
X-Original-To: savi@core3.amsl.com
Delivered-To: savi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4DA263A68A3 for <savi@core3.amsl.com>; Fri, 25 Jun 2010 22:53:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.027
X-Spam-Level: ***
X-Spam-Status: No, score=3.027 tagged_above=-999 required=5 tests=[AWL=0.330, BAYES_50=0.001, FH_HAS_XAIMC=2.696, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ityq7qvVJpVW for <savi@core3.amsl.com>; Fri, 25 Jun 2010 22:53:27 -0700 (PDT)
Received: from cernet.edu.cn (sea.net.edu.cn [202.112.3.66]) by core3.amsl.com (Postfix) with SMTP id 0B8083A63EC for <savi@ietf.org>; Fri, 25 Jun 2010 22:51:42 -0700 (PDT)
Received: from junbiVAIO([59.66.53.201]) by cernet.edu.cn(AIMC 3.2.0.0) with SMTP id jm54c25fe37; Sat, 26 Jun 2010 13:50:30 +0800
Message-ID: <FE83A3A42CB647058544601ACDB54F7D@junbiVAIO>
From: Bi Jun <junbi@cernet.edu.cn>
To: Christian Vogt <christian.vogt@ericsson.com>, Jean-Michel Combes <jeanmichel.combes@gmail.com>
References: <72A1E2E8E52C40AF860C5C5E0CE4B601@junbiVAIO><07063373-3E7F-4F9E-9EA1-705150ED343B@ericsson.com><4c203ba6.8c43e70a.1f23.ffffef7a@mx.google.com><4C2042DB.2070707@joelhalpern.com><4c205f6d.0953e70a.3884.fffffde8@mx.google.com><DF9F6FDD-3D52-418A-9291-7B3FEE35AC06@ericsson.com><4c244571.17bb720a.2641.0b4e@mx.google.com><AANLkTikzS_DMRzAHSXTcmMM9FS3-4lMxsK8b2lh-D2gd@mail.gmail.com> <E6B7F8EB-E1B4-4FE5-81BB-6E01B5EA4F40@ericsson.com>
In-Reply-To: <E6B7F8EB-E1B4-4FE5-81BB-6E01B5EA4F40@ericsson.com>
Date: Sat, 26 Jun 2010 13:41:26 +0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8064.206
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8064.206
X-AIMC-AUTH: junbi
X-AIMC-MAILFROM: junbi@cernet.edu.cn
X-AIMC-Msg-ID: p8eRY2YB
Cc: Lin Tao <lint@h3c.com>, Guang Yao <yaoguang.china@gmail.com>, SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] SAVI device configuration with prefixes
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jun 2010 05:54:20 -0000
-------------------------------------------------- From: "Christian Vogt" <christian.vogt@ericsson.com> Sent: Saturday, June 26, 2010 1:43 AM To: "Jean-Michel Combes" <jeanmichel.combes@gmail.com> Cc: "Lin Tao" <lint@h3c.com>; "Guang Yao" <yaoguang.china@gmail.com>; "SAVI Mailing List" <savi@ietf.org> Subject: Re: [savi] SAVI device configuration with prefixes > Jean-Michel, > > two comments: > > - You are right that the SAVI For SLAAC document already includes the > notion of a prefix table, but it currently does not tell how this > table gets populated. The assumption is manual configuration, of > course. But either this should be mentioned explicitly, or we > should add a mechanism for automatic prefix table population based > on Router Advertisement messages. Of these two options, I am > personally in favor of the latter, because it reduces configuration > complexity and, hence, the risk for configuration errors. > > - If the working group adopts automatic prefix table population based on > Router Advertisement messages, then this mechanism would indeed have > to be protected against spoofing. One, in my opinion feasible, way > to do this is by configuring SAVI devices with respect to which > ports connect to first-hop routers. This would be a mechanism > analogous to the configuration of SAVI-For-DHCP devices with respect > to which ports connect to DHCP servers. Hi Christian, Please note that the port type "RA-Trust" was already proposed in draft-bi-savi-stateless-00/01. As I reported, this draft had been implemented by vendors joint CNGI-CERNET2 SAVI deployment project. So this "RA-Trust" port was ALREADY implemented by vendors and deployed in CNGI-CERNET2. Tsinghua University just did conformance testing for savi switches from 3Com, ZTE, Ruijie, and Digital China on this function in March and April. Best Regards, Jun Bi 10. Anchor Attributes This section specifies the anchor attributes involved in this mechanism. Anchor is defined in the [savi-framework]. Attribute of each anchor is configurable. In default, anchor has no attribute. An anchor MAY be configured to have one or more compatible attributes. However, an anchor MAY have no attribute. If an anchor has no attribute, in this solution, Router Advertisement message from this anchor MUST be dropped. However, other packets SHOULD NOT be dropped. 10.2. SAVI-RA-Trust Attribute If and only if an anchor is associated with a trustable router, it SHOULD be set to have this attribute. On a SAVI device enabled this solution, there may be no anchor with this attribute. This implies only link-local address is allowed, or prefix validation is not enabled, or only manually configured prefix is allowed. Router Advertisement message not coming from such anchors MUST be dropped. > > Makes sense? > > - Christian > > > > On Jun 25, 2010, Jean-Michel Combes wrote: > >> Hi Guang, >> >>> Actually I agree with these views. It's better to leave the security >>> problem of DHCP to DHCP itself. Any improvement achieved through SAVI is >>> costly. >>> >>> For SLAAC, prefix validation is of obvious necessity. As no other >>> protocols are in charge of bogus prefix on local link, I suggest SAVI to >>> take the responsibility. >> >> This is already the case in FCFS proposal: >> >> 4.1. FCFS SAVI Data structures >> >> [snip] >> >> In addition to this, FCFS SAVI need to know what are the prefixes that >> are directly connected, so it maintains a data structure called the the >> FCFS SAVI prefix list, which contains: o Prefix o Interface where >> prefix is directly connected >> >> [snip] >> >> 4.2.1. Processing of transit traffic >> >> [snip] >> >> o If the data packet is received through a Validating port, then the >> SAVI function checks whether the received data packet is local traffic >> or transit traffic. It does so by verifying if the source address of >> the packet belongs to one of the directly connected prefixes available >> in the receiving interface. It does so by searching the FCFS SAVI >> Prefix List. * If the IP source address does not belong to one of the >> local prefixes of the receiving interface, this means that the dat >> packet is transit traffic and the packet SHOULD be discarded. The FCFS >> SAVI function MAY send an ICMP Destination Unreachable Error back to the >> source address of the data packet. (ICMPv6, code 5 (Source address >> failed ingress/egress policy) should be used). * If the source address >> of the packet does belong to one of the prefixes available in the the >> receiving port, then the SAVI local traffic validation processes is >> executed as described below. >> >>> Learning proper prefix from RA automatically is a practical solution. >> >> Practical but, IMHO, it's dangerous: what does prevent a malicious node >> to poison the Prefix Table? You can use SEND to prevent such a case but >> that would require many exchanges (i.e. cert check) and CPU consumption >> (i.e. signature check). You can also use RA-Guard which needs, IIRC, >> manual configuration and so the SAVI device already knows the allowed >> prefixes. >> >> BTW, if the SAVI device is a router, the SAVI device already knows the >> allowed prefixes as they have been configured to be advertised. >> >> Best regards. >> >> JMC. > > _______________________________________________ > savi mailing list > savi@ietf.org > https://www.ietf.org/mailman/listinfo/savi >
- [savi] Fw: savi-dhcp-03 comments Bi Jun
- Re: [savi] savi-dhcp-03 comments Christian Vogt
- Re: [savi] savi-dhcp-03 comments Jun Bi
- Re: [savi] savi-dhcp-03 comments Guang Yao
- Re: [savi] savi-dhcp-03 comments Joel M. Halpern
- Re: [savi] savi-dhcp-03 comments marcelo bagnulo braun
- Re: [savi] savi-dhcp-03 comments Bi Jun
- Re: [savi] savi-dhcp-03 comments Guang Yao
- Re: [savi] savi-dhcp-03 comments Guang Yao
- Re: [savi] savi-dhcp-03 comments marcelo bagnulo braun
- [savi] SAVI device configuration with prefixes (R… Christian Vogt
- Re: [savi] SAVI device configuration with prefixe… Guang Yao
- Re: [savi] SAVI device configuration with prefixe… Joel M. Halpern
- Re: [savi] SAVI device configuration with prefixes Christian Vogt
- Re: [savi] SAVI device configuration with prefixes Christian Vogt
- Re: [savi] SAVI device configuration with prefixes Joel M. Halpern
- Re: [savi] SAVI device configuration with prefixe… Jean-Michel Combes
- Re: [savi] SAVI device configuration with prefixes Christian Vogt
- Re: [savi] SAVI device configuration with prefixes Christian Vogt
- Re: [savi] SAVI device configuration with prefixes Fred Baker
- Re: [savi] SAVI device configuration with prefixes Fred Baker
- Re: [savi] SAVI device configuration with prefixes Bi Jun
- Re: [savi] Conclusion on SAVI device configuratio… Christian Vogt
- Re: [savi] Conclusion on SAVI device configuratio… Jun Bi