Re: [savi] WGLC: draft-ietf-savi-framework-02
"Jun Bi" <junbi@tsinghua.edu.cn> Fri, 04 March 2011 15:22 UTC
Return-Path: <junbi@tsinghua.edu.cn>
X-Original-To: savi@core3.amsl.com
Delivered-To: savi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AEB173A69E2 for <savi@core3.amsl.com>; Fri, 4 Mar 2011 07:22:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.103
X-Spam-Level:
X-Spam-Status: No, score=-101.103 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, DNS_FROM_RFC_DSN=1.495, STOX_REPLY_TYPE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XIM9rIR8LAsd for <savi@core3.amsl.com>; Fri, 4 Mar 2011 07:22:58 -0800 (PST)
Received: from smtp.tsinghua.edu.cn (smtp.tsinghua.edu.cn [166.111.8.80]) by core3.amsl.com (Postfix) with ESMTP id C3E163A69DA for <savi@ietf.org>; Fri, 4 Mar 2011 07:22:57 -0800 (PST)
Received: from th024090.ip.tsinghua.edu.cn ([59.66.24.90] helo=junbiVAIOz138) by smtp.tsinghua.edu.cn with esmtpa (Exim 4.69) (envelope-from <junbi@tsinghua.edu.cn>) id 1PvWrL-0007Ju-2n; Fri, 04 Mar 2011 23:24:03 +0800
Message-ID: <FCB94681A856465F86F919ABB69866A5@junbiVAIOz138>
From: Jun Bi <junbi@tsinghua.edu.cn>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>, SAVI Mailing List <savi@ietf.org>
References: <AANLkTi=OXeHzUb_DAxh2+jTuJPysLt5Qei+mAJb_x6UV@mail.gmail.com><AANLkTim=zsNG6_DR_m_u0sz5ySC75bGKwbyytXwzZsaE@mail.gmail.com> <AANLkTikowzH7mEfRJbaDLyfYp=_VTj2fPTJH_pKyTwvV@mail.gmail.com>
In-Reply-To: <AANLkTikowzH7mEfRJbaDLyfYp=_VTj2fPTJH_pKyTwvV@mail.gmail.com>
Date: Fri, 04 Mar 2011 23:24:04 +0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3502.922
X-MIMEOLE: Produced By Microsoft MimeOLE V15.4.3502.922
Cc: Christian Vogt <christian.vogt@ericsson.com>
Subject: Re: [savi] WGLC: draft-ietf-savi-framework-02
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2011 15:22:59 -0000
A new version will be delivered soon by taking comments in WGLC. thanks, Jun -----原始邮件----- From: Jean-Michel Combes Sent: Monday, February 28, 2011 10:13 PM To: SAVI Mailing List Cc: Christian Vogt Subject: Re: [savi] WGLC: draft-ietf-savi-framework-02 <WG chair hat off> Please find my review of this draft below (my comments are mostly minor/editorial ones): Source Address Validation Improvement Framework draft-ietf-savi-framework-02 Abstract The Source Address Validation Improvement method was developed to complement ingress filtering with finer-grained, standardized IP source address validation. This document describes and motivates the design of the SAVI method. [snip] 1. Introduction Since IP source addresses are used by hosts and network entities to determine the origin of a packet and as a destination for return data, spoofing of IP source addresses can enable impersonation, concealment, and malicious traffic redirection. Unfortunately, the Internet architecture does not prevent IP source address spoofing. <JMC> Maybe, add a reference to the treats doc [draft-ietf-savi-threat-scope] at the end of the sentence. <JMC> Since the IP source address of a packet generally takes no role in forwarding the packet, it can be selected arbitrarily by the sending host without jeopardizing packet delivery. Extra methods are necessary for IP source address validation, to augment packet forwarding with an explicit check of whether a given packet's IP source address is legitimate. IP source address validation can happen at different granularity: Ingress filtering [BCP38], a widely deployed standard for IP source address validation, functions at the coarse granularity of networks. It verifies that the prefix of an IP source address routes to the network from which the packet was received. An advantage of ingress filtering is simplicity: The decision of whether to accept or to <JMC> s/"is simplicity: The decision of"/"is simplicity: the decision of" <JMC> reject an IP source address can be made solely based on the information available from routing protocols. However, the <JMC> "information available from routing protocols": maybe add a reference to RFC3704 <JMC> simplicity comes at the cost of not being able to validate IP source addresses at a finer granularity, due to the aggregated nature of the information available from routing protocols. Finer-grained IP source address validation would be helpful to enable IP-source- address-based authentication, authorization, and host localization, as well as to efficiently identify misbehaving hosts. Partial solutions [BA2007] exist for finer-grained IP source address validation, but are proprietary and hence often unsuitable for corporate procurement. [snip] 3.1. IP Address Assignment Methods Since the SAVI method traces IP address assignment packets, it necessarily needs to incorporate logic that is specific to particular IP address assignment methods. However, developing SAVI method variants for each IP address assignment method is alone not sufficient, since multiple IP address assignment methods may co-exist on a given link. The SAVI method hence comes in multiple variants: for links with Stateless Address Autoconfiguration, for links with DHCP, for links with Secure Neighbor Discovery, and for links that use any combination of IP address assignment methods. <JMC> Maybe add a reference for each IP address assignment method. Maybe, even if this is out of scope from the WG charter, add IKEv2 [RFC5996][RFC5739] as IP address assignment method. I have especially in mind Mobile Node's Home Address assignment based on IKEv2 [RFC5026]. <JMC> The reason to develop SAVI method variants for each single IP address configuration method, in addition to the variant that handles all IP address assignment methods, is to minimize the complexity of the common case: Many link deployments today either are constrained to a <JMC> s/"common case: Many link deployments"/"common case: many link deployments" <JMC> single IP address assignment methods or, equivalently from the perspective of the SAVI method, separate IP address assignment methods into different IP address prefixes. The SAVI method for such links can be simpler than the SAVI method for links with multiple IP address assignment methods per IP address prefix. [snip] 4. Scalability Optimizations The preference to locate a SAVI instance close to hosts implies that multiple SAVI instances must be able to co-exist in order to support large links. Although the model of the SAVI method is independent of the number of SAVI instances per link, co-existence of multiple SAVI instances without further measures can lead to higher-than-necessary memory requirements: Since a SAVI instance creates bindings for the <JMC> s/"memory requirements: Since a SAVI instance creates"/"memory requirements: since a SAVI instance creates" <JMC> IP source addresses of all hosts on a link, bindings are replicated if multiple SAVI instances co-exist on the link. High memory requirements, in turn, increase the cost of a SAVI instance. This is problematic in particular for SAVI instances that are located on a switch, since it may significantly increase the cost of such a switch. [snip] In the example of figure Figure 1, the protection perimeter encompasses one of the legacy switches, located in the middle of the depicted link topology. This enables a single, unpartitioned protection perimeter. A single protection perimeter minimizes memory requirements for the SAVI instances because every binding is kept only once, namely, by the SAVI instance that attaches to the host being validated. Excluding the legacy switch from the protection perimeter would result in two smaller protection perimeters to the left and to the right of the depicted link topology. The memory requirements for the SAVI instances would then be higher: Since IP <JMC> s/"then be higher: Since IP"/"then be higher: since IP" <JMC> source address validation would be activated on the two ports connecting to the legacy switch, the SAVI instances adjacent to the legacy switch would replicate all bindings from the respectively other protection perimeter. The reason why it is possible to include the legacy switch in the protection perimeter is because the depicted link topology guarantees that packets cannot enter the protection perimeter via this legacy switch. Without this guarantee, the legacy switch would have to be excluded from the protection perimeter in order to ensure that packets entering the protection perimeter undergo IP source address validation. 5. Reliability Optimizations [snip] To limit the disruption that missing bindings for legitimate IP addresses can have, the SAVI method includes a mechanism for reactive binding creation based on regular packets. This mechanism supplements the proactive binding creation based on IP address configuration packets. Reactive binding creation occurs when a SAVI instances recognizes excessive drops of regular packets originating from the same IP address. The SAVI instance then verifies whether said IP address is unique on the link. How the verification is carried out depends on the IP address configuration method that the SAVI instance supports: The SAVI method variant for Stateless <JMC> s/"SAVI instance supports: The SAVI method variant"/"SAVI instance supports. The SAVI method variant" <JMC> Address Autoconfiguration and for Secure Neighbor Discovery verifies an IP address through the Duplicate Address Detection procedure. The SAVI method variant for DHCP verifies an IP address through a DHCP Lease Query message exchange with the DHCP server. If verification indicates that the IP address is unique on the link, the SAVI instance creates a binding for the IP address. Otherwise, no binding is created, and packets sent from the IP address continue to be dropped. 6. Mix Scenario While multiple assignment methods can be used on the same link, the SAVI device may have to deal with a mix of binding discovery methods. if the address prefix used for each assignment method is different, <JMC> s/"if the address prefix used for each assignment method"/"If the address prefix used for each assignment method" <JMC> mix scenario can handle the same as scenario with only one assignment method. If different address assignment methods are used to assign addresses from the same prefix, additional considerations are needed because one binding mechanism may create a binding violating an existing binding from another binding mechanism, e.g., binding from SAVI-FCFS may violate binding from SAVI-DHCP. Thus, the collision <JMC> Maybe, add references for SAVI-FCFS and SAVI-DHCP. <JMC> between different SAVI mechanisms in mix scenario must be handled in case more than one address assignment method is used to assign addresses from the same prefix. [snip] <JMC> A Security Considerations section is missing. An IANA Considerations section is missing too. <JMC> [snip] 8. References <JMC> The References section must be split into an Informative References section and a Normative References section. <JMC> [BA2007] Baker, F., "Cisco IP Version 4 Source Guard", IETF Internet draft (work in progress), November 2007. [BCP38] Paul, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2827, BCP 38, May 2000. [snip] Best regards. JMC. 2011/2/25 Jean-Michel Combes <jeanmichel.combes@gmail.com>: > Folks, > > only 4 days before the end of this WGLC and no feedback for the moment ... > > This document is important for the WG: > - all solutions will have to be compliant with it > - without feedback, it will be impossible to move forward it (i.e. AD > review, IESG review) > - the consequence is that it will be impossible to move forward the > solutions specs > > So, please, review it (it's a short document, only 12 pages) and send > your opinion on the ML. > > Thanks. > > Christian & Jean-Michel. > > > > 2011/2/16 Jean-Michel Combes <jeanmichel.combes@gmail.com>: >> Folks, >> >> This is a 2 weeks working group last call for the "Source Address >> Validation Improvement Framework" document. >> Please, don't hesitate to review the draft and to say whether you are >> in favor advancing the draft or not. >> >> Thanks. >> >> Christian & Jean-Michel. >> > _______________________________________________ savi mailing list savi@ietf.org https://www.ietf.org/mailman/listinfo/savi
- [savi] WGLC: draft-ietf-savi-framework-02 Jean-Michel Combes
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Jean-Michel Combes
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Frank Xia
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Mikael Abrahamsson
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Jean-Michel Combes
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Jun Bi
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Jun Bi
- Re: [savi] WGLC: draft-ietf-savi-framework-02 Jun Bi