
Source Address Validation Improvement (SAVI) Solution for DHCP (RFC7513)

IP.com Disclosure Number: IPCOM000241775D
Original Publication Date: 2015-May-01
Included in the Prior Art Database: 2015-May-30

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Bi: AUTHOR [+4]

Abstract

This document describes a fine-grained source address validation mechanism for IPv4 and IPv6 packets. This mechanism creates bindings between IP addresses assigned to network interfaces by DHCP and suitable binding anchors (Section 4.3.5). As discussed in Section 3 and [RFC7039], a "binding anchor" is an attribute that is immutable or difficult to change that may be used to identify the system an IP address has been assigned to; common examples include a Media Access Control (MAC) address found on an Ethernet switch port or Wi-Fi security association. The bindings are used to identify and filter packets originated by these interfaces using forged source IP addresses. In this way, this mechanism can prevent hosts from using IP addresses assigned to any other attachment point in the network, or not associated with the network at all. This behavior is referred to as "spoofing" and is key to amplification attacks, in which a set of systems send messages to another set of systems claiming to be from a third set of systems, so that the replies go to systems that do not expect them. Whereas BCP 38 [RFC2827] protects a network from a neighboring network by providing prefix-granularity source IP address validity, this mechanism protects a network, including a Local Area Network, from itself by providing address-granularity source IP validity when DHCP/DHCPv6 is used to assign IPv4/IPv6 addresses. Both provide a certain level of traceability, in that packet drops indicate the presence of a system that is producing packets with spoofed IP addresses.
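As an added illustration (not code from the RFC or its authors), the following models the binding described above: a SAVI device snoops a DHCPv4 REQUEST from a client port, installs a binding only when the matching ACK arrives from a trusted server-facing port, and then forwards data packets only if their source IP is bound to that anchor. Port names, MACs, addresses and lease times are constructed sample values; the anchor is modelled as switch port plus MAC, which is an assumption, not something the RFC mandates.

```python
from dataclasses import dataclass, field
# Binding anchor: switch port plus the MAC seen on it; all values here are constructed samples.
@dataclass(frozen=True)
class Anchor:
    port: str
    mac: str

@dataclass
class SaviDhcpTable:
    trusted_ports: set                            # ports facing DHCP servers
    pending: dict = field(default_factory=dict)   # (mac, xid) -> Anchor
    bindings: dict = field(default_factory=dict)  # (Anchor, ip) -> lease expiry

    def on_dhcp_request(self, anchor, xid):
        # Client-side message: remember who asked so the server's ACK can be matched.
        self.pending[(anchor.mac, xid)] = anchor

    def on_dhcp_ack(self, ingress_port, chaddr, xid, yiaddr, lease_secs, now):
        # Only an ACK from a trusted port, matching an outstanding request, installs a binding.
        if ingress_port not in self.trusted_ports:
            return False
        anchor = self.pending.pop((chaddr, xid), None)
        if anchor is None:
            return False
        self.bindings[(anchor, yiaddr)] = now + lease_secs
        return True

    def validate(self, anchor, src_ip, now):
        # Data-plane check: forward only if src_ip is bound to this anchor and the lease is live.
        expiry = self.bindings.get((anchor, src_ip))
        if expiry is None or now >= expiry:
            self.bindings.pop((anchor, src_ip), None)  # drop a stale entry on the way
            return False
        return True

def run_demo():
    t = SaviDhcpTable(trusted_ports={"ge-0/0/48"})
    host_a = Anchor("ge-0/0/1", "00:11:22:33:44:55")
    host_b = Anchor("ge-0/0/2", "66:77:88:99:aa:bb")
    t.on_dhcp_request(host_a, xid=0x1234)
    t.on_dhcp_ack("ge-0/0/48", host_a.mac, 0x1234, "192.0.2.10", 3600, now=0)
    t.on_dhcp_request(host_b, xid=0x5678)    # host_b's ACK arrives from an untrusted port
    rogue = t.on_dhcp_ack(host_b.port, host_b.mac, 0x5678, "192.0.2.20", 3600, now=0)
    return {"a_own_ip": t.validate(host_a, "192.0.2.10", now=10),
            "b_spoofs_a": t.validate(host_b, "192.0.2.10", now=10),
            "a_spoofs_unassigned": t.validate(host_a, "192.0.2.99", now=10),
            "rogue_ack_installed": rogue,
            "a_after_expiry": t.validate(host_a, "192.0.2.10", now=4000)}
```

Each dropped packet in `validate` is the traceability signal the abstract mentions: it points at the anchor producing spoofed traffic.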

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 2% of the total text.

Internet Engineering Task Force (IETF)                             J. Bi
Request for Comments: 7513                                         J. Wu
Category: Standards Track                                         G. Yao
ISSN: 2070-1721                                           Tsinghua Univ.
                                                                F. Baker
                                                                   Cisco
                                                                May 2015

      Source Address Validation Improvement (SAVI) Solution for DHCP

Abstract

   This document specifies the procedure for creating a binding between a DHCPv4/DHCPv6-assigned IP address and a binding anchor on a Source Address Validation Improvement (SAVI) device.  The bindings set up by this procedure are used to filter packets with forged source IP addresses.  This mechanism complements BCP 38 (RFC 2827) ingress filtering, providing finer-grained source IP address validation.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force (IETF).  It represents the consensus of the IETF community.  It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG).  Further information on Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7513.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Bi, et al.                   Standards Track                    [Page 1]
 RFC 7513                        SAVI DHCP                       May 2015

 Table of Contents

   1.  Introduction  . . . . . ....