Internet-Draft | SAVI in a LISP network | November 2024 |
Ramanathan, et al. | Expires 6 May 2025 | [Page] |
This document specifies the procedures for Source Address Validation of LISP Endpoint Identifiers (EID). The implementation of these mechanisms provides endpoint detection, on-boarding and roaming support in LISP networks, while protecting against IP address spoofing.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 May 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The LISP protocol [RFC9300] defines two numbering spaces, Endpoint Identifiers (EIDs) and Routing Locators (RLOCs) supporting an architecture to build network overlays. Mapping EIDs to RLOC-sets is accomplished with a Mapping Database System and the LISP control-plane [RFC9301] specifies procedures to learn and distribute these Mappings. Once EIDs are learned and on-boarded on a LISP network, the LISP architecture is flexible to extend subnets and routing domains with mobility and traffic optimization [I-D.ietf-lisp-eid-mobility].¶
With increased mobility support requirements and when operating LISP networks at scale, it becomes even more important to offer source address verification of EIDs and protect the system and endpoints against spoofing and duplication. This support needs to work across mobility events and routing domains.¶
To this end, Source Address Validation Improvements (SAVI) procedures have been specified to provide a set of mechanisms and state machines to verify Source Address ownership [RFC7039]. A SAVI instance enforces the EIDs to use legitimate IP source address and also verify the source address used in data packet actually belong to the originator of the packet.¶
This document describes the use of SAVI procedures to provide source address protection for IP addresses (both IPv4 and IPv6) in LISP networks. To perform Source Address Validation in a LISP network, the SAVI function is integrated with the LISP xTR. Only those EIDs validated by the SAVI instance will be detected and on-boarded by LISP, thereby protecting the integrity of EIDs distributed in the network. This integrated function does not require changes to the endpoint protocol stack.¶
Source Address Validation Improvement (SAVI) features are embedded into the LISP xTRs referenced as SAVI xTR. The SAVI xTR follows the mechanisms mentioned in [RFC7039] to perform source address validation of IP addresses used as EIDs. A SAVI instance monitors packets exchanged by endpoints and identify which IP source addresses are legitimate. SAVI creates a binding entry where the IP address (the EID) is bound to an immutable binding anchor. The binding entries have a state and lifetime which determines if the IP is valid and for how long. Once the EIDs are validated, they are treated as detected by a LISP xTR, added to the local Mapping Database and registered with the Mapping System.¶
The essential elements in a SAVI LISP deployment include one or more SAVI xTRs which belong to the RLOC space, endpoints which belong to the EID space and a LISP Mapping System which holds the EID to RLOC mappings. SAVI xTRs form a SAVI perimeter separating trusted and untrusted regions of a network. As specified in [RFC6620] and [RFC7513], only validated addresses can inject traffic over the trusted perimeter. This implies only SAVI validated endpoints can join the LISP network.¶
SAVI mainly follows packet exchanges used for address assignment to learn the source IP address of a host. As a consequence, the SAVI specification comes in multiple variants depending on the exchange used for address assignment. [RFC7513], describes a mechanism that provides Source Address Validation Improvements (SAVI) for addresses assigned by DHCPv6 or DHCPv4 server. [RFC6620] is another specification based on First Come First Serve (FCFS) principle, applicable to any IPv6 address including those assigned through IPv6 Neighbor Discovery and Stateless Address Autoconfiguration (SLAAC). While [RFC6620], does not explicitly mention IPv4, a very similar approach can be applied to IPv4 addresses when using ARP packets to learn and track a source address.¶
Following the above SAVI specifications, IP address can be validated by the SAVI instance on the SAVI xTR, and on-boarded as EIDs in the LISP network.¶
The SAVI instance creates a binding between the IP address and a binding anchor. As discussed in [RFC7039], a binding anchor is a physical or link layer property of an attached device. In SAVI LISP deployments, the Media Access Control (MAC) address is used as the binding anchor.¶
As a result, in a SAVI LISP environment, the IP address used as an EID is bound to a binding anchor which is the MAC address of the endpoint. This is referred as the binding entry present in the SAVI database.¶
Following [RFC6620], every binding goes through multiple states before it reaches the "VALID" state. The binding entry in state "NO_BIND" or "TENTATIVE" are considered not validated by SAVI yet. When an IP is in one of these states, SAVI xTR does not detect it as an EID. An IP binding entry to moves to state VALID is on-boarded as an EID LISP Mapping Database.¶
If the binding entry moves from VALID state to the "TESTING_TP_LT" state, it remains as a detected EID in the LISP Mapping Database, while the state gets resolved. If the resolution leads the IP to NO_BIND state, the EID is removed from the LISP Mapping Database. On the contrary, if the TESTING_TP_LT state resolves to VALID state, the EID remains in the LISP Mapping Database.¶
A similar mechanism applies when using a DHCP based SAVI instance. In this case instead of "VALID", the host has to reach the "BOUND" state to be considered validated and on-boarded as an EID in the LISP Mapping Database.¶
For completeness, note also that during the IP validation process, the ARP Address Conflict Detection (ARP ACD) is used for an IPv4 address and the Duplicate Address Detection Neighbor Solicitation (DAD NS) message is used for IPv6 address.¶
This section describes the endpoint discovery process in a SAVI xTR. The packet flow diagram in Figure 2 illustrates the sequence to validate and on-board the IP address of Host1 (IP1 in the figure) as an EID on the LISP network. Host1 uses MAC1 as its MAC address.¶
After host discovery, the SAVI binding entry is in VALID state and has a lifetime DEFAULT_LT. When the timer expires, the SAVI will probe the host to check for reachability. At any time, if Host1 leaves the network the reachability check fails and the binding entry will be removed from the database. Same applies if the binding entry is cleared for any reason.¶
The next sections discuss the case when the EID is already present in the LISP Mapping Database, and the Map-Resolution process initiated by the SAVI xTR resolves with a complete Mapping. In this case, there are two possible cases: the endpoint roamed to a new location or there is an attempt to spoof the IP address.¶
In instances where the LISP Network does no support silent EIDs and ARP/ND flooding suppression is possible, the onboarding of new EID can be sped up and optimized by suppressing the ACD/DAD packet broadcasted to all SAVI xTRs. In this case the Mapping System replies to the Map-Request with a Negative Map-Reply and Action Drop. This tells the SAVI xTR that the flooding of ACD/DAD is not required and it can proceed to onboard the EID.¶
Every IP address validated with SAVI is on-boarded in the LISP Database Mapping, at the xTR, and registered with the LISP Mapping System. At any point of time, the LISP Mapping System will have a registration for every IP validated in the SAVI LISP Network. To complete the interaction between SAVI and LISP, this section considers the behavior of the system when:¶
The packet flow in Figure 3 illustrates an example where a host (host1) initially connected to SAVI xTR1 roams to SAVI xTR2. The SAVI xTRs gather information from the LISP Mapping System to coordinate the old and new SAVI agents and support the roaming function. In this case the sequence works as follows:¶
Alternatively, the packet flow in Figure 4 illustrates an example sequence where a misbehaving EID attempts to spoof IP1. The SAVI xTR gathers information from the LISP Mapping System to learn that IP1 is already assigned to another EID and blocks the spoofed IP address. The SAVI-LISP sequence to block spoofed addresses proceeds as follows:¶
This section describes a scenario where there is need for fast detection. The EID is on-boarded before considered valid by SAVI and the validation is done after on-boarding. The following example describes the sequence for fast detection in a SAVI-LISP environment.¶
The LISP control-plane offers the flexibility to support multiple overlay flavours. In particular [I-D.ietf-lisp-eid-mobility] describes mechanisms to support unified L2 and L3 overlays with mobility support. This section describes implementations options of the SAVI LISP function when different L2 and L3 EID mobility options are used.¶
In this case, intrasubnet traffic is encapsulated using the L2 overlay. EID detection and mobility with SAVI follows the mechanisms described in Section 3 When a SAVI xTR attempts to discover the location of an IP address and run the ARP ACD/DAD NS exchange, it uses the MAC location. The SAVI xTR resolves the location of the IP using an iterative Map-Resolution process (as described in [I-D.ietf-lisp-eid-mobility]):¶
This model is a co-existence of both L2 and L3 overlay and follows the same interative sequence as the L2-only overlay described above.¶
In this case both intrasubnet and inter-subnet traffic are forwarded using the L3 overlay. IP detection and on-boarding using SAVI follows the sequence described in this document. In this case, the SAVI xTR resolves the candidate location of the IP endpoint using by resolving the IP-RLOC Mapping directly. The SAVI ARP ACD/DAD NS exchange is done using the RLOC resolved through IP Map-Resolution.¶