Roaming Over SAVI Devices


Roaming Over Savi Device
Tao Lin
IETF 79
Outline
• DHCP/NDP Snooping mechanism
• Switch implementation
• Roaming over switches
• WLAN network
• Roaming over WLAN devices
NDP Snooping mechanism
• Snoop the protocol packets to establish binding entries, without modifying the protocol.
• Based on the address allocation protocol, including packet format, interaction, procedure, etc.
• Filter the subsequent data packets by the binding entry.
Focus on binding entry maintenance.
Switch implementation
Many access switches in one local network.
• Establish every host's binding entry in every switch.
• Or, the uplink port is used to prevent a binding entry for a host directly connected to another switch.
[Figure: Switch A (with PCA) and Switch B (with PCB), each connected through its uplink port to the Aggregation switch]
Roaming over switches
- Problem
• Establish every host's binding entry in every switch.
– The number of binding entries will increase fast as the number of hosts increases.
• The uplink port is used to prevent binding entries for hosts connected to other switches.
– If PCA roams to switch B, a residual binding entry for PCA remains in switch A until it ages out (TimeA). It is vulnerable: someone may exploit it during this time.
– PCB can also imitate PCA to establish the same binding entry in switch B (while it attacks PCA to prevent it from replying with an NA to the DAD NS packet), and then there will be two legal binding entries for the host in two switches.
Roaming over switches
- Possible method
• After PCA has roamed to the new switch, the original switch, when it receives the DAD NS packet from PCA, can send an NS packet to confirm PCA's roaming, including confirming the original position (TimeB) and confirming the new position (TimeC).
[Figure: PCA, having moved from Switch A to Switch B, sends a DAD NS; both switches connect to the Aggregation switch]
Roaming over switches
- Possible method, contd.
Disadvantage
• When confirming the original position, the switch is vulnerable during the waiting time (TimeB).
• When confirming the new position, the original switch must have an IP address to use as the source address of the detecting packet; otherwise the reply packet cannot return.
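The residual-entry problem and the NS-confirmation method from the previous slides, as an added toy model (not code from the draft or its authors): a per-switch binding table filled by snooped DAD NS packets, the uplink-port exemption, aging after a lifetime (TimeA), and the early removal of the stale entry when the original switch's confirmation NS gets no NA. The port names, lifetime and the address 2001:db8::a are constructed for the simulation.

```python
from dataclasses import dataclass
UPLINK = "uplink"  # port facing the aggregation switch

@dataclass
class Binding:
    port: str
    expires: float  # time at which the entry ages out (end of TimeA)

class SaviSwitch:
    """Binding table of one access switch, built from snooped DAD NS packets."""
    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.table = {}  # IPv6 address -> Binding

    def snoop_dad_ns(self, addr, port, now):
        # No entry for a DAD NS seen on the uplink: that host is directly
        # connected to another switch, which holds its binding.
        if port != UPLINK:
            self.table[addr] = Binding(port, now + self.lifetime)

    def permit(self, addr, port, now):
        # Uplink traffic is not filtered; other ports need a live, matching binding.
        if port == UPLINK:
            return True
        b = self.table.get(addr)
        return b is not None and b.port == port and b.expires > now

    def reconfirm(self, addr, host_answered):
        # "Possible method": after seeing the host's DAD NS from the uplink, the
        # original switch sends an NS on the old port; no NA within TimeB means
        # the host really roamed, so the residual entry is dropped early.
        if addr in self.table and not host_answered:
            del self.table[addr]

def simulate_roaming(lifetime=100.0, use_reconfirm=False):
    # PCA binds on switch A port1 at t=0, then roams to switch B port2 at t=10;
    # "2001:db8::a" is a constructed sample address.
    pca = "2001:db8::a"
    sw_a, sw_b = SaviSwitch(lifetime), SaviSwitch(lifetime)
    sw_a.snoop_dad_ns(pca, "port1", now=0.0)
    sw_b.snoop_dad_ns(pca, "port2", now=10.0)   # DAD NS arrives at B on port2
    sw_a.snoop_dad_ns(pca, UPLINK, now=10.0)    # ... and at A via its uplink
    if use_reconfirm:
        sw_a.reconfirm(pca, host_answered=False)
    return {
        "residual_on_a": sw_a.permit(pca, "port1", now=20.0),   # inside TimeA
        "bound_on_b": sw_b.permit(pca, "port2", now=20.0),
        "aged_on_a": sw_a.permit(pca, "port1", now=lifetime + 1.0),
    }
```

Without reconfirmation, traffic using PCA's address on switch A's old port is still permitted at t=20 because the stale entry only disappears once it ages out; with reconfirmation the entry is gone as soon as the NS goes unanswered.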
WLAN network
Roaming over WLAN devices
- Problem
• All packets are forwarded to the AC through the CAPWAP tunnel.
– SAVI should be implemented in the AC.
• There is no interface up/down event in the AC/AP, as there is in a switch, to trigger the roaming host to send a new DAD NS packet.
Roaming over WLAN devices
- Possible method
• Take advantage of the roaming event of the WLAN.
– When the host roams to a new AP, this AP informs the AC, so the AC can learn about the host's roaming event and change the binding entry.
• Disadvantage
– Now there is a new mode in which the AP can forward packets upstream bypassing the AC. In this scenario, the traffic between hosts connected to the same AP and the traffic bypassing the AC cannot be filtered.
Discussions
• The same as IPv4.
• Other scenarios? DHCP snooping?
• Other methods? Add a new option for security?
• ……
Please give your guidance and comments on this work. Thanks!
We hope you will join it!
http://tools.ietf.org/id/draft-lin-savi-roaming-nd-00.txt