SAVI J. Bi, J. Wu, G. Yao Internet Draft CERNET Intended status: Standard Tracks F. Baker Expires: June 2010 Cisco December 17, 2009 SAVI Solution for DHCPv4/v6 draft-ietf-savi-dhcp-00.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, except to publish it as an RFC and to translate it into languages other than English. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on June 17, 2010. Bi Expires June 17, 2010 [Page 1] Internet-Draft savi-dhcp December 2009 Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract This document specifies the procedure for creating bindings between a DHCPv4 [RFC2131]/DHCPv6 [RFC3315] assigned source IP address and an anchor (refer to [SAVI-framework]) on SAVI (Source Address Validation Improvements) device. The bindings can be used to filter packets with forged IP addresses generated on the local link. Table of Contents 1. Introduction ................................................ 3 2. Conventions used in this document............................ 4 3. Mechanism Overview .......................................... 4 4. Background and Related Protocols............................. 4 5. Terminology ................................................. 5 6. Conceptual Data Structures................................... 5 6.1. Binding State Table (BST)............................... 5 6.2. Filtering Table (FT).................................... 5 7. Binding States Description................................... 6 8. DHCP Scenario ............................................... 6 9. Anchor Attributes ........................................... 7 9.1. SAVI-Validation Attribute............................... 7 9.2. SAVI-DHCP-Trust Attribute............................... 7 9.3. SAVI-RA-Trust Attribute................................. 7 9.4. SAVI-SAVI Attribute..................................... 8 10. Prefix Configuration........................................ 8 11. Binding Set Up ............................................. 9 11.1. Process of DHCP Snooping............................... 9 11.1.1. Initialization.................................... 9 11.1.1.1. Trigger Event................................ 9 11.1.1.2. Message Validation........................... 9 11.1.1.3. Following Actions............................ 9 11.1.2. From START to LIVE............................... 10 11.1.2.1. Trigger Event............................... 10 11.1.2.2. Message Validation.......................... 10 Bi Expires June 17, 2010 [Page 2] Internet-Draft savi-dhcp December 2009 11.1.2.3. Following Actions........................... 10 11.1.3. From LIVE to DETECTION........................... 11 11.1.3.2. Message Validation.......................... 11 11.1.3.3. Following Actions........................... 11 11.1.4. From DETECTION to BOUND.......................... 12 11.1.4.1. Trigger Event............................... 12 11.1.4.2. Following Actions........................... 12 11.1.5. After BOUND...................................... 12 11.2. State Machine of DHCP Snooping........................ 13 12. Filtering Specification.................................... 13 12.1. Filter Data Packet.................................... 13 12.2. Filter Control Packet................................. 14 13. Format and Delivery of Probe Messages...................... 14 14. Binding Remove ............................................ 15 15. Handle port DOWN event..................................... 15 16. About Collision in Detection............................... 16 16.1. Whether to notify the DHCP server..................... 16 16.2. The result of detection without host aware............ 16 17. Filtering during detection................................. 16 18. Binding Number Limitation.................................. 16 19. Movement without DHCP Procedure............................ 17 20. MLD Consideration ......................................... 17 21. Constants ................................................. 17 22. Summary of to-be-removed sections and open issues.......... 17 23. Security Considerations.................................... 18 24. IANA Considerations........................................ 18 25. References ................................................ 18 25.1. Normative References.................................. 18 25.2. Informative References................................ 19 26. Acknowledgments ........................................... 19 1. Introduction This document describes the procedure for creating bindings between DHCP assigned addresses and an anchor (refer to [savi-framework]). Other related details about this procedure are also specified in this document. These bindings can be used to filter packets with forged IP addresses. How to use these bindings is specified in [savi-framework], depending on the environment and configuration. The definition and examples of anchor is also specified in [savi-framework]. The binding process is inspired by the work of IP source guard. This specification differs from IP source guard in the specification for collision detection, which is quite useful in an environment with multiple address assignment methods. Bi Expires June 17, 2010 [Page 3] Internet-Draft savi-dhcp December 2009 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Mechanism Overview The mechanism specified in this document is designed to provide a host level source IP address validation granularity, as a supplement to BCP38 [BCP38]. This mechanism is deployed on the access device (including access switch, wireless access point/controller, etc), and performs mainly DHCPv4/v6 snooping to set up bindings between DHCP assigned IP address and corresponding anchors. The bindings can be used to validate the source address in the packets. 4. Background and Related Protocols This mechanism is an instance of a SAVI [savi-framework] solution, specialized for addresses assigned using the DHCP protocol. Dynamic Host Configuration Protocol version 4 [RFC2131] and Dynamic Host Configuration Protocol version 6 [RFC3315] specify the procedures for providing a client with assigned address and other configuration information from a DHCP server. If a client gets an address through the DHCP protocol, the address should be regarded as a potential "authorized" or "registered" address of the client. In IPv6, IPv6 Stateless Autoconfiguration [RFC4862] is used as another address assignment mechanism. A node can use this mechanism to auto-configure an IPv6 address. A DHCPv6 client may use a stateless address to send message to DHCP server. Even in a DHCPv6- only environment, a node must assign its link-local address through this mechanism. [RFC4862] also clearly requires that duplicated address detection must be performed on any IPv6 address, including DHCPv6 address. [RFC4861] specifies the Neighbor Discovery protocol, which is an essential part of IPv6 address assignment. [RFC5227] specifies the procedure to detect IPv4 address collision. It is not required currently. However, this feature is useful to determine the uniqueness of an IPv4 address on the link. Bi Expires June 17, 2010 [Page 4] Internet-Draft savi-dhcp December 2009 5. Terminology The terms used in this document are described in [savi-framework], [RFC2131] and [RFC3315]. 6. Conceptual Data Structures (To be removed and merged with data structures used by other mechanisms in [savi-framework] if possible) This section describes the possible conceptual data structures used in this mechanism. Two main data structures are used to record bindings and their states respectively. There is redundancy between the two structures, for the consideration of separation of data plane and control plane. 6.1. Binding State Table (BST) This table contains the state of binding between source address and anchor. Entries are keyed on the anchor and source IP address. Each entry has a lifetime field recording the remaining lifetime of the entry, a state field recording the state of the binding and a field for recording other information. +---------+----------+-------+-----------+-------+ | Anchor | Address | State | Lifetime |Other | +---------+----------+-------+-----------+-------+ | A | IP_1 | Bound | 65535 | | +---------+----------+-------+-----------+-------+ | A | IP_2 | Bound | 10000 | | +---------+----------+-------+-----------+-------+ | B | IP_3 |_Start | 1 | | +---------+----------+-------+-----------+-------+ Figure 1 Instance of BST 6.2. Filtering Table (FT) This table contains the bindings between anchor and address, keyed on anchor. This table doesn't contain any state of the binding. This table is only used to filter packets. An Access Control List can be regarded as a practical instance of this table. Bi Expires June 17, 2010 [Page 5] Internet-Draft savi-dhcp December 2009 +---------+----------+ |Anchor |Address | +---------+----------+ |A |IP_1 | +---------+----------+ |A |IP_2 | +---------+----------+ Figure 2 Instance of FT 7. Binding States Description This section describes the binding states of this mechanism. START A DHCP request (or a DHCPv6 Confirm) has been received from host, and it may trigger a new binding. LIVE A DHCP address has been acknowledged by a DHCP server. DETECTION A gratuitous ARP or Duplicate Address Detection NSOL has been sent by the host (or the SAVI device). BOUND The address has passed duplicate detection and it is bound with the anchor. 8. DHCP Scenario (This section should be removed and merged with other scenarios in [savi-framework]) This section specifies the deployment scenarios of this mechanism. Bi Expires June 17, 2010 [Page 6] Internet-Draft savi-dhcp December 2009 +--------+ | DHCP | | Server | +-------,+ `. `. `. +----'-----+ | SAVI | | Device | +-/------/-+ | | +----\-+ +\-----+ |DHCP | |Client| |Relay | | | +------+ +------+ Figure 3 DHCP Scenario 9. Anchor Attributes This section specifies the anchor attributes involved in this mechanism. 9.1. SAVI-Validation Attribute (This attribute should be described in the [savi-framework]) If and only if source address validation must be performed on the traffic from an anchor, this anchor can be set to have SAVI- Validation attribute. 9.2. SAVI-DHCP-Trust Attribute If and only if an anchor is associated with a trustable DHCP server/relay, it can be set to have this attribute. If DHCP is used to assign address in the network, there MUST be at least one anchor with this attribute. DHCP Reply message not coming from such ports MUST be dropped. 9.3. SAVI-RA-Trust Attribute (This attribute should be described in the [savi-framework]) If and only if an anchor is associated with a trustable router, it can be set to have this attribute. Bi Expires June 17, 2010 [Page 7] Internet-Draft savi-dhcp December 2009 There MAY be no SAVI-RA-Trust anchor on a SAVI device. Router Advertisement not received from a SAVI-RA-Trust anchor MUST be discarded. 9.4. SAVI-SAVI Attribute (This attribute should be described in the [savi-framework]) If and only if an anchor is associated with another SAVI device, it can be set to have this attribute. This attribute is mutually exclusive with SAVI-Validation. 10. Prefix Configuration (This section should be included in [SAVI-framework] but not this document.) Before setting up a host-level granularity binding table, it is important to configure correct prefixes on the SAVI device. At least two prefix scopes must be set: the IPv4 prefix and IPv6 prefixes. This document suggests set 3 prefix scopes: IPv4 Prefix: The allowed scope of any kind of IPv4 addresses. It can be set manually. IPv6 SLAAC Prefixes: The allowed scope of SLAAC and manually configured IPv6 addresses. It can be set through snooping RA message from port with SAVI-RA-Trust attribute, DHCP-PD or manual configuration. FE80::/64 MUST be set to a feasible prefix. IPv6 DHCPv6 Prefixes: The allowed scope of DHCPv6 addresses. It can be set through RA snooping, DHCP-PD protocol, or manual configuration. If some of the prefix scope is set to have non prefix, it implies corresponding address assignment method is not allowed in the network. There is no need to explicitly present these prefix scopes. But these restrictions MUST be used as premier check in binding set up. Bi Expires June 17, 2010 [Page 8] Internet-Draft savi-dhcp December 2009 Refer to security consideration for other discussions. 11. Binding Set Up This section specifies the procedure of setting up bindings based on control packet snooping. 11.1. Process of DHCP Snooping 11.1.1. Initialization This procedure will not be performed if: 1. Option 82 is used to keep anchor in DHCP Request and Reply, or 2. Unspoofable MAC is used as anchor(802.11i,802.1ae/af), or 3. The mapping table from MAC to anchor is secure. If none of these three requirements are satisfied, this procedure MUST be performed. 11.1.1.1. Trigger Event A DHCPv4/v6 Request or a DHCPv6 Confirm is received with an anchor which has the attribute of SAVI-Validation. 11.1.1.2. Message Validation The SAVI device checks the Request or Confirm as follows: 1. Whether the limitation on binding entry number of this anchor will be exceeded. 11.1.1.3. Following Actions Forward the REQUEST message if binding entry limitation will not be exceeded. Generate an entry in the Binding State Table (BST) and set the state field to START. The lifetime of this entry is set to be MAX_DHCP_RESPONSE_TIME. The Transaction ID (Refer to Section 2 in [RFC2131] and Section 4.2 in [RFC3315]) field of the request packet is also recorded in the entry. Bi Expires June 17, 2010 [Page 9] Internet-Draft savi-dhcp December 2009 +---------+----------+-------+-----------------------+-------+ | Anchor | Address | State | Lifetime |Other | +---------+----------+-------+-----------------------+-------+ | A | | Start |MAX_DHCP_RESPONSE_TIME | TID | +---------+----------+-------+-----------------------+-------+ Figure 4 Binding entry in BST on initialization The TID is kept for assurance that the response from the DHCP server can be delivered to the request host. This is left as an open issue for future discussion. 11.1.2. From START to LIVE 11.1.2.1. Trigger Event A DHCPv4 DHCPACK or DHCPv6 REPLY message is received. 11.1.2.2. Message Validation The SAVI device checks the message as follows: 1. Whether the message is received with an anchor which has the SAVI- DHCP-Trust attribute; 2. Whether the entry in the BST with corresponding TID is in the START state. 11.1.2.3. Following Actions Deliver the message to the destination. Set the state of the corresponding entry to be LIVE. The lifetime of the entry is set to be MAX_ARP_PREPARE_DELAY or MAX_DAD_PREPARE_DELAY respectively. The lease time is also recorded in the entry. +---------+----------+-------+------------------------+-------+ | Anchor | Address | State | Lifetime |Other | +---------+----------+-------+------------------------+-------+ | A | Addr | LIVE |MAX_ARP_PREPARE_DELAY or| Lease | | | | |MAX_DAD_PREPARE_DELAY | Time | +---------+----------+-------+------------------------+-------+ Figure 5 Binding entry in BST on assignment Or set the state of the corresponding entry to be DETECTION, and send an ARP Request or NSOL for the assigned address. Bi Expires June 17, 2010 [Page 10] Internet-Draft savi-dhcp December 2009 +---------+----------+-----------+-----------------+-------+ | Anchor | Address | State | Lifetime |Other | +---------+----------+-----------+-----------------+-------+ | A | Addr | DETECTION |MAX_ARP_DELAY or | Lease | | | | |MAX_DAD_DELAY | Time | +---------+----------+-----------+-----------------+-------+ Figure 6 Binding entry in BST on assignment: another case Insert an entry into the Filtering Table if the assigned address is not bound with another anchor. +---------+----------+ |Anchor |Address | +---------+----------+ |A |Addr | +---------+----------+ Figure 7 Binding entry in FT on assignment 11.1.3. From LIVE to DETECTION (This section should be removed or modified if all the DAD related procedures are to be described in SLAAC document) 11.1.3.1. Trigger Event A gratuitous ARP Request or Duplicate Address Detection Neighbor Solicitation is received from the host. Or a timeout event of an entry with state LIVE occurs. 11.1.3.2. Message Validation The SAVI device checks the message as follows: 1. Whether the Target IP address field of the ARP Request or Neighbor Solicitation has been bound with the corresponding anchor in BST or FT. 11.1.3.3. Following Actions If timeout event of an entry with state LIVE happens, send an ARP Request or a DAD NSOL, with target address set to the recorded address in the entry. Set the state of the entry to be DETECTION. The lifetime of the entry is set to be MAX_ARP_DELAY or MAX_DAD_DELAY respectively. Bi Expires June 17, 2010 [Page 11] Internet-Draft savi-dhcp December 2009 +---------+----------+-----------+-----------------+-------+ | Anchor | Address | State | Lifetime |Other | +---------+----------+-----------+-----------------+-------+ | A | Addr | DETECTION |MAX_ARP_DELAY or| Lease | | | | |MAX_DAD_DELAY | Time | +---------+----------+-----------+-----------------+-------+ Figure 8 Binding entry in BST on detection 11.1.4. From DETECTION to BOUND 11.1.4.1. Trigger Event A timeout event of an entry with state DETECTION occurs or an ARP Response or NA for an address in BST with state DETECTION is received. 11.1.4.2. Following Actions If a timeout event of an entry with state DETECTION occurs, set the state of the entry to be BOUND. The lifetime of the entry is set to be the Lease time acknowledged by DHCP server. +---------+----------+-----------+----------------+-------+ | Anchor | Address | State | Lifetime |Other | +---------+----------+-----------+----------------+-------+ | A | Addr | BOUND | Lease time | | +---------+----------+-----------+----------------+-------+ Figure 9 Binding entry in BST on finalization If an ARP Response or NA for an address in BST with state DETECTION is received, remove the corresponding entry in BST and FT. 11.1.5. After BOUND Whenever a DHCP Decline is received from the host, delete the entry in BST and FT. Whenever a DHCP Release is received from the host, if the state of the entry is BOUND, delete the entry in BST and FT. If a DHCPv4 Acknowledgement or DHCPv6 Reply with Renew/Rebind sign is received from the server, set lifetime of the entry in BST to be the new lease time. If the lifetime of an entry with state BOUND expires, delete the entry in BST and Filter Table. Bi Expires June 17, 2010 [Page 12] Internet-Draft savi-dhcp December 2009 11.2. State Machine of DHCP Snooping State Packet/Event Action Next State -* REQUEST/CONFIRM Set up new entry START START ACK Record lease time LIVE START Timeout Remove entry - LIVE Gra ARP REQ/DAD NS - DETECTION LIVE DECLINE Remove entry - LIVE Timeout Send ARP Req/DAD NS DETECTION DETECTION Timeout - BOUND DETECTION ARP RESPONSE/DAD NA Remove entry - DETECTION DECLINE Remove entry - BOUND RELEASE/DECLINE Remove entry - BOUND Timeout Remove entry - BOUND RENEW/REBOUND Set new lifetime BOUND *: optional. 12. Filtering Specification This section specifies how to use bindings to filter packets. Considering DHCP may coexist with other address assignment methods, e.g., Stateless Auto-configuration, the specification made here is based on the assumption that other SAVI solutions will also use BST and FT to keep bindings and filter packets. 12.1. Filter Data Packet Data packets with an anchor which has attribute SAVI-Validation MUST be checked. If the source of a packet associated with its anchor is in the FT, this packet SHOULD be forwarded; or else the packet MUST be discarded. Bi Expires June 17, 2010 [Page 13] Internet-Draft savi-dhcp December 2009 12.2. Filter Control Packet For anchors with SAVI-Validation attribute: The source address of DHCPv4 Request/Discovery must be set to all zeros. The source address of DHCPv6 Request/Confirm MUST be an address associated with the corresponding anchor in FT. The source address of DHCPv6 Solicit MUST be the link layer address bound with corresponding anchor. The link layer address MAY be bound based on SAVI-SLAAC solution. The source address of IPv6 NS and IPv6 gratuitous ARP MUST pass the check on FT. The source address of DAD NS MUST be unspecified address. The target address and source address in all the Neighbor Advertisement packets and ARP replies MUST also pass the checks on FT. For other anchors: All DHCP Reply/Ack packets MUST be from anchor with the SAVI-DHCP- Trust attribute. 13. Format and Delivery of Probe Messages 1. Duplicate detection on behavior of host; Message Type: DAD NS, Gratuitous ARP Request Format: Link layer source - link layer address of host; Link layer destination - For IPv6, use multicast address specified in [RFC3307]; For IPv4, use broadcast address; IP source - Unspecified address for IPv6; The tentative address for IPv4; IP destination - For IPv6, multicast address specified in section 5.4.2 of [RFC4861]; For IPv4, the tentative address; Delivery: Bi Expires June 17, 2010 [Page 14] Internet-Draft savi-dhcp December 2009 MUST not deliver to the host which the SAVI device is performing DAD on behavior of. 2. Send reply on behavior of host to hold bound address for inactive node; Message Type: NA, ARP Response Link layer source - link layer address of host; Link layer destination - The source address of the detecting node; IP source - The target address in the detection message; IP destination -The source address of the detecting node; 3. Send probe to detect whether an address is still in use (generally in case of port down/up event). Message Type: NUD, ARP Request Link layer source - link layer address of the SAVI device; Link layer destination - The link layer address of the node; IP source - The manage IP address of the SAVI device; IP destination - The address is suspicious to be inactive. 14. Binding Remove If the lifetime of an entry with state BOUND expires, the entry MUST be removed. When the SAVI device receives a DAD NS/Gra ARP request target at an address bound and there is no replies from the anchor, if the anchor is a SAVI-Validation anchor, hold the binding entry through sending NA/ARP Reply, or remove the binding. 15. Handle port DOWN event Whenever a port with attribute SAVI-Validation turns down, the bindings with the anchor MUST be kept for a short time. To handle movement, if receiving DAD NS/Gra ARP request target at the address during the period, remove the entry. Bi Expires June 17, 2010 [Page 15] Internet-Draft savi-dhcp December 2009 If port turns UP during the period, optionally send probes to SAVI- Validation port to make sure the address is still alive; 16. About Collision in Detection The SAVI device may receive a response in detection. Some related details are specified here. 16.1. Whether to notify the DHCP server It is unnecessary for the SAVI device to notify the DHCP server, because the host will send a DECLINE message to it once it finds the advertised address is conflict. 16.2. The result of detection without host aware In case the SAVI device send detection packet instead of the host, the host will not be aware of the detection result. If the detection succeeds, there is no problem. However, if the detection fails, the packets from the host with the assigned address will be filtered out. This result can be regarded as a reasonable punishment for not performing duplicate detection and using a collision address. 17. Filtering during detection In this mechanism, whenever the DHCP server replies an address, this address will be allowed immediately even before duplicate detection is completed. This design is in consideration of a host may start to send packets straightway without detection. Also this design is to be compatible with optimistic DAD [RFC4429]. However, this feature may allow an attacker to send quantities of packets with source addresses already assigned to other nodes. A practical solution for this vulnerability is configuring the address pool and allocation algorithm of the DHCP server carefully. 18. Binding Number Limitation It is suggested to configure some mechanism in order to prevent a single node from exhausting the binding table entries on the SAVI device. Either of the following mechanism is sufficient to prevent such attack. 1. Set the upper bound of binding number for each anchor with SAVI- Validation. Bi Expires June 17, 2010 [Page 16] Internet-Draft savi-dhcp December 2009 2. Reserve a number of binding entries for each anchor with SAVI- Validation attribute and all anchors share a pool of the other binding entries. 3. Limit DHCP Request rate per anchor, using the bound entry number of each anchor as reverse indicator. 19. Movement without DHCP Procedure This mechanism currently doesn't handle any movement without DHCP procedure, which means the change of anchor without triggering any DHCP procedure. The scenario includes several hosts are attached a SAVI-Validation port through a hub, and the hub changes from its attaching port to another SAVI-Validation port. For handling this situation will necessarily lead to a data packet triggering procedure on SAVI device, and may violate the semantic of DHCP protocol, this situation is not handled in this mechanism. 20. MLD Consideration The SAVI device MUST join the tentative address multicast group whenever perform duplicate detection on behavior of host. 21. Constants MAX_DHCP_RESPONSE_TIME 120s MAX_ARP_PREPARE_DELAY Default 1s but configurable MAX_ARP_DELAY Default 1s but configurable MAX_DAD_PREPARE_DELAY Default 1s but configurable MAX_DAD_DELAY Default 1s but configurable 22. Summary of to-be-removed sections and open issues To-be-removed sections: 1. Section 6: Conceptual data structures 2. Section 8: DHCP scenario 3. Part of Section 9: Anchor attributes 4. Section 10: Prefix configuration Bi Expires June 17, 2010 [Page 17] Internet-Draft savi-dhcp December 2009 Open issues (discussed but not finished): 1. Whether to keep state START Should the procedure be initialized based on client request or server response? From Eric Levy-Abegnoli and Christian Vogt. 2. Whether to keep state DETECTION Should DHCP interact with NDP to detect collision or should all the collision detection be left to NDP and the DHCP solution just snoop DHCP only? From Eric Levy-Abegnoli. 23. Security Considerations For prefix level granularity filtering is the basis of host level granularity filtering, to learn and configure correct prefix is of great importance to this mechanism. Thus, it's important to keep RA and DHCP-PD secure. [draft-ietf-v6ops-ra-guard-03] describes a mechanism to improve the security of RA message. 24. IANA Considerations There is no IANA consideration currently. 25. References 25.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4862] Thomson, S., Narten, T. and Jinmei, T., "IPv6 Stateless Autoconfiguration", RFC4862, September, 2007. [RFC5227] S. Cheshire, "IPv4 Address Conflict Detection", RFC5227, July 2008. Bi Expires June 17, 2010 [Page 18] Internet-Draft savi-dhcp December 2009 25.2. Informative References 26. Acknowledgments Thanks to Christian Vogt, Eric Levy-Abegnoli, Mark Williams, Erik Nordmark, Marcelo Bagnulo Braun, Alberto Garcia, Jari Arkko, David Harrington, Pekka Savola, Xing Li, Lixia Zhang, Robert Raszuk, Greg Daley, Joel M. Halpern and Tao Lin for their valuable contributions. Bi Expires June 17, 2010 [Page 19] Internet-Draft savi-dhcp December 2009 Authors' Addresses Jun Bi CERNET Network Research Center, Tsinghua University Beijing 100084 China Email: junbi@cernet.edu.cn Jianping Wu CERNET Computer Science, Tsinghua University Beijing 100084 China Email: jianping@cernet.edu.cn Guang Yao CERNET Network Research Center, Tsinghua University Beijing 100084 China Email: yaog@netarchlab.tsinghua.edu.cn Fred Baker Cisco Systems Email: fred@cisco.com Bi Expires June 17, 2010 [Page 20]