WLAN SAVI Technology White Paper (6W100)
Technology White Paper
Typically, a user can access the WLAN after obtaining an IP address through static configuration or DHCP and passing authentication. The WLAN becomes vulnerable if an illegal user spoofs the IP address of this authenticated user to launch attacks.
To resolve this issue, WLAN Source Address Validation Improvement (SAVI) is introduced. With this feature enabled, the AP records the IP-MAC binding of each authenticated user and uses the IP-MAC bindings to filter packets. Packets whose source IP and MAC addresses do not match any binding are dropped.
WLAN SAVI provides the following benefits:
· IP spoofing prevention—The AP examines the source IP and MAC addresses in packets from wireless clients against its IP-MAC bindings and discards the packets that do not match any binding. This effectively prevents IP spoofing attacks and ensures the security of the WLAN network.
· Support for WLAN roaming—The AC automatically synchronizes the IP-MAC binding for a wireless client between APs when the client roams. This allows WLAN SAVI to seamlessly take effect on the new AP to which a wireless client roams.
As shown in Figure 1, SAVI creates an IP-MAC binding as follows:
1. The client associates with a WLAN, and then obtains a statically assigned or DHCP allocated IP address after passing authentication.
2. The client accesses the WLAN.
3. The AP creates an IP-MAC binding for the client:
  · For an IPv4 client, the AP reads the IPv4 and MAC addresses from ARP packets sent by the client or from DHCPv4 packets exchanged between the client and the DHCPv4 server. Then, the AP creates an IPv4-MAC binding for the client.
  · For an IPv6 client that obtains an IPv6 address through DHCPv6, the AP reads the IPv6 and MAC addresses from DHCPv6 packets exchanged between the client and the DHCPv6 server. Then, the AP creates an IPv6-MAC binding for the client.
  · For an IPv6 client that obtains an IPv6 address through ND, the AP reads the IPv6 address from the NS and NA messages that pass through it. Then, the AP creates an IPv6-MAC binding for the client.
4. The AP reports the IP-MAC binding to the AC for centralized storage.
In a WLAN network, the AP checks the source IP and MAC addresses of each incoming packet from a client against its IP-MAC bindings.
· If a match is found, the packet is forwarded.
· If no match is found, the packet is discarded.
In a wireless network, clients might roam from one AP to another while retaining their IP addresses. This requires support for SAVI IP-MAC binding synchronization between APs.
As shown in Figure 2, SAVI operates as follows:
1. The client comes online through AP 1. AP 1 creates an IP-MAC binding for the client as described in “Creation of IP-MAC bindings of wireless clients”.
2. The client roams to AP 2 and comes online again after passing authentication.
3. The AC detects that the client has roamed from AP 1 to AP 2, and then synchronizes the IP-MAC binding to AP 2. AP 2 can use this binding for packet filtering.
4. The AC instructs AP 1 to delete the IP-MAC binding of the client.
As shown in Figure 3, the clients associate with the SSID service to access the WLAN. The switch acts as the DHCP server and assigns IP addresses to the clients. Client 1 and Client 2 obtain IP addresses through DHCP, and Client 3 spoofs the IP address of Client 1. With SAVI configured, the AP creates IP-MAC bindings only for Client 1 and Client 2. Packets from Client 1 and Client 2 are forwarded. Packets from Client 3 are discarded because no binding matches the MAC address of Client 3.
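The binding creation, packet filtering and roaming synchronization described above, modeled as an added Python example (not part of the white paper or any vendor code). The AP and AC classes, the message-type names, and the client addresses are constructed for illustration; the filter logic is the IP-MAC match described in the text.

```python
from dataclasses import dataclass, field

# Constructed sample clients (not from the white paper).
CLIENT1 = ("aa:aa:aa:aa:aa:01", "10.1.1.11")
CLIENT2 = ("aa:aa:aa:aa:aa:02", "10.1.1.12")
CLIENT3_MAC = "aa:aa:aa:aa:aa:03"   # Client 3 never obtains an address

@dataclass
class AP:
    name: str
    ac: "AC"
    bindings: dict = field(default_factory=dict)   # MAC -> set of bound IPs

    def learn(self, mac, ip, msg):
        """Step 3: create a binding only from address-assignment traffic
        (DHCP/ARP/DHCPv6/ND), then report it to the AC (step 4)."""
        if msg not in ("dhcp_ack", "arp", "dhcpv6_reply", "nd"):
            return
        self.bindings.setdefault(mac, set()).add(ip)
        self.ac.report(self.name, mac, ip)

    def allow(self, mac, ip):
        """Forward a client data packet only if its (src IP, src MAC) is bound."""
        return ip in self.bindings.get(mac, set())

class AC:
    def __init__(self):
        self.aps = {}
        self.store = {}          # centralized copy: MAC -> (AP name, set of IPs)

    def add_ap(self, name):
        self.aps[name] = AP(name, self)
        return self.aps[name]

    def report(self, ap_name, mac, ip):
        _, ips = self.store.get(mac, (ap_name, set()))
        ips.add(ip)
        self.store[mac] = (ap_name, ips)

    def roam(self, mac, new_ap):
        """Roaming: sync the binding to the new AP, delete it on the old AP."""
        old_ap, ips = self.store[mac]
        self.aps[new_ap].bindings[mac] = set(ips)
        self.aps[old_ap].bindings.pop(mac, None)
        self.store[mac] = (new_ap, ips)

def demo():
    """Figure 3 scenario, then Client 1 roams from AP1 to AP2."""
    ac = AC(); ap1 = ac.add_ap("AP1"); ap2 = ac.add_ap("AP2")
    ap1.learn(*CLIENT1, "dhcp_ack"); ap1.learn(*CLIENT2, "dhcp_ack")
    spoof = ap1.allow(CLIENT3_MAC, CLIENT1[1])     # Client 3 uses Client 1's IP
    ac.roam(CLIENT1[0], "AP2")
    return ap1.allow(*CLIENT1), ap1.allow(*CLIENT2), spoof, ap2.allow(*CLIENT1)
```

`demo()` returns whether AP1 still forwards Client 1 after the roam, whether AP1 forwards Client 2, whether the spoofed packet from Client 3 passed, and whether AP2 forwards Client 1 after synchronization.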