WLAN SAVI Technology White Paper-6W100


WLAN SAVI

Technology White Paper

Copyright © 2020 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Contents

Overview

Technical background

Benefits

WLAN SAVI implementation

Mechanism

Creation of IP-MAC bindings of wireless clients

SAVI packet filtering

SAVI for WLAN roaming

Application scenarios

Common WLAN network application


Overview

Technical background

Typically, a user can access the WLAN after obtaining an IP address through static configuration or DHCP and passing authentication. The WLAN becomes vulnerable if an unauthorized user spoofs the IP address of this user to launch attacks.

To resolve the issue, WLAN Source Address Validation Improvement (SAVI) is introduced. With this feature enabled, the AP records the IP-MAC binding of authenticated users, and uses the IP-MAC bindings to filter packets. Packets sourced from an invalid address are dropped.

Benefits

WLAN SAVI provides the following benefits:

·     IP spoofing prevention: The AP examines the IP and MAC addresses in packets from wireless clients based on IP-MAC bindings and discards the packets that do not match any binding. This efficiently prevents IP spoofing attacks and ensures the security of the WLAN network.

·     Support for WLAN roaming: The AC automatically synchronizes the IP-MAC binding for a wireless client between APs when the client roams. This allows WLAN SAVI to seamlessly take effect on the new AP to which a wireless client roams.

WLAN SAVI implementation

Mechanism

Creation of IP-MAC bindings of wireless clients

As shown in Figure 1, SAVI creates an IP-MAC binding as follows:

1.     The client associates with a WLAN, and then obtains a statically assigned or DHCP allocated IP address after passing authentication.

2.     The client accesses the WLAN.

3.     The AP creates an IP-MAC binding for the client:

      ○     For an IPv4 client, the AP reads the IPv4 and MAC addresses from ARP packets sent by the client or DHCPv4 packets exchanged between the client and the DHCPv4 server. Then, the AP creates an IPv4-MAC binding for the client.

      ○     For an IPv6 client that obtains an IPv6 address through DHCPv6, the AP reads the IPv6 and MAC addresses from DHCPv6 packets exchanged between the client and the DHCPv6 server. Then, the AP creates an IPv6-MAC binding for the client.

      ○     For an IPv6 client that obtains an IPv6 address through ND, the AP reads the IPv6 address from NS and NA messages that pass through. Then, the AP creates an IPv6-MAC binding for the client.

4.     The AP reports the IP-MAC binding to the AC for centralized storage.

Figure 1 Creation of IP-MAC bindings

SAVI packet filtering

In a WLAN network, the AP uses the IP-MAC bindings to match the IP and MAC addresses in an incoming packet from a client.

·     If a match is found, the packet is forwarded.

·     If no match is found, the packet is discarded.

SAVI for WLAN roaming

In a wireless network, clients might roam from one AP to another while retaining their IP addresses. This requires support for SAVI IP-MAC binding synchronization between APs.

As shown in Figure 2, SAVI operates as follows:

1.     The client comes online through AP 1. AP 1 creates an IP-MAC binding for the client as described in “Creation of IP-MAC bindings of wireless clients”.

2.     The client roams to AP 2 and comes online again after passing authentication.

3.     The AC detects that the client has roamed from AP 1 to AP 2, and then synchronizes the IP-MAC binding to AP 2. AP 2 can use this binding for packet filtering.

4.     The AC instructs AP 1 to delete the IP-MAC binding of the client.

Figure 2 SAVI for WLAN roaming

Application scenarios

Common WLAN network application

As shown in Figure 3, the clients associate with SSID service to access the WLAN. The switch acts as the DHCP server to assign IP addresses to the clients. Client 1 and Client 2 obtain IP addresses through DHCP, and Client 3 spoofs the IP address of Client 1. With SAVI configured, the AP creates IP-MAC bindings only for Client 1 and Client 2. Packets from Client 1 and Client 2 are forwarded. Packets from Client 3 are discarded because no matching binding can be found for the MAC address of Client 3.

Figure 3 Network diagram
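
The binding, filtering and roaming behavior described above can be modeled in a few lines. This is an added Python example, not H3C code: the AP and AC classes, their method names and all addresses (documentation ranges) are constructed for illustration. It assumes learn() is called only for addresses the AP has read from DHCP, ARP or ND traffic of an authenticated client.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

def norm_mac(mac: str) -> str:
    # Canonical form so "AA-BB-..." and "aa:bb:..." compare equal.
    return mac.lower().replace("-", ":")

@dataclass
class AP:
    name: str
    bindings: dict = field(default_factory=dict)  # MAC -> set of bound IPs

    def permit(self, src_mac: str, src_ip: str) -> bool:
        # SAVI filter: forward only if (source IP, source MAC) matches a binding.
        return ip_address(src_ip) in self.bindings.get(norm_mac(src_mac), set())

@dataclass
class AC:
    store: dict = field(default_factory=dict)  # MAC -> (serving AP, bound IPs)

    def learn(self, ap: AP, mac: str, ip: str) -> None:
        # The AP creates the binding and reports it to the AC for central storage.
        mac = norm_mac(mac)
        ap.bindings.setdefault(mac, set()).add(ip_address(ip))
        self.store[mac] = (ap, ap.bindings[mac])

    def roam(self, mac: str, new_ap: AP) -> None:
        # Synchronize the binding to the new AP, then delete it from the old AP.
        mac = norm_mac(mac)
        old_ap, ips = self.store[mac]
        if old_ap is new_ap:
            return
        new_ap.bindings[mac] = set(ips)
        old_ap.bindings.pop(mac, None)
        self.store[mac] = (new_ap, new_ap.bindings[mac])

def scenario() -> dict:
    # Constructed sample data: Client 3 sends with Client 1's IP address.
    ac, ap1, ap2 = AC(), AP("AP 1"), AP("AP 2")
    c1, c2, c3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    ac.learn(ap1, c1, "192.0.2.11")
    ac.learn(ap1, c2, "2001:db8::12")
    result = {
        "client1": ap1.permit(c1, "192.0.2.11"),
        "client2": ap1.permit(c2, "2001:DB8::12"),
        "client3_spoof": ap1.permit(c3, "192.0.2.11"),
    }
    ac.roam(c1, ap2)
    result["client1_on_ap2"] = ap2.permit(c1, "192.0.2.11")
    result["client1_stale_on_ap1"] = ap1.permit(c1, "192.0.2.11")
    return result
```

After the roam, AP 1 no longer holds a binding for Client 1, so a packet using that address pair on AP 1 is discarded.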
