WLAN SAVI Technology White Paper-6W101

WLAN SAVI Technology White Paper
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This document provides generic technical information, some of which might not be applicable to your products.

The information in this document is subject to change without notice.



Overview

Technical background

WLAN Source Address Validation Improvement (SAVI) filters the packets that APs receive from wireless clients so that packets with a spoofed source address are not forwarded. With WLAN SAVI enabled, an AP records a binding between the MAC address and the IP address of each authenticated wireless client. When the AP receives data traffic from a wireless client, it forwards the traffic only if the source MAC address and source IP address of the traffic match the binding created for that client; otherwise it drops the traffic.

Benefits

IP spoofing prevention

With WLAN SAVI enabled, an AP records the MAC-IP binding of each authenticated wireless client and forwards traffic from a client only if the source MAC address and source IP address match that binding. A client that sends packets with the IP address of another client, or with an address for which no binding exists, has those packets dropped at the AP, so IP spoofing is stopped at the first hop instead of reaching the wired network.

Wireless client roaming support

When a wireless client roams between APs, its MAC-IP binding is synchronized to the destination AP.

Flexible validity check based on the IPv6 address assignment method

WLAN SAVI allows you to set the validity check mode on a per-VLAN basis, so that the check matches how clients in that VLAN obtain IPv6 addresses. In a VLAN where wireless clients obtain IPv6 addresses through DHCPv6, configure WLAN SAVI to check traffic against MAC-IP bindings learned from DHCPv6 packets. In a VLAN where wireless clients generate their own IPv6 addresses from an advertised prefix (stateless address autoconfiguration), configure WLAN SAVI to check traffic against MAC-IP bindings learned from ND packets.

WLAN SAVI implementation

Client MAC-IP binding generation

An AP creates MAC-IP bindings for wireless clients as follows:

1.     A wireless client associates with the network, completes authentication, and obtains an IP address through DHCPv4, DHCPv6, or ND (stateless address autoconfiguration from an advertised prefix).

2.     The AP creates a MAC-IP binding in a way that depends on the IP address assignment method.

-     For an IPv4 client, the AP intercepts the DHCPv4 packets exchanged between the client and the DHCPv4 server, learns the IPv4 address assigned to the client, and binds it to the client MAC address.

-     For an IPv6 client, the AP acts as follows:

      -     In DHCPv6 mode, the AP intercepts the DHCPv6 packets exchanged between the client and the DHCPv6 server, learns the IPv6 address assigned to the client, and binds it to the client MAC address. The AP creates bindings only from addresses assigned in the DHCPv6 packets; it cannot create a MAC-IP binding from an IPv6 prefix carried in those packets, so addresses a client derives from such a prefix are not covered.

      -     In ND mode, the AP listens for RA, NS, and NA packets: the RA carries the prefix, and the NS (duplicate address detection) and NA packets sent by the client carry the address the client has configured. The AP binds that address to the client MAC address.

3.     The AP reports the MAC-IP binding to the AC for central management.

Figure 1 Client MAC-IP binding generation process

 

WLAN SAVI validity check for non-roaming clients

For a non-roaming client, the AP that the client is associated with forwards its traffic only if the source MAC address and source IP address match the binding created for the client. If either does not match, the AP drops the traffic.

WLAN SAVI validity check for roaming clients

When a wireless client roams between APs, its MAC-IP binding is synchronized to the destination AP as follows:

1.     The client connects to AP 1.

2.     AP 1 creates a MAC-IP binding for the client as described in "Client MAC-IP binding generation."

3.     The client roams to AP 2.

4.     The AC sends the MAC-IP binding created for the client to AP 2.

5.     The AC deletes the MAC-IP binding from AP 1.

Figure 2 WLAN SAVI validity check for roaming clients

 

WLAN SAVI configuration example

As shown in Figure 3, the clients access the wireless network with the SSID service, and the switch acts as a DHCP server to assign IP addresses to the clients. WLAN SAVI is enabled to drop traffic from clients that use an IP address not assigned to them.

After Client 1 and Client 2 obtain IP addresses from the DHCP server, the AP creates a MAC-IP binding for each of them and forwards the packets they send. When Client 3 sends packets using the IP address of Client 1 (from Client 3's own MAC address), no binding matches that MAC-IP pair, and the AP drops the packets sent by Client 3.
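The scenario above, together with the binding generation, validity check and roaming steps from the preceding sections, modelled as an added Python example. This is not H3C's code and not a device configuration: the message dictionaries, MAC and IP addresses are constructed sample data, and the details of which DHCPv4/DHCPv6/ND messages create a binding (the server's ACK and REPLY, the client's DAD NS and NA) are this example's reading of the text.

```python
"""Toy model of WLAN SAVI: binding generation, validity check, roaming sync.

Added illustration only (not H3C's implementation). All MAC/IP values and
message dictionaries below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Frame:
    src_mac: str   # the two fields SAVI compares against the binding
    src_ip: str


class AccessController:
    """Central binding store; moves bindings between APs when a client roams."""

    def __init__(self) -> None:
        self.table: Dict[str, Set[str]] = {}   # client MAC -> bound IPs

    def report(self, mac: str, ip: str) -> None:
        # Step 3: each AP reports new bindings to the AC.
        self.table.setdefault(mac, set()).add(ip)

    def roam(self, mac: str, src_ap: "AccessPoint", dst_ap: "AccessPoint") -> None:
        # Steps 4-5: install the client's bindings on the destination AP,
        # then remove them from the source AP.
        dst_ap.bindings[mac] = set(self.table.get(mac, set()))
        src_ap.bindings.pop(mac, None)


class AccessPoint:
    def __init__(self, ac: AccessController, vlan_mode: Dict[int, str]) -> None:
        self.ac = ac
        self.vlan_mode = vlan_mode               # VLAN -> "dhcpv6" or "nd"
        self.bindings: Dict[str, Set[str]] = {}  # client MAC -> bound IPs

    def _bind(self, mac: str, ip: str) -> None:
        self.bindings.setdefault(mac, set()).add(ip)
        self.ac.report(mac, ip)

    # Step 2a: DHCPv4 snooping. Only the server's ACK carries a committed lease.
    def snoop_dhcpv4(self, msg: dict) -> None:
        if msg["type"] == "ACK":
            self._bind(msg["chaddr"], msg["yiaddr"])

    # Step 2b, DHCPv6 mode: bind assigned addresses (IA_NA) from the REPLY;
    # a delegated prefix (IA_PD) yields no binding.
    def snoop_dhcpv6(self, msg: dict, vlan: int) -> None:
        if self.vlan_mode.get(vlan) == "dhcpv6" and msg["type"] == "REPLY":
            for addr in msg.get("ia_na", []):
                self._bind(msg["client_mac"], addr)

    # Step 2b, ND mode: learn the address a client claims in a DAD NS or an NA.
    def snoop_nd(self, msg: dict, vlan: int) -> None:
        if self.vlan_mode.get(vlan) == "nd" and msg["type"] in ("NS", "NA"):
            self._bind(msg["src_mac"], msg["target"])

    # Validity check: forward only if (src MAC, src IP) matches a binding.
    def forward(self, frame: Frame) -> bool:
        return frame.src_ip in self.bindings.get(frame.src_mac, set())


def run_scenario() -> Dict[str, bool]:
    """Replays the Figure 3 scenario plus the two IPv6 modes and a roam."""
    ac = AccessController()
    modes = {10: "dhcpv6", 20: "nd"}            # per-VLAN check mode
    ap1, ap2 = AccessPoint(ac, modes), AccessPoint(ac, modes)
    c1, c2, c3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"

    ap1.snoop_dhcpv4({"type": "ACK", "chaddr": c1, "yiaddr": "192.168.10.11"})
    ap1.snoop_dhcpv4({"type": "ACK", "chaddr": c2, "yiaddr": "192.168.10.12"})
    ap1.snoop_dhcpv4({"type": "OFFER", "chaddr": c3, "yiaddr": "192.168.10.13"})
    r = {
        "client1_ok": ap1.forward(Frame(c1, "192.168.10.11")),
        "client2_ok": ap1.forward(Frame(c2, "192.168.10.12")),
        # Client 3 uses Client 1's IP from its own MAC: no matching binding.
        "client3_spoof_dropped": not ap1.forward(Frame(c3, "192.168.10.11")),
        # An OFFER alone never produced a binding for Client 3.
        "client3_offer_only_dropped": not ap1.forward(Frame(c3, "192.168.10.13")),
    }
    ap1.snoop_dhcpv6({"type": "REPLY", "client_mac": c1, "ia_na": ["2001:db8:10::11"],
                      "ia_pd": ["2001:db8:100::/56"]}, vlan=10)
    ap1.snoop_nd({"type": "NS", "src_mac": c2, "target": "2001:db8:20::2"}, vlan=20)
    ap1.snoop_nd({"type": "NA", "src_mac": c2, "target": "2001:db8:10::99"}, vlan=10)
    r["v6_ia_na_ok"] = ap1.forward(Frame(c1, "2001:db8:10::11"))
    r["v6_prefix_not_bound"] = not ap1.forward(Frame(c1, "2001:db8:100::1"))
    r["v6_nd_ok"] = ap1.forward(Frame(c2, "2001:db8:20::2"))
    r["nd_ignored_in_dhcpv6_vlan"] = not ap1.forward(Frame(c2, "2001:db8:10::99"))

    ac.roam(c1, ap1, ap2)                        # Client 1 roams to AP 2
    r["roam_ap2_ok"] = ap2.forward(Frame(c1, "192.168.10.11"))
    r["roam_ap1_removed"] = c1 not in ap1.bindings
    return r


if __name__ == "__main__":
    for check, passed in run_scenario().items():
        print(f"{check:30s} {'PASS' if passed else 'FAIL'}")
```

Every entry returned by run_scenario() is True: the two legitimate clients are forwarded, Client 3 is dropped both when it borrows Client 1's address and when it only ever received an OFFER, the DHCPv6 VLAN binds the IA_NA address but not an address taken from the delegated prefix, ND packets create bindings only in the ND-mode VLAN, and after the roam the binding exists on AP 2 and is gone from AP 1.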

Figure 3 Network diagram
