Building a next generation Internet with source address validation architecture

IP packet forwarding in the current Internet is mainly destination-based: in most cases the source IP address is not checked during forwarding. This causes serious security, management and accounting problems. Building on the drastically increased IPv6 address space, this paper proposes a “source address validation architecture” (SAVA) that can guarantee that every packet received and forwarded carries an authenticated source IP address. The design goals of the architecture are lightweight operation, loose coupling, “multi-fence support” and incremental deployment. The paper discusses the design and implementation of the architecture at three levels: inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. The architecture has been deployed in the CNGI-CERNET2 infrastructure, a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that SAVA will help the transition to a new, more secure and dependable Internet.
