
Building a next generation Internet with source address validation architecture

Science in China Series F: Information Sciences

Abstract

IP packet forwarding in the current Internet is mainly destination based: in most cases the source IP address of a packet is never checked during forwarding. This causes serious security, management and accounting problems. Building on the drastically increased IPv6 address space, this paper proposes a "source address validation architecture" (SAVA), which guarantees that every packet received and forwarded carries an authenticated source IP address. The design goals of the architecture are lightweight operation, loose coupling, "multi-fence support" and incremental deployment. The paper discusses the design and implementation of the architecture at three levels: inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. The architecture has been deployed in the CNGI-CERNET2 infrastructure, a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that SAVA will help the transition to a new, more secure and dependable Internet.
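As an added illustration (not code from the paper, SAVA, or CERNET2), the following toy Python model shows the "multi-fence" idea from the abstract: a packet's source address is checked at each validation point it crosses (local subnet, then intra-AS), and a fence that is not yet deployed on the path is skipped so that deployment can be incremental. The port bindings, interface prefix table, verdict strings and the treatment of undeployed fences are assumptions made for this example.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed topology for this illustration (not from the paper).
# Fence 1, local subnet: each access port is bound to the addresses
# legitimately assigned on it.
PORT_BINDINGS = {
    "port1": {IPv6Address("2001:db8:1::10")},
    "port2": {IPv6Address("2001:db8:1::20")},
}
# Fence 2, intra-AS: each ingress interface may only carry sources
# from the prefixes routed behind it.
INGRESS_PREFIXES = {
    "ge-0/0/1": [IPv6Network("2001:db8:1::/48")],
    "ge-0/0/2": [IPv6Network("2001:db8:2::/48")],
}

def check_local_subnet(port, src):
    """True if src was assigned on this access port."""
    return IPv6Address(src) in PORT_BINDINGS.get(port, set())

def check_intra_as(ifname, src):
    """True if src lies inside a prefix expected on this ingress interface."""
    addr = IPv6Address(src)
    return any(addr in net for net in INGRESS_PREFIXES.get(ifname, []))

def validate(src, port=None, ifname=None):
    """Apply each fence the packet crosses and return a verdict string.
    A fence not deployed on the path (None) is skipped; this is the
    incremental-deployment behaviour assumed here. A packet that no
    fence checked is still forwarded, but marked 'unverified'."""
    checked = False
    if port is not None:
        checked = True
        if not check_local_subnet(port, src):
            return "drop:local-subnet"
    if ifname is not None:
        checked = True
        if not check_intra_as(ifname, src):
            return "drop:intra-as"
    return "valid" if checked else "unverified"

if __name__ == "__main__":
    print(validate("2001:db8:1::10", "port1", "ge-0/0/1"))  # valid
    # port2 host using its neighbour's address: caught at fence 1
    print(validate("2001:db8:1::10", "port2", "ge-0/0/1"))  # drop:local-subnet
    # source from another prefix arriving on ge-0/0/1: caught at fence 2
    print(validate("2001:db8:2::5", None, "ge-0/0/1"))      # drop:intra-as
    print(validate("2001:db8:9::1"))                        # unverified
```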



Author information


Correspondence to JianPing Wu.

Additional information

Supported by the National Natural Science Foundation of China (Grant No. 90704001), and the National Basic Research Program of China (973 Program) (Grant No. 2003CB314800)


About this article

Cite this article

Wu, J., Ren, G. & Li, X. Building a next generation Internet with source address validation architecture. Sci. China Ser. F-Inf. Sci. 51, 1681–1691 (2008). https://doi.org/10.1007/s11432-008-0142-x
