Network Working Group J. Wu
Internet-Draft Tsinghua University
Intended status: Experimental R. Bonica
Expires: August 9, 2007 Juniper Networks
J. Bi
X. Li
G. Ren
Tsinghua University
M I. Williams
Juniper Networks
February 5, 2007
Source Address Verification Architecture Problem Statement
draft-sava-problem-statement-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 9, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document outlines the problems for the Source Address
Wu, et al. Expires August 9, 2007 [Page 1]
Internet-Draft SAVA Problem Statement February 2007
Verification Architecture (SAVA) initiative to solve. It examines
the current state in the internet, looks at current best practices
and discusses why the current approach is unlikely to ever solve the
problem of IP address spoofing. It also discusses some of the
problems that SAVA should NOT attempt to solve.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Current State of Affairs . . . . . . . . . . . . . . . . . . . 3
3. Best Current Practices . . . . . . . . . . . . . . . . . . . . 4
4. Deficiencies of Ingress-Filter (BCP0038) and uRPF Approach . . 4
5. Why IPSEC is not the Solution to This Problem . . . . . . . . . 5
6. Framework Requirements . . . . . . . . . . . . . . . . . . . . 5
6.1. Direct Benefit to Deployers . . . . . . . . . . . . . . . . 5
6.2. Solution Focus on IPv6 . . . . . . . . . . . . . . . . . . 5
6.3. Performance . . . . . . . . . . . . . . . . . . . . . . . . 5
6.4. Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.5. Multiple-Fence Solution . . . . . . . . . . . . . . . . . . 6
6.6. Incrementally Deployable . . . . . . . . . . . . . . . . . 6
6.7. Loose Coupling . . . . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . . 7
10.2. Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Wu, et al. Expires August 9, 2007 [Page 2]
Internet-Draft SAVA Problem Statement February 2007
1. Introduction
The Internet is a decentralized system which basically provides best
effort, packet-based data forwarding service. In the forwarding
process, the device (router, switch, gateway, etc.) forwards IP
packets based on the destination IP address. In most cases, the
source IP address is not checked. The lack of source IP address
checking makes it easy for the attackers to spoof the source address.
And it has facilitated many existing attacks in the Internet.
In recent years, there have been some efforts in the research
community to design mechanisms on fighting against source address
spoofing. We think it is now a suitable time to summarize the
progress and to standardize some results of research efforts to
protocols, to enhance the authenticity of the source address.
Providing authentic IP address is not only helpful to network
security, but also helpful to some other aspects, e.g., network
application, network management and accounting, etc.
The motivation of this document is to clarify the problem in solving
the spoofing of source address. The general problem of supporting
authenticity of source address in the Internet is divided into three
seperated sub-problems, refered as "inter-AS AIAA problem", "intra-AS
SAVA problem" and "access network SAVA problem". The primary
difference between these three problems is the different level and
scope in network topology. The "inter-AS SAVA problem" considers the
source address spoofing involved with more than one ASes. The
"inter-AS SAVA problem" considers the source address spoofing inside
one AS. The "access network SAVA problem" considers the source
address spoofing inside one access network. There may be multiple
candidate solutions for each sub-problem.
Because the current Internet addressing architecture does not verify
the source address of the packets received and forwarded, has been
formed for many years, it is difficult and not cost-effective to
change from the current Internet infrastructure. The development of
the IPv6 based next generation Internet will give us the opportunity
to implement an authentic addressing architecture. In this memo,
only the issues in IPv6 network are discussed.
2. Current State of Affairs
In the MIT Spoofer Project [Bev05], the authors found that
approximately one-quarter of the observed addresses, netblocks and
autonomous systems (AS) permit full or partial spoofing. And they
suggested that a large portion of the Internet is vulnerable to
spoofing and concerted attacks employing spoofing remain a serious
Wu, et al. Expires August 9, 2007 [Page 3]
Internet-Draft SAVA Problem Statement February 2007
concern.
3. Best Current Practices
The current method of avoiding packets with spoofed source addresses
entering and being propagated on the Internet relies on two methods:
1. Ingress Filtering as per BCP0038 [RFC2827]. This method requires
ISPs and organisations at the edge to apply filters limiting the
source addresses allowed on incoming packets to those
specifically allowed in the stub networks. If BCP0038 were
followed at all ingress points to the Internet, then there would
be no spoofed packets on the Internet.
2. Unicast Reverse Path Forwarding (uRPF) filtering. This is a
feature available on routers that can be used to block incoming
packets if, in the case a packet were constructed with the
incoming packet's source address as its destination address, the
constructed packet would NOT be routed back along the ingress
link for the incoming packet. Assuming random incidence of
spoofed packets and symmetric routing, a router with n links and
with uRPF configured would drop (n-1)/n of all incoming spoofed
packets, greatly mitigating DoS attacks using spoofed packets,
for example. (See [RFC3871])
4. Deficiencies of Ingress-Filter (BCP0038) and uRPF Approach
Ingress filtering is definitely to be recommended, and uRPF filtering
certainly does have its uses, but, at least in the current state of
the Internet, they are insufficient as a protection of the routing
infrastructure.
1. Ingress filtering works, but it only works if all, or at least
the vast majority of ingress points apply ingress filtering. As
can be seen in the Internet today, even when 25% of the Internet
is unsecured, those elements that want access to "spoofable"
connections simply move their connection to unsecured attachment
points.
2. uRPF does not work well in places where assymetric routing
happens. This constitutes a large part of the Internet
Wu, et al. Expires August 9, 2007 [Page 4]
Internet-Draft SAVA Problem Statement February 2007
5. Why IPSEC is not the Solution to This Problem
IPSEC is a solution to many problems, and it is not the intention of
the authors to suggest that it should not be deployed. It is just
not the solution to this particular problem.
Whereas IPSEC solves end-end security problems and allows endpoints
in a connection to verify the identity of connected endpoints, there
is also a need for the infrastructure of the Internet to be able to
protect itself. Many attacks employ spoofed IP addresses to either
conceal the source of an infrastructure attack or to cause the
network infrastructure to, in effect, attack itself.
The network must be able to secure itself from poorly-secured
endpoints. The goal of the solution to the problem must be to
discard spoofed traffic as close to the source of the attack as
possible. (i.e. within the infrastructure rather than at the other
endpoint(s).
6. Framework Requirements
Following is a list of key requirements for any solution/s to the
problem described above. They will be more completely delineated in
the proposed workgroup charter and the framework document.
6.1. Direct Benefit to Deployers
One of the reasons for the less-than-adequate deployment of ingress
filters is that, in deploying the filters, a network operator or
attached private network is mostly protecting the rest of the
Internet rather than itself. It should be a design goal for any
solution to give those that deploy the solution some increased level
of protection from spoofed attacks from outside of their own
adminitrative domain.
6.2. Solution Focus on IPv6
While it is not the intent to develop solutions that cannot be
deployed on an IPv4 network, the focus of the work should be on
solutions for IPv6 networks. In other words, if a solution is
feasible for IPv6 deployment, but infeasible for IPv4 deployment,
that shall not be construed as a disadvantage for the solution.
6.3. Performance
Deployment of SAVA solutions should not place unreasonable stress on
network infrastructure components.
Wu, et al. Expires August 9, 2007 [Page 5]
Internet-Draft SAVA Problem Statement February 2007
6.4. Scaling
SAVA solutions should be feasible for network sizes and no-default
prefix tables many times the size experienced today. SAVA solutions
should scale in a way that is at worst linear with the size of the
Internet.
6.5. Multiple-Fence Solution
Ingress filtering is a single fence solution, in that it is only
applicable only at the access network or at the boundary between an
attached private network and a network provider. Where the attached
network is not a stub, it cannot be deployed effectively. It should
be the goal of the SAVA working group to provide solutions that can
be deployed at the boundaries between ISPs or on intra-ISP links as
well.
6.6. Incrementally Deployable
It must be possible to deploy SAVA solutions incrementally across the
network. In other words, there can be no "flag day".
6.7. Loose Coupling
Components of the overall solution should be able to be deployed in a
"mix and match" fashion. this allows for multiple solutions for a
given component of the overall solution.
7. IANA Considerations
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
RFC.
8. Security Considerations
For this document, no specific security considerations. Many of the
solution elements will need to be examined carefully for robustness
and to see if they do not in themselves introduce security problems.
9. Acknowledgements
10. References
Wu, et al. Expires August 9, 2007 [Page 6]
Internet-Draft SAVA Problem Statement February 2007
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
10.2. Informative References
[Bev05] Beverley, S. and S. Bauer, ""The spoofer project:
inferring the extent of source address filtering on the
Internet", USENIX SRUTI 2005", 2005.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3871] Jones, G., "Operational Security Requirements for Large
Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, September 2004.
Authors' Addresses
Jianping Wu
Tsinghua University
Phone:
Email: jianping@cernet.edu.cn
URI:
Ronald P. Bonica
Juniper Networks
2251 Corporate Park Drive
Herndon, VA 20171
USA
Jun Bi
Tsinghua University
Phone:
Fax:
Email:
URI:
Wu, et al. Expires August 9, 2007 [Page 7]
Internet-Draft SAVA Problem Statement February 2007
Xing Li
Tsinghua University
Email: xing@cernet.edu.cn
Gang Ren
Tsinghua University
Email: rengang@csnet1.cs.tsinghua.edu.cn
URI:
Mark I. Williams
Juniper Networks
Suite 1508, W3 Tower, Oriental Plaza, 1 East Chang'An Ave
Dong Cheng District, Beijing 100738
China
Email: miw@juniper.net
Wu, et al. Expires August 9, 2007 [Page 8]
Internet-Draft SAVA Problem Statement February 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Wu, et al. Expires August 9, 2007 [Page 9]