datatracker.ietf.org

A Source Address Validation Architecture (SAVA) Testbed and Deployment Experience
RFC 5210

Document type: RFC - Experimental (June 2008)
Was draft-wu-sava-testbed-experience (individual in int area)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5210 (Experimental)
Responsible AD: Jari Arkko

Network Working Group                                              J. Wu
Request for Comments: 5210                                         J. Bi
Category: Experimental                                             X. Li
                                                                  G. Ren
                                                                   K. Xu
                                                     Tsinghua University
                                                             M. Williams
                                                        Juniper Networks
                                                               June 2008

        A Source Address Validation Architecture (SAVA) Testbed
                       and Deployment Experience

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   Because the Internet forwards packets according to the IP destination
   address, packet forwarding typically takes place without inspection
   of the source address, and malicious attacks have been launched using
   spoofed source addresses.  In an effort to enhance the Internet with
   IP source address validation, a prototype implementation of the IP
   Source Address Validation Architecture (SAVA) was created and an
   evaluation was conducted on an IPv6 network.  This document reports
   on the prototype implementation and the test results, as well as the
   lessons and insights gained from experimentation.

Wu, et al.                    Experimental                      [Page 1]
RFC 5210                      SAVA Testbed                     June 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  A Prototype SAVA Implementation  . . . . . . . . . . . . . . .  4
     2.1.  Solution Overview  . . . . . . . . . . . . . . . . . . . .  4
     2.2.  IP Source Address Validation in the Access Network . . . .  6
     2.3.  IP Source Address Validation at Intra-AS/Ingress Point . .  9
     2.4.  IP Source Address Validation in the Inter-AS Case
           (Neighboring AS) . . . . . . . . . . . . . . . . . . . . .  9
     2.5.  IP Source Address Validation in the Inter-AS Case
           (Non-Neighboring AS) . . . . . . . . . . . . . . . . . . . 12
   3.  SAVA Testbed . . . . . . . . . . . . . . . . . . . . . . . . . 15
     3.1.  CNGI-CERNET2 . . . . . . . . . . . . . . . . . . . . . . . 15
     3.2.  SAVA Testbed on CNGI-CERNET2 Infrastructure  . . . . . . . 16
   4.  Test Experience and Results  . . . . . . . . . . . . . . . . . 17
     4.1.  Test Scenarios . . . . . . . . . . . . . . . . . . . . . . 17
     4.2.  Test Results . . . . . . . . . . . . . . . . . . . . . . . 18
   5.  Limitations and Issues . . . . . . . . . . . . . . . . . . . . 18
     5.1.  General Issues . . . . . . . . . . . . . . . . . . . . . . 18
     5.2.  Security Issues  . . . . . . . . . . . . . . . . . . . . . 20
     5.3.  Protocol Details . . . . . . . . . . . . . . . . . . . . . 20
   6.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 21
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 22
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 23
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 23


1.  Introduction

   By design, the Internet forwards data packets solely based on the
   destination IP address.  The source IP address is not checked during
   the forwarding process in most cases.  This makes it easy for
   malicious hosts to spoof the source address of the IP packet.  We
   believe that it would be useful to enforce the validity of the source
   IP address for all the packets being forwarded.
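   The check the paragraph above argues for is, at its simplest, a
   binding between the interface a packet arrives on and the source
   prefixes legitimately reachable through it: a packet whose source
   address does not fall inside the prefixes bound to its ingress
   interface is treated as spoofed and dropped instead of being
   forwarded on its destination address alone.  The following Python
   code is an added illustration of that access-side check and is not
   part of RFC 5210 or the SAVA prototype; the interface names, the
   prefix bindings and the sample packets are constructed for the
   example, and the "drop" verdict strings are this example's own
   convention.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a received packet: ingress interface plus addresses."""
    ingress_if: str
    src: str
    dst: str


class SourceAddressValidator:
    """Per-ingress-interface source prefix check.

    Each interface is bound to the prefixes whose hosts may send through
    it.  A packet is accepted only when its source address lies inside
    one of the prefixes bound to the interface it arrived on; this is
    the same idea as ingress filtering (BCP 38 / RFC 2827) applied at
    the access network edge.
    """

    def __init__(self):
        # ifname -> list of ipaddress.IPv4Network / IPv6Network
        self.bindings = {}

    def bind(self, ifname, prefix):
        # strict=True rejects prefixes with host bits set, so a typo such
        # as 2001:db8:1::1/64 is caught at configuration time.
        net = ipaddress.ip_network(prefix, strict=True)
        self.bindings.setdefault(ifname, []).append(net)

    def check(self, pkt):
        """Return "accept" or a "drop:<reason>" verdict for one packet."""
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return "drop:malformed"
        allowed = self.bindings.get(pkt.ingress_if)
        if allowed is None:
            # No binding at all: fail closed rather than forward blindly.
            return "drop:unbound-interface"
        # Address-family mismatch (v4 address vs v6 prefix) is simply
        # "not contained", so it falls through to the spoofed verdict.
        if any(src in net for net in allowed):
            return "accept"
        return "drop:spoofed"


def filter_packets(validator, packets):
    """Split packets into (accepted, dropped) lists of (packet, verdict)."""
    accepted, dropped = [], []
    for pkt in packets:
        verdict = validator.check(pkt)
        target = accepted if verdict == "accept" else dropped
        target.append((pkt, verdict))
    return accepted, dropped


# Constructed sample traffic (documentation prefixes, not real hosts).
SAMPLE_PACKETS = [
    Packet("eth1", "2001:db8:1::10", "2001:db8:ffff::1"),   # legitimate
    Packet("eth1", "2001:db8:2::10", "2001:db8:ffff::1"),   # src belongs to eth2's prefix
    Packet("eth2", "2001:db8:2::7", "2001:db8:ffff::1"),    # legitimate
    Packet("eth3", "2001:db8:3::1", "2001:db8:ffff::1"),    # interface never bound
    Packet("eth1", "not-an-ip", "2001:db8:ffff::1"),        # unparsable source
]


def demo():
    """Bind two access interfaces and run the sample traffic through them."""
    v = SourceAddressValidator()
    v.bind("eth1", "2001:db8:1::/64")
    v.bind("eth2", "2001:db8:2::/64")
    return filter_packets(v, SAMPLE_PACKETS)


if __name__ == "__main__":
    accepted, dropped = demo()
    for pkt, verdict in accepted + dropped:
        print(f"{pkt.ingress_if:5} {pkt.src:>16} -> {verdict}")
```

   The second sample packet is the case the introduction is about: its
   source address is syntactically valid and routable, but it arrived on
   an interface that cannot legitimately originate it, which is exactly
   what a destination-only forwarder would never notice.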

   Enforcing the source IP address validity would help us achieve the
   following goals:

   o  Since packets that carry spoofed source addresses would not be
      forwarded, it would be impossible to launch network attacks that
      are enabled by using spoofed source addresses, and more difficult
      to successfully carry out attacks enhanced or strengthened by the
      use of spoofed source addresses.

   o  Being able to assume that all packet source addresses are correct
      would allow traceback to be accomplished accurately and with
      confidence.  This would benefit network diagnosis, management,
