A Source Address Validation Architecture (SAVA) Testbed and Deployment Experience
RFC 5210
| Field | Value |
|---|---|
| Type | RFC - Experimental (June 2008; No errata) |
| Was | draft-wu-sava-testbed-experience (individual in int area) |
| Authors | Jianping Wu, Jun Bi, Xing Li, Gang Ren, Mark Williams, Ke Xu |
| Last updated | 2015-10-14 |
| Stream | IETF |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 5210 (Experimental) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Jari Arkko |
| Send notices to | fergdawg@netzero.net |
Network Working Group                                          J. Wu
Request for Comments: 5210                                     J. Bi
Category: Experimental                                         X. Li
                                                               G. Ren
                                                               K. Xu
                                                 Tsinghua University
                                                         M. Williams
                                                    Juniper Networks
                                                           June 2008

A Source Address Validation Architecture (SAVA) Testbed and Deployment Experience

Status of This Memo

   This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

Abstract

   Because the Internet forwards packets according to the IP destination address, packet forwarding typically takes place without inspection of the source address, and malicious attacks have been launched using spoofed source addresses. In an effort to enhance the Internet with IP source address validation, a prototype implementation of the IP Source Address Validation Architecture (SAVA) was created and an evaluation was conducted on an IPv6 network. This document reports on the prototype implementation and the test results, as well as the lessons and insights gained from experimentation.

Wu, et al.                    Experimental                      [Page 1]

RFC 5210                      SAVA Testbed                     June 2008

Table of Contents

   1. Introduction
   2. A Prototype SAVA Implementation
      2.1. Solution Overview
      2.2. IP Source Address Validation in the Access Network
      2.3. IP Source Address Validation at Intra-AS/Ingress Point
      2.4. IP Source Address Validation in the Inter-AS Case (Neighboring AS)
      2.5. IP Source Address Validation in the Inter-AS Case (Non-Neighboring AS)
   3. SAVA Testbed
      3.1. CNGI-CERNET2
      3.2. SAVA Testbed on CNGI-CERNET2 Infrastructure
   4. Test Experience and Results
      4.1. Test Scenarios
      4.2. Test Results
   5. Limitations and Issues
      5.1. General Issues
      5.2. Security Issues
      5.3. Protocol Details
   6. Conclusion
   7. Security Considerations
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References

1. Introduction

   By design, the Internet forwards data packets solely based on the destination IP address. The source IP address is not checked during the forwarding process in most cases. This makes it easy for malicious hosts to spoof the source address of the IP packet. We believe that it would be useful to enforce the validity of the source IP address for all the packets being forwarded. Enforcing the source IP address validity would help us achieve the following goals:

   o  Since packets which carry spoofed source addresses would not be forwarded, it would be impossible to launch network attacks that are enabled by using spoofed source addresses and more difficult to successfully carry out attacks enhanced or strengthened by the use of spoofed source addresses.

   o  Being able to assume that all packet source addresses are correct would allow traceback to be accomplished accurately and with confidence. This would benefit network diagnosis, management, accounting, and applications.
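   A minimal per-interface source address check of the kind SAVA enforces at an access network or ingress point, added here as an illustration and not code from the RFC or the testbed. The interface names and prefixes are constructed sample data; the allowance for the unspecified source address reflects IPv6 Duplicate Address Detection, which the page does not discuss.

```python
# Added example (not from RFC 5210): a minimal per-interface IPv6 source
# address validation check. Interface names and prefixes are constructed.
from ipaddress import ip_address, ip_network, IPv6Address

# Constructed binding table: the source prefixes that may legitimately
# appear on each ingress interface (what a SAVA access/ingress device
# would be configured with or learn).
BINDINGS = {
    "ge-0/0/1": [ip_network("2001:db8:1::/48")],
    "ge-0/0/2": [ip_network("2001:db8:2::/48"), ip_network("2001:db8:3::/64")],
}


def validate_source(ifname, src):
    """Return (forward, reason) for a packet with source `src` seen on `ifname`."""
    addr = ip_address(src)
    if not isinstance(addr, IPv6Address):
        return False, "not-ipv6"
    # The unspecified source (::) is legitimate for Duplicate Address
    # Detection (Neighbor Solicitation) and must not be treated as spoofing.
    if addr.is_unspecified:
        return True, "unspecified-dad"
    # Link-local sources never leave the link; they are validated by scope,
    # not against the routed prefix table.
    if addr.is_link_local:
        return True, "link-local"
    allowed = BINDINGS.get(ifname)
    if allowed is None:
        return False, "unknown-interface"
    for prefix in allowed:
        if addr in prefix:
            return True, "matches %s" % prefix
    return False, "source-not-bound-to-interface"


def filter_packets(packets):
    """Apply validate_source to (ifname, src, dst) tuples.

    Returns the forwarded packets and a per-reason drop count, the kind of
    statistic a validation testbed would report per ingress point.
    """
    forwarded, drops = [], {}
    for ifname, src, dst in packets:
        ok, reason = validate_source(ifname, src)
        if ok:
            forwarded.append((ifname, src, dst))
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return forwarded, drops
```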
   As part of the effort in developing a Source Address Validation Architecture (SAVA), we implemented a SAVA prototype and deployed the