Network Working Group J. Wu
Request for Comments: 5210 J. Bi
Category: Experimental X. Li
G. Ren
K. Xu
Tsinghua University
M. Williams
Juniper Networks
June 2008
A Source Address Validation Architecture (SAVA) Testbed
and Deployment Experience
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Abstract
Because the Internet forwards packets according to the IP destination
address, packet forwarding typically takes place without inspection
of the source address and malicious attacks have been launched using
spoofed source addresses. In an effort to enhance the Internet with
IP source address validation, a prototype implementation of the IP
Source Address Validation Architecture (SAVA) was created and an
evaluation was conducted on an IPv6 network. This document reports
on the prototype implementation and the test results, as well as the
lessons and insights gained from experimentation.
Wu, et al. Experimental [Page 1]RFC 5210 SAVA Testbed June 2008Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. A Prototype SAVA Implementation . . . . . . . . . . . . . . . 4
2.1. Solution Overview . . . . . . . . . . . . . . . . . . . . 4
2.2. IP Source Address Validation in the Access Network . . . . 6
2.3. IP Source Address Validation at Intra-AS/Ingress Point . . 9
2.4. IP Source Address Validation in the Inter-AS Case
(Neighboring AS) . . . . . . . . . . . . . . . . . . . . . 9
2.5. IP Source Address Validation in the Inter-AS Case
(Non-Neighboring AS) . . . . . . . . . . . . . . . . . . . 12
3. SAVA Testbed . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1. CNGI-CERNET2 . . . . . . . . . . . . . . . . . . . . . . . 15
3.2. SAVA Testbed on CNGI-CERNET2 Infrastructure . . . . . . . 16
4. Test Experience and Results . . . . . . . . . . . . . . . . . 17
4.1. Test Scenarios . . . . . . . . . . . . . . . . . . . . . . 17
4.2. Test Results . . . . . . . . . . . . . . . . . . . . . . . 18
5. Limitations and Issues . . . . . . . . . . . . . . . . . . . . 18
5.1. General Issues . . . . . . . . . . . . . . . . . . . . . . 18
5.2. Security Issues . . . . . . . . . . . . . . . . . . . . . 20
5.3. Protocol Details . . . . . . . . . . . . . . . . . . . . . 20
6. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7. Security Considerations . . . . . . . . . . . . . . . . . . . 22
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
9.1. Normative References . . . . . . . . . . . . . . . . . . . 23
9.2. Informative References . . . . . . . . . . . . . . . . . . 23
Wu, et al. Experimental [Page 2]RFC 5210 SAVA Testbed June 20081. Introduction
By design, the Internet forwards data packets solely based on the
destination IP address. The source IP address is not checked during
the forwarding process in most cases. This makes it easy for
malicious hosts to spoof the source address of the IP packet. We
believe that it would be useful to enforce the validity of the source
IP address for all the packets being forwarded.
Enforcing the source IP address validity would help us achieve the
following goals:
o Since packets which carry spoofed source addresses would not be
forwarded, it would be impossible to launch network attacks that
are enabled by using spoofed source addresses and more difficult
to successfully carry out attacks enhanced or strengthened by the
use of spoofed source addresses.
o Being able to assume that all packet source addresses are correct
would allow traceback to be accomplished accurately and with
confidence. This would benefit network diagnosis, management,
datatracker.ietf.org