A Source Address Validation Architecture (SAVA) Testbed and Deployment Experience
RFC 5210
Document Type RFC - Experimental (June 2008; No errata)
Was draft-wu-sava-testbed-experience (individual in int area)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5210 (Experimental)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Jari Arkko
Send notices to fergdawg@netzero.net
Email authors IPR References Referenced by Nits 
Network Working Group                                              J. Wu
Request for Comments: 5210                                         J. Bi
Category: Experimental                                             X. Li
                                                                  G. Ren
                                                                   K. Xu
                                                     Tsinghua University
                                                             M. Williams
                                                        Juniper Networks
                                                               June 2008

        A Source Address Validation Architecture (SAVA) Testbed
                       and Deployment Experience

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   Because the Internet forwards packets according to the IP destination
   address, packet forwarding typically takes place without inspection
   of the source address and malicious attacks have been launched using
   spoofed source addresses.  In an effort to enhance the Internet with
   IP source address validation, a prototype implementation of the IP
   Source Address Validation Architecture (SAVA) was created and an
   evaluation was conducted on an IPv6 network.  This document reports
   on the prototype implementation and the test results, as well as the
   lessons and insights gained from experimentation.

Wu, et al.                    Experimental                      [Page 1]
RFC 5210                      SAVA Testbed                     June 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  A Prototype SAVA Implementation  . . . . . . . . . . . . . . .  4
     2.1.  Solution Overview  . . . . . . . . . . . . . . . . . . . .  4
     2.2.  IP Source Address Validation in the Access Network . . . .  6
     2.3.  IP Source Address Validation at Intra-AS/Ingress Point . .  9
     2.4.  IP Source Address Validation in the Inter-AS Case
           (Neighboring AS) . . . . . . . . . . . . . . . . . . . . .  9
     2.5.  IP Source Address Validation in the Inter-AS Case
           (Non-Neighboring AS) . . . . . . . . . . . . . . . . . . . 12
   3.  SAVA Testbed . . . . . . . . . . . . . . . . . . . . . . . . . 15
     3.1.  CNGI-CERNET2 . . . . . . . . . . . . . . . . . . . . . . . 15
     3.2.  SAVA Testbed on CNGI-CERNET2 Infrastructure  . . . . . . . 16
   4.  Test Experience and Results  . . . . . . . . . . . . . . . . . 17
     4.1.  Test Scenarios . . . . . . . . . . . . . . . . . . . . . . 17
     4.2.  Test Results . . . . . . . . . . . . . . . . . . . . . . . 18
   5.  Limitations and Issues . . . . . . . . . . . . . . . . . . . . 18
     5.1.  General Issues . . . . . . . . . . . . . . . . . . . . . . 18
     5.2.  Security Issues  . . . . . . . . . . . . . . . . . . . . . 20
     5.3.  Protocol Details . . . . . . . . . . . . . . . . . . . . . 20
   6.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 21
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 22
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 23
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 23

Wu, et al.                    Experimental                      [Page 2]
RFC 5210                      SAVA Testbed                     June 2008

1.  Introduction

   By design, the Internet forwards data packets solely based on the
   destination IP address.  The source IP address is not checked during
   the forwarding process in most cases.  This makes it easy for
   malicious hosts to spoof the source address of the IP packet.  We
   believe that it would be useful to enforce the validity of the source
   IP address for all the packets being forwarded.

   Enforcing the source IP address validity would help us achieve the
   following goals:

   o  Since packets which carry spoofed source addresses would not be
      forwarded, it would be impossible to launch network attacks that
      are enabled by using spoofed source addresses and more difficult
      to successfully carry out attacks enhanced or strengthened by the
      use of spoofed source addresses.

   o  Being able to assume that all packet source addresses are correct
      would allow traceback to be accomplished accurately and with
      confidence.  This would benefit network diagnosis, management,
      accounting, and applications.

   As part of the effort in developing a Source Address Validation
   Architecture (SAVA), we implemented a SAVA prototype and deployed the
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools