[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Springer Nature Link
Log in

Building a next generation Internet with source address validation architecture

  • Published:
Science in China Series F: Information Sciences Aims and scope Submit manuscript

Abstract

The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases. This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a “source address validation architecture” (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, “multi-fence support” and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure—a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Kent S, Atkinson R. RFC2401. Security Architecture for the Internet Protocol. IETF, 1998

  2. Bremler-Barr A, Levy H. Spoofing Prevention Method. IEEE INFOCOM, 2005

  3. Ferguson P, Senie D. RFC2827. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. IETF, 2000

  4. Park K, Lee H. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. ACM SIGCOMM, 2001

  5. Li J, Mirkovic J, Wang M, et al. SAVE: Source address validity enforcement protocol. IEEE INFOCOM, 2002

  6. Jin C, Wang H. Hop-count filtering: an effective defense against spoofed DDoS traffic. ACM CCS, 2003

  7. Snoeren A, Partridge C, Sanchez L, et al. A Hash-based IP traceback. ACM SIGCOMM, 2001

  8. Bellovin S, Leech M, Taylor T. ICMP traceback messages. IETF Internet Draft, draft-ietf-itrace-03, 2003

  9. Lee H, Thing V, Xu Y, et al. ICMP traceback with cumulative path, an efficient solution for IP traceback. Information and Communications Security. LNCS, 2003. 124–135

  10. Savage S, Wetherall D, Karlin A, et al. Practical network support for IP traceback. ACM SIGCOMM, 2000

  11. Belenky A, Ansari N, IP traceback with deterministic packet marking. IEEE Commun Lett, 2003, 7(4): 162–164

    Article  Google Scholar 

  12. Wu J, Ren G, Li X. Source address validation: Architecture and protocol design. ICNP, 2007

  13. Wu J, Bi J, Li X, et al. RFC5210. A source address validation architecture (SAVA) testbed and deployment experience. IETF, 2008

  14. Wu J, Ren G, Bi J, et al. A first-hop source address validation solution for SAVA. IETF Internet Draft, draft-wu-sava-solution-firsthop-eap-00, 2007

  15. Wu J, Bi J, Ren G, et al. Source Address validation architecture (SAVA) framework. IETF Internet Draft, draft-wu-sava-framework-01, 2007

  16. Wu J, Ferguson P, Bi J, et al. Source Address verification architecture problem statement. IETF Internet Draft, draft-sava-problem-statement-02, 2007

  17. Gao L. On inferring autonomous system relationships in the Internet. IEEE/ACM Trans Network-Ing, 2001, 9(6): 733–745

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Tsinghua University, Beijing, 100084, China

    JianPing Wu & Gang Ren

  2. Department of Electronic Engineering, Tsinghua University, Beijing, 100084, China

    Xing Li

  3. Tsinghua National Laboratory for Information Science and Technology (TNList), Beijing, 100084, China

    JianPing Wu, Gang Ren & Xing Li

Authors
  1. JianPing Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gang Ren
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xing Li
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to JianPing Wu.

Additional information

Supported by the National Natural Science Foundation of China (Grant No. 90704001), and the National Basic Research Program of China (973 Program) (Grant No. 2003CB314800)

Rights and permissions

Reprints and permissions

About this article

Cite this article

Wu, J., Ren, G. & Li, X. Building a next generation Internet with source address validation architecture. Sci. China Ser. F-Inf. Sci. 51, 1681–1691 (2008). https://doi.org/10.1007/s11432-008-0142-x

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11432-008-0142-x

Keywords

Search

Navigation