IETF Logo Mail Archive

[Int-area] Call For Participation and Interest: Source Address Validation Architecture (SAVA)

Mark Williams <miw@juniper.net> Tue, 12 September 2006 07:47 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GN2zJ-0004hv-90; Tue, 12 Sep 2006 03:47:21 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GN2zH-0004gS-HW; Tue, 12 Sep 2006 03:47:19 -0400
Received: from borg.juniper.net ([207.17.137.119]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GN2zE-0005vV-2H; Tue, 12 Sep 2006 03:47:19 -0400
Received: from unknown (HELO beta.jnpr.net) ([172.24.18.109]) by borg.juniper.net with ESMTP; 12 Sep 2006 00:45:13 -0700
X-IronPort-AV: i="4.09,148,1157353200"; d="scan'208"; a="587700592:sNHT48547718"
Received: from [172.27.8.116] ([172.27.8.116]) by beta.jnpr.net over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Tue, 12 Sep 2006 00:47:14 -0700
Message-ID: <45066601.7090905@juniper.net>
Date: Tue, 12 Sep 2006 15:47:13 +0800
From: Mark Williams <miw@juniper.net>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: int-area@ietf.org, ipv6@ietf.org, routing-discussion@ietf.org, sava@nrc.tsinghua.edu.cn
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 12 Sep 2006 07:47:14.0808 (UTC) FILETIME=[A9E1F780:01C6D63F]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc:
Subject: [Int-area] Call For Participation and Interest: Source Address Validation Architecture (SAVA)
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: miw@juniper.net
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org

All,

We are calling for interest and participation in a project to devise a 
framework architecture and solutions to the problem of validation of 
source addresses in IPv6 networks in order to protect network 
infrastructure from address spoofing attacks.

The effort is based on the current situation that it would seem that, at 
least as things currently stand, it is unlikely that spoofed source 
addresses will be able to be excluded from the Internet backbones unless 
some further solutions and practices are put into place.

The SAVA effort has roots in research and development to that end for 
IPv6 networks currently being undertaken at Tsinghua University in 
Beijing. A number of papers have been published and code has been 
written, which will be going into test on the CERNET-II backbone in the  
not-too-distant future. We seek the participation and assistance of the 
wider Internet community in order to create a framework of practices and 
solutions which will be deployable on a much wider basis.

A (condensed) draft problem statement is included inline below, and a 
framework document is in early draft.

We will be proposing a BoF session at the upcoming San Diego meeting.

A document repository for drafts and other documents is available at:
http://narl.tsinghua.edu.cn/sava/

An interim mailing list
sava@nrc.tsinghua.edu.cn <mailto:sava@nrc.tsinghua.edu.cn>
has been created and can be joined by going to:
http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava
an archive is also available at the same address.

cheers,

Mark
-----------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------


    Problem Description:


      Introduction

In the MIT Spoofer Project, the authors found that approximately 
one-quarter of the observed addresses, netblocks and autonomous systems 
(AS) permit full or partial spoofing.  And they suggested that a large 
portion of the Internet is vulnerable to spoofing. Concerted attacks 
employing spoofing remain a serious concern.

The current method of avoiding packets with spoofed source addresses 
entering and being propagated on the Internet relies on two methods:

a)       Ingress Filtering as per BCP0038 [RFC2827].  This method 
requires    ISPs and organisations at the edge to apply filters limiting 
the    source addresses allowed on incoming packets to those    
specifically allowed in the stub networks.  If BCP0038 were    followed 
at all ingress points to the Internet, then there would    be no spoofed 
packets on the Internet.

b)       Unicast Reverse Path Forwarding (uRPF) filtering.  This is a 
feature available on routers that can be used to block incoming packets 
if, in the case a packet were constructed with the incoming packet's 
source address as its destination address, the constructed packet would 
NOT be routed back along the ingress link for the incoming packet.

Ingress filtering is definitely to be recommended, and uRPF filtering 
certainly does have its uses, but, at least in the current state of the 
Internet, they are insufficient as a protection for the routing 
infrastructure.

a)       Ingress filtering works, but it only works if all, or at least 
the vast majority of ingress points apply ingress filtering.  As can be 
seen in the Internet today, even when 25% of the Internet is unsecured, 
those elements that want access to "spoofable" connections simply move 
their connection to unsecured attachment points.

b)       uRPF does not work well in places where asymmetric routing 
happens.  This constitutes a large part of the Internet

There are many proposed  mechanisms related to the validation of source 
IP addresses, but few of them are widely deployed by the current 
Internet. While it is possibly too late to introduce adequate source 
address checking in the current IPv4-based Internet, the development of 
the next generation Internet using IPv6 gives us the opportunity to 
implement an architecture for effective source address checking.


      Why IPSEC is not the Solution to This Problem

IPSEC is a solution to many problems, and it is not the intention of the 
authors to suggest that it should not be deployed.  It is just not the 
solution to this particular problem.

Whereas IPSEC solves end-end security problems and allows endpoints in a 
connection to verify the identity of other connected endpoints, there is 
also a need for the infrastructure of the Internet to be able to protect 
itself. Many attacks employ spoofed IP addresses either to conceal the 
source of an infrastructure attack or to cause the network 
infrastructure to, in effect, attack itself.

The network must be able to secure itself from poorly-secured 
endpoints.  The goal of the solution to the problem must be to discard 
spoofed traffic as close to the source of the attack as possible. (i.e. 
within the infrastructure rather than at the other endpoint(s).



_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email