[Int-area] Call For Participation and Interest: Source Address Validation Architecture (SAVA)
Mark Williams <miw@juniper.net> Tue, 12 September 2006 07:47 UTC
Message-ID: <45066601.7090905@juniper.net>
Date: Tue, 12 Sep 2006 15:47:13 +0800
From: Mark Williams <miw@juniper.net>
To: int-area@ietf.org, ipv6@ietf.org, routing-discussion@ietf.org, sava@nrc.tsinghua.edu.cn
All,

We are calling for interest and participation in a project to devise a framework architecture and solutions to the problem of validation of source addresses in IPv6 networks in order to protect network infrastructure from address spoofing attacks.

The effort is based on the current situation that it would seem that, at least as things currently stand, it is unlikely that spoofed source addresses will be able to be excluded from the Internet backbones unless some further solutions and practices are put into place.

The SAVA effort has roots in research and development to that end for IPv6 networks currently being undertaken at Tsinghua University in Beijing. A number of papers have been published and code has been written, which will be going into test on the CERNET-II backbone in the not-too-distant future.

We seek the participation and assistance of the wider Internet community in order to create a framework of practices and solutions which will be deployable on a much wider basis.

A (condensed) draft problem statement is included inline below, and a framework document is in early draft. We will be proposing a BoF session at the upcoming San Diego meeting.

A document repository for drafts and other documents is available at: http://narl.tsinghua.edu.cn/sava/

An interim mailing list sava@nrc.tsinghua.edu.cn <mailto:sava@nrc.tsinghua.edu.cn> has been created and can be joined by going to: http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava

An archive is also available at the same address.

cheers,
Mark

-----------------------------------------------------------------------------------------------------------------------------------

Problem Description:

Introduction

In the MIT Spoofer Project, the authors found that approximately one-quarter of the observed addresses, netblocks and autonomous systems (AS) permit full or partial spoofing. And they suggested that a large portion of the Internet is vulnerable to spoofing. Concerted attacks employing spoofing remain a serious concern.

The current method of avoiding packets with spoofed source addresses entering and being propagated on the Internet relies on two methods:

a) Ingress Filtering as per BCP0038 [RFC2827]. This method requires ISPs and organisations at the edge to apply filters limiting the source addresses allowed on incoming packets to those specifically allowed in the stub networks. If BCP0038 were followed at all ingress points to the Internet, then there would be no spoofed packets on the Internet.

b) Unicast Reverse Path Forwarding (uRPF) filtering. This is a feature available on routers that can be used to block incoming packets if, in the case a packet were constructed with the incoming packet's source address as its destination address, the constructed packet would NOT be routed back along the ingress link for the incoming packet.

Ingress filtering is definitely to be recommended, and uRPF filtering certainly does have its uses, but, at least in the current state of the Internet, they are insufficient as a protection for the routing infrastructure.

a) Ingress filtering works, but it only works if all, or at least the vast majority of ingress points apply ingress filtering. As can be seen in the Internet today, even when 25% of the Internet is unsecured, those elements that want access to "spoofable" connections simply move their connection to unsecured attachment points.

b) uRPF does not work well in places where asymmetric routing happens. This constitutes a large part of the Internet.

There are many proposed mechanisms related to the validation of source IP addresses, but few of them are widely deployed by the current Internet. While it is possibly too late to introduce adequate source address checking in the current IPv4-based Internet, the development of the next generation Internet using IPv6 gives us the opportunity to implement an architecture for effective source address checking.

Why IPSEC is not the Solution to This Problem

IPSEC is a solution to many problems, and it is not the intention of the authors to suggest that it should not be deployed. It is just not the solution to this particular problem.

Whereas IPSEC solves end-end security problems and allows endpoints in a connection to verify the identity of other connected endpoints, there is also a need for the infrastructure of the Internet to be able to protect itself. Many attacks employ spoofed IP addresses either to conceal the source of an infrastructure attack or to cause the network infrastructure to, in effect, attack itself. The network must be able to secure itself from poorly-secured endpoints.

The goal of the solution to the problem must be to discard spoofed traffic as close to the source of the attack as possible (i.e. within the infrastructure rather than at the other endpoint(s)).
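The two mechanisms the problem statement compares, BCP38 ingress filtering and uRPF, are easy to model as a lookup against a router's forwarding table. The following Python is an added example written for this page, not code from the SAVA project or from the message's author; the forwarding table, interface names, ingress filters and packets are all constructed (documentation prefixes only) to reproduce the two failure modes described above: strict uRPF rejecting legitimate traffic when routing is asymmetric, and both checks being blind on a transit link that has no filter. It goes slightly beyond the text by also modelling loose-mode uRPF, a common workaround for asymmetric routing; as an assumed simplification, neither uRPF mode uses the default route for its check.

```python
import ipaddress

# Constructed forwarding table for a hypothetical provider-edge router:
# prefix -> interface the router would use to reach that prefix. All
# prefixes are from documentation ranges; interface names are made up.
FIB = {
    "2001:db8:1::/48": "ge-0/0/1",  # customer A, single-homed on ge-0/0/1
    "2001:db8:2::/48": "ge-0/0/2",  # customer B, preferred link ge-0/0/2
    "2001:db8::/32":   "ge-0/0/0",  # rest of the aggregate lives upstream
    "::/0":            "ge-0/0/0",  # default route toward the upstream
}

# Constructed BCP38 ingress filters: for each customer-facing interface, the
# source prefixes that stub is allowed to originate. The upstream interface
# ge-0/0/0 has no entry: a transit link cannot be filtered this way.
INGRESS_FILTERS = {
    "ge-0/0/1": ["2001:db8:1::/48"],
    "ge-0/0/2": ["2001:db8:2::/48"],
    "ge-0/0/3": ["2001:db8:2::/48"],  # customer B's second (backup) link
}


def lookup(fib, addr):
    """Longest-prefix match. Returns (matched_network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_filter_accepts(filters, src, ingress_iface):
    """BCP38: accept only if src lies inside a prefix allocated to the stub on that link."""
    allowed = filters.get(ingress_iface)
    if allowed is None:
        return True  # no filter configured on this interface (e.g. the upstream)
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in allowed)


def strict_urpf_accepts(fib, src, ingress_iface):
    """Strict uRPF: accept only if the route back to src exits via the ingress interface.
    Simplification (assumed): the default route (/0) does not count as a route."""
    match = lookup(fib, src)
    return match is not None and match[0].prefixlen > 0 and match[1] == ingress_iface


def loose_urpf_accepts(fib, src):
    """Loose uRPF: accept if any route more specific than the default covers src,
    regardless of which interface it points at (so it tolerates asymmetric routing)."""
    match = lookup(fib, src)
    return match is not None and match[0].prefixlen > 0


# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("2001:db8:1::10", "ge-0/0/1"),    # customer A using its own address
    ("2001:db8:1::10", "ge-0/0/2"),    # host on B's link spoofing A's address
    ("2001:db8:2::5", "ge-0/0/3"),     # B sending via its backup link (asymmetric routing)
    ("2001:db8:cafe::1", "ge-0/0/0"),  # transit traffic arriving from the upstream
    ("3fff::1", "ge-0/0/0"),           # source with no route at all (only the default matches)
]


def evaluate(fib, filters, packets):
    """For each packet return (src, iface, bcp38_ok, strict_urpf_ok, loose_urpf_ok)."""
    return [
        (src, iface,
         ingress_filter_accepts(filters, src, iface),
         strict_urpf_accepts(fib, src, iface),
         loose_urpf_accepts(fib, src))
        for src, iface in packets
    ]


if __name__ == "__main__":
    for row in evaluate(FIB, INGRESS_FILTERS, PACKETS):
        print(row)
```

Running it shows the second packet (a spoofed customer address) caught by both the ingress filter and strict uRPF but passed by loose uRPF, the third packet (legitimate but arriving over customer B's backup link) wrongly dropped by strict uRPF only, and the upstream packets accepted by everything except loose uRPF on the unrouted source. The defensive point is the one the problem statement makes: the filters are only as good as their deployment at every edge, and the transit interface shows where neither check has enough information to decide.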