All,
We are calling for interest and participation in a project to devise a
framework architecture and solutions to the problem of validation of
source addresses in IPv6 networks in order to protect network
infrastructure from address spoofing attacks.
The effort is based on the current situation that it would seem that, at
least as things currently stand, it is unlikely that spoofed source
addresses will be able to be excluded from the Internet backbones unless
some further solutions and practices are put into place.
The SAVA effort has roots in research and development to that end for
IPv6 networks currently being undertaken at Tsinghua University in
Beijing. A number of papers have been published and code has been
written, which will be going into test on the CERNET-II backbone in the
not-too-distant future. We seek the participation and assistance of the
wider Internet community in order to create a framework of practices and
solutions which will be deployable on a much wider basis.
A (condensed) draft problem statement is included inline below, and a
framework document is in early draft.
We will be proposing a BoF session at the upcoming San Diego meeting.
A document repository for drafts and other documents is available at:
http://narl.tsinghua.edu.cn/sava/
An interim mailing list
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
has been created and can be joined by going to:
http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava
an archive is also available at the same address.
cheers,
Mark
-----------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------
Problem Description:
Introduction
In the MIT Spoofer Project, the authors found that approximately
one-quarter of the observed addresses, netblocks and autonomous systems
(AS) permit full or partial spoofing. And they suggested that a large
portion of the Internet is vulnerable to spoofing. Concerted attacks
employing spoofing remain a serious concern.
The current method of avoiding packets with spoofed source addresses
entering and being propagated on the Internet relies on two methods:
a) Ingress Filtering as per BCP0038 [RFC2827]. This method
requires ISPs and organisations at the edge to apply filters limiting
the source addresses allowed on incoming packets to those
specifically allowed in the stub networks. If BCP0038 were followed
at all ingress points to the Internet, then there would be no spoofed
packets on the Internet.
b) Unicast Reverse Path Forwarding (uRPF) filtering. This is a
feature available on routers that can be used to block incoming packets
if, in the case a packet were constructed with the incoming packet's
source address as its destination address, the constructed packet would
NOT be routed back along the ingress link for the incoming packet.
Ingress filtering is definitely to be recommended, and uRPF filtering
certainly does have its uses, but, at least in the current state of the
Internet, they are insufficient as a protection for the routing
infrastructure.
a) Ingress filtering works, but it only works if all, or at least
the vast majority of ingress points apply ingress filtering. As can be
seen in the Internet today, even when 25% of the Internet is unsecured,
those elements that want access to "spoofable" connections simply move
their connection to unsecured attachment points.
b) uRPF does not work well in places where asymmetric routing
happens. This constitutes a large part of the Internet
There are many proposed mechanisms related to the validation of source
IP addresses, but few of them are widely deployed by the current
Internet. While it is possibly too late to introduce adequate source
address checking in the current IPv4-based Internet, the development of
the next generation Internet using IPv6 gives us the opportunity to
implement an architecture for effective source address checking.
Why IPSEC is not the Solution to This Problem
IPSEC is a solution to many problems, and it is not the intention of the
authors to suggest that it should not be deployed. It is just not the
solution to this particular problem.
Whereas IPSEC solves end-end security problems and allows endpoints in a
connection to verify the identity of other connected endpoints, there is
also a need for the infrastructure of the Internet to be able to protect
itself. Many attacks employ spoofed IP addresses either to conceal the
source of an infrastructure attack or to cause the network
infrastructure to, in effect, attack itself.
The network must be able to secure itself from poorly-secured
endpoints. The goal of the solution to the problem must be to discard
spoofed traffic as close to the source of the attack as possible. (i.e.
within the infrastructure rather than at the other endpoint(s).
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
