IETF BOF Proposal: Source Address Validation Architecture (SAVA) General Discussion: sava@nrc.tsinghua.edu.cn To Subscribe: http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava Mailing List Archive: http://www.nrc.tsinghua.edu.cn/pipermail/sava/ Document Repository: http://narl.tsinghua.edu.cn/sava Problem Description: Introduction In the MIT Spoofer Project, the authors found that approximately one-quarter of the observed addresses, netblocks and autonomous systems (AS) permit full or partial spoofing. And they suggested that a large portion of the Internet is vulnerable to spoofing. Concerted attacks employing spoofing remain a serious concern. The current method of avoiding packets with spoofed source addresses entering and being propagated on the Internet relies on two methods: a) Ingress Filtering as per BCP0038 [RFC2827]. This method requires ISPs and organisations at the edge to apply filters limiting the source addresses allowed on incoming packets to those specifically allowed in the stub networks. If BCP0038 were followed at all ingress points to the Internet, then there would be no spoofed packets on the Internet. b) Unicast Reverse Path Forwarding (uRPF) filtering. This is a feature available on routers that can be used to block incoming packets if, in the case a packet were constructed with the incoming packet's source address as its destination address, the constructed packet would NOT be routed back along the ingress link for the incoming packet. Ingress filtering is definitely to be recommended, and uRPF filtering certainly does have its uses, but, at least in the current state of the Internet, they are insufficient as a protection for the routing infrastructure. a) Ingress filtering works, but it only works if all, or at least the vast majority of ingress points apply ingress filtering. As can be seen in the Internet today, even when 25% of the Internet is unsecured, those elements that want access to "spoofable" connections simply move their connection to unsecured attachment points. b) uRPF does not work well in places where asymmetric routing happens. This constitutes a large part of the Internet There are many proposed mechanisms related to the validation of source IP addresses, but few of them are widely deployed by the current Internet. While it is possibly too late to introduce adequate source address checking in the current IPv4-based Internet, the development of the next generation Internet using IPv6 gives us the opportunity to implement an architecture for effective source address checking. Why IPSEC is not the Solution to This Problem IPSEC is a solution to many problems, and it is not the intention of the authors to suggest that it should not be deployed. It is just not the solution to this particular problem. Whereas IPSEC solves end-end security problems and allows endpoints in a connection to verify the identity of other connected endpoints, there is also a need for the infrastructure of the Internet to be able to protect itself. Many attacks employ spoofed IP addresses either to conceal the source of an infrastructure attack or to cause the network infrastructure to, in effect, attack itself. The network must be able to secure itself from poorly-secured endpoints. The goal of the solution to the problem must be to discard spoofed traffic as close to the source of the attack as possible. (i.e. within the infrastructure rather than at the other endpoint(s).