Source Address Validation Improvements BoF, 70th IETF meeting (PowerPoint presentation)

SLIDE 1

Source Address Validation Improvements BoF

70th IETF meeting, Vancouver, December 5, 2007

SLIDE 2

Today’s Agenda

  • Problems to solve, focus for SAVI (10 min) – Danny McPherson, Christian Vogt
  • IPv4 Source Guard – An existing technique for IP source address validation on the 1st hop (10 min) – Fred Baker, draft-baker-sava-cisco-ip-source-guard-00
  • A Source Guard for IP version 6 (15 min) – Fred Baker, draft-baker-sava-implementation-00
  • Discussion (25 min)

SLIDE 3

Problems to solve, focus for SAVI

Danny McPherson, Christian Vogt

  • General problem
  • Existing solutions
  • Scope of SAVI
  • Related work

SLIDE 4

Source Address Validation – Why Do We Need It?

Internet fails to prevent IP source address spoofing:

  • Packet delivery based on IP destination address only
  • IP source address used by receiver and network entities for sender identification and as destination for return traffic

Resulting threats:

  • Illegitimate authorization to service
  • Circumvent accounting
  • Identity/location spoofing
  • Redirect unwanted traffic to 3rd party

SLIDE 5

Existing Solutions

  • Ingress filtering
  • Unicast Reverse Path Forwarding + variants
  • Cisco IPv4 Source Guard

Not sufficient:

  • Too coarse (IP address prefix validation at aggregated level)
  • Not standardized (as oftentimes demanded for procurement)
  • M.I.T. Spoofer project: IP source address spoofing possible in ¼ of observed addressing space

Need additional protection – standardized

SLIDE 6

Possible Solution Scopes

  • Local link
  • Within administrative domain
  • Across administrative domains

SLIDE 7

Possible Solution Scopes

  • Local link (focus area)
  • Within administrative domain
  • Across administrative domains

Envisioned benefits in focus area:

  • Detect misconfigurations locally
  • Trace IP spoofing attacks
  • Authorization/accounting
  • Localization

SLIDE 8

Proposed SAVI solutions will…

  • ensure that hosts attached to the same router cannot spoof each other's IP addresses
  • track IP address configuration traffic
  • work for IPv4 and IPv6
  • apply to hosts only (not routers)
  • not validate user identities
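As an added illustration (not code from the BoF slides or from any of the drafts), the following toy first-hop source guard shows the SAVI idea in miniature: a switch learns (port, MAC) to IP bindings from snooped address-configuration traffic, then drops any data packet whose source address is not bound to the port it arrived on, so two hosts behind the same switch cannot spoof each other. The port names, MAC addresses and IP addresses are constructed sample values, and "snooped DHCP assignment" is assumed as the binding source.

```python
# Added example: a toy SAVI-style first-hop source guard.
# Binding source is assumed to be snooped configuration traffic (e.g. DHCP);
# all port names, MACs and addresses are constructed sample values.
from ipaddress import ip_address


class SourceGuard:
    """Per-switch binding table plus a per-packet source address check."""

    def __init__(self):
        self.bindings = {}   # (port, mac) -> set of IP addresses bound to it
        self.dropped = []    # (port, mac, src_ip) for every rejected packet

    def bind(self, port, mac, ip):
        """Learn a binding from snooped configuration traffic (IPv4 or IPv6)."""
        self.bindings.setdefault((port, mac), set()).add(ip_address(ip))

    def unbind(self, port, mac, ip):
        """Drop a binding when the lease is released or the port goes down."""
        self.bindings.get((port, mac), set()).discard(ip_address(ip))

    def validate(self, port, mac, src_ip):
        """True if src_ip is bound to (port, mac); otherwise record the drop."""
        if ip_address(src_ip) in self.bindings.get((port, mac), set()):
            return True
        self.dropped.append((port, mac, src_ip))
        return False


def scenario():
    """Two hosts on one switch; host A tries to use host B's address."""
    sg = SourceGuard()
    a, b = ("gi0/1", "00:00:5e:00:53:01"), ("gi0/2", "00:00:5e:00:53:02")
    sg.bind(*a, "192.0.2.10")       # host A, assigned over DHCPv4
    sg.bind(*b, "192.0.2.20")       # host B, assigned over DHCPv4
    sg.bind(*b, "2001:db8::20")     # host B also has an IPv6 address
    results = {
        "a_own": sg.validate(*a, "192.0.2.10"),         # legitimate
        "a_spoofs_b": sg.validate(*a, "192.0.2.20"),    # neighbour's address
        "b_own_v6": sg.validate(*b, "2001:db8::20"),    # legitimate, IPv6
        "unbound_port": sg.validate("gi0/3", "00:00:5e:00:53:03", "192.0.2.30"),
    }
    sg.unbind(*a, "192.0.2.10")     # lease released: binding must go away
    results["a_after_release"] = sg.validate(*a, "192.0.2.10")
    return results, sg.dropped


if __name__ == "__main__":
    print(scenario())
```

The dropped list is what a deployment would feed to logging, which is where the "detect misconfigurations locally" and "trace IP spoofing attacks" benefits on the previous slide come from.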

SLIDE 9

Selected Related Pre-BoF Work

Pekka Savola: Experiences with Unicast RPF (draft-savola-bcp84-urpf-experiences)

  • Deployment of feasible-paths variant
  • Finnish University and Research Network

Jianping Wu et al.: First-Hop Source Address Validation (draft-wu-sava-solution-firsthop-eap)

  • Secure IP address assignment upon access authentication
  • Integratable with EAP, Radius/Diameter
  • IP address enforcement on switch
  • Testbed implementation in CERNET

Jun Bi et al.: Signature-based Source Address Validation (draft-bi-sava-solution-ipv6-edge-network-signature)

  • Session key exchange during access authentication
  • IP address bound to session key
  • Per-packet signatures in extension header