The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Bas...The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Based on the drastically increased IPv6 address space,a"source address validation architecture"(SAVA)is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address.The design goals of the architecture are lightweight,loose coupling,"multi-fence support"and incremental deployment.This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet.The performance and scalability of SAVA are described.This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project.We believe that the SAVA will help the transition to a new,more secure and dependable Internet.展开更多
A signature-and-verification-based method, automatic peer-to-peer anti-spoofing (APPA), is pro- posed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer,...A signature-and-verification-based method, automatic peer-to-peer anti-spoofing (APPA), is pro- posed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer, and verified and removed at the verification peer where packets with incorrect signatures are filtered. A unique state machine, which is used to generate signatures, is associated with each ordered pair of APPA peers. As the state machine automatically transits, the signature changes accordingly. KISS ran- dom number generator is used as the signature generating algorithm, which makes the state machine very small and fast and requires very low management costs. APPA has an intra-AS (autonomous system) level and an inter-AS level. In the intra-AS level, signatures are tagged into each departing packet at the host and verified at the gateway to achieve finer-grained anti-spoofing than ingress filtering. In the inter-AS level, signatures are tagged at the source AS border router and verified at the destination AS border router to achieve prefix-level anti-spoofing, and the automatic state machine enables the peers to change signatures without negotiation which makes APPA attack-resilient compared with the spoofing prevention method. The results show that the two levels are both incentive for deployment, and they make APPA an integrated anti-spoofing solution.展开更多
IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (S...IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (iETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing, in this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.展开更多
基金the National Natural Science Foundation of China(Grant No.90704001)the National Basic Research Program of China(973 Program)(Grant No.2003CB314800)
文摘The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Based on the drastically increased IPv6 address space,a"source address validation architecture"(SAVA)is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address.The design goals of the architecture are lightweight,loose coupling,"multi-fence support"and incremental deployment.This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet.The performance and scalability of SAVA are described.This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project.We believe that the SAVA will help the transition to a new,more secure and dependable Internet.
基金Supported by the Basic Research Foundation of the Tsinghua National Laboratory for Information Science and Technology (TNList)the National Key Basic Research and Development (973) Program of China (No. 2008BAH37B02)
文摘A signature-and-verification-based method, automatic peer-to-peer anti-spoofing (APPA), is pro- posed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer, and verified and removed at the verification peer where packets with incorrect signatures are filtered. A unique state machine, which is used to generate signatures, is associated with each ordered pair of APPA peers. As the state machine automatically transits, the signature changes accordingly. KISS ran- dom number generator is used as the signature generating algorithm, which makes the state machine very small and fast and requires very low management costs. APPA has an intra-AS (autonomous system) level and an inter-AS level. In the intra-AS level, signatures are tagged into each departing packet at the host and verified at the gateway to achieve finer-grained anti-spoofing than ingress filtering. In the inter-AS level, signatures are tagged at the source AS border router and verified at the destination AS border router to achieve prefix-level anti-spoofing, and the automatic state machine enables the peers to change signatures without negotiation which makes APPA attack-resilient compared with the spoofing prevention method. The results show that the two levels are both incentive for deployment, and they make APPA an integrated anti-spoofing solution.
基金supported by the National Natural Science Foundation of China Nos.61772307 and 61402257the National Key Basic Research and Development(973) Program of China Nos.2009CB320500 and 2009CB320501Tsinghua University Self-determined Project under grant No.2014z21051
文摘IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (iETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing, in this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.
