Guangwu Hu,Ke Xu,Jianping Wu,Yong Cui,Fan Shi

DOI: https://doi.org/10.1109/mnet.2013.6678929

IF: 10.294

2013-01-01

IEEE Network

Abstract:IP spoofing has nowadays become a research focus, as it has been bothering netizens since the emergence of the Internet. Though many studies have made their contributions to the prevention of IP-spoofing, the most excellent one is the SAVI (Source Address Validation Improvement) proposal advocated by IETF, since it can prevent IP-spoofing from happening by automatically binding the key properties of hosts in layer2 access subnet. Nevertheless, till now, SAVI only focuses on the IPv6 stack and simple network access scenarios. To the best of our knowledge, there is no solution even has paid attention to IPv4/IPv6 transition scenarios. Given the fact that IPv4/IPv6 transition will continue to be adopted for a long period of time, this issue is becoming increasingly urgent. However, since transition schemes are plenty and diverse, hardly can an ordinary solution satisfy all the requirements of various transition scenarios. In this paper, we present an improved general SAVI-based framework of IP source address validation and traceback for IPv4/IPv6 transition scenarios. To achieve this goal, we extract essential and mutual properties from these transition schemes, and create sub-solutions for each property. Naturally, if one transition scheme is proposed by combining some properties, the corresponding sub-solutions would be included into its IP source address validation and traceback solution. Therefore, the advantage of this framework is its capability to adapt to all the transition schemes.

Yu Zhai,CongXiao Bao,Xing Li

DOI: https://doi.org/10.1109/nas.2011.12

2011-01-01

Abstract:IPv4 addresses are already depleted in IANA and will be soon exhausted in RIR while more clients are pouring into the Internet. IPv6, as the only available next generation Internet protocol, is still not commercially successful because a scheme that could solve the migration of IPv4 resources to IPv6 network, as well as mutual communication between the two incompatible protocols, has not been fully developed and deployed. Translation solution provides a proper approach to address this problem. In this article, we propose IVI, an IPv4/IPv6 translation scheme, in order to facilitate resource migration and protocol transition. We explain how it works to translate between IPv4 and IPv6, and how combinations of IVI flavours and various translation scenarios are used in each phase of transition. The evaluation of scalability and robustness, which is important to a widely deployed translation scheme, is also discussed.

Lin He,Gang Ren,Ying Liu,Guanglei Song,E. Jinlong,Jiahai Yang,Mingwei Xu

DOI: https://doi.org/10.1109/MNET.123.2200111

IF: 10.294

2023-01-01

IEEE Network

Abstract:IP spoofing is prevalently used for anonymity and reflection attacks, e.g., distributed denial of service (DDoS) attacks, which have shown increasingly destructive power in recent years because today's Internet lacks validation on source addresses. Moreover, the fast deployment of IPv6 on the Internet may further aggravate the damages of DDoS attacks. This paper proposes a novel source address validation mechanism called SAV6, which leverages the huge IPv6 address space to validate source addresses at an inter-autonomous system (AS) granularity. In SAV6, each IPv6 address contains an AS number (ASN), whose corresponding AS announces the prefix of the address to other ASes. An AS can determine the authenticity of the source address by whether the ASN in the address matches the corresponding prefix after receiving an incoming packet. The performance evaluation of a SAV6 prototype shows that it adds little performance overhead to the deployed infrastructures and is a lightweight and deployable protocol.

Yuncheng Zhu,Maoke Chen,Hong Zhang,Xing Li

DOI: https://doi.org/10.1109/glocom.2008.ecp.433

2008-01-01

Abstract:IPv4 addresses will be soon exhausted while more and more users are pouring into the Internet. It is commonly understood that IPv6 is definitely necessary for connecting new users, but lack of resources in current IPv6 world discourages providers from developing their IPv6 market. Address and packet translations are considered necessary for Internet content resources migrating from IPv4 world to IPv6, but up to now there is no one translation approach scalable enough. We understand the scalability is essentially restricted by the states in routing and those in translation, and accordingly we propose a novel architecture, called IVI, where IPv6 subscriber addresses are mapped from IPv4 with a certain rule that keeps IPv6 routing table well aggregated and makes translation stateless at all. Moreover, we introduce multiplex into the mapping to accommodate the trend of IPv4 addresses being more and more precious. Analysis based on real traffic data proves that the proposed approach is feasible to be deployed by an ISP for its customer networks and the potential degradation in end-to-end performance is acceptable.

SAVI K Xu,G Hu,J Bi,M Xu

2012-01-01

Abstract:IP spoofing always is bothering us along with the Internet invention. With the rapid development of IPv6 next generation Internet, this issue is more prominent. Existing IP anti-spoofing proposals, including SAVI (Source Address Validation Improvement) which was advocated by IETF, only focused on single-stack or simple network scenarios. To the best of our knowledge, none of them has paid attention to the IPv4/IPv6 transition scenarios. However, since transition schemes are plenty and various, one solution cannot meet all requirements of them. In this draft, we present a SAVI-based general frame-work for IP source address validation and traceback in the IPv4/IPv6 transition scenarios, which achieve this by extracting out essential and mutual properties from these schemes, and forming sub-solutions for each property. When one transition scheme is composed from various properties, its IP source address …

Fuliang Li,Changqing An,Jiahai Yang,Ning Jiang,Jianping Wu

DOI: https://doi.org/10.1109/APNOMS.2011.6077038

2011-01-01

Abstract:IPv6 protocol has been widely deployed in the world. As the IANA pool of IPv4 addresses has run out, IPv6 will become increasingly important. Although the IPv6 protocol stack presents considerable advantages compared with the IPv4 protocol stack, IP source address spoofing is still exploited in IPv6 to initiate malicious attacks. Some techniques are proposed and deployed to implement source address validation at fine granularity. In this paper, we investigate the efficiency of fine granularity IP source address validation, e.g. whether filtering technology is deployed to prevent hosts from using forged IP address. We develop a detection tool with controlled spoofing ability which can infer whether the function of filtering spoofing address packets is enabled. We run this tool in 12 famous universities in China and collect the testing data. We gather a total of 41373 probes from 324 clients, and each probe includes sending at least 5 packets with the same spoofing source address to the control server. Results reveal that, 77.02% of the spoofing probes are completely filtered, 0.29% of the spoofing probes are partly filtered and the rest spoofing probes are not filtered at all. Overall, this illustrates that techniques of source address validation have been widely deployed in campus networks. Our statistical results provide practical basis for the deployment and further development of source address validation protocols in IPv6 networks.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Aniruddha Bhattacharjya,Xiaofeng Zhong,Jing Wang,Xing Li

DOI: https://doi.org/10.1504/ijics.2019.099419

2019-01-01

Abstract:Due to the shortage of IPv4 addresses, many hosts are currently assigned to a single IPv4 address by using one or a number of NAT devices. However, numerous NAT devices cannot be upgraded for executing 6to4 due to technical and/or economic reasons. Solutions depending on Double Network Address Translation 64 are a good way to utilise shared IP4 addressing. Mapping of address and port using translation (MAP-T) is a technique that accomplishes double translation on Border Relay (BR) and customer edge (CE) devices. IPv4 and IPv6 forwarding, IPv4 and IPv6 fragmentation functions, and NAT64 translation functions are used by MAP-T. This enables increasing numbers of IPv6 in both clients and servers in order to possess the best defence against certain attacks, such as routing loop attacks, spoofing attacks, denial-of-service attacks. We have here proposed some procedures for creating frameworks and sustaining secure IPv6 networks according to applications, environs and architecture.

SAVI K Xu,G Hu,J Bi,M Xu

2012-01-01

Abstract:Many proposals have been presented for preventing IP spoofing from occurring in network. An outstanding of them is the SAVI (Source Address Validation Improvement) proposal which was advocated by IETF SAVI workgroup for solving this problem from user access switch. SAVI Working Group is developing standardize mechanisms that prevent nodes attached to the same IP link from spoofing each other’s IP addresses, and achieve IP source address validation at a finer granularity. However, up to now, to the best of our knowledge, none of them has focused on the scenarios of 4over6 transition, that is, IPv4 packets transit IPv6 network and arrive at other edge IPv4 network (s). With the boom of IPv6 networks, this issue becomes more and more urgent. In addition, since 4over6 plans are plenty and various, one solution cannot meet all requirements of these plans. This document describes a framework of IP …

Jun Bi,Jianping Wu,Xing Li,Xiangbin Cheng

DOI: https://doi.org/10.1109/ngi.2008.21

2008-01-01

Abstract:Since the Internet uses destination-based packet forwarding, malicious attacks have been launched using spoofed source addresses. In an effort to enhance the Internet with IP source address validation, we prototyped an implementation of the IPv6 source address validation architecture (SAVA) and conducted the evaluation on an IPv6 test-bed. This paper reports our prototype implementation and the test results, as well as the lessons and insights gained from our experimentation.

JianPing Wu,Gang Ren,Xing Li

DOI: https://doi.org/10.1007/s11432-008-0142-x

2008-01-01

Science in China Series F Information Sciences

Abstract:The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases. This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a “source address validation architecture” (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, “multi-fence support” and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure—a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.

Jianping Wu

2007-01-01

Abstract:This document describes the detail mechanism and protocol definition of a light-weight signature based and end-to-end deployed method for preventing the spoofing of source IPv6 address.

吴建平,任罡,李星

DOI: https://doi.org/10.3969/j.issn.2095-2783.2007.10.003

2007-01-01

Abstract:The current Internet addressing architecture does not verify the source address of a packet received and forwarded.This causes serious security problems.This paper proposed the solutions for Inter-AS source address validation in IPv6 network,which can improve the security of IPv6 network.An AS relation based method is proposed for directly connected AS,and a signature based method is proposed for ASes which are not directly connected.This paper discusses the details of design,implementation and deployment into the CNGI-CERNET2 infrastructure-a large-scale native IPv6 backbone network of the China Next Generation Internet project.

Jianping Wu,Gang Ren,Xing Li

DOI: https://doi.org/10.1109/ICNP.2007.4375858

2007-01-01

Abstract:The current Internet addressing architecture does not verify the source address of a packet received and forwarded. This causes serious security and accounting problems. Based on the drastically increased IPv6 address space; a '' Source Address Validation Architecture '' (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, '' multi-fence support '' and incremental deployment. This paper discusses the details of design and implementation for the architecture, including inter-AS, intra-AS and local subnet. This architecture is deployed into the CNGI-CERNET2 infrastructure - a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the Source Address Validation Architecture will help the transition to a new, more secure and sustainable Internet.

Jun Bi,Guang Yao,Jianping Wu

DOI: https://doi.org/10.4304/jnw.4.2.100-107

2009-01-01

Journal of Networks

Abstract:Since the Internet uses destination-based packet forwarding, malicious attacks have been launched using spoofed source addresses. In an effort to enhance the Internet with IP source address validation, we prototyped an implementation of the IPv6 Source Address Validation Architecture (SAVA) and conducted the evaluation on an IPv6 test-bed. This paper reports our prototype implementation and the test results, as well as the lessons and insights gained from our experimentation. Some enhanced methods are also introduced in this article.

Lizhong Xie,Jun Bi,Jianpin Wu

DOI: https://doi.org/10.1007/978-3-540-72590-9_121

2007-01-01

Abstract:In today's Internet routing architecture, the router doesn't validate the correctness of the source address carried in the packet, nor keep the state information when forwarding the packet. Thus the DDoS attacks with spoofed IP source address can cause security problems. In this paper, we aim to prevent the attackers from attacking somewhere outside the IPv6 edge network with forged source address in the fine granularity. The proposed methods include source address authentication by using session key and hash digest algorithm, and replay attack prevention by combining the sequence number method and the timestamp method. This paper presents the algorithm design and evaluates its feasibility and correctness by simulation experiments.

Guang Yao,Jun Bi

DOI: https://doi.org/10.1109/ICNS.2008.25

2008-01-01

Abstract:The lack of source address validation on the Internet makes attack with IP spoofing a serious problem. Many methods have been proposed to solve this problem, and among them, SPM and ARBIF are effective and feasible ones. We have implemented an IPv6 source address validation device with these two methods embedded, and this device is an open framework for other source address validation mechanisms.

Xiangbin Cheng,Jun Bi,Xing Li,Jianping Wu

DOI: https://doi.org/10.1109/ipc.2007.43

2007-01-01

Abstract:Along with the development of IPv6, native IPv6 networks will begin to appear. It would be helpful if we can provide an effective mechanism for existing IPv4- only applications to work in those native IPv6 networks. In this paper, we analyze the problems of some current transition methods, and present a new mechanism based on Tunnels-Between-Hosts. Our strategy is to provide the IPv4-only application with a temporary IPv4 "virtual address", which is negotiated directly between two communicating hosts using IPv6. We give a detailed description of our mechanism and compare it with some other mechanisms.

Zhu Min,Xu Ke,Li Qi

DOI: https://doi.org/10.1007/978-3-642-24403-2_26

2011-01-01

Abstract:Mobile IPv6 runs high risk of being attacked by IP spoofing due to the introduction of mobility and route optimization. In this paper, an authentic IP address validation scheme is proposed to protect mobile nodes in Mobile IPv6 against IP spoofing attack. The mobile nodes' historical traffic information is leveraged to validate the authenticity of its claimed home address in the scheme. Compared with other authentication schemes, this scheme is much simpler to implement and easier to deploy based on the usage of real data, and does not require additional computational overhead. It also solves the address ownership problem and the unauthenticated binding update issue in Mobile IPv6. Real traces are used to demonstrate the applicability of the scheme in this paper. The experimental results show that only three consecutive historical packet records are required to construct a unique authentication key, which can identify forged home address efficiently.

Jie Li,Jun Bi,Jianping Wu,Wei Zhang

DOI: https://doi.org/10.1109/nca.2012.20

2012-01-01

Abstract:The functional deficiency of the Internet architecture enables attackers the ability to easily to spoof IP source address. The traditional signature-and-verification based anti-spoofing methods are often limited by essential process based on an explicit analysis and process of the IP header and does not adapt to incremental deployment. This paper designs a multi-fence countermeasure based inter-domain source address validation method named VIP. By employing intelligent originating information label and extended MPLS based cloud and network, VIP enables lightweight-label-based packet forwarding and validation. And VIP offers gains in efficiency by reducing the load on both forwarding tables and validation processing without negative influences and complex operations on de facto networks. In addition to enhanced scalability, VIP may facilitate incremental deployment in the long run.