Lancheng Qin,Libin Liu,Li Chen,Dan Li,Yuqian Shi,Hongbing Yang

DOI: https://doi.org/10.1145/3673422.3674888

2024-01-01

Abstract:To mitigate the threats of source address spoofing, many source address validation (SAV) solutions have been proposed over the past few years. However, none of them are widely deployed in practice due to lack of understanding, lack of open source implementation, and performance concerns. To address these problems, we develop a unified framework UniSAV to facilitate the understanding, design, implementation, and evaluation of existing and future SAV solutions. With UniSAV, we implement existing SAV solutions and evaluate their performance in real topologies. UniSAV further helps us to design and implement a new SAV solution to improve the performance upon existing SAV solutions.

Lin He,Gang Ren,Ying Liu,Guanglei Song,E. Jinlong,Jiahai Yang,Mingwei Xu

DOI: https://doi.org/10.1109/MNET.123.2200111

IF: 10.294

2023-01-01

IEEE Network

Abstract:IP spoofing is prevalently used for anonymity and reflection attacks, e.g., distributed denial of service (DDoS) attacks, which have shown increasingly destructive power in recent years because today's Internet lacks validation on source addresses. Moreover, the fast deployment of IPv6 on the Internet may further aggravate the damages of DDoS attacks. This paper proposes a novel source address validation mechanism called SAV6, which leverages the huge IPv6 address space to validate source addresses at an inter-autonomous system (AS) granularity. In SAV6, each IPv6 address contains an AS number (ASN), whose corresponding AS announces the prefix of the address to other ASes. An AS can determine the authenticity of the source address by whether the ASN in the address matches the corresponding prefix after receiving an incoming packet. The performance evaluation of a SAV6 prototype shows that it adds little performance overhead to the deployed infrastructures and is a lightweight and deployable protocol.

Guolong Chen,Guangwu Hu,Yong Jiang,Chaoqin Zhang

DOI: https://doi.org/10.1109/iscc.2016.7543774

2016-01-01

Abstract:Current Internet packet forwarding only relies on destination IP address and thus neglects the validation of packet's IP source address for Internet accountability, which incurs many cyber-security threats. State-of-the-art solutions either have issues in spoofing packet filtering accuracy, e.g., false positive and false negative, or encounter scalability and deployment problems, i.e., end-host TCP/IP stack or router modification. In this article, we propose SAVSH, a practical IP source address validation scheme for Software Defined Networking (SDN) hybrid networks. SAVSH takes advantage of the SDN architecture which possesses global topological view and central control pattern, so that it can locate nodes for the SDN switch replacement and deploy filtering rules onto them with desirable IP prefix-level filtering accuracy. In the meantime, SAVSH also takes network dynamics (e.g., topology changes) into account. Finally, the established prototype experiment and typical topology simulations demonstrate SAVSH not only possesses desirable performance, but also owns the capability that trades the maximal validation effect with the minimal SDN switch deployment cost, which is up to more than 90% prefix coverage benefit to 15% deployment cost on average.

Qizhao Zhou,Junqing Yu,Dong Li

DOI: https://doi.org/10.1016/j.comnet.2021.108075

IF: 5.493

2021-07-01

Computer Networks

Abstract:<p>We consider the problem of source address validation implementation (SAVI) in a Software-Defined Network (SDN) environment. The integration of SAVI and SDN can further address the challenges in a typical architecture such as the complexity of SAVI's deployment and the acquisition of security data in the access layer. A key aspect of this campaign consists of filtering forged packets and verifying the authenticity of the source address. A common strategy is to create bindings between the IP address of a node and a property of the host's network attachment. However, problem still accompany with the deployment of SAVI, including the performance cost of the SDN controller caused by the redundant validation process, especially in the case of an overflow of the flow table and other anomalous conditions in the network. Our contribution in this paper is to design and implement a dynamic framework for lightweight SAVI based on SDN (D-SAVI), which is an enhancement of SDN setups to allow proper source address validation on downstream network ingress ports, without incurring a large performance overhead. Initially, we proposed a fine-grained dual-level structure to match flow entry flexibly to complete the dynamic deployment of SAVI. A priority-based validation mechanism was added for further efficiency optimization. We then designed a state partition and transition module to optimize network performance under anomalous conditions, especially the communication performance between the controllers and switches in the SDN-based networks with a global view. Consequently, under the premise of network security, D-SAVI could filter out, with better packet forwarding efficiency, packets that do not match existing binding relationships. The experimental results demonstrate that our implementation provides source address verification with less resource consumption than existing methods.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Guangwu Hu,Jianping Wu,Ke Xu,Wenlong Chen

DOI: https://doi.org/10.1109/ICCCN.2011.6005783

2011-01-01

Abstract:In current network, as we all know, packets delivered by routers only rely on destination-address-directed forwarding, but their source addresses are not checked. Consequently, this incurs many serious network security breach events which are hard to trackback. Under this situation, a switch (we call it SAVI switch) followed SAVI (Source Address Validation Improvement) framework proposed by IETF was invented which dedicates to resolving this problem in user local subnet. SAVI switch is a direct and very effective anti-spoofing device, but because it just steps into a phase of industrialization and for economical and incremental deployment reasons, these switches are not fully covered in domain. This results in two issues at the same time: 1)how to filter out and abandon those packets whose source IP addresses belong to SAVI switches coverage, but actually not, otherwise, this will severely compromise the SAVI switch access users' motivation and SAVI's promotion. 2) how to traceback those packets' source router-the first hop routers of spoofed packets. In this paper, we present SAVT, a practical and smart scheme for source address validation and traceback in campus network for all outbound packets, it just need less 25% routers as filter router can resolve those two questions in most condition. Experiments illustrate our proposal keeps the promise of practicality, stability and efficiency.

Guang Yao,Jun Bi,Peiyao Xiao

DOI: https://doi.org/10.1109/icnp.2011.6089085

2011-01-01

Abstract:Current Internet is lack of validation on source IP address, resulting in many security threats. The future Internet can face the similar routing locator spoofing problem without careful design. The current in-progress source address validation standard, i.e., SAVI, is not of enough protection due to the solution space constraint. In this article, a mechanism named VAVE is proposed to improve the SAVI solutions. VAVE employs OpenFlow protocol, which provides the de facto standard network innovation interface, to solve source address validation problem with a global view. Significant improvements can be found from our evaluation results.

JianPing Wu,Gang Ren,Xing Li

DOI: https://doi.org/10.1007/s11432-008-0142-x

2008-01-01

Science in China Series F Information Sciences

Abstract:The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases. This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a “source address validation architecture” (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, “multi-fence support” and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure—a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.

Jianping Wu,Jun Bi,Marcelo Bagnulo,Fred Baker,Christian Vogt

DOI: https://doi.org/10.17487/rfc7039

2013-01-01

Abstract:Source Address Validation Improvement (SAVI) methods were developed to prevent nodes attached to the same IP link from spoofing each other's IP addresses, so as to complement ingress filtering with finer-grained, standardized IP source address validation. This document is a framework document that describes and motivates the design of the SAVI methods. Particular SAVI methods are described in other documents.

Bingyang Liu,Jun Bi,Yu Zhou

DOI: https://doi.org/10.1145/2934872.2960425

2016-01-01

Abstract:ABSTRACTIn this paper, we present the preliminary design and implementation of SDN-SAVI, an SDN application that enables SAVI functionalities in SDN networks. In this proposal, all the functionalities are implemented on the controller without modifying SDN switches. To enforce SAVI on packets in the data plane, the controller installs binding tables in switches using existing SDN techniques, such as OpenFlow. With SDN-SAVI, a network administrator can now enforce SAVI in her network by merely integrating a module on the controller, rather than purchasing SAVI-capable switches and replacing legacy ones.

Linbo Hui,Lei Zhang,Yannan Hu,Jianping Wu,Yong Cui

DOI: https://doi.org/10.1109/mic.2023.3264319

IF: 2.68

2023-01-01

IEEE Internet Computing

Abstract:Large-scale Internet Protocol (IP) spoofing distributed denial-of-service (DDoS) attacks is one of the major cyber threats. Current commercial defenses focus on eliminating attacks at the destination end, which raises concerns about the cost of appliances and the impact on quality of service. As complementaries, source-end schemes using source address validation (SAV) can block IP spoofing traffic from entering the backbone. However, their effectiveness is restricted by incremental deployment. This paper proposes SAV-D, an SAV-based honeynet-like distributed defense architecture against IP spoofing DDoS. Each SAV device functions as a honeypot to capture more threat data. By aggregating these data, SAV-D can accurately detect ongoing attacks and generate defense policies. With the policies, both SAV and non-SAV devices can filter malicious traffic. Our simulation results demonstrate that SAV-D can effectively filter out 80% of attack traffic with a modest deployment ratio of only 10%. To enable broader adoption, we also provide some guidance on standardizing SAV-D.

Hongyan Liu,Xiang Chen,Qun Huang,Haifeng Zhou,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9322112

2020-01-01

Abstract:Programmable switches empower network applications with line-rate packet processing performance by allowing the offloading of applications. However, the resource of a programmable switch is extremely limited, which significantly limits the application offloading. Existing solutions to the problem either provide poor efficiency or suffer from accuracy drop. In this paper, we propose SRA, a system that loosens switch resource constraints for application offloading via resource aggregation. SRA provides administrators with an intuitive compiler directive to customize application offloading by resource aggregation. According to compiler directives, it automatically places the program on the substrate network, while maintaining original packet processing logics. We implement a prototype of SRA in P4, and establish an experimental testbed consisting of three 32x100 Gbps Barefoot switches. The experimental results indicate that SRA enhances two real-world applications with sufficient resources while maintaining high performance.

Xiaoliang Wang,Ke Xu,Yangfei Guo,Haiyang Wang,Songtao Fu,Qi Li,Bin Wu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2024.3377116

2024-01-01

Abstract:The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Jianping Wu,Gang Ren,Xing Li

DOI: https://doi.org/10.1109/ICNP.2007.4375858

2007-01-01

Abstract:The current Internet addressing architecture does not verify the source address of a packet received and forwarded. This causes serious security and accounting problems. Based on the drastically increased IPv6 address space; a '' Source Address Validation Architecture '' (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, '' multi-fence support '' and incremental deployment. This paper discusses the details of design and implementation for the architecture, including inter-AS, intra-AS and local subnet. This architecture is deployed into the CNGI-CERNET2 infrastructure - a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the Source Address Validation Architecture will help the transition to a new, more secure and sustainable Internet.

Dong Zhang,Xiang Chen,Qun Huang,Xiaoyan Hong,Chunming Wu,Haifeng Zhou,Yi Yang,Hongyan Liu,Yuxin Chen

DOI: https://doi.org/10.1109/access.2019.2950446

IF: 3.9

2019-01-01

IEEE Access

Abstract:Network function virtualization allows network functions to be implemented and managed flexibly as a service function chain (SFC) in the data plane to process flows. However, software-based SFCs lead to poor performance compared to proprietary middleboxes. Moreover, existing solutions tackling performance issues suffer from the development complexity incurred by hardware details. To address these problems, we leverage both the high performance of P4-capable devices and the high flexibility of P4 language. In this paper, we present a P4 Service Chaining framework (P4SC), which tackles multiple challenges for P4 to support the SFC implementation. P4SC provides a suite of primitives allowing efficient SFC expression, and a converter and a generator converting input SFC requests to the corresponding P4 program. Here, an algorithm based on longest common subsequence (LCS) is used to allow simultaneously implementing multiple SFCs. Moreover, P4SC offers a runtime manager for flexible SFC management at runtime. It also provides an automatic integration mechanism to integrate P4-based NFs into P4SC. We implement a P4SC prototype, which supports three types of P4-capable devices. The experimental results show that P4SC outperforms state of the arts with orders-of-magnitude SFC performance improvement while maintains high flexibility.

Xiang Chen,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu

DOI: https://doi.org/10.1109/icnp49622.2020.9259414

2020-01-01

Abstract:Programmable switches empower stateful packet processing, in which incoming packets continuously update states in the data plane, while applications in the control plane read and write states. However, as the data plane and control plane are separated, a consistent view of states in both planes is required for stateful packet processing. Existing approaches suffer from either high latency or low accuracy. In this paper, we propose ApproSync, a framework that offers approximate state synchronization with low latency and high accuracy. To achieve low latency, ApproSync directly transfers states between switch ASICs and the control plane by bypassing switch operating systems. To achieve high accuracy, ApproSync utilizes the resources in the switch ASIC to realize rate control in state synchronization, such that it avoids potential state loss. It also bounds the divergence between the states in the data plane and that in the control plane under limited link capacity. We prototype ApproSync on Barefoot Tofino switches. The experimental results indicate that compared to existing approaches, ApproSync achieves order-of-magnitude latency reduction while maintaining high accuracy.

YiHao Jia,Ying Liu,Gang Ren

DOI: https://doi.org/10.1109/GLOBECOM38437.2019.9013151

2019-01-01

Abstract:IP spoofing, which is generally used for anonymity and amplification, constantly leads to pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into access network, intra-autonomous system (AS), and inter-AS levels. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and thus, IP spoofing is still considered as an almost open vulnerability of the entire Internet. In this study, we aim to transform the inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economicsdriven framework - apf ('a'ddress 'p'rotection 'f'ramework). In such a protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, such a service will be consolidated by a unified trust anchor with a uniform interface, and deployer ASes will be free to select their preferred techniques and invoke the service when needed. Based on the empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.

Jiangyuan Yao,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1145/2089016.2089042

2011-01-01

Abstract:Source Address Validation Architecture(SAVA) is designed for security of Future Internet. Several protocol drafts of SAVA solution for access network, Source Address Validation Improvements(SAVI), already have been submitted to IETF and some manufacturers are working on implements. In SAVI protocols, parallel components with dependence on variables of other components exist. It is infeasible to precisely specify such protocol with single model. In this paper, we extend the Extended Finite State Machine with external variables to form our new model, Parallel Parameterized Extended Finite State Machine (PaP-EFSM), and describe SAVI protocols by a set of PaP-EFSMs. Then we present an approach for tests generation from the new models. Tests are applied on the 10 devices from 4 manufacturers. Many implement faults are exposed.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.26599/tst.2018.9010025

2018-01-01

Tsinghua Science & Technology

Abstract:IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (IETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing. In this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.

Jia Yihao,Ren Gang,Liu Ying

DOI: https://doi.org/10.13245/j.hust.161103

2016-01-01

Abstract:To solve the problem that when IETF (Internet engineering task force) SAVI (source ad‐dress validation improvement) working group focuses on solving the problem of source address valida‐tion in access network ,validation among AS (autonomous systems) still faces enormous challenges , based on Ingress/Egress Filtering technology ,a alliance system was proposed to upgrade the capabili‐ty in inter‐AS source validation .By designing the source declaration method and routing policies ,re‐lated configurations were put forwarded for each AS in alliance to enhance its filtering performance with lightweight costs .By exploring the phenomenon of multi‐path and declaration mistake ,the study of the policy in source declaration could not only avoids the potential false positive ,but also affirm the feasibility in inter‐AS source address validation for AS alliance based on filtering technologies .