Source Address Validation Architecture (SAVA) - PowerPoint PPT Presentation

Slides: 11
Provided by: JariA8
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Source Address Validation Architecture (SAVA)
  • Jianping Wu
  • Ron Bonica
  • Jun Bi
  • Mark William
  • CERNET / Juniper

2
What Does SAVA Protect
  • Protects network resources from traffic with
    spoofed source addresses
  • Does not seek to protect end-systems from traffic
    with spoofed source addresses
  • The community already has a mechanism to protect
    the end-systems (i.e., IPSec Authentication.)

3
What Is The Problem
  • A network operator wants to deploy a forwarding
    policy that includes, as one of its inputs, the
    level of trust that the router places in the
    validity of the packet's source address.
  • Currently, when a router receives a packet, the
    level of trust that the router can place in the
    validity of the packet's source address is low.
  • In order to increase that level of trust, the
    router must validate the source address for
    itself.

4
Best Common Practice
  • Mechanisms are available for source address
    validation
      • source address screening
      • reverse path forwarding
  • Both of these mechanisms are prone to the following
    types of errors
      • False positives
      • False negatives

5
What Are The Constraints
  • False positives are completely unacceptable
  • It is better to deploy a filtering policy that
    generates many false negatives than to deploy a
    filtering policy that generates a single false
    positive.

6
What Are The Gaps Between SAVA and BCP
  • As the distance between the source of a packet
    and the router doing the checking increases, so
    does the likelihood of a false negative.
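The two BCP mechanisms on slide 4, the false-positive/false-negative trade-off on slide 5 and the distance effect on slide 6 can all be seen on one small constructed topology. The following is an added example, not code from the slides or from any SAVA implementation: the routers, prefixes, interface names and packets are invented for illustration, and each packet carries a ground-truth `spoofed` flag that exists only so the example can score the checks.

```python
"""Source address screening, strict uRPF and loose uRPF at the edge and one
hop further into the core, scored for false positives and false negatives.
Topology and packets are constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    in_iface: str      # interface the packet arrived on
    spoofed: bool      # ground truth, known only to the example, used for scoring


def best_route(fib, addr):
    """Longest-prefix match over fib {IPv4Network: out_iface}; returns
    (prefix, iface) or None. A default route is just 0.0.0.0/0 in the table."""
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def screening_ok(pkt, acl):
    """Source address screening: a per-interface list of the prefixes the
    attached neighbour may source traffic from."""
    return any(pkt.src in p for p in acl.get(pkt.in_iface, ()))


def strict_rpf_ok(pkt, fib):
    """Strict uRPF: the best route back to the source must leave via the
    interface the packet arrived on."""
    route = best_route(fib, pkt.src)
    return route is not None and route[1] == pkt.in_iface


def loose_rpf_ok(pkt, fib):
    """Loose uRPF: a route to the source must exist on any interface. The
    default route is ignored, otherwise every source would pass."""
    route = best_route(fib, pkt.src)
    return route is not None and route[0].prefixlen > 0


def evaluate(check, packets):
    """Count false positives (legitimate packets rejected) and false
    negatives (spoofed packets accepted) for one check."""
    fp = sum(1 for p in packets if not p.spoofed and not check(p))
    fn = sum(1 for p in packets if p.spoofed and check(p))
    return fp, fn


# Edge router: customers A and B share 192.0.2.0/24, customer C is dual-homed
# with cust-c1 as the preferred return path, default route towards the core.
EDGE_FIB = {
    ip_network("192.0.2.0/25"): "cust-a",
    ip_network("192.0.2.128/25"): "cust-b",
    ip_network("198.51.100.0/24"): "cust-c1",
    ip_network("0.0.0.0/0"): "core",
}
EDGE_ACL = {
    "cust-a": [ip_network("192.0.2.0/25")],
    "cust-b": [ip_network("192.0.2.128/25")],
    "cust-c1": [ip_network("198.51.100.0/24")],
    "cust-c2": [ip_network("198.51.100.0/24")],   # backup link, same customer
}
# Core router one hop away: it only learns the edge's aggregate, so customers
# A and B are indistinguishable from here.
CORE_FIB = {
    ip_network("192.0.2.0/24"): "to-edge",
    ip_network("198.51.100.0/24"): "to-edge",
    ip_network("0.0.0.0/0"): "peer",
}

# Constructed packets as they enter the edge router.
PACKETS = [
    Packet(ip_address("192.0.2.10"), "cust-a", spoofed=False),     # legitimate
    Packet(ip_address("192.0.2.200"), "cust-a", spoofed=True),     # A spoofs B's space
    Packet(ip_address("192.0.2.20"), "cust-a", spoofed=True),      # A spoofs a neighbour in its own /25
    Packet(ip_address("198.51.100.5"), "cust-c2", spoofed=False),  # legitimate, via the backup link
    Packet(ip_address("203.0.113.9"), "cust-a", spoofed=True),     # A spoofs an unrelated address
]


def run_demo():
    """Return {(router, check): (false_positives, false_negatives)}."""
    results = {
        ("edge", "screening"): evaluate(lambda p: screening_ok(p, EDGE_ACL), PACKETS),
        ("edge", "strict-rpf"): evaluate(lambda p: strict_rpf_ok(p, EDGE_FIB), PACKETS),
        ("edge", "loose-rpf"): evaluate(lambda p: loose_rpf_ok(p, EDGE_FIB), PACKETS),
    }
    # The same packets one hop further from their source: at the core they all
    # arrive on the single link towards the edge router.
    at_core = [Packet(p.src, "to-edge", p.spoofed) for p in PACKETS]
    results[("core", "strict-rpf")] = evaluate(lambda p: strict_rpf_ok(p, CORE_FIB), at_core)
    results[("core", "loose-rpf")] = evaluate(lambda p: loose_rpf_ok(p, CORE_FIB), at_core)
    return results


if __name__ == "__main__":
    for (router, check), (fp, fn) in run_demo().items():
        print(f"{router:5} {check:11} false positives={fp} false negatives={fn}")
```

Strict uRPF at the edge is the most accurate but produces the one false positive (the legitimate packet arriving over the dual-homed customer's backup link), which slide 5 rules out; loose uRPF removes that false positive at the cost of letting the A-spoofs-B packet through. Moving the same checks one hop into the core, where only the aggregate is visible, loses the ability to catch that packet altogether, which is the slide 6 point.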

7
What Do Solutions Look Like
  • SAVA seeks to implement a trust model, in which
    a router that is close to the source of traffic
    verifies the source address using one of the
    existing mechanisms
  • That upstream router forwards the packet to a
    downstream router, and somehow, indicates to the
    downstream router the level of trust that it (the
    upstream router) places in the packet's source
    address.

8
Trust
  • When the downstream router receives the packet,
    the level of trust that the downstream places in
    the packet's source address is a function of the
    following
      • the level of trust that the upstream router
        placed in the validity of the packet's source
        address
      • the level of trust that the downstream router
        places in the upstream
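One way to turn the two inputs on slide 8 into a forwarding decision of the kind slide 3 asks for. This is an added illustration, not SAVA's design: the three-level trust scale, the per-neighbour trust table, the policy actions, and the way the upstream's claim reaches the downstream (here simply a field on the packet object, since slide 9 leaves the packet marking open) are all assumptions made for the example.

```python
"""Downstream trust = f(upstream's claimed level, trust placed in the upstream),
with a local fallback check and a policy that never drops on low trust.
Scale, neighbour table, routes and packets are constructed for this example."""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network


class Trust(IntEnum):
    """Assumed ordinal scale for trust in a source address's validity."""
    NONE = 0      # not validated, or the claim is not believed
    LOOSE = 1     # source is routable (loose RPF or equivalent)
    STRICT = 2    # source verified against its arrival interface (strict RPF / ingress ACL)


@dataclass(frozen=True)
class TaggedPacket:
    src: str
    in_iface: str
    claimed: Trust    # level the upstream says it established (assumed carrier)


# Highest level this router will believe from each upstream, whatever the
# packet claims (slide 8, second bullet).
NEIGHBOR_TRUST = {
    "to-edge-A": Trust.STRICT,   # our own edge router
    "to-peer-X": Trust.LOOSE,    # peer believed to run loose checks at most
    "to-peer-Y": Trust.NONE,     # peer with no validation agreement
}

# Routes known here; a default route is deliberately absent from this table.
FIB = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def downstream_trust(pkt, neighbor_trust):
    """Slide 8: the minimum is the simplest monotone combination. A claim never
    raises trust above the neighbour's ceiling, and a trusted neighbour's low
    claim is taken at face value."""
    return min(pkt.claimed, neighbor_trust.get(pkt.in_iface, Trust.NONE))


def local_validation(pkt, fib):
    """Slide 3: if inherited trust is too low the router validates the source
    itself. This far from the source only a loose (routability) check is sound."""
    return Trust.LOOSE if any(ip_address(pkt.src) in p for p in fib) else Trust.NONE


def forwarding_policy(level):
    """Slide 3: trust is one input to the forwarding policy. Actions are assumed;
    because false positives are unacceptable (slide 5) none of them drops."""
    if level >= Trust.STRICT:
        return "forward"
    if level == Trust.LOOSE:
        return "forward-low-priority"
    return "forward-rate-limited-and-log"


def decide(pkt, neighbor_trust=NEIGHBOR_TRUST, fib=FIB):
    """Return (trust level name, action) for one packet."""
    level = downstream_trust(pkt, neighbor_trust)
    if level < Trust.LOOSE:
        level = max(level, local_validation(pkt, fib))
    return level.name, forwarding_policy(level)


SAMPLE = [  # constructed packets as seen by the downstream router
    TaggedPacket("192.0.2.10", "to-edge-A", Trust.STRICT),    # own edge checked: honoured
    TaggedPacket("192.0.2.10", "to-edge-A", Trust.NONE),      # own edge could not check
    TaggedPacket("198.51.100.5", "to-peer-X", Trust.STRICT),  # overclaim capped at LOOSE
    TaggedPacket("198.51.100.5", "to-peer-Y", Trust.STRICT),  # claim ignored, local check passes
    TaggedPacket("203.0.113.9", "to-peer-Y", Trust.STRICT),   # claim ignored, no route to source
]


def run_demo():
    """Return [(src, in_iface, level name, action)] for the sample packets."""
    return [(p.src, p.in_iface, *decide(p)) for p in SAMPLE]


if __name__ == "__main__":
    for row in run_demo():
        print(*row)
```

The third and fourth packets show why the second input on slide 8 matters: both peers claim a strict check, but the claim is only worth as much as the downstream's confidence in that peer, so it is capped at LOOSE for one and discarded entirely for the other, after which the router falls back to its own check.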

9
Problems Remaining To Be Solved
  • How does the upstream modify a packet to indicate
    the level of trust that it places in the packet's
    source address
  • How does the downstream know when the upstream
    has really done the checking that it claims to
    have done

10
What's Next
  • Mailing List
  • http://www.nrc.tsinghua.edu.cn/pipermail/sava
  • Possible IRTF research group