Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPv6 Source Address Validation and IETF Efforts Jun Bi CERNET/Tsinghua University APAN 26 August, 2008.

Published byMakaila Player Modified over 10 years ago

Similar presentations

Presentation on theme: "IPv6 Source Address Validation and IETF Efforts Jun Bi CERNET/Tsinghua University APAN 26 August, 2008."— Presentation transcript:

1 IPv6 Source Address Validation and IETF Efforts Jun Bi CERNET/Tsinghua University APAN 26 August, 2008

2 Outline Background and Requirements A Source Address Validation Architecture (SAVA) and CNGI-CERNET2 SAVA Testbed – RFC5210: J Wu, J Bi, X Li, et.al. IETF SAVI (Source Address Validation Improvements) WG and Proposed Solutions

3 What Is the problem Current situation in IPv4 and IPv6 is that: –destination address based packet forwarding –In the forwarding process, the source IP address is not checked in most cases. –Easy to spoof the source address of the IP packet. Packets with spoofed source addresses are unwanted. –Security (Attacks such as DNS reflection) –Management (Administration: hard to trace back, measurement) –Accounting (source address based accounting)

4 Some Figures- 2007 Arbor Worldwide Infrastructure Security Report

5 Related Work IETF BCP 38 filtering (needs to be fully deployed), if it were universally applied would solve the problem. Unfortunately this is not the case –about ¼ of the Internet at least allows spoofed source addresses in packets (MIT Spoofer Project) –BCP 38 deployment ratio is less than 50% (Arbort report) Cryptographic based methods –Cost/feasibility Traceback based methods –Reactive, not proactive

6 SAVA Design Principles 1.Hierarchical Architecture (Multi-fence solutions) 2.Solutions for IPv6 first (feasible way to deploy) 3.Proactive protection 4.Incrementally Deployable (Incomplete deployment still be beneficial) 5.Provide incentive for deployment (The source address space of a network that deployed SAVA can not be spoofed by others) 6.Performance, Cost and Scalability

7 SAVA Architecture in CNGI-CERNET2 IP Prefix Level Granularity

8 Current SAVA Solutions in CNGI-CERNET2 Inter-AS (early stage): lightweight signature between the source AS and the destination AS (End-to-end) Inter-AS (neighboring ASes): AS relationship based method deployed in the neighboring AS boarder routers Intra-AS: deploy Ingress filtering on all edge routers in an AS (the ingress filtering relies on fully deployment. it’s not feasible to fully deploy in the whole Internet, but it’s feasible to deploy in a single AS). Access Network (First-Hop, Local Subnet):

9 A End-to-end lightweight signature based solution for Inter-AS SAVA

10 A End-to-end lightweight Signature based Solution for Inter-AS SAVA Add signature check signature, valid Remove signature Ingress filtering Check signature, invalid Unsigned Flow Signed Flow

11 SAVA Testbed: Test Result (1) Before spoofing attack

12 SAVA Testbed: Test Result (2) After spoofing attack

13 SAVA Testbed: Test Result (3) Enable SAVA

14 Test-bed in CERNET2/Tsinghua Univ.

15 SAVA Deployment in CNGI-CERNET2: Prototype implemented and 12 SAVA test AS deployed 用户接入网 SAVA 用户接入网 SAVA

16 IETF Efforts IETF 66 (Montreal, July 2006), SAVA Side Meeting with IAB/IESG IETF 67 (San Diego, Nov 2006), Internet Area Open Meeting IETF 68 (Prague, March 2007), first BoF Discussion IETF 69 (Chicago, July 2007), RFC drafts proposed, Internet Area Open Meeting and SAVA Side Meeting with IESG to prepare the 2nd BoF IETF 70 (Vancouver, Dec. 2007), BoF for SAVI Working Group (Source Address Validation Improvements) IETF 71 (Philadelphia, March 2008), discuss/revise WG charter RFC 5210 and SAVI WG were approved by IESG in May 2008 IETF 72 (Dublin, July 2008), the first SAVI WG meeting To Subscribe: https://www.ietf.org/mailman/listinfo/savihttps://www.ietf.org/mailman/listinfo/savi

17 Why we need host-granularity anti-spoofing

18 IPv6 source address assigned Access request Binding in switch Access network 2001:250:f001:f002: 210:5cff:fec7:1204 00-02-3F-B6-DC-9A 2001:250:f001:f002: 210:5cff:fec7:1204 00-02-3F-B6-DC-9A ++{ Port 2 } Access accepted 2001:250:f001:f002: 210:5cff:fec7:1204 00-02-3F-B6-DC-9A ++{ Port 2 } } 2001:250:f001:f002: 210:5cff:fec7:1204 00-02-3F-B6-DC-9A ++{ Port 2 = Match ? Assigned address 2001:250:f001:f002: 210:5cff:fec7:1204 Spoof address 2001:250:f001:f002: 210:5cff:fec7:1203 Match ? 2001:250:f001:f002: 210:5cff:fec7:1204 00-02-3F-B6-DC-9A ++{ Port 2 } 2001:250:f001:f002: 210:5cff:fec7:1204 00-02-3F-B6-DC-9A ++{ Port 2 } ≠ Access denied Switch port based Solution

19 Protocols

20 Special Problems in IPv6 Various Address Allocation Methods –Stateless Auto-configuration –DHCPv6 –Manual Configuration/Static –Cryptographically (CGA) –Private Multiple addresses are assigned to an interface

21 CGA based Solution Phase 1: Address Authorization –Filtering based on the knowledge of address assignment (to adapt all address allocation ways) –Host Identifier (CGA Identifier) without PKI –Binding Host Identifier and address at the first Layer-3 hop –Secure Shared Secret Exchange (Signature seed used in Authentication phase) Phase 2: Address Authentication –Light-weight signature generation –Light-weight signature adding and removal

22 Overview of Procedure Phase1: Address Authorization (5 steps) (4) Check whether identifier H can use the required address A (3) I’m H and I require to use address A (5) Return a “signature seed” for future authentication (2) An identifier is used to show the applicant is H (1) Prepare an address A

23 Overview of Procedure Phase2: Address Authentication Add Signature Check Signature and Remove it Generate Signature based on “signature seed”

24 Phase1: Address Authorization Step 1: Address Preparation –The Node gets an address through the appointed address assignment mechanism Host in IPv4: Manual Configuration, DHCP Host in IPv6: DHCP, Stateless Autoconfiguration, Manual Configuration, Cryptographically Generated Address, Privacy

25 Address Authorization Step 2: Identifier Generation –Node generates a secure identifier For anonymity address owner (DHCP,SCA,CGA,Privacy), identifier = hash(Public Key) [Described in CGA] For any address allocation mechanism involving manual configuration, identifier = hash(Public Key + Share Secret ). The Share Secret is a bit string allocated to the node with the static address by network administrator.

26 Address Authorization Step 3: Address Authorization Request –Nodes send a request packet to the first layer 3 hop (gateway/router) An ICMP packet with source address set to the address prepared in phase 1 The CGA option and RSA signature option are the same as described in [SEND]

27 Address Authorization Step 4: Gateway Authorizing Address –Gateway checks whether the request node has the right to use the address. The knowledge is based on address allocation. –Manual Configuration: Re-compute the identifier using the shared secret of the address owner. –SAC/Privacy/CGA: The address has not been registered by another node. In CGA case, the request address must be a correct CGA address computed on the public key. –DHCP: The identifier in the request packet must be the one which has been used to apply address/prefix from DHCP server/router. [See next page]

28 Address Allocation in DHCP Case Source address set to the CGA identifier Record the CGA identifier Record the address allocated. Bind the identifier and the address. DHCP Solicitation

29 Address Authorization Step 5: Signature Seed Assignment –Gateway returns a bit string named “signature seed” to the applicant, encrypted by the public key in the request packet. –Node decrypts the “signature seed”.

30 Phase 2: Address Authentication Signature Generation (All based on the shared secret “signature seed”) –HMAC –Pseudo Random Number (Preference) Signature sequence, hard to guess and replay Using the sliding window to handle the packet re-order (not a big deal in local subnet) Signature Adding (3 choice to implement) –IPSEC Authentication Header –A new option header (e.g. Hop-by-hop) –Address Rewrite (The signature is used as local address, the router rewrite with the authorized address for out world, to save the cost of memory copy and locating header) Signature Verification (matching the random number)

31 SAVA Deployment Plan Phase 1: –Prototypes implemented and 12 SAVA test ASes deployed in CNGI-CERNET2 –Supported by “863” High-tech project and CNGI project Phase 2: –Collaborating with vendors to implement SAVA in router/switch products (Cisco, Juniper, Huawei, and Bitway showed interests). –Deploy 100 SAVA campus networks in CNGI- CERNET2 and to protect 1 Million users with source address spoofing prevention methods –Collaborate with China Telecom, China Mobile, etc. to deploy SAVA on the whole CNGI network in the future. –IETF efforts: solutions revision/RFC standardization. –Supported by MOST 11th 5-year Plan Project

32 Thank You!

Download ppt "IPv6 Source Address Validation and IETF Efforts Jun Bi CERNET/Tsinghua University APAN 26 August, 2008."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
CNGI/CERNET2 Updates Jilong Wang, Tsinghua U. 2007-01-23.

CNGI/CERNET2 Updates Jilong Wang, Tsinghua U
1 IPv6 Development in China Xing Li 2003-10-31. 2 Outline l A brief history l Experience l CNGI project l CERNET2 design.

1 IPv6 Development in China Xing Li Outline l A brief history l Experience l CNGI project l CERNET2 design.
Security Issues In Mobile IP

Security Issues In Mobile IP
FI Research in China Jun Bi Tsinghua Univ./CERNET Beijing China.

FI Research in China Jun Bi Tsinghua Univ./CERNET Beijing China.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
SAVI Requirements and Solutions for ISP IPv6 Access Network ISP-access-01.txt.

SAVI Requirements and Solutions for ISP IPv6 Access Network ISP-access-01.txt.
Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 9: Static Routes & Routing Table Groups.

Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 9: Static Routes & Routing Table Groups.
Secure Mobile IP Communication

Secure Mobile IP Communication
Windows® Deployment Services

Windows® Deployment Services
Public IPv4 over Access IPv6 network draft-cui-softwire-host-4over6-06 draft-cui-softwire-dhcp-over-tunnel-01 Y. Cui, J. Wu, P. Wu Tsinghua Univ. C. Metz.

Public IPv4 over Access IPv6 network draft-cui-softwire-host-4over6-06 draft-cui-softwire-dhcp-over-tunnel-01 Y. Cui, J. Wu, P. Wu Tsinghua Univ. C. Metz.
1 IPv6 Advantages May 2001 May 2001

1 IPv6 Advantages May 2001 May 2001
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.

Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

Similar presentations

Ads by Google