SAVE: source address validity enforcement protocol
Proceedings - IEEE INFOCOM - Volume 3 - Pages 1557-1566
Abstract
Forcing all IP packets to carry correct source addresses can greatly help network security, attack tracing, and network problem debugging. However, due to asymmetries in today's Internet routing, routers do not have readily available information to verify the correctness of the source address for each incoming packet. In this paper we describe a new protocol, named SAVE, that can provide routers with the information needed for source address validation. SAVE messages propagate valid source address information from the source location to all destinations, allowing each router along the way to build an incoming table that associates each incoming interface of the router with a set of valid source address blocks. This paper presents the protocol design and evaluates its correctness and performance by simulation experiments. The paper also discusses the issues of protocol security, the effectiveness of partial SAVE deployment, and the handling of unconventional forms of network routing, such as mobile IP and tunneling.
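To make the incoming-table idea concrete, here is an added Python sketch (not code from the paper) that simulates SAVE propagation over a constructed three-router topology with static forwarding tables: a SAVE message from each source network follows the forwarding path toward every other network, and each router it crosses records the source blocks against the interface the message arrived on, so validation needs no reverse-path lookup. Router names, interfaces, prefixes and the forwarding tables are all assumptions.

```python
import ipaddress
# Constructed toy topology (not from the paper): R1 hosts 10.1.0.0/16,
# R3 hosts 10.3.0.0/16, R2 is transit. Each link joins two interfaces.
LINKS = [("R1", "eth1", "R2", "eth0"), ("R2", "eth1", "R3", "eth0")]
PREFIXES = {"R1": ["10.1.0.0/16"], "R3": ["10.3.0.0/16"]}
# Static forwarding tables: destination prefix -> outgoing interface.
# A router with no entry for a prefix is assumed to own that prefix.
FIB = {
    "R1": {"10.3.0.0/16": "eth1"},
    "R2": {"10.3.0.0/16": "eth1", "10.1.0.0/16": "eth0"},
    "R3": {"10.1.0.0/16": "eth0"},
}

def neighbor(router, iface):
    # Return (peer router, peer interface) on the far end of iface.
    for a, ia, b, ib in LINKS:
        if (a, ia) == (router, iface):
            return b, ib
        if (b, ib) == (router, iface):
            return a, ia
    raise KeyError((router, iface))

def propagate_save(origin, dest_prefix, incoming):
    """Carry a SAVE message from origin along the forwarding path toward
    dest_prefix; every router crossed records origin's address blocks
    against the interface the message arrived on (its incoming table)."""
    blocks = {ipaddress.ip_network(p) for p in PREFIXES[origin]}
    router, in_iface = origin, None
    while True:
        if in_iface is not None:
            table = incoming.setdefault(router, {})
            table.setdefault(in_iface, set()).update(blocks)
        out_iface = FIB[router].get(dest_prefix)
        if out_iface is None:  # reached the router that owns dest_prefix
            return
        router, in_iface = neighbor(router, out_iface)

def build_incoming_tables():
    # Run SAVE from every source network toward every other network.
    incoming = {}
    for origin in PREFIXES:
        for dest, dest_prefixes in PREFIXES.items():
            if dest != origin:
                for dp in dest_prefixes:
                    propagate_save(origin, dp, incoming)
    return incoming

def validate(incoming, router, iface, src):
    """True if src is a valid source for a packet arriving on iface."""
    addr = ipaddress.ip_address(src)
    return any(addr in blk for blk in incoming.get(router, {}).get(iface, ()))
```

A packet claiming an R3 address but arriving at R2 on the R1-facing interface fails the check, which is exactly the spoofing case the abstract targets.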
Keywords
Routing protocols, Internet, Information filtering, Information filters, Information security, Debugging, Position measurement, Tunneling, Traffic control, Computer crime