Please address the information to the IETF at [email protected]. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. The authors would like to thank everyone involved in this effort in these universities. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
The tests have demonstrated that benefit is derived even when deployment is incomplete, thus giving providers an incentive to be early adopters.
It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.

Abstract

Because the Internet forwards packets according to the IP destination address, packet forwarding typically takes place without inspection of the source address, and malicious attacks have been launched using spoofed source addresses.
o Protocol design issues, such as integration to existing address allocation mechanisms, use of hop-by-hop headers, etc.

o Trust establishment issue and study of false positives.

Some security considerations of the solution mechanisms of the testbed are mentioned in the document, but are not the main problem to be described in this document.

Zhang, "SAVE: Source Address Validity Enforcement Protocol", INFOCOM 2002.

[Snoe01] Snoeren, A., Partridge, C., Sanchez, L., and C.

Authors' Addresses

Jianping Wu
Tsinghua University
Computer Science, Tsinghua University
Beijing 100084
China
EMail: [email protected]

Jun Bi
Tsinghua University
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: [email protected]

Xing Li
Tsinghua University
Electronic Engineering, Tsinghua University
Beijing 100084
China
EMail: [email protected]

Gang Ren
Tsinghua University
Computer Science, Tsinghua University
Beijing 100084
China
EMail: [email protected]

Ke Xu
Tsinghua University
Computer Science, Tsinghua University
Beijing 100084
China
EMail: [email protected]

Mark I.
Some of the key issues going forward include:

o Scalability questions and per-packet operations.

These may be ultimately answered only by actually employing some of these technologies in production networks. The purpose of the document is to report experimental results.

[Li02] Li, J., Mirkovic, J., Wang, M., Reiher, P., and L.

Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets", SIGCOMM 2001.

Li, "Source Address Validation: Architecture and Protocol Design", ICNP 2007.

Wu, "An Authentication based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network", ICCS 2007.
The solution allows different validation granularities, and also allows different providers to use different solutions.