Internet Source Address Validity Enforcement

One compelling and far-reaching problem facing today's Internet is the lack of a practical, incrementally deployable approach that lets routers check the source address of Internet packets and make sure they arrive from a valid incoming direction. As the Internet continues to evolve, this problem has not only led to IP spoofing (attackers stamp forged source addresses on their packets to hide themselves, so that innocent parties are both blamed and attacked), but has also prevented many key router functions from performing reliably, such as per-source fair queuing, source-based traffic management, congestion control, and the reverse path forwarding used in many IP multicast protocols.

This research proposes ID-SAVE, a protocol that will not only allow routers to check whether a packet is from the valid incoming direction based on its source address, but will also be incrementally deployable. Unlike alternative approaches that try to detect whether a packet carries its real source address or to trace where the packet came from, ID-SAVE focuses on discovering what the valid incoming direction for a given source address is, even if not all routers employ ID-SAVE. This new, easy-to-deploy capability will make many source-based functions more reliable and, because spoofed packets usually arrive from an invalid direction, addresses the root cause of IP spoofing. In one of our earlier research projects, we collaborated with members of the Internet Research Laboratory and the Laboratory for Advanced Systems Research at UCLA to develop an IP source address validity enforcement protocol, dubbed SAVE.
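The per-packet check described above, sketched as an added illustration that is not code from ID-SAVE or SAVE: a router-side table maps source prefixes to the interface their packets should arrive on. The class and function names, table contents, interface names, and the three-way verdict (a source with no table entry is reported as unknown rather than dropped, to model partial deployment) are assumptions.

```python
import ipaddress

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


class IncomingTable:
    """Source prefix -> interface on which packets from it should arrive."""

    def __init__(self):
        self._entries = {}  # ip_network -> expected interface name

    def learn(self, prefix, interface):
        self._entries[ipaddress.ip_network(prefix)] = interface

    def expected_interface(self, src):
        """Longest-prefix match; None when no entry covers the source."""
        addr = ipaddress.ip_address(src)
        matches = [n for n in self._entries
                   if n.version == addr.version and addr in n]
        if not matches:
            return None
        return self._entries[max(matches, key=lambda n: n.prefixlen)]

    def check(self, src, arrival_interface):
        expected = self.expected_interface(src)
        if expected is None:
            # Assumption: with partial deployment there is no information
            # for some prefixes, so the packet is not dropped.
            return UNKNOWN
        return VALID if expected == arrival_interface else INVALID


def build_sample_table():
    """Constructed entries using documentation prefixes (RFC 5737)."""
    table = IncomingTable()
    table.learn("192.0.2.0/24", "eth0")
    table.learn("198.51.100.0/24", "eth1")
    table.learn("198.51.100.128/25", "eth2")  # more specific route
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for src, iface in [("192.0.2.10", "eth0"), ("192.0.2.10", "eth1"),
                       ("198.51.100.200", "eth1"), ("203.0.113.5", "eth0")]:
        print(src, iface, table.check(src, iface))
```

How such a table is populated and kept current as routes change is the job of the protocol itself and is outside this sketch.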

Documents: