Building a next generation Internet with source address validation architecture  被引量：8

作　　者：WU JianPing1,3,REN Gang1,3 & LI Xing2,3 1 Department of Computer Science,Tsinghua University,Beijing 100084,China 2 Department of Electronic Engineering,Tsinghua University,Beijing 100084,China 3 Tsinghua National Laboratory for Information Science and Technology(TNList) ,Beijing 100084,China 

出　　处：《Science in China(Series F)》2008年第11期1681-1691,共11页中国科学（F辑英文版）

基　　金：the National Natural Science Foundation of China (Grant No. 90704001);the National Basic Research Program of China (973 Program) (Grant No. 2003CB314800)

摘　　要：The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases.This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a ＂source address validation architecture＂ （SAVA） is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, ＂multi-fence support＂ and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases.This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a ＂source address validation architecture＂ （SAVA） is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, ＂multi-fence support＂ and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.

关 键 词：IP source address validation network architecture network security 

分 类 号：TP393.02[自动化与计算机技术—计算机应用技术]