Authors: 佟恬 (Tong Tian); 王南 (Wang Nan); 赵菁 (Zhao Jing); 秦壮壮 (Qin Zhuangzhuang); 庞冉 (Pang Ran) [1]
Affiliations: [1] China Unicom Research Institution, Beijing 100048, China; [2] Beijing Branch of China United Network Communications Co., Ltd., Beijing 100038, China
Source: 《信息通信技术》 (Information and Communications Technologies), 2024, Issue 4, pp. 37-43 (7 pages)
Abstract: The original design of the Internet architecture did not consider trusted validation of the source address in IP packets, and this has gradually emerged as a security risk as networks have developed. Source address validation technologies continue to evolve. In recent years, the industry has proposed distributed source address validation mechanisms that extend routing protocol advertisement messages and generate an independent source address validation table. These mechanisms are still limited by asymmetric routing, device heterogeneity, and partial upgrades, and they lack visualization and capability openness. Based on the actual conditions of carrier networks, the article proposes a network-controller-based scheme for enhancing source address validation capability. The scheme aims to adaptively improve the accuracy of source address validation both within and between autonomous domains, and to strengthen the network's perception, detection, and analysis capabilities. The article first outlines the technical system and development history of source address validation, then analyses the deployment status and capability requirements of source address validation technology in carrier networks, then describes the system architecture and key technologies of the proposed scheme, and finally gives an outlook on the future development of source address validation technology, offering suggestions for building a more secure and efficient next-generation network architecture.
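Keywords: network security; source address validation; intra-domain; inter-domain; SAVA; SAVI; SAVNET
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]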