SAVE: Source Address Validity Enforcement

1. SAVE:Source Address Validity Enforcement Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA USENIX Work-In Progress Session Washington DC, 08/17/2001 {lijun, sunshine, wangmq, reiher, lixia}@cs.ucla.edu

2. Our Approach • Provide information to the routers what is valid range of addresses for each incoming link • Filter out packets with source address not from valid range

3. Motivation • Eliminate IP spoofing • Enhance some other protocols: multicast, fair queuing

4. How is this different from ingress filtering? C A from A B

5. Why not augment routing protocol? C A F D B

6. Why not augment routing protocol? C A F D B

7. Our Approach - More Detail • Every router is associated with range of addresses he “takes care of” • For every destination from his forwarding table router generates SAVE update • This update is forwarded to destination and state is stored in intermediate routers associating addresses from update with incoming link • Updates are generated periodically and whenever forwarding entry changes

8. Challenges • Security • Partial deployment • Overhead (memory, bandwidth)

9. For More Info... http://fmg-www.cs.ucla.edu/adas