
Source Address Validation Architecture (SAVA) Requirements of CNGI-CERNET2

Source Address Validation Architecture (SAVA) Requirements of CNGI-CERNET2. Jianping Wu, CERNET/Tsinghua University. IETF 68, Prague, March 2007. Outline: CNGI-CERNET2; CNGI-CERNET2's SAVA requirements; Deployment steps; Lessons learned.


Presentation Transcript


  1. Source Address Validation Architecture (SAVA) Requirements of CNGI-CERNET2 • Jianping Wu, CERNET/Tsinghua University • IETF 68, Prague, March 2007

  2. Outline • CNGI-CERNET2 • CNGI-CERNET2's SAVA requirements • Deployment steps • Lessons learned

  3. CNGI-CERNET2 • The 2nd generation of China Education and Research Network • A nationwide native IPv6 network, part of CNGI (China Next Generation Internet) project • Launched in Dec 2004. • 25 core nodes in 20 major cities. • ~200 universities (stub access networks) • IPv6 Core routers and switches from Juniper, Cisco, Huawei, and Bitway

  4. CNGI Backbones [Figure: map of the CNGI backbones across China's provinces and cities; legend: CERNET, ChinaTelecom, CNC/CST, ChinaMobile, Unicom, ChinaRail]

  5. CNGI-CERNET2 Backbones

  6. CERNET2's SAVA requirements (1) Regulatory Compliance • Governments may require network operators to vouch for the source of each packet that they carry • Protection of the legitimate owner of a spoofed source address Security Requirement • Spoofed source addresses are used in some types of DoS attacks

  7. CERNET2's SAVA requirements (2) Accounting Requirements • Facilitate the measurement of end-to-end network usage such as normal telephony. Application Requirements • Spoofed addresses and spoofed application identifiers lead to application problems such as spam e-mail. • The performance of end-to-end applications such as VoIP using SIP needs to be improved.

  8. Deployment Steps • Step 1: Tsinghua University SAVA testbed • Step 2: Prototypes implemented and 7 SAVA test ASes deployed on CNGI-CERNET2. The results observed so far are good. • Step 3: SAVA will be deployed in the CNGI backbone, including China Telecom, China Netcom, China Mobile, China Unicom, etc.

  9. Lessons Learned • BCP 38 limitation • Full deployment • Asymmetric routing environment • Little incentive for network operators • Basic Design Principle of SAVA • Focus on IPv6 • Performance • Scaling • Multi-fence solution • Incrementally deployable • Incomplete deployment still has benefits • Loose coupling of components
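
The two BCP 38 limitations listed on slide 9 (asymmetric routing and the need for full deployment) can be seen in a small simulation. This is an added example, not material from the presentation; it assumes ingress filtering is done either with a strict reverse-path check or with a static per-interface prefix list, and the topology, interface names and addresses are constructed.

```python
import ipaddress

# Constructed edge-router state (documentation prefix 2001:db8::/32).
# FIB: destination prefix -> best outgoing interface.
FIB = {
    "2001:db8:a::/48": "eth0",  # customer A, single-homed
    "2001:db8:b::/48": "eth1",  # customer B, dual-homed; best return path is eth1
    "::/0": "eth9",             # upstream transit
}
# Static ingress prefix list: interface -> source prefixes allowed on it.
# eth9 (upstream) has no list, so nothing is validated there.
ACL = {
    "eth0": ["2001:db8:a::/48"],
    "eth1": ["2001:db8:b::/48"],
    "eth2": ["2001:db8:b::/48"],  # customer B's second link
}

def best_interface(fib, addr):
    """Longest-prefix match: the interface used to route back to addr."""
    ip = ipaddress.ip_address(addr)
    routes = [(ipaddress.ip_network(p), iface) for p, iface in fib.items()]
    _, iface = max((r for r in routes if ip in r[0]),
                   key=lambda r: r[0].prefixlen)
    return iface

def strict_rpf_accepts(fib, src, in_if):
    """Accept only if the packet arrived on the best return interface."""
    return best_interface(fib, src) == in_if

def acl_accepts(acl, src, in_if):
    """Accept if src is in a prefix bound to in_if; unfiltered if no list."""
    if in_if not in acl:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in acl[in_if])

def evaluate(src, in_if):
    return {"strict_rpf": strict_rpf_accepts(FIB, src, in_if),
            "acl": acl_accepts(ACL, src, in_if)}

CASES = [  # (description, source address, arrival interface)
    ("B's address arriving on A's link", "2001:db8:b::1", "eth0"),
    ("B's own traffic on its second link", "2001:db8:b::1", "eth2"),
    ("unverifiable source from upstream", "2001:db8:ffff::1", "eth9"),
]

if __name__ == "__main__":
    for label, src, in_if in CASES:
        print(f"{label}: {evaluate(src, in_if)}")
```

The second case is the asymmetric-routing failure: the reverse-path check drops legitimate traffic that the prefix list accepts. The third shows why filtering only helps where it is deployed near the source.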
