Enhance Security of IP Network using New Architecture of Address Validation
Xiaodong Duan, China Mobile
Background
• After years of practice, traditional telecom services are evolving to an All-IP architecture
  • China Mobile has built the largest soft-switch network in the world
  • More than 70 percent of long-distance GSM voice
  • More than 200 million subscribers
  • Traditional circuit switches will no longer be introduced
• High security and availability requirements of services
  • Telecom services require carrier-grade quality (e.g. "five nines", 99.999% availability)
  • Quality must stay unchanged after the service is moved onto an IP bearer
  • Need to control, charge and manage every user who accesses the network
• Wide use of NAT/NAPT on the IPv4 network causes big trouble for telecom operators
  • Hard to identify users
  • Hard to trace attackers
Problem description
• IP address spoofing causes big trouble for operators like China Mobile.
• Because of IPv4 address limitations, NAT/NAPT is widely used. It is almost impossible to trace attackers behind a NAT: the operator only ever sees the translated address.
• On an IPv6 network, address space will no longer be a problem. An economical way to identify users is required.
Existing solution analysis
• To limit the impact of spoofing, we have also deployed some technical solutions, including:
  • Ingress filtering (through ACLs, etc.)
  • uRPF (unicast Reverse Path Forwarding)
• Both solutions have problems:
  • We can only deploy them at the edge of our own network; they cannot guarantee the source addresses of traffic entering from other operators' networks.
  • When the number of IP addresses is very large, the large amount of configuration (ACL/uRPF) at the ingress point degrades network performance and greatly complicates network maintenance.
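The following is an added illustration, not code from the slides or from China Mobile: a small model of the two existing checks (a per-port ingress ACL and strict/loose uRPF) run over a constructed forwarding table and a constructed traffic sample. The prefixes, interface names and packets are assumptions made for the example. It shows the two limits the slide names: the ACL needs one entry per customer prefix, and neither check can reject a spoofed source that is legitimately reachable through the same peering interface the packet arrived on.

```python
"""Ingress ACL vs. strict/loose uRPF over a constructed edge-router FIB.

Added example; the FIB, interfaces and packets are constructed and are not
real operator data.  The default route is skipped by the uRPF lookup, as
router implementations do unless 'allow-default' is configured.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str


# Constructed FIB: two customer access ports and one peering link (peer0)
# to another operator.  The prefixes are documentation/private ranges.
FIB = [
    Route(ipaddress.ip_network("10.1.0.0/24"), "access0"),
    Route(ipaddress.ip_network("10.2.0.0/24"), "access1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "peer0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "peer0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "peer0"),  # default towards the peer
]


def lookup(src: str) -> Optional[Route]:
    """Longest-prefix match for the source address, ignoring the default route."""
    addr = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for r in FIB:
        if r.prefix.prefixlen == 0:
            continue
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def strict_urpf(src: str, ingress: str) -> bool:
    """Strict mode: the best route back to src must point out the ingress interface."""
    r = lookup(src)
    return r is not None and r.iface == ingress


def loose_urpf(src: str, ingress: str) -> bool:
    """Loose mode: any non-default route to src is enough; ingress is not consulted."""
    return lookup(src) is not None


def ingress_acl() -> Dict[str, List[IPv4Network]]:
    """Static ingress filter: each access port permits only the prefixes routed
    to it.  One entry per customer prefix, which is the configuration volume
    the slide complains about.  Peering ports get no ACL because the operator
    cannot enumerate the other operator's legitimate sources."""
    acl: Dict[str, List[IPv4Network]] = {}
    for r in FIB:
        if r.iface.startswith("access"):
            acl.setdefault(r.iface, []).append(r.prefix)
    return acl


def acl_permits(src: str, ingress: str) -> bool:
    acl = ingress_acl()
    if ingress not in acl:          # unfiltered port (e.g. peering link)
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in acl[ingress])


def evaluate(packets: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run all three checks over (src, ingress) pairs."""
    return [
        {"src": s, "ingress": i,
         "acl": acl_permits(s, i),
         "strict_urpf": strict_urpf(s, i),
         "loose_urpf": loose_urpf(s, i)}
        for s, i in packets
    ]


# Constructed traffic sample.
SAMPLE = [
    ("10.1.0.5", "access0"),     # genuine customer on its own port
    ("10.2.0.7", "access0"),     # customer spoofing a neighbouring customer's prefix
    ("10.1.0.5", "peer0"),       # peer injecting a packet that claims to be our customer
    ("198.51.100.4", "peer0"),   # spoofed source that is reachable via the same peer: passes everything
    ("192.0.2.77", "peer0"),     # source with no specific route (only 0/0)
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

The fourth packet is the case the slide calls out: a source address that belongs to some prefix behind the peering link cannot be distinguished from a genuine one by either the ACL or uRPF at our edge, because the only thing the edge router knows is that the prefix is reachable through that link. Only the operator that owns the prefix can validate it, which is the motivation for an architecture-level approach.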
Why SAVA?
• Security is still a critical problem in the current Internet
• Most current security solutions focus on
  • End-point security
  • Application-level security
  • Security of the protocol itself
• Infrastructure security solutions are weak
  • Weak user identification and address validation
• Maybe we need a new design at the level of the IP network architecture
• SAVA (Source Address Validation Architecture) is a good idea to enhance security by implementing source address validation
Suggestions for the next step
• SAVA should focus on or pay attention to:
  • Supporting Mobile IP and taking multi-homing into account
  • Working properly when deployed in only part of a network; the solution should not force operators to deploy it throughout their networks
  • Being embedded into the entire network architecture: source address validation is best made an inborn function of the network architecture
  • Not damaging network performance or adding much complexity to network maintenance
  • Being more flexible at the edge
  • Suiting all kinds of access equipment, such as switches/routers/BRAS
• We think SAVA should meet the concerns above.
Q&A?
Thank you
email@example.com