Download
enhance security of ip network using new architecture of address validation n.
Skip this Video
Loading SlideShow in 5 Seconds..
Enhance Security of IP Network using New Architecture of Address Validation PowerPoint Presentation
Download Presentation
Enhance Security of IP Network using New Architecture of Address Validation

Enhance Security of IP Network using New Architecture of Address Validation

0 Views Download Presentation
Download Presentation

Enhance Security of IP Network using New Architecture of Address Validation

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Enhance Security of IP Network using New Architecture of Address Validation Xiaodong Duan China Mobile

  2. Background • After years of practice , traditional telecom services are evolving to All IP architecture • China Mobile has built the largest soft-switch network in the world • More than 70 percent of long-distance GSM voice • More than 200 millions of subscribers • Traditional circuit switch will be no longer introduced. • High security & availability requirement of services • Telecom service require carrier-grade quality (e.g. 5 nine) • Quality should keep unchanged after transferred to IP bearer • Demand to control, charge and manage all users who access the network • Widely use of NAT/NAPT on ipv4 network make a big trouble to Telecom operators • Hard to identify users • Hard to track hackers

  3. Problem description • IP address spoofing make a big trouble to operators like China Mobile. • Because of IP address limitation, NAT/NAPT is widely used. It’s almost impossible to track the hackers behind NAT. • On ipv6 network, address space will be no problem any more. An economy way to identify users is required.

  4. Existing solution analysis • To avoid impact by spoofing, we also deploy some technology solution, including: • Ingress filtering (through ACL. etc) • uRPF • There are problems for two solutions. • we can just deploy the solution at the edge of our network, but can not guarantee the IP address ingress from other operators' network. • if the number of IP address is very huge, large amount of configuration (ACL/uRPF) at the ingress point will damage the performance of network. And it also cause big complexity for operators' network maintenance.

  5. Why SAVA? • Security is still a critical problem in the current Internet • Most currently security solutions focus more on • End-point security • Security of application level • Security of protocol itself • Weak infrastructure security solutions • Weak user identify and address validation • Maybe we need some new design from aspect of Architecture of IP network • SAVA is a good idea to enhance security by implementing source address validation

  6. Suggestions for the next step • SAVA should focus on or pay attention to • Supporting Mobile IP and consider of Muilt-homing • Work properly when just deployed in a part of network. Or the solution do not force operators to deploy the solution in their network thoroughly. • The solution should be embedded into the entire network architecture, or it is better to be a inborn function of networks architecture to validate source address. • Won’t damage the performance of network or add much complexity to network maintenance • More flexible on the edge • Suit for kinds of access equipments, such as switch/router/BRAS • We think SAVA should meet the concerns above.

  7. Q&A?Thank you duanxiaodong@chinamobile.com