Building a next generation Internet with source address validation architecture 被引量：8

Building a next generation Internet with source address validation architecture

导出

摘要 The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases.This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a ＂source address validation architecture＂（SAVA） is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, ＂multi-fence support＂ and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet. The IP packet forwarding of current Internet is mainly destination based. In the forwarding process, the source IP address is not checked in most cases.This causes serious security, management and accounting problems. Based on the drastically increased IPv6 address space, a ＂source address validation architecture＂（SAVA） is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, ＂multi-fence support＂ and incremental deployment. This paper discusses the design and implementation for the architecture, including inter-AS, intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new, more secure and dependable Internet.

作者 WU JianPing1,3,REN Gang1,3 & LI Xing2,3 1 Department of Computer Science,Tsinghua University,Beijing 100084,China 2 Department of Electronic Engineering,Tsinghua University,Beijing 100084,China 3 Tsinghua National Laboratory for Information Science and Technology(TNList) ,Beijing 100084,China

出处《Science in China(Series F)》 2008年第11期1681-1691,共11页 中国科学（F辑英文版）

基金 the National Natural Science Foundation of China (Grant No. 90704001) the National Basic Research Program of China (973 Program) (Grant No. 2003CB314800)

关键词 IP source address validation network architecture network security IP source address validation, network architecture, network security

分类号 TP393.02 [自动化与计算机技术—计算机应用技术]

引文网络
相关文献

参考文献10

1Ferguson P,Senie D.Network ingress filtering: Defeating denial of service attacks which employ IP source ad- dress spoofing[].RFC.2000
2Park K,Lee H.On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets[]..2001
3Li J,Mirkovic J,Wang M, et al.SAVE: Source address validity enforcement protocol[].IEEE Infocom.2002
4Jin C,Wang H.Hop-count filtering: an effective defense against spoofed DDoS traffic[].ACM CCS.2003
5Snoeren A,Partridge C,Sanchez L, et al.A Hash-based IP traceback[].ACM SIGCOMM.2001
6Bellovin S,Leech M,Taylor T.ICMP traceback messages. IETF Internet Draft, draft-ietf-itrace-03 . 2003
7Lee H,Thing V,Xu Y, et al.ICMP traceback with cumulative path, an efficient solution for IP traceback[].Information and Communications Security.2003
8Savage S,Wetherall D,Karlin A, et al.Practical network support for IP traceback[]..2000
9Belenky A,Ansari N.IP traceback with deterministic packet marking[].IEEE Communications Letters.2003
10Wu J,Ren G,Li X.Source address validation: Architecture and protocol design[].ICNP.2007

同被引文献19

1周志成,王卓,汪秉文,秦肖臻.基于SNMP++类库的简单网络管理平台的实现[J].计算机技术与发展,2006,16(3):158-160. 被引量：4
2王芬,赵梗明.基于SNMPv3网络管理系统的研究和应用[J].计算机技术与发展,2006,16(4):199-202. 被引量：7
3张宏科,苏伟.新网络体系基础研究——一体化网络与普适服务[J].电子学报,2007,35(4):593-598. 被引量：127
4姚广,毕军.互联网中IP源地址伪造及防护技术[J].电信科学,2008,24(1):26-32. 被引量：4
5武海燕,谭成翔,汪海航.I/O复用代理在网络隔离系统中的应用研究[J].计算机科学,2008,35(7):22-24. 被引量：1
6吴昊,杨凯,胡术,李娜娜.SNMP跨平台移植和交换机端口IP探测[J].计算机技术与发展,2008,18(11):18-21. 被引量：4
7WU JianPing1,2,3,LIU Ying2,3 & WU Qian2,3 1 Department of Computer Science,Tsinghua University,Beijing 100084,China,2 Network Research Center,Tsinghua University,Beijing 100084,China,3 Tsinghua National Laboratory for Information Science and Technology(TNList) ,Beijing 100084,China.Theoretical research progress in new-generation Internet architecture[J].Science in China(Series F),2008,51(11):1634-1660. 被引量：5
8XU Ke XU MingWei LI Qi LIN Song.Analysis and case study on multi-dimensional scalability of the Internet architecture[J].Science in China(Series F),2008,51(11):1661-1680. 被引量：6
9吴建平,任罡,李星.构建基于真实IPv6源地址验证体系结构的下一代互联网[J].中国科学（E辑）,2008,38(10):1583-1593. 被引量：22
10白建东,孙志刚.基于Bloom Filter的报文分类算法[J].计算机工程,2009,35(5):108-110. 被引量：4

引证文献8

1杨冬,张宏科,宋飞,李世勇.网络分层优先映射理论[J].中国科学：信息科学,2010,40(5):653-667.
2YANG Dong,ZHANG HongKe,SONG Fei,LI ShiYong.Network layered priority mapping theory[J].Science China(Information Sciences),2010,53(9):1713-1726.
3丁明,胡术.SNMP++开发包协议实现分析[J].计算机技术与发展,2012,22(4):1-4. 被引量：1
4吴建平,李贺武,孙文琦,吴茜,江卓,赵玮.Technology Trends and Architecture Research for Future Mobile Internet[J].China Communications,2013,10(6):14-27.
5肖佩瑶,毕军.基于OpenFlow架构的域内源地址验证方法[J].小型微型计算机系统,2013,34(9):1999-2003. 被引量：7
6LIU Ying,WU JianPing,ZHANG Zhou,XU Ke.Research achievements on the new generation Internet architecture and protocols[J].Science China(Information Sciences),2013,56(11):129-153. 被引量：2
7孙鹏.面向SDN的源地址验证方法研究[J].电光与控制,2016,23(3):49-53. 被引量：3
8Yangyang WANG,Jun BI,Keyao ZHANG.A tool for tracing network data plane via SDN/OpenFlow[J].Science China(Information Sciences),2017,60(2):70-82.

二级引证文献13

1王文涛,王奇枫,郭峰,唐菀.基于Open vSwitch的SDN网络平台构建方法[J].中南民族大学学报（自然科学版）,2014,33(4):99-104. 被引量：3
2NING HuanSheng,LIU Hong.Cyber-physical-social-thinking space based science and technology framework for the Internet of Things[J].Science China(Information Sciences),2015,58(3):14-32. 被引量：16
3刘权,王涛.云计算环境下移动互联网安全问题研究[J].中兴通讯技术,2015,21(3):4-6. 被引量：9
4张世轩,刘静,赖英旭,何运,杨盼.基于SDN构架的DoS/DDoS攻击检测与防御体系[J].电子技术应用,2015,41(12):113-115. 被引量：6
5何亨,黄伟,李涛,曾朋,董新华.基于SDS架构的多级DDoS防护机制[J].计算机工程与应用,2016,52(1):81-88. 被引量：10
6翟瑞,李丁蓬,付顺顺.IPv6下基于源地址验证的DRDoS攻击防御方案研究[J].软件导刊,2018,17(1):199-201. 被引量：2
7蔡佳晔,张红旗,高坤.基于Sibson距离的OpenFlow网络DDoS攻击检测方法研究[J].计算机应用研究,2018,35(7):2176-2179. 被引量：7
8秦晰,唐国栋,常朝稳,王瑞云.软件定义网络中基于密码标识的报文转发验证机制[J].电子与信息学报,2018,40(9):2042-2049. 被引量：3
9李宏佳,王利明,徐震,杨畅.5G安全:通信与计算融合演进中的需求分析与架构设计[J].信息安全学报,2018,3(5):1-14. 被引量：15
10姚刚,陈青华,乔勇军.SDN架构下的防ARP攻击系统设计[J].计算机与数字工程,2019,47(6):1426-1431. 被引量：2

1杭办.关于杭州市应对新一代互联网发展的对策建议[J].杭州科技,2008,29(3):29-30.
2Gu Zhongyu, Liu Jumei (Data Division of ZTE Corporation, Nanjing 210012, China).ZTE's Solution to China Next Generation Internet (CNGI)[J].ZTE Communications,2005,3(3):37-40.
3Ling Miao, Qin Hao (Data Division of ZTE Corporation, Nanjing 210012, China).Development of IPv6 Capabilities for Next Generation Internet[J].ZTE Communications,2005,3(3):2-5.
4马文会.让生活更美好的下一代网络[J].中等职业教育,2004(11):41-41.
5亚太中国又一项核心技术国际标准获IETF批准[J].中国教育网络,2008(8):21-21.
6沈卫强.南方电网CNGI驻地网的设计与实现[J].广东电力,2009,22(6):37-40. 被引量：2
7WANG JiLong,LI ZhongHui,LV GuoHan,JIANG CaiPing,LI Xing,ZHANG QianLi.DRAGON-Lab―Next generation internet technology experiment platform[J].Science in China(Series F),2008,51(11):1908-1918. 被引量：6
8WANG Wendong.Next Generation Internet and IPv6 Transition[J].China Communications,2015,12(3):151-152.
9实现真实源地址验证体系结构[J].中国教育网络,2009(10):20-22.
10下一代互联网（NGI）技术[J].通信世界,2006(13B).

Science in China(Series F)

2008年第11期

浏览历史

内容加载中请稍等...

Building a next generation Internet with source address validation architecture 被引量：8

参考文献10

同被引文献19

引证文献8

二级引证文献13

相关作者

相关机构

相关主题

浏览历史