
Enhance Security of IP Network using New Architecture of Address Validation

Explore a new architecture to enhance the security of IP networks by implementing source address validation. This solution addresses the challenges of IP address spoofing and NAT/NAPT complications, providing a secure and efficient network environment.


Presentation Transcript


  1. Enhance Security of IP Network using New Architecture of Address Validation
     Xiaodong Duan, China Mobile

  2. Background
     • After years of practice, traditional telecom services are evolving to an all-IP architecture
     • China Mobile has built the largest soft-switch network in the world
     • More than 70 percent of long-distance GSM voice
     • More than 200 million subscribers
     • Traditional circuit switches will no longer be introduced
     • High security and availability requirements for services
     • Telecom services require carrier-grade quality (e.g. five nines)
     • Quality should remain unchanged after services are transferred to an IP bearer
     • Demand to control, charge and manage all users who access the network
     • Wide use of NAT/NAPT on IPv4 networks causes serious trouble for telecom operators
     • Hard to identify users
     • Hard to track hackers

  3. Problem description
     • IP address spoofing causes serious trouble for operators like China Mobile.
     • Because of IP address limitations, NAT/NAPT is widely used. It is almost impossible to track hackers behind NAT.
     • On IPv6 networks, address space will no longer be a problem. An economical way to identify users is required.

  4. Existing solution analysis
     • To avoid the impact of spoofing, we also deploy some technical solutions, including:
     • Ingress filtering (through ACLs, etc.)
     • uRPF
     • Both solutions have problems:
     • We can only deploy them at the edge of our own network, so we cannot guarantee the source addresses of traffic entering from other operators' networks.
     • If the number of IP addresses is very large, the large amount of configuration (ACL/uRPF) at the ingress points will damage network performance. It also makes maintenance of the operator's network much more complex.

  5. Why SAVA?
     • Security is still a critical problem in the current Internet
     • Most current security solutions focus more on
     • End-point security
     • Application-level security
     • Security of the protocol itself
     • Infrastructure security solutions are weak
     • User identification and address validation are weak
     • We may need a new design at the level of the IP network architecture
     • SAVA is a good idea: it enhances security by implementing source address validation

  6. Suggestions for the next step
     • SAVA should focus on or pay attention to
     • Supporting Mobile IP and considering multi-homing
     • Working properly when deployed in only part of the network; that is, the solution should not force operators to deploy it throughout their networks.
     • The solution should be embedded into the entire network architecture; better still, source address validation should be an inherent function of the network architecture.
     • Not damaging network performance or adding much complexity to network maintenance
     • More flexibility at the edge
     • Suitability for many kinds of access equipment, such as switches, routers and BRAS
     • We think SAVA should meet the concerns above.

  7. Q&A? Thank you
     duanxiaodong@chinamobile.com
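
The edge-only limitation of uRPF from slide 4, as an added example that is not part of the original presentation: a strict uRPF check over a constructed routing table, showing that forged sources are dropped on customer ports while a source reachable only through the default route is accepted from the peering link whether or not it is genuine. The prefixes are documentation ranges and the interface names are hypothetical.

```python
import ipaddress

# Constructed FIB for an operator edge router: (prefix, interface towards it).
# Prefixes are documentation ranges; interface names are hypothetical.
FIB = [
    ("0.0.0.0/0", "peer0"),        # default route towards another operator
    ("198.51.100.0/24", "cust1"),  # customer A
    ("203.0.113.0/24", "cust2"),   # customer B
]
FIB = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB]


def lookup(addr):
    """Longest-prefix match: interface the FIB would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in FIB if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def strict_urpf(src, in_ifc):
    """Strict uRPF: accept only if the best route back to src is in_ifc."""
    return lookup(src) == in_ifc


def classify(packets):
    """Return (src, in_ifc, verdict) for each packet."""
    return [(s, i, "accept" if strict_urpf(s, i) else "drop")
            for s, i in packets]


# Constructed packets: (claimed source address, arrival interface).
PACKETS = [
    ("198.51.100.7", "cust1"),  # genuine customer A traffic
    ("203.0.113.9", "cust1"),   # customer A claiming customer B's address
    ("192.0.2.55", "cust1"),    # customer A claiming an outside address
    ("192.0.2.55", "peer0"),    # outside source via the peer: not verifiable
    ("203.0.113.9", "peer0"),   # our own prefix arriving from the peer
]

if __name__ == "__main__":
    for src, ifc, verdict in classify(PACKETS):
        print(f"{src:15} on {ifc:6} -> {verdict}")
```

The fourth packet is the case the slide describes: the edge router has no specific route for addresses in another operator's network, so it has nothing to validate the claimed source against.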
