Source Address Validation Architecture (SAVA) Requirements of CNGI-CERNET2
Jianping Wu, CERNET/Tsinghua University
IETF 68, Prague, March 2007

Outline
• CNGI-CERNET2
• CNGI-CERNET2's SAVA requirements
• Deployment steps
• Lessons learned

CNGI-CERNET2
• The 2nd generation of China Education and Research Network
• A nationwide native IPv6 network, part of the CNGI (China Next Generation Internet) project
• Launched in Dec 2004
• 25 core nodes in 20 major cities
• ~200 universities (stub access networks)
• IPv6 core routers and switches from Juniper, Cisco, Huawei, and Bitway

[Figure: map of the CNGI backbones across China, with provinces and node cities labeled. Legend: CERNET, ChinaTelecom, CNC/CST, ChinaMobile, Unicom, ChinaRail.]

CERNET2's SAVA requirements (1)
Regulatory Compliance
• Governments may require network operators to vouch for the source of each packet that they carry
• Protection of the legitimate owner of a spoofed source address
Security Requirement
• Spoofed source addresses are used in some types of DoS attacks

CERNET2's SAVA requirements (2)
Accounting Requirements
• Facilitate the measurement of end-to-end network usage such as normal telephony
Application Requirements
• Spoofed addresses and spoofed application identifiers lead to application problems such as spam e-mail
• The performance of end-to-end applications such as VoIP using SIP needs to be improved

Deployment Steps
• Step 1: Tsinghua University SAVA testbed
• Step 2: Prototypes implemented and 7 SAVA test ASes deployed on CNGI-CERNET2. The results observed so far are good.
• Step 3: SAVA will be deployed in the CNGI backbone, including China Telecom, China Netcom, China Mobile, China Unicom, etc.

Lessons Learned
• BCP 38 limitation
  • Full deployment
  • Asymmetric routing environment
  • Little incentive for network operators
• Basic Design Principle of SAVA
  • Focus on IPv6
  • Performance
  • Scaling
  • Multi-fence solution
  • Incrementally deployable
  • Incomplete deployment still has benefits
  • Loose coupling of components