SAVE: Source Address Validity Enforcement

1
SAVESource Address Validity Enforcement

• Jun Li, Jelena Mirkovic, Mengqiu Wang,
• Peter Reiher and Lixia Zhang
• UCLA
• USENIX Work-In Progress Session
• Washington DC, 08/17/2001

lijun, sunshine, wangmq, reiher,
lixia_at_cs.ucla.edu
2
Our Approach

• Provide information to the routers what is valid
  range of addresses for each incoming link
• Filter out packets with source address not from
  valid range

3
Motivation

• Eliminate IP spoofing
• Enhance some other protocols
• multicast, fair queuing

4
How is this different from ingress filtering?
C
A
from A
B
5
Why not augment routing protocol?
C
A
F
D
B
6
Why not augment routing protocol?
C
A
F
D
B
7
Our Approach - More Detail

• Every router is associated with range of
  addresses he takes care of
• For every destination from his forwarding table
  router generates SAVE update
• This update is forwarded to destination and state
  is stored in intermediate routers associating
  addresses from update with incoming link
• Updates are generated periodically and whenever
  forwarding entry changes

8
Challenges

• Security
• Partial deployment
• Overhead (memory, bandwidth)

9
For More Info...
http//fmg-www.cs.ucla.edu/adas
10
Storage Cost - single domain
11
Storage Cost - multiple domains
12
Triggered BW Cost - multiple domains
13
Periodic BW Cost - single domain
14
Periodic BW Cost - multiple domains