Toward Practical Inter-Domain Source Address Validation

Xiaoliang Wang, Ke Xu, Yangfei Guo, Haiyang Wang, Songtao Fu, Qi Li, Bin Wu, Jianping Wu

Research output: Contribution to journal › Article › peer-review

Abstract

The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.

Original language: English (US)
Pages (from-to): 3126-3141
Number of pages: 16
Journal: IEEE/ACM Transactions on Networking
Volume: 32
Issue number: 4
State: Published - 2024

Bibliographical note

Publisher Copyright: © 2024 IEEE.

Keywords

  • Network security
  • hierarchical validation
  • source address validation
