Abstract
The Internet Protocol (IP) is the most fundamental building block of the Internet. However, it provides no explicit notion of packet-level authenticity. Such a weakness allows malicious actors to spoof IP packet headers and launch a wide variety of attacks. Meanwhile, the highly decentralized management of Internet infrastructure makes large-scale source address validation challenging in terms of overhead, validity, and flexibility. This paper presents a practical anti-spoofing approach, Source Address Validation Architecture eXternal (SAVA-X). SAVA-X introduces the concept of Address Domain to enable address validation in finer, prefix-level granularity. The address domains are organized in nested hierarchies to provide higher scalability and lower maintenance costs for partial deployment. We implement SAVA-X on commercial backbone routers and the P4 platform. The experiments indicate that the hardware implementation of SAVA-X can achieve 98% throughput on 100 Gbps links and close to the native IP forwarding in per-packet overhead, with less than 10 microseconds additional processing latency.
Original language | English (US) |
---|---|
Pages (from-to) | 3126-3141 |
Number of pages | 16 |
Journal | IEEE/ACM Transactions on Networking |
Volume | 32 |
Issue number | 4 |
State | Published - 2024 |
Bibliographical note
Publisher Copyright:© 2024 IEEE.
Keywords
- Network security
- hierarchical validation
- source address validation