Source Address Validation Architecture (SAVA) Requirements of CNGI-CERNET2
Jianping Wu, CERNET / Tsinghua University
IETF 68, Prague, March 2007
Outline
– CNGI-CERNET2
– CNGI-CERNET2's SAVA requirements
– Deployment steps
– Lessons learned
CNGI-CERNET2
– The 2nd generation of the China Education and Research Network
– A nationwide native IPv6 network, part of the CNGI (China Next Generation Internet) project
– Launched in Dec
– 25 core nodes in 20 major cities
– ~200 universities (stub access networks)
– IPv6 core routers and switches from Juniper, Cisco, Huawei, and Bitway
CNGI Backbones
CNGI-CERNET2 Backbones
CERNET2's SAVA requirements (1)
Regulatory Compliance
– Governments may require network operators to vouch for the source of each packet that they carry
– Protection of the legitimate owner of a spoofed source address
Security Requirement
– Spoofed source addresses are used in some types of DoS attacks
CERNET2's SAVA requirements (2)
Accounting Requirements
– Facilitate the measurement of end-to-end network usage, as is done in conventional telephony
Application Requirements
– Spoofed addresses and spoofed application identifiers lead to application problems such as spam
– The performance of end-to-end applications such as VoIP using SIP needs to be improved
Deployment Steps
– Step 1: Tsinghua University SAVA testbed
– Step 2: Prototypes implemented and 7 SAVA test ASes deployed on CNGI-CERNET2. The observed results are so far good.
– Step 3: SAVA will be deployed in the CNGI backbone, including China Telecom, China Netcom, China Mobile, China Unicom, etc.
Lessons Learned
BCP 38 limitations
– Requires full deployment
– Asymmetric routing environments
– Little incentive for network operators
Basic Design Principles of SAVA
– Focus on IPv6
– Performance
– Scaling
– Multi-fence solution
– Incrementally deployable
– Incomplete deployment still has benefits
– Loose coupling of components
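The asymmetric-routing limitation of BCP 38 listed above can be seen with a small model of ingress filtering. The following is an added illustration, not code from the SAVA prototypes or from CNGI-CERNET2: it runs strict and loose unicast RPF checks against a constructed IPv6 forwarding table with hypothetical interface names (peer_a, peer_b, upstream) and shows where each mode accepts or drops a packet.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB of a hypothetical border router: (prefix, outgoing interface).
# The stub AS 2001:db8:1::/48 is reachable via both peers, but the best
# path points to peer_b, while some of its traffic arrives on peer_a
# (asymmetric routing).
FIB: List[Tuple[ipaddress.IPv6Network, str]] = [
    (ipaddress.ip_network("2001:db8:1::/48"), "peer_b"),
    (ipaddress.ip_network("2001:db8:2::/48"), "peer_a"),
    (ipaddress.ip_network("::/0"), "upstream"),  # default route
]


def lookup(src: str) -> Optional[Tuple[ipaddress.IPv6Network, str]]:
    """Longest-prefix match of a source address against the FIB."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_urpf(src: str, in_iface: str) -> bool:
    """Strict uRPF (BCP 38 style): accept only if the best route back to the
    source address leaves through the interface the packet arrived on.
    A match on the default route does not count as a valid reverse path."""
    route = lookup(src)
    return route is not None and route[0].prefixlen != 0 and route[1] == in_iface


def loose_urpf(src: str, in_iface: str) -> bool:
    """Loose uRPF: accept if any non-default route to the source exists,
    regardless of the arrival interface."""
    route = lookup(src)
    return route is not None and route[0].prefixlen != 0


def evaluate(src: str, in_iface: str) -> Dict[str, bool]:
    """Return the verdict of both modes for one (source, ingress interface) pair."""
    return {"strict": strict_urpf(src, in_iface), "loose": loose_urpf(src, in_iface)}


if __name__ == "__main__":
    # Legitimate stub traffic on the asymmetric path: strict mode drops it.
    print(evaluate("2001:db8:1::10", "peer_a"))
    # Spoofed source from an unrouted prefix: both modes drop it.
    print(evaluate("2001:db8:ffff::1", "peer_a"))
```

Strict mode rejects legitimate traffic whenever forwarding and reverse paths diverge, while loose mode accepts any routable spoofed source, which is why neither mode alone gives operators much incentive to deploy.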