Transcript sava-5

Enhance Security of IP Network using
New Architecture of Address Validation
Xiaodong Duan
China Mobile
Background
• After years of practice, traditional telecom services are evolving to an all-IP architecture
– China Mobile has built the largest soft-switch network in the world
• More than 70 percent of long-distance GSM voice
• More than 200 million subscribers
– Traditional circuit switching will no longer be introduced.
• High security and availability requirements for services
– Telecom services require carrier-grade quality (e.g. five nines)
– Quality must remain unchanged after the move to an IP bearer
– Need to control, charge and manage every user who accesses the network
• The wide use of NAT/NAPT in IPv4 networks causes big trouble for telecom operators
– Hard to identify users
– Hard to track hackers
Problem description
• IP address spoofing causes big trouble for operators like China Mobile.
• Because IPv4 addresses are scarce, NAT/NAPT is widely used, and it is almost impossible to track attackers behind NAT.
• In IPv6 networks, address space will no longer be a problem; an economical way to identify users is required.
Existing solution analysis
• To limit the impact of spoofing, we also deploy some technical solutions, including:
– Ingress filtering (through ACLs, etc.)
– uRPF
• Both solutions have problems:
– We can only deploy them at the edge of our own network and cannot guarantee the validity of source addresses entering from other operators' networks.
– If the number of IP addresses is very large, the large amount of configuration (ACL/uRPF) at the ingress point degrades network performance and adds considerable complexity to operators' network maintenance.
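The following Python model is an added illustration, not part of the talk: it implements strict and loose uRPF and a static ingress ACL over a small constructed FIB, and runs a few constructed packets through them. The interface names, prefixes and addresses are all made up for the example; the point it shows is that on the peer link a default route lets any foreign source pass uRPF, while a multi-homed customer arriving on its second link is wrongly dropped by strict mode.

```python
import ipaddress

# Constructed FIB for an edge router (example data, not from the talk):
# prefix -> interface the router would use to forward towards that prefix.
FIB = {
    "10.1.0.0/16": "ge-0/0/1",  # customer A, single-homed
    "10.2.0.0/16": "ge-0/0/2",  # customer B, single-homed
    "10.3.0.0/16": "ge-0/0/3",  # customer C, multi-homed (also on ge-0/0/4)
    "0.0.0.0/0":   "peer-0",    # default route towards other operators
}

def fib_lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in FIB.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def urpf_strict(src, in_ifc):
    """Strict uRPF: accept only if the reverse path to src is the arrival interface."""
    return fib_lookup(src) == in_ifc

def urpf_loose(src):
    """Loose uRPF: accept if src is reachable via any interface at all."""
    return fib_lookup(src) is not None

def ingress_acl(src, in_ifc, assigned):
    """Static ingress ACL: permit only sources in prefixes assigned to in_ifc (one entry per prefix)."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in assigned.get(in_ifc, ()))

# Constructed packets: (source address, arrival interface, what really happened)
PACKETS = [
    ("10.1.4.4",  "ge-0/0/1", "legit customer A"),
    ("10.2.9.9",  "ge-0/0/1", "customer A spoofing customer B"),
    ("10.1.4.4",  "peer-0",   "outside host spoofing our customer"),
    ("192.0.2.7", "peer-0",   "outside host spoofing another operator's address"),
    ("10.3.1.1",  "ge-0/0/4", "legit multi-homed customer C on its second link"),
]

def evaluate(packets=PACKETS):
    """Return {description: (strict_result, loose_result)} for each constructed packet."""
    return {desc: (urpf_strict(src, ifc), urpf_loose(src)) for src, ifc, desc in packets}

if __name__ == "__main__":
    print(*(f"{d}: strict={s} loose={l}" for d, (s, l) in evaluate().items()), sep="\n")
```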
Why SAVA?
• Security is still a critical problem in the current Internet
• Most current security solutions focus more on
– End-point security
– Application-level security
– Security of the protocol itself
• Weak infrastructure security solutions
• Weak user identification and address validation
• Perhaps we need a new design at the level of IP network architecture
• SAVA is a good idea to enhance security by implementing source address validation
Suggestions for the next step
• SAVA should focus on or pay attention to
– Supporting Mobile IP and taking multi-homing into account
– Working properly when deployed in only part of a network; the solution must not force operators to deploy it throughout their entire network.
– Being embedded into the overall network architecture; ideally, source address validation is a native function of the network architecture.
– Not degrading network performance or adding much complexity to network maintenance
– More flexibility at the edge
• Suitable for all kinds of access equipment, such as switches, routers and BRAS
• We think SAVA should meet the concerns above.
Q&A?
Thank you