Transcript sava-5
Enhance Security of IP Network using
New Architecture of Address Validation
Xiaodong Duan
China Mobile
Background
• After years of practice , traditional telecom services are evolving to
All IP architecture
– China Mobile has built the largest soft-switch network in the world
• More than 70 percent of long-distance GSM voice
• More than 200 millions of subscribers
– Traditional circuit switch will be no longer introduced.
• High security & availability requirement of services
– Telecom service require carrier-grade quality (e.g. 5 nine)
– Quality should keep unchanged after transferred to IP bearer
– Demand to control, charge and manage all users who access the
network
• Widely use of NAT/NAPT on ipv4 network make a big trouble to
Telecom operators
– Hard to identify users
– Hard to track hackers
Problem description
• IP address spoofing make a big trouble to
operators like China Mobile.
• Because of IP address limitation, NAT/NAPT is
widely used. It’s almost impossible to track the
hackers behind NAT.
• On ipv6 network, address space will be no
problem any more. An economy way to identify
users is required.
Existing solution analysis
• To avoid impact by spoofing, we also deploy some
technology solution, including:
– Ingress filtering (through ACL. etc)
– uRPF
• There are problems for two solutions.
– we can just deploy the solution at the edge of our network, but
can not guarantee the IP address ingress from other operators'
network.
– if the number of IP address is very huge, large amount of
configuration (ACL/uRPF) at the ingress point will damage the
performance of network. And it also cause big complexity for
operators' network maintenance.
Why SAVA?
• Security is still a critical problem in the current Internet
• Most currently security solutions focus more on
– End-point security
– Security of application level
– Security of protocol itself
• Weak infrastructure security solutions
• Weak user identify and address validation
• Maybe we need some new design from aspect of
Architecture of IP network
• SAVA is a good idea to enhance security by
implementing source address validation
Suggestions for the next step
• SAVA should focus on or pay attention to
– Supporting Mobile IP and consider of Muilt-homing
– Work properly when just deployed in a part of network. Or the
solution do not force operators to deploy the solution in their
network thoroughly.
– The solution should be embedded into the entire network
architecture, or it is better to be a inborn function of networks
architecture to validate source address.
– Won’t damage the performance of network or add much
complexity to network maintenance
– More flexible on the edge
• Suit for kinds of access equipments, such as switch/router/BRAS
• We think SAVA should meet the concerns above.
Q&A?
Thank you
[email protected]