This work presents a solution for source address validation in the first-hop, local subnet environment, deployed within the Tsinghua University network. The mechanism adds a new source validation function alongside the existing forwarding function of a network node. Its two components are the Source Validation Info Generating Mechanism on the control plane and the Source Validation Engine on the data plane; together they bind a host's assigned IP address to its link-layer address and switch port so that spoofed source addresses are dropped at the access switch in 802.1X environments. The framework is intended to be extended to nodes with multiple IP addresses or multiple link-layer addresses on a single interface.
A Solution For Source Address Validation in First Hop, Local Subnet Environment Ren Gang Tsinghua University
Network Node to Support Source Address Validation
• Current forwarding function & new source validation function
• "Source Validation Info Generating Mechanism": control plane component, implemented either in the control planes of existing forwarding elements or in an external server.
• "Source Validation Engine": data plane component, typically needs to be implemented on line cards.
Example (slide figure): a host with link-layer address 00-02-3F-B6-DC-9A attached to switch Port 2 sends an access request to the access network and is assigned the IPv6 source address 2001:250:f001:f002:210:5cff:fec7:1204.
• Binding in switch: { 2001:250:f001:f002:210:5cff:fec7:1204 + 00-02-3F-B6-DC-9A + Port 2 }
• Match? Packet with source 2001:250:f001:f002:210:5cff:fec7:1204 = assigned address → Access accepted
• Match? Packet with spoofed source 2001:250:f001:f002:210:5cff:fec7:1203 ≠ assigned address 2001:250:f001:f002:210:5cff:fec7:1204 → Access denied
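The binding check from the figure, written out as an added example (this is illustrative code, not the presentation's implementation or the Tsinghua deployment). The control-plane half installs a {IPv6 + MAC + port} binding when access is accepted and removes it on port down; the data-plane half matches each frame's ingress port, source MAC and source IPv6 against that binding. The class and method names, and the extra spoofed-MAC and wrong-port frames, are constructed here; only the address, MAC and port values come from the slide.

```python
"""Added example: a minimal first-hop source validation engine.

Models the binding shown on the slide: when access is granted, the control
plane records {IPv6 address + link-layer address + switch port}; the data
plane then checks every frame's (ingress port, source MAC, source IPv6)
against that binding and drops anything that does not match.

Names, structures and the sample frames are constructed for illustration;
they are not the presentation's code.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, Optional, Tuple


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so '00-02-3F-B6-DC-9A' and '00:02:3f:b6:dc:9a' compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ipv6: IPv6Address


@dataclass
class SourceValidationEngine:
    """Data-plane component: per-port binding table consulted on every frame."""
    # One binding per port: the slide's simple model (single host, single
    # address per interface). Multiple addresses/MACs per port is future work.
    table: Dict[str, Binding] = field(default_factory=dict)

    # --- control plane: "Source Validation Info Generating Mechanism" ---
    def access_accepted(self, port: str, mac: str, ipv6: str) -> Binding:
        """Called when 802.1X access succeeds and an address has been assigned."""
        b = Binding(port=port, mac=norm_mac(mac), ipv6=IPv6Address(ipv6))
        self.table[port] = b
        return b

    def port_down(self, port: str) -> Optional[Binding]:
        """Link down / logoff: drop the binding so the slot cannot be reused by a squatter."""
        return self.table.pop(port, None)

    # --- data plane: "Source Validation Engine" ---
    def validate(self, port: str, src_mac: str, src_ipv6: str) -> Tuple[bool, str]:
        """Return (accept, reason) for a frame arriving on `port`."""
        b = self.table.get(port)
        if b is None:
            return False, "no binding on ingress port"
        try:
            mac = norm_mac(src_mac)
            ip = IPv6Address(src_ipv6)
        except ValueError as e:
            return False, f"malformed source: {e}"
        if mac != b.mac:
            return False, f"source MAC {mac} != bound {b.mac}"
        if ip != b.ipv6:
            return False, f"source address {ip} != assigned {b.ipv6}"
        return True, "match"


def demo() -> Dict[str, bool]:
    """Replay the slide's example plus the spoofing cases a practitioner would test."""
    eng = SourceValidationEngine()
    eng.access_accepted("Port 2", "00-02-3F-B6-DC-9A", "2001:250:f001:f002:210:5cff:fec7:1204")
    cases = {
        # slide: assigned address, own MAC, own port -> accepted
        "assigned": ("Port 2", "00-02-3F-B6-DC-9A", "2001:250:f001:f002:210:5cff:fec7:1204"),
        # slide: spoofed address ...:1203 from the same host -> denied
        "spoof_ip": ("Port 2", "00-02-3F-B6-DC-9A", "2001:250:f001:f002:210:5cff:fec7:1203"),
        # constructed: right address, forged MAC -> denied
        "spoof_mac": ("Port 2", "00-02-3F-B6-DC-9B", "2001:250:f001:f002:210:5cff:fec7:1204"),
        # constructed: neighbour replays the binding from another port -> denied
        "wrong_port": ("Port 3", "00-02-3F-B6-DC-9A", "2001:250:f001:f002:210:5cff:fec7:1204"),
        # constructed: same address in a different textual form -> still accepted
        "uncompressed": ("Port 2", "00:02:3f:b6:dc:9a", "2001:0250:f001:f002:0210:5cff:fec7:1204"),
    }
    return {name: eng.validate(*frame)[0] for name, frame in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'Access accepted' if ok else 'Access denied'}")
```

The comparison is done on parsed values rather than on strings, so an attacker cannot slip past the check by writing the bound address with leading zeros or mixed-case hex. Because the table is keyed by ingress port, a host on another port that learns a neighbour's address and MAC still fails the match, which is the property that distinguishes a first-hop binding from a plain address filter.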
Limitation and Future Work
• Limitation
  • A simple model: a host connects to the network through a single interface with a single address.
  • Extension of existing protocols
• Future Work
  • Problems to be solved according to the Charter: nodes with multiple IP addresses on the same interface, nodes that use multiple link-layer addresses on the same interface, etc.
  • A common framework for different solutions