Source Address Validation Architecture Based On Stateless Core Approach

Posted on: 2011-04-16
Degree: Master
Type: Thesis
Country: China
Candidate: S Hao
Full Text: PDF
GTID: 2178360308961634
Subject: Computer Science and Technology
Abstract/Summary:
The current Internet's addressing and forwarding architecture is based on packet destinations and typically does not check the authenticity of packets' source addresses. This makes it a considerable security challenge to prevent attackers from launching attacks with forged source addresses and to trace the real sources of malicious traffic. Source address validation technology has been considered an essential component in the design and development of the next-generation Internet architecture. Enforcing source address validation would help achieve two goals: (1) since packets carrying spoofed source addresses would not be forwarded, it would be impossible to launch network attacks using spoofed source addresses; (2) authenticated source addresses would benefit network diagnosis, management, accounting, and applications. In this paper, a new protocol/architecture design is described that enhances network security by separately verifying the authenticity of source IP addresses at the ingress of the access network and the credibility of the packet path at the border of every domain. Access validation is based on a label generated by the host; path verification is implemented by an indicator that accumulates information about the domains the packets pass through, and this mechanism intrinsically provides the capability of tracing an attacker who sends malicious packets. This architecture greatly reduces the network complexity and system overhead introduced by source address validation. In addition, in the design and implementation of the prototype, we present a simplified model based on the IPv6 Flow Label field, which is used to carry the host-generated random tags to enhance the existing address binding mechanism in the access network and to bear the path validation information at the autonomous domain boundary by developing a BGP protocol extension.
The prototype design, based on the PATH-ATTRIBUTE of the BGP UPDATE message, facilitates the development and deployment of the source address validation architecture.
Keywords/Search Tags: Source Address Validation, Domain-path Verifying, Stateless Core, Flow label