
Research And Implementation Of Switch-based Source Address Validation

Posted on: 2013-12-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Wu
Full Text: PDF
GTID: 2248330374975671
Subject: Communication and Information System

Abstract/Summary:
With the development and application of the next-generation Internet, it is hoped that the new network can provide safer and more reliable service. At the same time, the re-deployment of the network makes new network mechanisms possible.

In the traditional Internet, packets are forwarded based only on the destination IP address, without checking the source IP address. This mechanism enables various kinds of attacks launched by spoofing the source address. Additionally, such attacks are difficult to trace because of the forged source address, which results in great harm.

In order to strengthen the management of Internet hosts, authentication techniques such as PPPoE and 802.1x are usually used. These authentication methods require installing a client and entering user information, which not all users like. South China University of Technology manages Internet users by binding a triad of IP address, MAC address and switch port. This prevents forged source addresses to a certain extent and does not require installing a client, but each binding is entered manually by the administrator, which is too much trouble.

Tsinghua University proposed the Source Address Validation Architecture (SAVA) in RFC 5210 [1]. Its purpose is to guarantee the authenticity of the source address of network packets, to prevent forged source addresses, and to make the tracing of malicious network attacks easier. This architecture divides source address validation into three levels: source address authenticity in the access network, source address authenticity inside an autonomous system, and source address authenticity between different autonomous systems. The different levels are authenticated with different granularities, finally achieving the guarantee of source address validation across the whole Internet. Research on source address validation in the next-generation network is of great significance to the establishment of a safer and more reliable next-generation Internet environment.

The SAVI Working Group is dedicated to the study of source address validation solutions for the access network.

This dissertation focuses on the mechanism and the system implementation of switch-based source address validation at the access-network level. It introduces the IPv4 dynamic address allocation protocol DHCPv4, as well as the IPv6 dynamic allocation protocols DHCPv6 and SLAAC. It studies the operating mechanism of these protocols and proposes a method to implement source address validation in an environment where these protocols are deployed.

Using an embedded development platform, a switch-based source address validation framework is designed, and an IPv4 and IPv6 source address validation system running in a multiple-address-allocation environment is implemented and tested. The system is based on the existing address allocation protocols and requires no additional protocol. Its operation is transparent to normal network users, yet it effectively prevents attacks based on spoofed source addresses. While ensuring the authenticity of the source address, the system also prevents the forwarding of some fake address configuration packets, in order to ensure the correctness of the users' address configuration process.

The system was tested in the Communication & Computer Network Lab of Guangdong Province for half a year, and a small-scale trial continues on campus. It has achieved initial results.
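The abstract describes the switch learning (port, MAC, IP) bindings from the address-assignment protocols it already forwards (DHCPv4, DHCPv6, SLAAC) and then dropping frames whose source address does not match a binding, plus blocking fake address-configuration packets. The following is an added illustration of that mechanism in Python, not code from the thesis or its system. It assumes a simplified model: bindings are keyed by IP address with a lease expiry, SLAAC addresses are claimed first-come-first-served when Duplicate Address Detection completes, and server-side configuration messages (DHCP OFFER/ACK, DHCPv6 REPLY, Router Advertisements) are forwarded only from ports the operator has marked trusted. All events, addresses and MACs below are constructed for the example.

```python
"""Switch-side source address validation (SAVI-style) binding table.

Added example, not the thesis's own code. Models the behaviour the abstract
describes: bindings are learned from the existing address-allocation protocols,
data frames are checked against them, and address-configuration packets that
only a server or router should send are dropped on untrusted access ports.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Sources a host may legitimately use before it owns an address
# (DHCPv4 DISCOVER uses 0.0.0.0, the DAD Neighbor Solicitation uses ::).
UNSPECIFIED = {"0.0.0.0", "::"}
UNSPECIFIED_OK_KINDS = {"dhcp_client", "ns"}
# Message kinds that only a server or router should originate.
SERVER_ONLY_KINDS = {"dhcp_server", "ra"}


@dataclass(frozen=True)
class Binding:
    port: int
    mac: str
    ip: str
    expires: float  # simulated time (seconds) after which the binding is stale


class SaviTable:
    """Per-switch binding table; one owner (port, MAC) per IP address."""

    def __init__(self, trusted_ports, slaac_lifetime=1800.0):
        self.trusted_ports = set(trusted_ports)  # uplinks toward servers/routers (assumed model)
        self.slaac_lifetime = slaac_lifetime      # assumed lifetime for DAD-learned bindings
        self._by_ip = {}

    @staticmethod
    def _norm(ip):
        # Canonical textual form so "2001:0db8:0:0::3" and "2001:db8::3" match.
        return str(ip_address(ip))

    def learn_dhcp(self, port, mac, ip, lease_seconds, now):
        """Binding from a DHCPv4 ACK or DHCPv6 REPLY seen on its way to the client."""
        ip = self._norm(ip)
        self._by_ip[ip] = Binding(port, mac.lower(), ip, now + lease_seconds)

    def learn_slaac(self, port, mac, ip, now):
        """Binding for a SLAAC address whose DAD completed on this port.
        First-come-first-served: a later claim for an owned address is refused."""
        ip = self._norm(ip)
        if ip in self._by_ip and self._by_ip[ip].expires > now:
            return False
        self._by_ip[ip] = Binding(port, mac.lower(), ip, now + self.slaac_lifetime)
        return True

    def expire(self, now):
        """Drop stale bindings; returns how many were removed."""
        stale = [ip for ip, b in self._by_ip.items() if b.expires <= now]
        for ip in stale:
            del self._by_ip[ip]
        return len(stale)

    def filter_config_packet(self, port, kind):
        """Forward server/router configuration messages only from trusted ports."""
        if kind in SERVER_ONLY_KINDS and port not in self.trusted_ports:
            return False, "server-only config packet from untrusted port"
        return True, "ok"

    def validate(self, port, src_mac, src_ip, now, kind="data"):
        """Decide (forward?, reason) for a frame arriving on `port`."""
        if src_ip in UNSPECIFIED:
            if kind in UNSPECIFIED_OK_KINDS:
                return True, "unspecified source allowed for configuration traffic"
            return False, "unspecified source on non-configuration traffic"
        b = self._by_ip.get(self._norm(src_ip))
        if b is None:
            return False, "no binding for source address"
        if b.expires <= now:
            return False, "binding expired"
        if b.port != port or b.mac != src_mac.lower():
            return False, "source address bound to another port/MAC"
        return True, "ok"


if __name__ == "__main__":
    t = SaviTable(trusted_ports={24})
    t.learn_dhcp(port=1, mac="aa:bb:cc:00:00:01", ip="10.0.0.5", lease_seconds=3600, now=0)
    print(t.validate(1, "aa:bb:cc:00:00:01", "10.0.0.5", now=10))   # legitimate owner
    print(t.validate(2, "aa:bb:cc:00:00:02", "10.0.0.5", now=10))   # spoof from another port
    print(t.filter_config_packet(5, "ra"))                          # rogue RA on access port
```

Port, MAC and expiry are all checked, so an attacker cannot reuse a victim's address from another port, nor keep using a lease after it ends; the `expire` sweep removes bindings once the lease or assumed SLAAC lifetime passes, matching the abstract's point that the system relies on the existing allocation protocols' own lifecycle rather than a separate one.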
Keywords/Search Tags: source address validation, switch, network security