IPv4/IPv6 Anti-Spoofing through Source Address Validation (SAV) is one of the most promoted security best practices. We have achieved a wide range of SAV deployment, but we also run into the tedious 20% of the Internet that takes more human-intensive SAV deployment work. This guide is provided to help operators, engineers, policymakers, and executive decision-makers have a “reference list” of materials to help with their SAV architecture.
SAV Efforts, Reference Presentations, Papers, Standards, & Guides
Mutually Agreed Norms for Routing Security (MANRS)
Mutually Agreed Norms for Routing Security (MANRS) is a global initiative that helps reduce the most common routing threats. Operators created MANRS for network operators, ISPs, CSPs, and other telecom companies to deploy essential security measures to protect the globally interconnected routing architecture. MANRS works with DNS-OARC to collaborate on the security of the core IP and DNS infrastructure. If you are new to SAV work, start with the MANRS Primers. These guides help organizations within the context of their environment (enterprise, government, CSP, etc.). Then explore the MANRS Observatory. This is a dashboard with measurements from networks all over the world.

- MANRS Community Report 2021
- Internet Routing with MANRS
- Routing Security for Policymakers
- MANRS Project Study Report
- Primers
MANRS Presentations
MANRS staff and volunteers advocate, educate, and empower their peers worldwide. Here is a list of some of the presentations. Contact the MANRS team if you wish to present.
- PACNOG 2021 – MANRS (Mutually Agreed Norms for Routing Security) Pacific Network Operators Group (PacNOG 29)
CAIDA’s Spoofer Project
Founded in 1997, the Center for Applied Internet Data Analysis (CAIDA) conducts network research and builds research infrastructure to support large-scale data collection, curation, and data distribution to the scientific research community. CAIDA is based at the San Diego Supercomputer Center, located on the UC San Diego campus in La Jolla, CA. The Spoofer Project @ CAIDA (https://spoofer.caida.org/) is round two of the effort to deploy tools to effectively measure SAV deployment, encourage deployment, and provide the industry with empirical data.

The Closed Resolver Project
IP address spoofing has been a well-known security issue for a long time. It enables potential attackers to change their genuine IP addresses and become untraceable. The most efficient way to fight this problem is to perform packet filtering at the network edge, known as Source Address Validation (SAV). We evaluate the SAV deployment of inbound traffic by sending DNS A requests to local resolvers on behalf of other tested network hosts. Not only do we check filtering policies, but we also reveal closed resolvers, not seen from outside otherwise. We periodically (twice per month) scan the whole routable IPv4 address space and a targeted list of IPv6 addresses to identify vulnerable networks. If you want to test your own network, please contact us.
- Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic by Maciej Korczyński
Presentations & Videos of Tutorials
This is a collection of presentations done on Source Address Validation (SAV) and related network security.
- DDOSD-NIST-2016-08-v3 – Evaluation and Deployment of DDoS Mitigation Techniques – Doug Montgomery, Kotikalapudi Sriram ({dougm | ksriram}@nist.gov) Joint work with Mark Carson and Okhee Kim {carson | okim}@nist.gov Advanced Network Technologies Division – Information Technology Laboratory – http://www.antd.nist.gov/
- APRICOT 2022 – Session 5 – SAV and BCP38 – Hard Realities of Source Address Validation – 99% of the Internet does not need to send a source address that does not belong to them. “Spoofing” IP source addresses is one of the core problems with miscreant activities on the Internet. Source Address Validation (SAV) is applied to packets at an organizational boundary. This module walks through SAV, why spoofing is a threat, how organizations can plug the hole, and what to ask the upstream organizations. Find out more about the key “Network Operations” conference in the Asia Pacific at https://2022.apricot.net. All the tutorials and conference talks are online.
  - APRICOT 2022 – Zoom Recording – https://2022.apricot.net/program/sche…
  - Slides (Google Slides) – https://docs.google.com/presentation/…
- Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers – What are you doing to prepare for the next “scanning malware” and “Internet Worm?” – Barry Greene @ bgreene@senki.org
- SANOG 37 – MANRS for Network Operators
- Tackling Spoofing Attacks in Broadband Access Networks by Bharat Joshi (bharat_joshi@infosys.com), Pavan Kurapati (pavan_kurapati@infosys.com) & Ramakrishna Rao DTV (ramakrishnadtv@infosys.com)
IP Anti-Spoofing Papers, Studies, and Research
We have a rich field of academic study exploring the risk, technique, tools, and deployment of IP anti-spoofing throughout the Internet. This page works to collect all these in one place. You can find the list of IP Anti-Spoofing Research Papers here.
Standards and Regulatory Guidelines
Many countries and institutions are slowly coming to require organizations to deploy and maintain source address validation. We’re collecting the list here.
NIST Special Publication 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation by Kotikalapudi Sriram and Doug Montgomery – This NIST publication received widespread assistance from industry experts. It is a good summary work with section descriptions provided for some of the SAV techniques. These include:
- SAV Using Access Control Lists
- SAV Using Strict Unicast Reverse Path Forwarding
- SAV Using Feasible-Path Unicast Reverse Path Forwarding
- SAV Using Loose Unicast Reverse Path Forwarding
- SAV Using VRF Table
- SAV Using Enhanced Feasible-Path uRPF (Emerging/Future)
US FCC CSRIC – Final Report – Report on Best Practices and Recommendations to Mitigate Security Risks to Current IP-based Protocols.
Federal Financial Institutions Examination Council (FFIEC) DDoS Joint Statement
FCC Communications Security, Reliability and Interoperability Council (CSRIC) WG-5 Remediation of Server‐Based DDoS Attacks – September 2014
NSTAC Report to the President on Internet and Communications Resilience – November 16, 2017
IETF RFCs
- RFC 2827 aka BCP38 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
- RFC 3024 – Reverse Tunneling for Mobile IP
- RFC 3882 – Configuring BGP to Block Denial-of-Service Attacks
- RFC 3704, BCP 84 – Ingress Filtering for Multihomed Networks
- RFC 4388 – DHCPv4 Lease Query by Relay Agent Remote ID
- RFC 4778 – Current Operational Security Practices in Internet Service Provider Environments – January 2007
- RFC 4948 – Report from the IAB workshop on Unwanted Traffic March 9-10, 2006
- RFC 5635 – Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF) – August 2009
- RFC 6148 – DHCPv4 Lease Query by Relay Agent Remote ID (see https://www.ietf.org/proceedings/72/slides/dhc-8.pdf)
- RFC 8704, BCP 84 – Enhanced Feasible-Path Unicast Reverse Path Forwarding
Operator SAV Interconnection Policies
Many operators have codes of conduct, acceptable use, and methods of operations that enforce SAV. These are applied to their customers, their business partners, and their peers. Business Resiliency and Reduction of Risk are the core SAV objectives in these organizations.
Ask your ISP, Mobile Operator, CSP, Cloud Operator, or Edge Operator about their SAV policies. Also, ask where their public documentation is located and how they enforce these policies.
- Internet Initiative Japan (IIJ) – Source Address Validation Policy
- Xfinity – Comcast Network Management – Preventing Network Spoofing – PUBLISHED: MARCH 13, 2014
Historical & MISC SAV Reference Materials
The work to secure the Internet has been going on for decades, with many people and organizations contributing to the work. Here are some general references:
- ICANN SSAC004 – Securing the Edge http://www.icann.org/committees/security/sac004.txt
- ICANN SSAC008 – DNS Distributed Denial of Service (DDoS) Attacks http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
- ISOC Anti-Spoofing Page http://www.Internetsociety.org/deploy360/anti-spoofing/
- “RIPE Anti-Spoofing Task Force HOW-TO”, https://www.ripe.net/publications/docs/ripe-431
- ISOC: Addressing the challenge of IP spoofing – September 2015
Vendor SAV Documentation
Each vendor has a range of techniques for source address validation. It is best to have meaningful conversations with your vendors to understand the performance envelope of their SAV features, how they are monitored, what impact needs to be considered when upgrading software (or configurations), and the latest Best Deployment Practices for how to roll out SAV in your network.
General SAV Guides
- MANRS Anti-Spoofing Guide
- Source Address Validation Improvements (SAVI) Solution for DHCP https://tools.ietf.org/html/rfc7513
- Setting Access Lists with Radius http://blog.ipspace.net/2010/09/setting-access-lists-with-radius.html
Cisco Systems
- Cisco: IPv6 First-Hop Security Configuration Guide http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6f-15-sy-book.html
- Cisco: Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/15-02SG/configuration/guide/config/dhcp.html
- Cisco: Configuring DHCP Features and IP Source Guard http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html
- Cisco: Cable Source-Verify and IP Address Security http://www.cisco.com/c/en/us/support/docs/broadband-cable/cable-security/20691-source-verify.html
- Cisco Prime Cable Provisioning User Guide, 5.0 https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/cable_provisioning/5-0/user/guide/user_guide/prov_leasequery.html