IPv4/IPv6 Anti-Spoofing – Source Address Validation (SAV) – Techniques & Tools

IPv4/IPv6 Anti-Spoofing through Source Address Validation (SAV) is one of the most promoted security best practices. We have achieved a wide range of SAV deployment, but we also run into the tedious 20% of the Internet that takes more human-intensive SAV deployment work. This guide is provided to help operators, engineers, policymakers, and executive decision-makers have a “reference list” of materials to help with their SAV architecture.

SAV Efforts, Reference Presentations, Papers, Standards, & Guides

Mutually Agreed Norms for Routing Security (MANRS)

Mutually Agreed Norms for Routing Security (MANRS) is a global initiative that helps reduce the most common routing threats. Operators created MANRS for network operators, ISPs, CSPs, and other telecom companies to deploy essential security measures to protect the globally interconnected routing architecture. MANRS works with DNS-OARC to collaborate on the security of the core IP and DNS infrastructure. If you are new to SAV work, start with the MANRS Primers. These guides help organizations within the context of their environment (enterprise, government, CSP, etc). Then explore the MANRS Observatory. This is a dashboard with measurements from networks all over the world.

MANRS Presentations

MANRS staff and volunteers advocate, educate, and empower their peers worldwide. Here is a list of some of the presentations. Contact the MANRS team if you wish to present.

CAIDA’s Spoofer Project 

Founded in 1997, the Center for Applied Internet Data Analysis (CAIDA) conducts network research and builds research infrastructure to support large-scale data collection, curation, and data distribution to the scientific research community. CAIDA is based at the San Diego Supercomputer Center, located on the UC San Diego campus in La Jolla, CA. The Spoofer Project @ CAIDA (https://spoofer.caida.org/) is round two of the effort to deploy tools to effectively measure SAV deployment, encourage deployment, and provide the industry with empirical data.

The Closed Resolver Project

IP address spoofing has been a well-known security issue for a long time. It enables potential attackers to change their genuine IP addresses and become untraceable. The most efficient way to fight this problem is to perform packet filtering at the network edge, known as Source Address Validation (SAV). We evaluate the SAV deployment of inbound traffic by sending DNS A requests to local resolvers on behalf of other tested network hosts. Not only do we check filtering policies, but we also reveal closed resolvers, not seen from outside otherwise. We periodically (twice per month) scan the whole routable IPv4 address space and a targeted list of IPv6 addresses to identify vulnerable networks. If you want to test your own network, please contact us.

Presentations & Videos of Tutorials

This is a collection of presentations done on Source Address Validation (SAV) and related network security.

IP Anti-Spoofing Papers, Studies, and Research

We have a rich field of academic study exploring the risk, technique, tools, and deployment of IP anti-spoofing throughout the Internet. This page works to collect all these in one place. You can find the list of IP Anti-Spoofing Research Papers here.

Standards and Regulatory Guidelines

Many countries and institutions slowly require organizations to deploy and maintain source address validation. We’re collecting the list here.

NIST Special Publication 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation by Kotikalapudi Sriram Doug Montgomery – This NIST publication received widespread assistance from industry experts. It is a good summary work with section descriptions provided for some of the SAV techniques These include:

  • SAV Using Access Control Lists
  • SAV Using Strict Unicast Reverse Path Forwarding
  • SAV Using Feasible-Path Unicast Reverse Path Forwarding
  • SAV Using Loose Unicast Reverse Path Forwarding
  • SAV Using VRF Table
  • SAV Using Enhanced Feasible-Path uRPF (Emerging/Future)

US FCC CSRIC – Final Report – Report on Best Practices and Recommendations to Mitigate Security Risks to Current IP-based Protocols.

Federal Financial Institutions Examination Council (FFIEC) DDoS Joint Statement

FCC Communications Security, Reliability and Interoperability Council (CSRIC) WG-5 Remediation of Server‐Based DDoS Attacks– September 2014

NSTAC Report to the President on Internet and Communications Resilience – November 16, 2017


Operator SAV Interconnection Policies

Many operators have codes of conduct, acceptable use, and methods of operations that enforce SAV. These are applied to their customers, their business partners, and their peers. Business Resiliency and Reduction of Risk are the core SAV objectives in these organizations.

Ask your ISP, Mobile Operator, CSP, Cloud Operator, or Edge Operator about their SAV policies. Also, ask where their public documentation is located and how they enforce these policies.

Historical & MISC SAV Reference Materials

The work to secure the Internet has been going on for decades, with many people and organizations contributing to the work. Here are some general references:

Vendor SAV Documentation

Each vendor has a range of techniques for source address validation. It is best to have meaningful conversations with your vendors to understand the performance envelop for how SAV features will perform, how they are monitored, what impact needs to be considered when upgrading software (or configurations), and the latest Best Deployment Practices for how to roll out SAV in your network.

General SAV Guides

Cisco Systems