Source Address Validation (SAV) – Techniques & Tools

Source Address Validation (SAV) is one of the most promoted security best practices. We have achieved a wide range of SAV deployment, but we also run into the tedious 20% of the Internet that takes more human-intensive SAV deployment work. This guide gives operators, engineers, policymakers, and executive decision-makers a “reference list” of materials to help with their SAV architecture.

SAV Efforts, Reference Presentations, Papers, Standards, & Guides

Mutually Agreed Norms for Routing Security (MANRS)

Mutually Agreed Norms for Routing Security (MANRS) is a global initiative that helps reduce the most common routing threats. Operators created MANRS for network operators, ISPs, CSPs, and other telecom companies to deploy essential security measures to protect the globally interconnected routing architecture. MANRS works with DNS-OARC to collaborate on the security of the core IP and DNS infrastructure. If you are new to SAV work, start with the MANRS Primers. These guides help organizations within the context of their environment (enterprise, government, CSP, etc.). Then explore the MANRS Observatory, a dashboard with measurements from networks all over the world.

MANRS Presentations

MANRS staff and volunteers advocate, educate, and empower their peers worldwide. Here is a list of some of the presentations. Contact the MANRS team if you wish to present.

CAIDA’s Spoofer Project 

Founded in 1997, the Center for Applied Internet Data Analysis (CAIDA) conducts network research and builds research infrastructure to support large-scale data collection, curation, and data distribution to the scientific research community. CAIDA is based at the San Diego Supercomputer Center, located on the UC San Diego campus in La Jolla, CA. The Spoofer Project @ CAIDA (https://spoofer.caida.org/) is round two of the effort to deploy tools to effectively measure SAV deployment, encourage deployment, and provide the industry with empirical data.

The Closed Resolver Project

IP address spoofing has been a well-known security issue for a long time. It enables potential attackers to change their genuine IP addresses and become untraceable. The most efficient way to fight this problem is to perform packet filtering at the network edge, known as Source Address Validation (SAV). We evaluate the SAV deployment of inbound traffic by sending DNS A requests to local resolvers on behalf of other tested network hosts. Not only do we check filtering policies, but we also reveal closed resolvers, not seen from outside otherwise. We periodically (twice per month) scan the whole routable IPv4 address space and a targeted list of IPv6 addresses to identify vulnerable networks. If you want to test your own network, please contact us.

Presentations & Videos of Tutorials

This is a collection of presentations done on Source Address Validation (SAV) and related network security.

Papers, Studies, and Research

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering by Robert Beverly, Arthur Berger, Young Hyun, and k claffy

The Evolution of Cable Network Security by Matt Tooley – NCTA, Matt Carothers – Cox Communications, Michael Glenn – Cable Labs, Michael O’Reirdan – Comcast, Chris Roosenraad – Time-Warner Cable, Bill Sweeney – Comcast

Deployment of Source Address Validation by Network Operators: A Randomized Control Trial by Qasim Lone, Alisa Frik, Matthew Luckie, Maciej Korczyński, Michel van Eeten, Carlos Gañán – One of the many efforts to measure SAV deployment and then explore the incentive gaps that are “headwinds” to SAV deployment (or SAV maintenance).

Source Address Validation (and means to infer deployment) by Maciej Korczyński and Yevheniya Nosyk, University Grenoble Alpes, CNRS, Grenoble INP, LIG, Grenoble, France

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers by Yevheniya Nosyk. Contributors: Yevheniya Nosyk, Qasim Lone, Marcin Skwarek, Baptiste Jonglez, Andrzej Duda, Maciej Korczynski

SAVing the Internet: Explaining the Adoption of Source Address Validation by Internet Service Providers by Qasim Lone, Maciej Korczyński, Carlos H. Gañán, and Michel van Eeten

Comparative Evaluation of Spoofing Defenses – Ezra Kissel, University of Delaware and Jelena Mirkovic, USC/ISI

“Network Hygiene Pays Off” – The Business Case for IP Source Address Verification – Joao Luis Silva Damas & Daniel Karrenberg, https://www.ripe.net/publications/docs/ripe-432

Network Hygiene, Incentives, and Regulation: Deployment of Source Address Validation in the Internet by Matthew Luckie, Robert Beverly, Ryan Koga, Ken Keys, Joshua A. Kroll, and k claffy

Challenges in Inferring Spoofed Traffic at IXPs by Lucas Müller, Matthew Luckie, Bradley Huffaker, kc Claffy, and Marinho Barcellos

Spoofed traffic inference at IXPs: Challenges, methods and analysis by Lucas Müller, Matthew Luckie, Bradley Huffaker, KC Claffy, and Marinho Barcellos

Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security by Casey Deccio, Alden Hilton, Michael Briggs, Trevin Avery, and Robert Richardson

Attacking Data Center Networks from the Inside by Anurag Khandelwal, Navendu Jain, and Seny Kamara

On the State of IP Spoofing Defense by Toby Ehrenkranz and Jun Li

iSAVE: Incrementally Deployable Source Address Validation by Jelena Mirković, Zhiguo Xu, Jun Li, Matthew Schnaider, Peter Reiher, and Lixia Zhang

Standards and Regulatory Guidelines

Many countries and institutions are slowly moving to require organizations to deploy and maintain source address validation. We’re collecting the list here.

NIST Special Publication 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation by Kotikalapudi Sriram and Doug Montgomery – This NIST publication received widespread assistance from industry experts. It is a good summary work, with section descriptions provided for some of the SAV techniques. These include:

  • SAV Using Access Control Lists
  • SAV Using Strict Unicast Reverse Path Forwarding
  • SAV Using Feasible-Path Unicast Reverse Path Forwarding
  • SAV Using Loose Unicast Reverse Path Forwarding
  • SAV Using VRF Table
  • SAV Using Enhanced Feasible-Path uRPF (Emerging/Future)

US FCC CSRIC – Final Report – Report on Best Practices and Recommendations to Mitigate Security Risks to Current IP-based Protocols.

Federal Financial Institutions Examination Council (FFIEC) DDoS Joint Statement

FCC Communications Security, Reliability and Interoperability Council (CSRIC) WG-5 Remediation of Server‐Based DDoS Attacks – September 2014

NSTAC Report to the President on Internet and Communications Resilience – November 16, 2017

IETF RFCs

Operator SAV Interconnection Policies

Many operators have codes of conduct, acceptable use, and methods of operations that enforce SAV. These are applied to their customers, their business partners, and their peers. Business Resiliency and Reduction of Risk are the core SAV objectives in these organizations.

Ask your ISP, Mobile Operator, CSP, Cloud Operator, or Edge Operator about their SAV policies. Also, ask where their public documentation is located and how they enforce these policies.

Historical & MISC SAV Reference Materials

The work to secure the Internet has been going on for decades, with many people and organizations contributing to the work. Here are some general references:

Vendor SAV Documentation

Each vendor has a range of techniques for source address validation. It is best to have meaningful conversations with your vendors to understand the performance envelope for how SAV features will perform, how they are monitored, what impact needs to be considered when upgrading software (or configurations), and the latest Best Deployment Practices for how to roll out SAV in your network.

General SAV Guides

Cisco Systems