Enhance Security of IP Network using
New Architecture of Address Validation
Xiaodong Duan
China Mobile
Background
• After years of practice, traditional telecom services are evolving to an all-IP architecture
– China Mobile has built the largest soft-switch network in the world
• More than 70 percent of long-distance GSM voice
• More than 200 million subscribers
– Traditional circuit switches will no longer be introduced.
• High security and availability requirements of services
– Telecom services require carrier-grade quality (e.g. five nines)
– Quality should remain unchanged after the transfer to an IP bearer
– Demand to control, charge and manage all users who access the network
• Widespread use of NAT/NAPT on the IPv4 network causes big trouble for telecom operators
– Hard to identify users
– Hard to track hackers
Problem description
• IP address spoofing causes big trouble for operators like China Mobile.
• Because of the IP address shortage, NAT/NAPT is widely used. It is almost impossible to track hackers behind NAT.
• On the IPv6 network, address space will no longer be a problem. An economical way to identify users is required.
Existing solution analysis
• To limit the impact of spoofing, we also deploy some technical solutions, including:
– Ingress filtering (through ACLs, etc.)
– uRPF
• There are problems with both solutions.
– We can only deploy the solution at the edge of our own network, and cannot guarantee the source addresses of traffic entering from other operators' networks.
– If the number of IP addresses is very large, the large amount of configuration (ACL/uRPF) at the ingress point will damage network performance. It also adds big complexity to operators' network maintenance.
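To make the two checks named above concrete, here is an added example (not part of the original slides): a toy model of an edge router that applies ingress ACL filtering and strict uRPF to constructed packets. The FIB, interface names ("cust0", "cust1", "peer0"), ACLs and packets are all made up for illustration, using reserved documentation prefixes. It also shows the first limitation the slide describes: a spoofed source arriving from another operator's network on the peer port is covered only by the default route, so neither check on our own edge can reject it.

```python
"""
Added example, not from the slides: a toy model of ingress ACL filtering
and strict unicast Reverse Path Forwarding (uRPF) at an operator's edge
router. Every prefix, interface name and packet below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source address as written in the IP header
    ingress: str   # interface the packet arrived on


# Constructed FIB: prefix -> interface the prefix is reached through.
# Customer prefixes sit behind cust0/cust1; everything else goes to peer0.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "cust0",
    ipaddress.ip_network("198.51.100.0/24"): "cust1",
    ipaddress.ip_network("0.0.0.0/0"): "peer0",   # default route
}

# Constructed ingress ACLs: interface -> prefixes allowed as source there.
# There is deliberately no ACL on peer0: the operator cannot enumerate
# every prefix that may legitimately arrive from other operators.
ACL = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/24")],
}


def lookup(addr):
    """Longest-prefix match in FIB; returns the egress interface for addr."""
    ip = ipaddress.ip_address(addr)
    best_prefix, best_iface = None, None
    for prefix, iface in FIB.items():
        if ip in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_iface = prefix, iface
    return best_iface


def ingress_acl_permits(pkt):
    """Ingress filtering (BCP 38 style): the source must fall inside one of
    the prefixes the ACL bound to the ingress interface allows.
    Returns None when no ACL is configured on that interface."""
    if pkt.ingress not in ACL:
        return None
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in p for p in ACL[pkt.ingress])


def urpf_strict_permits(pkt):
    """Strict uRPF: the route back to the source must leave through the
    same interface the packet arrived on."""
    return lookup(pkt.src) == pkt.ingress


def evaluate(pkt):
    """Verdict of each check for one packet (True = permit, False = drop,
    None = check not applicable on that interface)."""
    return {"acl": ingress_acl_permits(pkt), "urpf_strict": urpf_strict_permits(pkt)}


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "cust0"),    # legitimate customer traffic
        Packet("198.51.100.9", "cust0"),   # customer 0 spoofing customer 1
        Packet("203.0.113.7", "peer0"),    # peer spoofing our own customer
        Packet("192.0.2.5", "peer0"),      # peer spoofing a foreign address
    ]
    for pkt in samples:
        print(pkt, evaluate(pkt))
```

The last sample is the gap the slide points at: "192.0.2.5" matches only the default route, which points back at peer0, so strict uRPF permits it and no ACL exists to reject it. Only the originating operator could have filtered it.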
Why SAVA?
• Security is still a critical problem in the current Internet
• Most current security solutions focus more on
– End-point security
– Application-level security
– Security of the protocol itself
• Weak infrastructure security solutions
• Weak user identification and address validation
• Maybe we need some new design from the perspective of the IP network architecture
• SAVA is a good idea to enhance security by implementing source address validation
Suggestions for the next step
• SAVA should focus on or pay attention to
– Supporting Mobile IP and considering multi-homing
– Working properly when deployed in only part of the network; i.e., the solution should not force operators to deploy it throughout their whole network.
– The solution should be embedded into the entire network architecture; better still, source address validation should be an inborn function of the network architecture.
– It must not damage network performance or add much complexity to network maintenance
– More flexibility at the edge
• Suitable for all kinds of access equipment, such as switches/routers/BRAS
• We think SAVA should meet the concerns above.
Q&A?
Thank you