Internet Engineering Task Force (IETF)                      D. McPherson
Request for Comments: 6959                                VeriSign, Inc.
Category: Informational                                         F. Baker
ISSN: 2070-1721                                            Cisco Systems
                                                              J. Halpern
                                                                Ericsson
                                                                May 2013
        
Source Address Validation Improvement (SAVI) Threat Scope

Abstract

The Source Address Validation Improvement (SAVI) effort aims to complement ingress filtering with finer-grained, standardized IP source address validation. This document describes threats enabled by IP source address spoofing both in the global and finer-grained context, describes currently available solutions and challenges, and provides a starting point analysis for finer-grained (host granularity) anti-spoofing work.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6959.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Overview
   2. Glossary of Terms
   3. Spoof-Based Attack Vectors
      3.1. Blind Attacks
           3.1.1. Single-Packet Attacks
           3.1.2. Flood-Based DoS
           3.1.3. Poisoning Attacks
           3.1.4. Spoof-Based Worm/Malware Propagation
           3.1.5. Reflective Attacks
           3.1.6. Accounting Subversion
           3.1.7. Other Blind Spoofing Attacks
      3.2. Non-blind Attacks
           3.2.1. Man in the Middle (MITM)
           3.2.2. Third-Party Recon
           3.2.3. Other Non-blind Spoofing Attacks
   4. Current Anti-spoofing Solutions
      4.1. Topological Locations for Enforcement
           4.1.1. Host to Link-Layer Neighbor via Switch
           4.1.2. Upstream Switches
           4.1.3. Upstream Routers
           4.1.4. ISP Edge PE Router
           4.1.5. ISP NNI Router to ISP NNI Router
           4.1.6. Cable Modem Subscriber Access
           4.1.7. DSL Subscriber Access
      4.2. Currently Available Tools
           4.2.1. BCP 38
           4.2.2. Unicast RPF
           4.2.3. Port-Based Address Binding
           4.2.4. Cryptographic Techniques
           4.2.5. Residual Attacks
   5. Topological Challenges Facing SAVI
      5.1. Address Provisioning Mechanisms
      5.2. LAN Devices with Multiple Addresses
           5.2.1. Routers
           5.2.2. NATs
           5.2.3. Multi-instance Hosts
           5.2.4. Multi-LAN Hosts
           5.2.5. Firewalls
           5.2.6. Mobile IP
           5.2.7. Other Topologies
      5.3. IPv6 Considerations
   6. Analysis of Host Granularity Anti-spoofing
   7. Security Considerations
      7.1. Privacy Considerations
   8. Acknowledgments
   9. References
      9.1. Normative References
      9.2. Informative References

1. Overview

The Internet Protocol, specifically IPv4 [RFC0791] and IPv6 [RFC2460], employs a connectionless hop-by-hop packet forwarding paradigm. A host connected to an IP network that wishes to communicate with another host on the network generates an IP packet with source and destination IP addressing information, among other options.

At the IP network layer, or Internet layer, there is typically no required transactional state when communicating with other hosts on the network. In particular, the network does not track any state about the hosts using the network. This is normally a benefit. However, as a consequence of this, hosts generating packets for transmission have the opportunity to spoof (forge) the source address of packets that they transmit, as the network does not have any way to tell that some of the information is false.

Source address validation is necessary in order to detect and reject spoofed IP packets in the network, and contributes to the overall security of IP networks. This document deals with the subset of such validation done by the network based on observed traffic and policy. Such source address validation techniques enable detection and rejection of many spoofed packets, and also implicitly provide some assurances that the source address in an IP packet is legitimately assigned to the system that generated the packet.

Solutions such as those described in BCP 38 [RFC2827] provide guidelines for one such technique for network ingress filtering. However, if these techniques are not implemented at the ingress point of the IP network, then the validity of the source address cannot be positively ascertained. Furthermore, BCP 38 only implies source address validation at the Internet layer and is most often implemented on IP subnetwork address boundaries. One of the difficulties in encouraging the deployment of BCP 38 is that there is relatively little benefit until it is very widely deployed, which is not yet the case.

Hence, in order to try to get better behavior, it is helpful to look for an application like that described in BCP 38, but one that can be applied locally and give locally beneficial results. The local benefit would provide a reason for the site to deploy, while moving the Internet as a whole towards an environment where BCP 38 is widely effected. SAVI is aimed at providing more specific protection locally, with the benefit of better local behavior and, in conjunction with appropriate logging, better local traceability, while also providing better compliance with the cases dealt with by BCP 38.

It should be noted that while BCP 38 directs providers to provide protection from spoofed prefixes, it is clearly desirable for enterprise operators to provide that protection more locally, and with better traceability. This allows the enterprise to be a better Internet participant and to quickly detect and remedy problems when they occur. For example, when an enterprise receives a report of an attack originating within that enterprise, the operational staff desires to be able to track from the IP address sourcing the attack to the particular machine within the enterprise that is the source. This is typically simpler and more reliable than other techniques, such as trying to find the attack in ongoing outbound traffic. To do this, the enterprise needs usable address assignment and usage information (appropriate logging), as well as accurate information (SAVI), to determine that no other machine could have been using that address.

Also, there is a possibility that in a LAN environment where multiple hosts share a single LAN or IP port on a switch or router, one of those hosts may spoof the source addresses of other hosts within the local subnet. Understanding these threats and the relevant topologies in which they're introduced is critical when assessing the threats that exist with source address spoofing.

This document provides additional details regarding spoof-based threat vectors and discusses implications of various network topologies.

2. Glossary of Terms

The following acronyms and terms are used throughout this memo.

Binding Anchor: The relationship used by a device performing source address enforcement to perform the validation and enforcement. Examples in different situations include Layer 2 addresses or physical ports.

BGP: The Border Gateway Protocol, used to manage routing policy between large networks.

CPE Router: Customer Premises Equipment router. The router on the customer premises, whether owned by the customer or the provider. Also called the Customer Edge, or CE, router.

IP Address: An Internet Protocol address, whether IPv4 or IPv6.

ISP: Internet Service Provider. Any person or company that delivers Internet service to another.

MAC Address: An Ethernet address or comparable IEEE 802 series address.

NNI Router: Network-to-Network Interface router. This router interface faces a similar system operated by another ISP or other large network.

PE Router: Provider Edge router. This router faces a customer of an ISP.

Spoofing: The act of sending a datagram header whose contents at the link layer or network layer do not match the network policies and activities on address assignment or claiming. Generally, this corresponds to sending messages with source network or link-layer information that is assigned to or currently properly claimed by some other devices in the network.

TCP: The Transmission Control Protocol, used on end systems to manage data exchange.

uRPF: Unicast Reverse Path Forwarding. A procedure in which the route table, which is usually used to look up destination addresses and route towards them, is used to look up the source address and ensure that one is routing away from it. When this test fails, the event may be logged, and the traffic is commonly dropped.

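
As an added illustration of the uRPF procedure just defined (example code, not part of this RFC), the check below runs strict and loose reverse-path lookups against a constructed routing table. The interface names, the "null0" blackhole convention and the allow_default switch are assumptions; the asymmetric-routing caveat in the docstring is why strict mode is normally confined to single-homed edges.

```python
import ipaddress

# Constructed routing table (assumption, not from the RFC): prefix -> egress
# interface. "null0" marks a blackholed prefix, a common router convention.
ROUTES = [
    ("0.0.0.0/0",       "upstream0"),
    ("192.0.2.0/24",    "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("203.0.113.0/24",  "null0"),
]


def lookup(addr, routes=ROUTES):
    """Longest-prefix match of addr in routes; returns (network, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def urpf_check(src, ingress_iface, mode="strict", allow_default=False,
               routes=ROUTES):
    """Return (accept, reason) for a packet with source src arriving on
    ingress_iface.

    strict: the route back to src must leave via the interface the packet
            arrived on (the reverse path). Fails legitimately under
            asymmetric routing, so it suits single-homed edges.
    loose:  any non-blackholed route to src is enough; this catches unrouted
            space but not spoofing of an address that is routed elsewhere.
    A match on the default route only counts when allow_default is set;
    otherwise a default route would make loose mode accept everything.
    """
    match = lookup(src, routes)
    if match is None:
        return False, "no route to source"
    net, iface = match
    if iface == "null0":
        return False, f"source in blackholed prefix {net}"
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route covers the source"
    if mode == "loose":
        return True, f"route to {net} exists"
    if iface != ingress_iface:
        return False, f"reverse path is {iface}, packet arrived on {ingress_iface}"
    return True, f"reverse path {iface} matches ingress"


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("192.0.2.10",  "cust1"),   # legitimate customer traffic
    ("192.0.2.10",  "cust2"),   # cust2 sending with cust1's address
    ("203.0.113.7", "cust1"),   # blackholed source
    ("10.0.0.1",    "cust1"),   # source covered only by the default route
]


def filter_packets(mode="strict", allow_default=False):
    """Apply urpf_check to SAMPLE_PACKETS; returns (src, iface, accept, reason) tuples."""
    return [(src, ingress) + urpf_check(src, ingress, mode, allow_default)
            for src, ingress in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} uRPF ---")
        for src, ingress, ok, why in filter_packets(mode):
            print(f"{'PASS' if ok else 'DROP'} {src:<14} on {ingress:<9} {why}")
```
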
3. Spoof-Based Attack Vectors

Spoofing is employed on the Internet for a number of reasons, most of which are in some manner associated with malicious or otherwise nefarious activities. In general, two classes of spoof-based attack vectors exist: blind attacks and non-blind attacks. The following sections provide some information on blind and non-blind attacks; these sections also include information on attacks where the spoofing is primarily intended to interfere with tracing the attacks, as well as attacks where spoofing the source address is a necessary component to the damage or interference.

3.1. Blind Attacks

Blind attacks typically occur when an attacker isn't on the same local area network as a source or target, or when an attacker has no access to the data path between the attack source(s) and the target systems. In this situation, the attacker has no access to the source and target systems.

3.1.1. Single-Packet Attacks

One type of blind attack, which we'll refer to here as a "single-packet DoS (Denial of Service) attack", involves an attacking system injecting spoofed information into the network, which either results in a complete crash of the target system or in some manner poisons network configuration or other information on the target system so as to impact network or other services.

An example of an attack that can cause a receiving system to crash is what is called a LAND (Local Area Network Denial) attack. A LAND attack would consist of an attacking system sending a packet (e.g., TCP SYN) to a target system that contains both a source and destination address of that target system. The packet would also contain a single value for the port number, used as both the source and destination port number. Certain target systems will then "lock up" when creating connection state associated with the packet or would get stuck in a state where a target system continuously replies to itself. As this is an attack that relies on bugs in the target, it is possible, but by no means certain, that this threat is no longer viable.

Another form of blind attack is a RST (reset) probe ([RFC4953], Section 2.3). The attacker sends a series of packets to a destination that is engaged in a long-lived TCP session. The packets are RST packets, and the attacker uses the known source and destination addresses and port numbers, along with guesses at the sequence number. If he can send a packet close enough to the right value, in theory he can terminate the TCP connection. While there are various steps that have been developed to ameliorate this attack, preventing the spoofing of source addresses completely prevents the attack from occurring.

3.1.2. Flood-Based DoS

Flood-based DoS attack vectors are particularly effective attacks on the Internet today. They usually entail flooding a large number of packets towards a target system, with the hope of either exhausting connection state on the target system, consuming all packet processing capabilities of the target or intermediate systems, or consuming a great deal of the bandwidth available to the target system such that it is essentially inaccessible.

Because these attacks require no reply from the target system and require no legitimate transaction state, attackers often attempt to obfuscate the identity of the systems that are generating the attack traffic by spoofing the source IP address of the attacking traffic flows. Because ingress filtering isn't applied ubiquitously on the Internet today, spoof-based flooding attack vectors are typically very difficult to trace back. In particular, there may be one or more attacking sources beyond a network's border, and the attacking sources may or may not be legitimate sources; it's difficult to determine if the sources are not directly connected to the local routing system. These attacks might be seen as primarily needing to be addressed by BCP 38 deployment, which is not in scope for this document. However, as noted earlier, deployment of SAVI can help remediate lack of BCP 38 deployment, and even when BCP 38 is deployed, SAVI can help provide useful information for responding to such attacks.

Common flood-based DoS attack vectors today include SYN floods, ICMP floods, and IP fragmentation attacks. Attackers may use a single legitimate or spoofed fixed attacking source address, although frequently they cycle through large swaths of address space. As a result, mitigating these attacks on the receiving end with source-based policies is extremely difficult.

If an attacker can inject messages for a protocol that requires control-plane activity, it may be possible to deny network control services at a much lower attack level. While there are various forms of protection deployed against this, they are by no means complete. Attacks that are harder to trace (such as with spoofed addresses) are of course of more concern.

Furthermore, the motivator for spoof-based DoS attacks may actually be to encourage the target to filter explicitly on a given set of source addresses, in order to disrupt access to the target system by legitimate owner(s).

3.1.3. Poisoning Attacks

While poisoning attacks can often be done with single packets, it is also true that a stream of packets can be used to find a window where the target will accept the incorrect information. In general, this can be used to perform broadly the same kinds of poisonings as above, with more versatility.

One important class of poisoning attacks is attacks aimed at poisoning network or DNS cache information, perhaps to simply break a given host's connection or to enable MITM (Man in the Middle) or other attacks. Network-level attacks that could involve single-packet DoS include Address Resolution Protocol (ARP) cache poisoning and ICMP redirects. The most obvious example, which depends upon falsifying an IP source address, is an on-link attacker poisoning a router's ARP or Neighbor Discovery (ND) cache. The ability to forge a source address can also be helpful in causing a DNS cache to accept and use incorrect information.

3.1.4. Spoof-Based Worm/Malware Propagation

Self-propagating malware has been observed that spoofs its source address when attempting to propagate to other systems. Presumably, this was done to obfuscate the actual source address of the infected system. This attack is important both in terms of an attack vector that SAVI may help prevent and as a problem that SAVI can help solve by tracing back to find infected systems.

3.1.5. Reflective Attacks

Reflective amplification attacks -- wherein a sender sends a single packet to an intermediary, resulting in the intermediary sending a large number of packets, or much larger packets, to the target -- are a particularly potent DoS attack vector on the Internet today. Many of these attacks rely on using a false source address, so that the amplifier attacks the target by responding to the messages.

DNS is one of the common targets of such attacks. The amplification factor observed for attacks targeting DNS root and other top-level domain name infrastructures in early 2006 was on the order of 72:1 [VRSN-REPORT]. The result was that just 27 attacking sources with 512 kbps of upstream attack bandwidth could generate 1 Gbps of response attack traffic towards a target system.

Smurf attacks employ a similar reflective amplification attack vector, exploiting traditional default IP-subnet-directed broadcast address behaviors that would result in all the active hosts on a given subnet responding to a (spoofed) ICMP echo request from an attacker and generating a large amount of ICMP echo response traffic directed towards a target system. These attacks have been particularly effective in large campus LAN environments where 50K or more hosts might reside on a single subnet.

3.1.6. Accounting Subversion

If an attacker wishes to distribute content or other material in a manner that employs protocols that require only unidirectional flooding and generate no end-to-end transactional state, they may desire to spoof the source IP address of that content in order to avoid detection or accounting functions enabled at the IP layer. While this particular attack has not been observed, it is included here to reflect the range of power that spoofed addresses may have, even without the ability to receive responses.

3.1.7. Other Blind Spoofing Attacks

Other blind spoofing attacks might include spoofing in order to exploit source routing or other policy-based routing implemented in a network. It may also be possible in some environments to use spoofing techniques to perform blind or non-blind attacks on the routers in a site or in the Internet. There are many techniques to mitigate these attacks, but it is well known that there are vulnerabilities in this area.

3.2. Non-blind Attacks

Non-blind attacks often involve mechanisms such as eavesdropping on connections, resetting state so that new connections may be hijacked, and an array of other attack vectors. Perhaps the most common of these attack vectors are known as man-in-the-middle attacks. In this case, we are concerned not with an attacker who can modify a stream, but rather with one who has access to information from the stream and uses that information to launch his own attacks.

3.2.1. Man in the Middle (MITM)

Connection hijacking is one of the more common man-in-the-middle attack vectors. In order to hijack a connection, an attacker usually needs to be in the forwarding path and oftentimes employs TCP RST or other attacks in order to reset a transaction. The attacker may have already compromised a system that's in the forwarding path, or they may wish to insert themselves in the forwarding path.

For example, an attacker with access to a host on a LAN segment may wish to redirect all the traffic on the local segment destined for a default gateway address (or all addresses) to itself in order to perform man-in-the-middle attacks. In order to accomplish this in IPv4, the attacker might transmit gratuitous ARP [RFC0826] messages or ARP replies to the Ethernet broadcast address ff:ff:ff:ff:ff:ff, notifying all the hosts on the segment that the IP address(es) of the target(s) now maps to its own Layer 2 address. The source IP address in this case is spoofed. Similar vulnerabilities exist in the IPv6 ND protocol [RFC4861], although the multicast requirements of the IPv6 ND protocol make this harder to perform with the same generality.

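
The following added example (not from the RFC or from any SAVI implementation) shows how a switch that holds bindings of IP address to binding anchor, here the switch port plus MAC address as in the glossary, would drop both the spoofed gratuitous ARP described above and data packets whose source address belongs to another anchor. The binding table, port names and documentation-range MAC addresses are constructed for the example; the rule that the frame source MAC must equal the ARP sender hardware address is an assumption of this checker.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Anchor:
    """A SAVI binding anchor: the switch port and the MAC address seen on it."""
    port: str
    mac: str


class BindingTable:
    """IP address -> Anchor. In a real deployment these bindings come from
    address assignment (DHCP leases, ND, static configuration), never from
    the data packets being validated."""

    def __init__(self):
        self._owner = {}

    def bind(self, ip, port, mac):
        self._owner[ip] = Anchor(port, mac.lower())

    def owner(self, ip):
        return self._owner.get(ip)


def check_ip_packet(table, port, src_mac, src_ip):
    """Validate the IP source of a packet received on `port` from `src_mac`.
    Returns ("forward" | "drop", reason)."""
    seen = Anchor(port, src_mac.lower())
    owner = table.owner(src_ip)
    if owner is None:
        return "drop", f"{src_ip} has no binding"
    if owner != seen:
        # The port is part of the anchor: copying the victim's MAC on another
        # port is still caught.
        return "drop", (f"{src_ip} is bound to {owner.port}/{owner.mac}, "
                        f"seen from {seen.port}/{seen.mac}")
    return "forward", "source matches binding"


def check_arp(table, port, frame_src_mac, sender_ip, sender_mac):
    """Validate an ARP reply or gratuitous ARP. The sender protocol address
    must be bound to the anchor the frame arrived on; otherwise the message
    is the cache redirection described in Section 3.2.1 and is dropped
    before it reaches the rest of the broadcast domain."""
    if frame_src_mac.lower() != sender_mac.lower():
        return "drop", "frame source MAC differs from ARP sender hardware address"
    seen = Anchor(port, sender_mac.lower())
    owner = table.owner(sender_ip)
    if owner is None:
        return "drop", f"ARP for unbound address {sender_ip}"
    if owner != seen:
        return "drop", (f"{sender_ip} advertised from {seen.port}/{seen.mac} "
                        f"but bound to {owner.port}/{owner.mac}")
    return "forward", "ARP sender matches binding"


def build_sample_table():
    """Constructed bindings (assumption): a gateway on the uplink, two hosts."""
    table = BindingTable()
    table.bind("192.0.2.1",  "uplink", "00:00:5e:00:53:01")   # default gateway
    table.bind("192.0.2.10", "port3",  "00:00:5e:00:53:0a")   # host A
    table.bind("192.0.2.11", "port4",  "00:00:5e:00:53:0b")   # host B
    return table


# Constructed events as the switch would see them:
#   ("ip",  port, src_mac, src_ip)
#   ("arp", port, frame_src_mac, sender_ip, sender_mac)
SAMPLE_EVENTS = [
    ("ip",  "port3", "00:00:5e:00:53:0a", "192.0.2.10"),                       # host A, legitimate
    ("ip",  "port4", "00:00:5e:00:53:0b", "192.0.2.10"),                       # host B using A's address
    ("ip",  "port4", "00:00:5e:00:53:0a", "192.0.2.10"),                       # host B using A's address and MAC
    ("arp", "port4", "00:00:5e:00:53:0b", "192.0.2.1", "00:00:5e:00:53:0b"),   # host B claims the gateway address
    ("arp", "port3", "00:00:5e:00:53:0a", "192.0.2.10", "00:00:5e:00:53:0a"),  # host A announces its own address
]


def process(table, events):
    """Run every event through the matching check; returns the verdict list."""
    verdicts = []
    for event in events:
        check = check_ip_packet if event[0] == "ip" else check_arp
        verdicts.append(check(table, *event[1:]))
    return verdicts


if __name__ == "__main__":
    table = build_sample_table()
    for event, (verdict, reason) in zip(SAMPLE_EVENTS, process(table, SAMPLE_EVENTS)):
        print(f"{verdict:<8} {event[0]:<4} on {event[1]:<7} {reason}")
```
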
3.2.2. Third-Party Recon

Another example of a non-blind attack is third-party reconnaissance. The use of spoofed addresses, while not necessary for this, can often provide additional information and helps mask the traceability of the activity. The attack involves sending packets towards a given target system and observing either target or intermediate system responses. For example, if an attacker were to source spoof TCP SYN packets towards a target system from a large set of source addresses and observe responses from that target system or some intermediate firewall or other middlebox, they would be able to identify what IP-layer filtering policies may be in place to protect that system.

3.2.3. Other Non-blind Spoofing Attacks

There are presumably many other attacks that can be performed based on the ability to spoof source addresses while seeing the target. Among other attacks, if there are multiple routers on-link with hosts, a host may be able to cause problems for the routing system by replaying modified or unmodified routing packets as if they came from another router.

4. Current Anti-spoofing Solutions

The goal of this work is to reduce datagrams with spoofed IP addresses from the Internet. This can be aided by identifying and dropping datagrams whose source address binding is incompatible with the Internet topology and learned information. This can be done at sites where the relationship between the source address and topology and binding information can be checked. For example, with these bindings, in many networks Internet devices can confirm that:

o The IP source address is appropriate for the lower-layer address (they both identify the same system).

o The IP source address is explicitly identified as appropriate for the physical topology; for example, the source address is appropriate for the Layer 2 switch port through which the datagram was received.

o The prefix to which the IP source address belongs is appropriate for the part of the network topology from which the IP datagram was received (while the individual system may be unknown, it is reasonable to believe that the system is located in that part of the network).

In general, this involves two kinds of inspection. The primary action is checking the source IP address in the IP header of IP packets. In order to support such checking, the claimed or assigned IP addresses in messages concerned with such claims or assignments (IP ARP Requests and Responses, DHCP Replies, IPv6 ND Duplicate Address Detection (DAD) messages, etc.) must also be examined and, where appropriate, verified. SAVI is not concerned with verifying IP addresses in the contents of arbitrary higher-level protocol messages.

Filtering points farther away from the source of the datagram can make decreasingly authoritative assertions about the validity of the source address in the datagram. Nonetheless, there is value in dropping traffic that is clearly inappropriate and in maintaining knowledge of the level of trust one can place in an address.

             Edge Network 1            CPE-ISP _.------------.
           _.----------------.         Ingress/   ISP A       `--.
      ,--''                   `---.      ,'                       `.
    ,'  +----+  +------+  +------+ `.   /  +------+       +------+  \
   (    |Host+--+Switch+--+ CPE  +---)-(---+  PE  +- - - -+ NNI  |   )
    `.  +----+  +------+  |Router| ,'   \ |Router|       |Router|  /
      `---. Host-neighbor +------+'      `.+------+       +--+---+,'
           `----------------''             '--.              |_.-'
                                               `------------'|
                                                             |
             Edge Network 2                  ISP-ISP Ingress |
           _.----------------.                  _.----------.|
      ,--''                   `---.         ,-''             |--.
    ,'  +----+  +------+  +------+ `.     ,+------+       +--+---+.
   (    |Host+--+Switch+--+ CPE  +---)---+-+  PE  +- - - -+ NNI  | \
    `.  +----+  +------+  |Router| ,'   (  |Router|       |Router|  )
      `---.               +------+'      \+------+       +------+ /
           `----------------''            `.                     ,'
                                            '--.   ISP B     _.-'
                                                `----------''
        
Figure 1: Points Where an Address Can Be Validated

Figure 1 illustrates five related paths where a source address can be validated:

o Host to switch, including host to host via the switch

o Host to enterprise CPE router

o Enterprise CPE router to ISP edge PE router, and the reverse

o ISP NNI router to ISP NNI router

In general, datagrams with spoofed IP addresses can be detected and discarded by devices that have an authoritative mapping between IP addresses and the network topology. For example, a device that has an authoritative table between link-layer and IP addresses on a link can discard any datagrams in which the IP address is not associated with the link-layer address in the datagram. The degree of confidence in the source address depends on where the spoofing detection is performed, as well as the prefix aggregation in place between the spoofing detection and the source of the datagram.

4.1. Topological Locations for Enforcement

There are a number of kinds of places, which one might call topological locations, where solutions may or should be deployed. As can be seen in the details below, as the point of enforcement moves away from a single cable attached directly to the host being validated, additional complications arise. It is likely that fully addressing many of these cases may require additional coordination mechanisms across the device that covers the disparate paths.

4.1.1. Host to Link-Layer Neighbor via Switch

The first point at which a datagram with a spoofed address can be detected is on the link to which the source of the datagram is connected. At this point in the network, the source link-layer and IP addresses are both available and can be validated against each other, and potentially against the physical port being used. A datagram in which the IP source address does not match the corresponding link-layer address can be discarded. Of course, the trust in the filtering depends on the trust in the method through which the mappings are developed. This mechanism can be applied by a first-hop router, or switch on the link. The first-hop switch has the most precise information for this.

On a truly shared medium link, such as classic Ethernet, the best that can be done is to validate the link-layer and IP addresses against the mappings. When the link is not shared, such as when the hosts are connected through a switch, the source host can be identified precisely based on the port through which the datagram is received or the Layer 2 address if it is known to the switch. Port identification prevents transmission of malicious datagrams whose link-layer and IP addresses are both spoofed to mimic another host.

Other kinds of links may fall at different places in this spectrum, with some wireless links having easier ways of identifying individual devices than others, for example.

4.1.2. Upstream Switches

In many topologies, there can be additional switches between the host-attached switch and the first router in the network. In these cases, additional issues can arise that affect SAVI operations. If the bridging topologies that connect the switches change, or if the Link Aggregation Control Protocol (LACP) [IEEE802.1AX], the Virtual Router Redundancy Protocol (VRRP), or link management operations change the links that are used to deliver traffic, the switch may need to move the SAVI state to a different port, or the state may need to be moved or reestablished on a different switch.

4.1.3. Upstream Routers

Beyond the first-hop router, subsequent routers may additionally filter traffic from downstream networks. Because these routers do not have access to the link-layer address of the device from which the datagram was sent, they are limited to confirming that the source IP address is within a prefix that is appropriate for a downstream router from which the datagram was received.

Options include the use of simple access lists or the use of Unicast Reverse Path Forwarding (uRPF). Access lists are generally appropriate only for the simplest cases, as management can be difficult. Strict uRPF accepts the source address on a datagram if and only if it comes from a direction that would be rational to send a datagram directed to the address, which means that the filter is derived from routing information. These filtering procedures are discussed in more detail in [RFC3704].

In many cases, this router has access to information about what IP prefixes are to be used on a given subnet. This might be because it delegated that prefix through DHCP or monitored such a delegation. It may have advertised that prefix in IPv6 Neighbor Discovery Router Advertisement messages, or monitored such an advertisement. These can be seen as generalizations of the access lists above. When the topology permits, the router can enforce that these prefixes are used by the hosts.
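As an added illustration (not part of RFC 6959 or RFC 3704), the following Python models the strict-mode check described above over a constructed FIB, and loose mode for the asymmetric-routing case raised in Section 4.1.5; the prefixes are documentation space and the interface names are assumed.

```python
"""Strict and loose unicast RPF as applied by an upstream router (Section 4.1.3).

Added illustration, not code from RFC 6959 or RFC 3704. The FIB below is
constructed sample data using documentation prefixes (RFC 5737 / RFC 3849).
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB: (prefix, interface the router would use to reach it).
FIB: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "uplink0"),        # default route towards the Internet
    ("::/0", "uplink0"),
    ("203.0.113.0/24", "uplink0"),   # a remote network, normally reached via uplink0
    ("192.0.2.0/24", "cust1"),       # customer 1's delegated prefix
    ("2001:db8:1::/48", "cust1"),    # customer 1's IPv6 prefix
    ("198.51.100.0/24", "cust2"),    # customer 2
    ("198.51.100.128/25", "cust3"),  # more specific: customer 3 on a separate port
]


def lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[Tuple[str, int]]:
    """Longest-prefix match. Returns (interface, prefix length) or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[str, int]] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        # "ip in net" is False across address families, so v4/v6 never collide.
        if ip in net and (best is None or net.prefixlen > best[1]):
            best = (iface, net.prefixlen)
    return best


def strict_urpf_accept(fib, src_addr: str, ingress: str) -> bool:
    """Strict mode: the source is accepted only if the router would send
    traffic *to* that source out of the interface the packet arrived on.
    The filter is therefore derived entirely from routing state."""
    match = lookup(fib, src_addr)
    return match is not None and match[0] == ingress


def loose_urpf_accept(fib, src_addr: str) -> bool:
    """Loose mode: accept if some route to the source exists. This toy ignores
    the default route, otherwise every source would pass. Weaker than strict,
    but it tolerates the asymmetric routing found at ISP-ISP boundaries."""
    match = lookup(fib, src_addr)
    return match is not None and match[1] > 0


def filter_packets(fib, packets):
    """Run strict uRPF over (source, ingress) pairs; return the accepted subset."""
    return [(src, ingress) for src, ingress in packets
            if strict_urpf_accept(fib, src, ingress)]


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    SAMPLE = [
        ("192.0.2.10", "cust1"),      # legitimate customer traffic
        ("192.0.2.10", "uplink0"),    # customer address arriving from the Internet: spoofed
        ("198.51.100.200", "cust2"),  # inside cust2's /24, but the /25 is routed to cust3
        ("2001:db8:1::42", "cust1"),  # legitimate IPv6 traffic
        ("203.0.113.7", "peer1"),     # legitimate but asymmetric: strict drops, loose accepts
    ]
    for src, ingress in SAMPLE:
        strict = "accept" if strict_urpf_accept(FIB, src, ingress) else "drop"
        loose = "accept" if loose_urpf_accept(FIB, src) else "drop"
        print(f"{src:>16} via {ingress:<8} strict={strict:<6} loose={loose}")
```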

4.1.4. ISP Edge PE Router

An obvious special case of the discussion is with an ISP PE router, where it provides its customer with access. BCP 38 specifically encourages ISPs to use ingress filtering to limit the incidence of spoofed addresses in the network.

The question that the ISP must answer for itself is the degree to which it trusts its downstream network. A contract might be written between an ISP and its customer requiring that the customer apply the procedures of network ingress filtering to the customer's own network, although there's no way upstream networks would be able to validate this.

Conversely, if the provider has assigned a single IP address to the customer (for example, with IPv4 NAT in the CPE), PE enforcement of BCP 38 can be on the full address, simplifying many issues.

4.1.5. ISP NNI Router to ISP NNI Router

The considerations explicitly related to customer networks can also be applied to neighboring ISPs. An interconnection agreement might be written between two companies requiring that network ingress filtering policy be implemented on all customer connections. ISPs might, for example, mark datagrams from neighboring ISPs that do not sign such a contract or demonstrably do not behave in accordance with it as 'untrusted'. Alternatively, the ISP might place untrusted prefixes into a separate BGP community [RFC4271] and use that to advertise the level of trust to its BGP peers.

In this case, uRPF is less effective as a validation tool, due to asymmetric routing. However, when it can be shown that spoofed addresses are present, the procedure can be applied.

Part of the complication here is that in the abstract, it is very difficult to know what addresses should appear in packets sent from one ISP to another. Hence, packet-level filtering and enforcement are very difficult at this point in the network. Whether one views this as specific to the NNI, or a general property of the Internet, it is still a major factor that needs to be taken into account.

4.1.6. Cable Modem Subscriber Access

Cable Modem Termination Systems (CMTS) employ Data Over Cable Service Interface Specification (DOCSIS) Media Access Control (MAC) domains. These share some properties with general switched networks, as described above in Section 4.1.1, and some properties with DSL access networks, as described below in Section 4.1.7. They also often have their own provisioning and monitoring tools that may address some of the issues described here.

4.1.7. DSL Subscriber Access

While DSL subscriber access can be bridged or routed, as seen by the service provider's device, it is generally the case that the protocols carry enough information to validate which subscriber is sending packets. Thus, for ensuring that one DSL subscriber does not spoof another, enforcement can generally be done at the aggregation router. This is true even when there is a bridged infrastructure among the subscribers, as DSL access generally requires all subscriber traffic to go through the access aggregation router.

If it is desirable to provide spoofing protection among the devices within a residence, that would need to be provided by the CPE device, as the ISP's router does not have enough visibility to do that. It is not clear at this time that this problem is seen as a relevant threat.

4.2. Currently Available Tools

There are a number of tools that have been developed, and have seen some deployment, for addressing these attacks.

4.2.1. BCP 38

If BCP 38 [RFC2827] is implemented in LAN segments, it is typically done so on subnetwork boundaries and traditionally relates only to network-layer ingress filtering policies. The result is that hosts within the segment cannot spoof packets from address space outside of the local segment itself; however, they may still spoof packets using sources' addresses that exist within the local network segment.

4.2.2. Unicast RPF

Unicast RPF is a crude mechanism to automate definition of BCP 38 style filters based on routing table information. Its applicability parallels that of BCP 38, although deployment caveats exist, as outlined in [RFC3704].

4.2.3. Port-Based Address Binding

Much of the work of SAVI is initially targeted at minimizing source address spoofing in the LAN. In particular, if mechanisms can be defined to accommodate configuration of port binding information for IP, either to a port, to an unchangeable or authenticated MAC address, or to other credentials in the packet such that an impostor cannot create the needed values, a large portion of the spoofing threat space in the LAN can be marginalized.

However, establishing this binding is not trivial and varies across both topology types and address allocation mechanisms.

4.2.3.1. Manual Binding

Binding of a single link-layer and network-layer address to a port may initially seem trivial. However, two primary areas exist that can complicate such techniques. In particular, these areas involve topologies where more than a single IP-layer address may be associated with a MAC address on a given port, or where multiple hosts are connected via a single physical port. Furthermore, if one or more dynamic address allocation mechanisms such as DHCP are employed, then some mechanism must exist to associate those IP-layer addresses with the appropriate link-layer ports as addresses are allocated or reclaimed.

4.2.3.2. Automated Binding

For IPv4, the primary and very widely used automated address assignment technique is DHCP-based address assignment. This can be coupled with filtering policies that control which hosts can originate DHCP replies. Under such circumstances, SAVI switches can treat DHCP replies as authoritative sources of IP address binding information. By eavesdropping on the DHCP exchanges, the SAVI switch can create the bindings needed for address usage enforcement.

For IPv6, there are two common automated address assignment techniques. While there are many variations and details, for purposes of understanding the threats and basic responses, these are Stateless Address Autoconfiguration (SLAAC) and DHCP-based IPv6 address assignment. For DHCP-based IPv6 address assignment, the techniques above are applicable and suitable.

When SLAAC is used for IPv6 address assignment, the switches can observe the duplicate address detection messages and use those to create the enforcement bindings. This enables the switches to ensure that only properly claimed IP addresses are used for data traffic. It does not enforce that these addresses are assigned to the hosts, since SLAAC does not have a notion of address assignment.
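An added example, not code from RFC 6959 or any SAVI implementation: a toy first-hop switch that learns port/MAC/IP bindings from snooped DHCPv4 exchanges and IPv6 DAD as described above, then applies the checks of Sections 4 and 4.1.1 to data packets. Port names, MAC addresses, lease values and IP addresses are all constructed.

```python
"""Toy first-hop SAVI switch: learns port/MAC/IP bindings from DHCPv4 and
IPv6 DAD, then enforces them on data packets (Sections 4.1.1 and 4.2.3.2).

Added example; not code from RFC 6959 or any SAVI implementation. Message
fields are passed as plain arguments and every sample value is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Binding:
    port: str
    mac: str
    origin: str                    # "dhcp" = assigned, "dad" = merely claimed
    expires: Optional[int] = None  # lease end (seconds); None = no lease


@dataclass
class SaviSwitch:
    # Ports where DHCP servers and upstream routers legitimately sit. DHCP
    # replies entering on any other port are ignored (rogue-server filtering).
    trusted_ports: Set[str]
    bindings: Dict[str, Binding] = field(default_factory=dict)         # IP -> Binding
    pending: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # xid -> (port, MAC)

    # -- binding discovery ---------------------------------------------------
    def on_dhcp_request(self, port: str, client_mac: str, xid: int) -> None:
        """Remember which port/MAC issued the request with this transaction id."""
        self.pending[xid] = (port, client_mac)

    def on_dhcp_ack(self, server_port: str, xid: int, ip: str,
                    lease: int, now: int) -> bool:
        """A DHCP ACK is authoritative only if it arrived on a trusted port and
        answers a request we saw; the binding is anchored to the requester."""
        if server_port not in self.trusted_ports or xid not in self.pending:
            return False
        port, mac = self.pending.pop(xid)
        self.bindings[ip] = Binding(port, mac, "dhcp", now + lease)
        return True

    def on_dad_ns(self, port: str, mac: str, target: str) -> bool:
        """SLAAC: a DAD Neighbor Solicitation is a *claim* on target. The first
        claimant keeps it; a later claim from another port/MAC is refused.
        Nothing here proves the address was assigned, only that it was claimed."""
        current = self.bindings.get(target)
        if current is not None and (current.port, current.mac) != (port, mac):
            return False
        self.bindings[target] = Binding(port, mac, "dad")
        return True

    def expire(self, now: int) -> None:
        """Drop bindings whose DHCP lease has ended (address reclaimed)."""
        for ip in [ip for ip, b in self.bindings.items()
                   if b.expires is not None and b.expires <= now]:
            del self.bindings[ip]

    # -- enforcement ---------------------------------------------------------
    def validate(self, port: str, src_mac: str, src_ip: str, now: int) -> str:
        """Forwarding decision for a data packet received on `port`."""
        if port in self.trusted_ports:
            return "forward"              # upstream side: not a host we validate
        self.expire(now)
        b = self.bindings.get(src_ip)
        if b is None:
            return "drop: unbound source address"
        if b.mac != src_mac:
            return "drop: IP/MAC mismatch"
        if b.port != port:
            # MAC and IP both copied from the victim, but the physical port
            # still identifies the real sender (Section 4.1.1).
            return "drop: wrong port"
        return "forward"


def demo() -> List[Tuple[str, object]]:
    """Constructed walk-through; returns (label, result) pairs."""
    sw = SaviSwitch(trusted_ports={"uplink"})
    h1 = "02:00:00:00:00:01"
    sw.on_dhcp_request("p1", h1, 0x1234)
    return [
        ("rogue DHCP ACK from p7", sw.on_dhcp_ack("p7", 0x1234, "192.0.2.10", 3600, now=0)),
        ("DHCP ACK from uplink", sw.on_dhcp_ack("uplink", 0x1234, "192.0.2.10", 3600, now=0)),
        ("h1 on p1", sw.validate("p1", h1, "192.0.2.10", now=10)),
        ("h1's MAC+IP sent from p2", sw.validate("p2", h1, "192.0.2.10", now=10)),
        ("other MAC with h1's IP on p1", sw.validate("p1", "02:00:00:00:00:02", "192.0.2.10", now=10)),
        ("DAD claim from p3", sw.on_dad_ns("p3", "02:00:00:00:00:03", "2001:db8::3")),
        ("conflicting DAD claim from p4", sw.on_dad_ns("p4", "02:00:00:00:00:04", "2001:db8::3")),
        ("h1 after lease expiry", sw.validate("p1", h1, "192.0.2.10", now=3600)),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:<32} -> {result}")
```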

4.2.3.3. IEEE 802.1x

IEEE 802.1x is an authentication protocol that permits a network to determine the identity of a user seeking to join it and apply authorization rules to permit or deny the action. In and of themselves, such tools confirm only that the user is authorized to use the network, but they do not enforce what IP address the user is allowed to use. It is worth noting that elements of 802.1x may well be useful as binding anchors for SAVI solutions.

4.2.4. Cryptographic Techniques

MITM and replay attacks can typically be mitigated with cryptographic techniques. However, many of the applications today either don't or can't employ cryptographic authentication and protection mechanisms. ARP for IPv4 does not use such protection. While Secure Neighbor Discovery (SEND) provides such protection for the IPv6 ND protocol, SEND is not widely used to date. Usage of such techniques is outside the scope of this document.

While DNSSEC will significantly help protect DNS from the effects of spoof-based poisoning attacks, such protection does not help protect the rest of the network from spoofed attacks.

4.2.5. Residual Attacks

It should be understood that not all combinations of network, service, and enforcement choices will result in a protectable network. For example, if one uses conventional SLAAC in a switched network, but tries to only provide address enforcement on the routers on the network, then the ability to provide protection is severely limited.

5. Topological Challenges Facing SAVI

As noted previously, topological components and address allocation mechanisms have significant implications on what is feasible with regard to link-layer address and IP address port bindings. The following sections discuss some of the various topologies and address allocation mechanisms that proposed SAVI solutions should attempt to address.

5.1. Address Provisioning Mechanisms

In a strictly static environment, configuration management for access filters that map link-layer and network-layer addresses on a specific switch port might be a viable option. However, most networks, certainly those that accommodate actual human users, are much more dynamic in nature. As such, mechanisms that provide port-MAC-IP bindings need to accommodate dynamic address allocation schemes enabled by protocols such as DHCP, DHCPv6 for address allocation, and IPv6 Stateless Address Autoconfiguration.

5.2. LAN Devices with Multiple Addresses

From the perspective of network topology, consider hosts connected to switch ports that may have one or more IP addresses, and devices that forward packets from other network segments. It is much harder to enforce port-MAC-IP bindings on traffic from such hosts and devices than for traffic from more simply connected devices.

5.2.1. Routers

Routers are the most obvious examples of devices for which it is problematic to implement port-MAC-IP bindings. Routers not only originate packets themselves and often have multiple interfaces, but also forward packets from other network segments. As a result, it's difficult for port-MAC-IP binding rules to be established a priori, because it's likely that many addresses and IP subnets should be associated with the port-MAC in question.

5.2.2. NATs

Validating traffic from prefix-based and multi-address NATs is also problematic, for the same reasons as for routers. Because they may forward traffic from an array of addresses, validation requires advance knowledge of the IPs that should be associated with a given port-MAC pair.

5.2.3. Multi-instance Hosts

Another example that introduces complexities is that of multi-instance hosts attached to a switch port. These are single physical devices that internally run multiple physical or logical hosts. When the device is a blade server, e.g., with internal blades each hosting a physical machine, there is essentially a physical switch inside the blade server. While feasible, this creates some complexity for determining where enforcement logic can or should live.

Logically distinct hosts, such as those provided by many varieties of virtualization logic, present to the topology as a single physical host connected to a single port on the Ethernet switch, while actually containing multiple internal virtual machines. Each virtual machine may have its own IP and MAC addresses. These are connected by what is essentially (or sometimes literally) an internal LAN switch. While this internal switch may be a SAVI enforcement point to help control threats among the virtual hosts, or between virtual hosts and other parts of the network, such enforcement cannot be counted on in all implementations. If the virtual machines are interconnected by the internal switch, then that logical device is the first switch for the purposes of this analysis.

A further complication with multi-instance hosts is that in many environments, these hosts may move while retaining their IP addresses. This can be an actual relocation of the running software, or a backup instance taking over the functions of the software. In both cases, the IP address will appear at a new topological location. Depending upon the protocols used, it may have the same MAC address or a different one, and the system may or may not issue a gratuitous ARP request after relocation. When such a move is done without changing the MAC address, the SAVI switches will need to update their state. While ARP may be helpful, traffic detection, switch-based neighbor solicitation, interaction with an orchestration system, or other means may be used.

5.2.4. Multi-LAN Hosts

Multi-interface hosts, in particular those that are multihomed and may forward packets from any of a number of source addresses, can be problematic as well. In particular, if a port-MAC-IP binding is made on each of the interfaces, and then either a loopback IP or the address of a third interface is used as the source address of a packet forwarded through an interface for which the port-MAC-IP binding doesn't map, the traffic may be discarded. Static configuration of port-MAC-IP bindings may accommodate this scenario, although some a priori knowledge of address assignment and topology is required.

While it is rare to use loopback addressing or to send packets out of one interface with the source address of another, these rarities do legitimately occur. Some servers, particularly ones that have underlying virtualization, use loopback techniques for management.

5.2.5. Firewalls

Firewalls that forward packets from other network segments, or serve as a source for locally originated packets, suffer from the same issues as routers.

5.2.6. Mobile IP

Mobile IP hosts in both IPv4 and IPv6 are proper members of the site where they are currently located. Their care-of address is a properly assigned address that is on the link they are using, and their packets are sent and received using that address. Thus, they do not introduce any additional complications. (There was at one time consideration of allowing mobile hosts to use their home address when away from home. This was not done, precisely to ensure that mobile hosts comply with source address validity requirements.) Mobile hosts with multiple physical interfaces fall into the cases above.

Mobile IP Home Agents (HAs) are somewhat more interesting. Although they are (typically) fixed devices, they are required to send and receive packets addressed from or to any currently properly registered mobile node. From an analysis point of view, even though the packets that an HA handles are actually addressed to or from the link the HA is on, it is probably best to think of them as routers, with a virtual interface to the actual hosts they are serving. Thus, if the Mobile IP HA is trusted, it can itself perform IP source address checking on the packets it forwards on behalf of mobile nodes. This would utilize bindings established by the Mobile IP registration mechanisms.

5.2.7. Other Topologies

Any topology in which a device connected to a switch port may forward packets with more than a single source address, including packets it originated itself, may be problematic. Additionally, address allocation schemes introduce further considerations when examining a given SAVI solution space.

5.3. IPv6 Considerations

IPv6 introduces additional capabilities that indirectly complicate the spoofing analysis. IPv6 introduces and recommends the use of SLAAC [RFC4862]. This allows hosts to determine their IP prefix, select an Interface Identifier (IID), and then start communicating. While there are many advantages to this, the absence of control interactions complicates the process of behavioral enforcement.

An additional complication is the very large IID space. Again, this 64-bit IID space provided by IPv6 has many advantages. It provides the opportunity for many useful behaviors. However, it also means that in the absence of controls, hosts can mint anonymous addresses as often as they like, modulo the idiosyncrasies of the duplicate address procedure. Like many behaviors, this is a feature for some purposes and a problem for others. For example, without claiming the entire IID space, an on-link attacker may be able to generate enough IP addresses to fill the Neighbor Discovery table space of the other Layer 3 (L3) devices on the link, including switches that are monitoring L3 behavior. This could seriously interfere with the ability of other devices on the link to function.

6. Analysis of Host Granularity Anti-spoofing

Applying anti-spoofing techniques at the host level enables a site to achieve several valuable objectives. While it is likely the case that for many site topologies and policies full source spoofing protection is not possible, it is also true that for many sites there are steps that can be taken that provide benefit.

One important class of benefit is masquerade prevention. Security threats involving one machine masquerading as another, for example, in order to hijack an apparently secure session, can occur within a site with significant impact. Having mechanisms such that host-facing devices prevent this is a significant intra-site security improvement. Given that security experts report that most security breaches are internal, this can be valuable. One example of this is that such techniques should mitigate internal attacks on the site routing system.

A second class of benefit is related to the traceability described above. When a security incident is detected, either within a site or externally (and traced to the site), it can be critical to determine the actual source of the incident. If address usage can be tied to the kinds of anchors described earlier, this can help in responding to security incidents.

In addition to these local observable benefits, there can be more global benefits. For example, if address usage is tied to anchors, it may be possible to prevent or control the use of large numbers of anonymous IPv6 addresses for attacks, or at least to trace even those attacks back to their source.

As described below in the security considerations, these operational behaviors need to be evaluated in the context of the reduction in user privacy implied if one logs traffic bindings. In particular, in addition to the architectural trade-offs, the network administrator must plan for the proper handling of this relevant privacy information about his users.

7. Security Considerations

This document provides limited discussion of some security threats that source address validation improvements will help to mitigate. It is not meant to be all-inclusive, either from a threat analysis perspective or from the source address validation application side.

It is seductive to think of SAVI solutions as providing the ability to use this technology to trace a datagram to the person, or at least end system, that originated it. For several reasons, the technology can be used to derive circumstantial evidence, but does not actually solve that problem.

In the Internet layer, the source address of a datagram should be the address of the system that originated it and to which any reply is expected to come. But systems fall into several broad categories. Many are single-user systems, such as laptops and PDAs. Multi-user systems are commonly used in industry, and a wide variety of middleware systems and application servers have no users at all, but by design relay messages or perform services on behalf of users of other systems (e.g., SMTP and peer-to-peer file sharing).

Even if every Internet-connected network implements source address validation at the ultimate network ingress, and assurances exist that intermediate devices are to never modify datagram source addresses, source addresses cannot be used as an authentication mechanism. The only techniques for unquestionably validating source addresses of a received datagram are cryptographic authentication mechanisms such as IPsec.


It must be presumed that there will be some failure modes in any SAVI deployment, given the history of technical security mechanisms. A possible attack to be considered by network administrators is an inside attack probing the network for modes of spoofing that can be accomplished. If the probes are conducted at a level below alarm thresholds, this might allow an internal attacker to safely determine what spoof modes he can use. Thus, the use of these techniques must be managed in such a way as to avoid giving a false sense of security to the network administrator.

7.1. Privacy Considerations

It should be understood that enforcing and recording IP address bindings have privacy implications. In some circumstances, this binding data may be considered to be personally identifying information. In general, collecting private information about users brings ethical and legal responsibilities to the network administrator.

For this reason, collection and retention of logged binding information need to be considered carefully. Prevention of spoofing does not in itself require such retention. Analysis of immediate events may rely on having logs of current bindings. Thus, privacy issues can be ameliorated by removing binding logs after the binding lifetimes expire. Logs of apparent spoof attempts are a separate matter and may require longer retention to detect patterns of deliberate or accidental abuse.
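The anchor-based enforcement described in Section 6 and the retention rule just stated, as an added Python example that is not part of the RFC: addresses are bound to a hypothetical anchor string (switch port plus L2 address) by the control plane, each packet's source is checked against that binding, one anchor may hold only a capped number of addresses (the IID-minting concern from Section 5.3), and binding records are purged once their lifetime has expired while the log of apparent spoof attempts is kept separately. The anchor ids, addresses and lifetimes in the test are constructed.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    anchor: str      # hypothetical anchor id, e.g. "port3/00:11:22:33:44:55"
    ip: str
    expires: float   # end of binding lifetime (DHCP lease, ND lifetime, ...)


class SaviTable:
    """Addresses tied to an anchor (switch port + L2 address), checked per packet."""
    def __init__(self, clock, max_per_anchor=4):
        self.clock = clock                    # injectable clock, seconds
        self.max_per_anchor = max_per_anchor  # cap on addresses one anchor may mint
        self.bindings = {}                    # ip -> Binding
        self.binding_log = []                 # (ts, anchor, ip, expires): privacy-sensitive
        self.spoof_log = []                   # (ts, anchor, ip, reason): retained longer

    def _live(self, anchor):
        now = self.clock()
        return [b for b in self.bindings.values() if b.anchor == anchor and b.expires > now]

    def learn(self, anchor, ip, lifetime):
        """Bind an address the control plane (DHCP, DAD, Mobile IP registration)
        assigned to this anchor; refuse once the anchor already holds too many."""
        now = self.clock()
        if len(self._live(anchor)) >= self.max_per_anchor:
            self.spoof_log.append((now, anchor, ip, "address cap exceeded"))
            return False
        self.bindings[ip] = Binding(anchor, ip, now + lifetime)
        self.binding_log.append((now, anchor, ip, now + lifetime))
        return True

    def validate(self, anchor, src_ip):
        """Forward a packet only if src_ip is currently bound to this anchor."""
        now = self.clock()
        b = self.bindings.get(src_ip)
        if b is None or b.expires <= now:
            self.spoof_log.append((now, anchor, src_ip, "no current binding"))
            return False
        if b.anchor != anchor:
            self.spoof_log.append((now, anchor, src_ip, "bound to " + b.anchor))
            return False
        return True

    def purge_expired_binding_logs(self):
        """Drop binding records past their lifetime; the spoof log is kept."""
        now = self.clock()
        self.binding_log = [r for r in self.binding_log if r[3] > now]
        return len(self.binding_log)
```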

With operations of the type described here, the network administrator is collecting information about where on his network the user is active. In addition, the recorded bindings supplement address usage information about users that is available from DHCP logs. For example, if IPv6 SLAAC is being used, and IP to Layer 2 address bindings are being logged, the administrator will have access to information associating users with their IP addresses even if IPv6 privacy addresses are used.

In addition to this, care must be taken in attributing actions to users on the basis of this sort of information. Whatever the theoretical strength of the tools, administrators should always allow for such information being wrong and should be careful about any actions taken on the basis of apparent attribution. These techniques do nothing about address spoofing from other sites, so any evaluation of attribution also needs to allow for such cases.

8. Acknowledgments

A portion of the primer text in this document came directly from [SAVA], authored by Fred Baker and Ralph Droms. Many thanks to Christian Vogt, Suresh Bhogavilli, and Pekka Savola for contributing text and a careful review of this document.

9. References
9.1. Normative References

[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

9.2. Informative References

[IEEE802.1AX] IEEE, "IEEE Standard for Local and metropolitan area networks - Link Aggregation", IEEE 802.1AX, 2008.

[RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware", STD 37, RFC 826, November 1982.

[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.

[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004.

[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.

[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007.

[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007.

[RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", RFC 4953, July 2007.

[SAVA] Baker, F. and R. Droms, "IPv4/IPv6 Source Address Verification", Work in Progress, June 2007.

[VRSN-REPORT] Silva, K., Scalzo, F., and P. Barber, "Anatomy of Recent DNS Reflector Attacks from the Victim and Reflector Point of View", VeriSign White Paper, April 2006.

Authors' Addresses

Danny McPherson VeriSign, Inc.

   EMail: dmcpherson@verisign.com

Fred Baker Cisco Systems

   EMail: fred@cisco.com

Joel M. Halpern Ericsson

   EMail: joel.halpern@ericsson.com