Building a next generation Internet with source address validation architecture

The IP packet forwarding of current Internet is mainly destination based. In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems. Based on the drastically increased IPv6 address space,a "source address validation architecture"(SAVA) is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight,loose coupling,"multi-fence support" and incremental deployment. This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet. The performance and scalability of SAVA are described. This architecture is deployed into the CNGI-CERNET2 infrastructure―a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the SAVA will help the transition to a new,more secure and dependable Internet.