Routers in today’s Internet do not know which direction a packet with a given source address should come from. This problem not only allows IP spoofing to run wild—as routers cannot check the validity of a packet’s source address based on its incoming direction—but also hinders the reliability of many source-relevant functions at routers, such as per-source fair queuing, source-based traffic management, source-based congestion control, or reverse path forwarding. This research designs and evaluates an incrementally deployable protocol, ID-SAVE, that enables a subset of routers on the Internet to learn the valid incoming direction of packets from each other. With such knowledge, these routers can check whether a packet is from a valid direction based on its source address, thus determining whether the source address of the packet is valid—even when not all routers employ this new protocol. ID-SAVE not only makes source-based functions more reliable, but also addresses the root cause of IP spoofing prevalence. The evaluation also shows that ID-SAVE is effective and accurate in catching spoofed packets while incurring a low overhead.
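The example below is added for illustration and is not code from the paper or the ID-SAVE protocol itself; it shows only the router-side check the abstract describes, comparing a packet's arrival interface with the direction learned for its source prefix. The class and method names, the interface names, the prefixes (documentation ranges) and the "unknown" verdict for sources with no learned direction are all assumptions.

```python
import ipaddress


class IncomingTable:
    """Hypothetical table: source prefix -> interface its packets should arrive on."""

    def __init__(self):
        self._entries = {}  # ip_network -> interface name

    def learn(self, prefix, interface):
        # How a direction is learned from other routers is outside this example.
        self._entries[ipaddress.ip_network(prefix)] = interface

    def expected_interface(self, src):
        addr = ipaddress.ip_address(src)
        matches = [n for n in self._entries
                   if n.version == addr.version and addr in n]
        if not matches:
            return None
        # Longest-prefix match: the most specific learned prefix wins.
        return self._entries[max(matches, key=lambda n: n.prefixlen)]

    def check(self, src, arrived_on):
        expected = self.expected_interface(src)
        if expected is None:
            # Assumption: under partial deployment a source with no learned
            # direction cannot be judged, so it is reported, not dropped.
            return "unknown"
        return "valid" if expected == arrived_on else "spoofed"


def classify(table, packets):
    """Return (src, interface, verdict) for each (src, interface) pair."""
    return [(src, iface, table.check(src, iface)) for src, iface in packets]


# Constructed sample data (documentation address ranges, made-up interfaces).
TABLE = IncomingTable()
TABLE.learn("198.51.100.0/24", "eth0")
TABLE.learn("198.51.100.128/25", "eth1")  # more specific route, other direction
TABLE.learn("192.0.2.0/24", "eth2")

PACKETS = [
    ("198.51.100.10", "eth0"),
    ("198.51.100.200", "eth0"),
    ("198.51.100.200", "eth1"),
    ("203.0.113.5", "eth0"),
]

if __name__ == "__main__":
    for row in classify(TABLE, PACKETS):
        print(row)
```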