TY - GEN
T1 - Source address filtering for large scale network
T2 - 2012 21st International Conference on Computer Communications and Networks, ICCCN 2012
AU - Yang, Shu
AU - Xu, Mingwei
AU - Wang, Dan
AU - Wu, Jianping
PY - 2012/10/29
Y1 - 2012/10/29
N2 - Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate a large number of filters, it needs multiple accesses to memory on the border router, which bears a much heavier additional burden than other routers. In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network. We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE-generated topologies and real-world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.
AB - Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate a large number of filters, it needs multiple accesses to memory on the border router, which bears a much heavier additional burden than other routers. In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network. We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE-generated topologies and real-world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.
UR - http://www.scopus.com/inward/record.url?scp=84867820024&partnerID=8YFLogxK
U2 - 10.1109/ICCCN.2012.6289219
DO - 10.1109/ICCCN.2012.6289219
M3 - Conference article published in proceeding or book
AN - SCOPUS:84867820024
SN - 9781467315449
T3 - 2012 21st International Conference on Computer Communications and Networks, ICCCN 2012 - Proceedings
BT - 2012 21st International Conference on Computer Communications and Networks, ICCCN 2012 - Proceedings
Y2 - 30 July 2012 through 2 August 2012
ER -