Nicholas Scaglione and Justin Furuness, University of Connecticut; Yossi Gilad, Hebrew University of Jerusalem; Hemi Leibowitz, The College of Management Academic Studies; Cameron Morris and Bing Wang, University of Connecticut; Kotikalapudi Sriram, National Institute of Standards and Technology (NIST); Amir Herzberg, University of Connecticut
The lack of Source Address Validation (SAV) is a significant vulnerability of the Internet, which is abused in many Denial-of-Service (DoS) and other attacks. Several IETF RFCs define easy-to-deploy, non-interactive SAV designs; the IETF is currently developing another SAV mechanism, BAR-SAV, which, as its name suggests, uses BGP, ASPA (Autonomous System Provider Authorization), and ROA (Route Origin Authorization) data. However, no comparative evaluation of the potential impact of their large-scale deployment has been done. A recent survey of network vendors and operators indicates that more efficacy data and usage guidelines are necessary to motivate their adoption.
We present EZ-SAVE, the first simulation-based analysis evaluating easy-to-deploy SAV policies. We measure both the spoofed traffic detection rates and the legitimate traffic filtering (false-positive) rates for each standard and proposed design at different adoption rates, using a realistic Internet topology and traffic engineering policies. Our results reveal several significant insights that may assist and guide the standardization process as well as developers and operators. In particular, we find that BAR-SAV proves to be the most effective design that features high spoof detection rates and low (or even zero) false-positive rates, motivating its standardization and deployment. Our results also provide operators with guidance on other SAV mechanisms that are effective for specific scenarios. In addition, our results highlight the importance of using realistic export policies for SAV evaluation.
NSDI '26 Open Access Sponsored by King Abdullah University of Science and Technology (KAUST)

author = {Nicholas Scaglione and Justin Furuness and Yossi Gilad and Hemi Leibowitz and Cameron Morris and Bing Wang and Kotikalapudi Sriram and Amir Herzberg},
title = {{EZ-SAVE}: Evaluation of {Easy-to-Deploy} Source Address Validation Policies},
booktitle = {23rd USENIX Symposium on Networked Systems Design and Implementation (NSDI 26)},
year = {2026},
isbn = {978-1-939133-54-0},
address = {Renton, WA},
pages = {2247--2265},
url = {https://www.usenix.org/conference/nsdi26/presentation/scaglione},
publisher = {USENIX Association},
month = may
}
