[RACI-list] Routine Monitoring of Source Address Validation Deployment by Operators

Dear MANRS and RIPE members,

My name is Gaoxing Zhang, and I am a computer enthusiast from the High
School Competition Team at Hangzhou Dongfang High School.

Recently, I've observed that although MANRS requirements mandate Source
Address Validation(SAV) for its members, some operators have not fully
implemented this practice in their networks. Therefore, I propose to
routinely monitor the deployment status of SAV across ASNs to ensure
compliance with MANRS guidelines and enhance network security. I am
currently unaware of any existing projects with a similar focus.

It has come to my attention that operators at IXP facilities, even
including major entities like Google, fail to enable SAV. This issue also
persists in-home broadband services obtained through PPPoE, which could
lead to Infected Home Routers becoming sources of DDoS Attacks and Are
Difficult to Trace. In my tests, I announced my IP thought tunnel on a
different operator’s network and configured the Next-hop Address to a home
broadband gateway obtained via PPPoE. The results indicated that Source
Address Validation by China Telecom’s home broadband is only partially
implemented in Mainland China, with most IP addresses from the region being
accessible through this method.

Here are some methods I have considered for ongoing monitoring:

1. Announce a new IP block upstream to receive inbound traffic.
2. Deploy a tunnel on the device connected to the ISP being tested, which
will link to the upstream receiving the inbound traffic.
3. The IP block will not be announced to the ISP being tested but only to
the upstream used to receive inbound traffic. Check the connectivity to
major public DNS servers when the Next-hop address is set to the ISP being
tested.
4. If it is reachable, it indicates that the ISP’s device lacks Source
Address Validation.

I plan to deploy test equipment at major IXPs (currently seeking equipment
sponsors) and access points for some residential ISPs (with the assistance
of volunteers). The testing environment will be a Linux-based VM, utilizing
Python to switch Next-hop based on test targets and assess the
accessibility to major public DNS servers, as well as to upload data to a
backend system.

I would really appreciate it if you could share your valuable suggestions
or feedback on this initiative.

Best regards,
*Brandon Zhang*
Huicast Telecom Limited
www.huicast.com | Twitter

This e-mail and any attachments or any reproduction of this e-mail in
whatever manner are confidential and for the use of the addressee(s) only.
Huicast Telecom Limited can’t take any liability and guarantee of the text
of the email message and virus.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/raci-list/attachments/20240426/4ef236ca/attachment.html>