Analysis: Super-SAVA or super spy?

China has forged ahead with Source Address Validation Architecture technology in its IPv6 internet backbone. But will it prevent abuses or is it just another attack on internet privacy?

In China, they do everything so much more quickly and efficiently, it seems. In the time it takes the UK to conduct a planning inquiry, China can construct a high-speed railway line from one end of the country to the other, for example. And so it is with technology.

While the rest of the world has largely twiddled its fingers over IPv6 network upgrades, China has already upgraded its national internet backbone, enabling, for example, the streaming of high-definition television over the internet in major cities. Indeed, everything from security cameras to taxis and traffic is connected over the China Next Generation Internet (CNGI) in the capital, Beijing.

The key benefit of IPv6, of course, is the numbering system that enables the IP address space to be boosted from a mere 4.3 billion to 340,282,366,920,938,463,463,374,607,431,768,211,456 – which ought to be enough for even the most populous country on Earth for the foreseeable future.

But perhaps one of the most eye-opening features of China’s IPv6 development is the incorporation of Source Address Validation Architecture (SAVA) security features, after trialling it in 2008.

SAVA was first mooted in around 2000 as a potential remedy for denial of service (DoS) attacks, which typically forge IP sender addresses so that the location of the attacking machines cannot easily be identified. Take away this ability to spoof traffic origin details and a DoS attack can quickly and easily be dealt with.

Under BCP 38, a May 2000 discussion document from the Internet Engineering Task Force, a system was proposed whereby internet service providers (ISPs) would be obliged to block any outward-bound traffic from a PC or other device with a source address in the packet header that did not correspond with the address given to the device by the ISP.

“It sounds quite trivial, but actually it’s quite difficult to do,” says Alan Woodward, professor of computing at the University of Surrey. ISPs, he adds, have resisted the extra responsibility – and infrastructure spending – that source address validation systems imply.

“If an ISP is checking every packet and their routers need to keep a log of the IP address they have assigned to a particular device, check every packet coming out to ensure that the source address is consistent, that obviously has an overhead and there’s bound to be a [financial] cost,” says Woodward.
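The check BCP 38 describes, together with the per-device address log Woodward mentions, shown as an added example that is not part of the original article. The port names, the prefixes (taken from the reserved documentation ranges) and the choice to drop traffic from a port with no recorded binding are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed binding table: access port -> prefixes the ISP assigned there.
# Port names and prefixes (documentation ranges) are illustrative
# assumptions, not values from the article.
BINDINGS = {
    "port-1": ["2001:db8:a::/48", "192.0.2.10/32"],
    "port-2": ["2001:db8:b::/48"],
}
TABLE = {port: [ipaddress.ip_network(p) for p in prefixes]
         for port, prefixes in BINDINGS.items()}

def check(port, src, table=TABLE):
    """Return 'forward' or a drop reason for one outbound packet."""
    allowed = table.get(port)
    if allowed is None:
        return "drop:unknown-port"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    # Membership is False across IP versions, so an IPv4 source can
    # never match an IPv6 binding by accident.
    if any(addr in net for net in allowed):
        return "forward"
    return "drop:spoofed-source"

# Constructed outbound packets: (ingress port, claimed source address).
PACKETS = [
    ("port-1", "2001:db8:a::25"),   # inside port-1's delegated prefix
    ("port-1", "192.0.2.10"),       # port-1's assigned IPv4 address
    ("port-1", "2001:db8:b::1"),    # valid address, but bound to port-2
    ("port-2", "203.0.113.7"),      # forged IPv4 source
    ("port-3", "2001:db8:a::25"),   # no binding recorded for this port
    ("port-2", "not-an-address"),   # unparseable source field
]

def run(packets=PACKETS):
    """Validate every packet; return per-packet verdicts and totals."""
    verdicts = [check(port, src) for port, src in packets]
    return verdicts, Counter(verdicts)

if __name__ == "__main__":
    verdicts, totals = run()
    for (port, src), verdict in zip(PACKETS, verdicts):
        print(f"{port:7} {src:16} {verdict}")
    print(dict(totals))
```

The third packet is the case that makes the check per-port rather than per-network: the source is a real address inside the ISP's own range, but it is bound to a different customer, so it is still dropped.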

ISPs, at least in the UK, are typically focused on wringing every cost out of their business so that they can compete on price, while disclaiming any responsibility for the activities of users, which would negatively affect their reputations and add to their overheads.

But China, when its CERNET education network was upgraded, built a testbed for a SAVA standard, to check source addresses as they were transmitted. “As China has built out its backbone, that’s been built into it,” says Woodward.

No doubt, in addition to securing the network against DoS attacks, it may also aid authorities against other cyber attacks – especially cyber-espionage conducted by other state-sponsored agencies.

However, while there are undoubted security benefits, they come at the cost of privacy. Source address validation means that people are less anonymous online than ever. “It’s best practice and, in some ways, they did it because they could. But the downside is that you can be sure of tracking,” says Woodward.

At one level, the profusion of IP addresses available under IPv6 means that every device could have its own unique IP address. Indeed, in time, that will no doubt become the default, but it could also therefore be used to build up immense profiles of individual online activity by both organisations and governments.

However, adds Woodward, in China it doesn’t add a great deal more to the online tracking abilities that the authorities already enjoy. “Furthermore, it doesn’t stop people using VPNs and obfuscation techniques like Tor,” he says. Indeed, he adds, the IPsec public-key infrastructure is an integrated part of the IPv6 standard, which ought to make encrypted communications easier.

But in the absence of a commercial “killer application”, all IPv6 offers is more addressing space, a problem already overcome in IPv4 by network address translation. As a result, IPv6 has failed to take off outside of China.

That said, uptake is accelerating and, when the tipping point is achieved, there will no doubt be many new privacy issues that will need to be considered – or maybe everyone will just have to learn how to browse more securely.