IPv6 Source Address Validation Improvement

We learned how to deal with ARP and IP spoofing in IPv4 networks. Every decent switch has DHCP snooping, ARP protection, and IP source guard (or whatever the features are called), but validating source IPv6 addresses in security-conscious environments or public multi-access networks remains a major headache.

It would be pretty easy to solve the problem with a central controller, but IETF decided to go another way and developed yet another framework: Source Address Validation Improvements (SAVI). For more information, watch the following video from IPv6 Security webinar in which Eric Vyncke describes the intricacies of SAVI in great details.


  1. SAVI is pretty dangerous toy, governments are currently looking into using it to control and follow the devices around (China).
  2. In China SAVI is reality for years: http://www.ietf.org/proceedings/76/slides/savi-7.pdf
  3. "Strictly Anti-spoofing at host granularity" is a great excuse to deploy a tracking mechanism ;)
Add comment