IPv8 Security
The IPv8 draft separates security into east-west and north-south traffic control.
East-West Security
East-west traffic is traffic between devices inside a network. The draft describes ACL8 zone isolation as the main control. Devices communicate with designated service gateways, and service gateways communicate with designated cloud services.
The draft lists three enforcement layers:
- NIC firmware ACL8.
- Zone Server gateway ACL8.
- Switch port OAuth2 hardware VLAN enforcement.
North-South Security
North-south traffic is traffic from internal devices to the internet. The draft describes two validation steps at Zone Server egress:
- The outbound connection must have a corresponding DNS8 lookup.
- The destination ASN must validate against WHOIS8 active route registration.
The draft frames this as a way to block connections to hardcoded IP addresses that bypass DNS.
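The two egress checks above, modelled as an added example: this is not the draft's own code, and the data shapes (a resolver log of (client, resolved IP) pairs, a WHOIS8-style registry of prefix/ASN/active records, and the ASN the Zone Server's routing table attributes to the destination) are assumptions chosen to illustrate the logic.

```python
"""Model of the two Zone Server egress checks (DNS8 lookup correspondence and
WHOIS8 active-route validation). Added example; helper names and data shapes
are assumptions, not formats defined by the draft."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteRecord:
    prefix: ipaddress.IPv4Network  # registered prefix
    asn: int                       # origin ASN recorded in the registry
    active: bool                   # whether the route registration is active


def lookup_registry(dst, registry):
    """Return the most specific registry record covering dst, or None."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in registry if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def egress_decision(src, dst, dst_asn, dns_log, registry):
    """Allow an outbound connection only if both checks pass.
    dns_log: set of (client, resolved_ip) pairs recorded by the resolver.
    dst_asn: ASN the Zone Server's route table attributes to dst (assumption).
    Returns (allowed, reason)."""
    # Check 1: the client must have resolved this destination through DNS8,
    # which is what blocks connections to hardcoded IP addresses.
    if (src, dst) not in dns_log:
        return False, "no corresponding DNS lookup"
    # Check 2: the destination ASN must match an active route registration.
    rec = lookup_registry(dst, registry)
    if rec is None:
        return False, "destination not covered by a registered route"
    if not rec.active:
        return False, f"route for {rec.prefix} is not active"
    if rec.asn != dst_asn:
        return False, f"ASN {dst_asn} does not match registered ASN {rec.asn}"
    return True, "ok"


# Constructed sample data (documentation ranges and private ASNs, not real).
REGISTRY = [
    RouteRecord(ipaddress.ip_network("198.51.100.0/24"), 64500, True),
    RouteRecord(ipaddress.ip_network("203.0.113.0/24"), 64501, False),
]
DNS_LOG = {("10.0.0.5", "198.51.100.10"), ("10.0.0.5", "203.0.113.7")}

if __name__ == "__main__":
    for src, dst, asn in [("10.0.0.5", "198.51.100.10", 64500),
                          ("10.0.0.5", "192.0.2.1", 64500),
                          ("10.0.0.5", "203.0.113.7", 64501)]:
        print(src, "->", dst, egress_decision(src, dst, asn, DNS_LOG, REGISTRY))
```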
Route Security
The draft says BGP8 route advertisements are validated against WHOIS8 before installation. A route that cannot be validated is not installed.
Prefix Protection
The Security Considerations section covers several prefix protections:
- ASN prefix spoofing.
- Internal zone prefix protection.
- RINE prefix protection.
- Interior link convention protection.
- RFC 1918 address privacy.
- Cross-ASN multicast filtering.
- /16 minimum prefix enforcement.
Reading Note
Security behavior in this wiki is a summary of the draft. For exact requirements language, read the original text in Original Draft -02.