The existing Internet does not strictly check the source addresses of the IP packets it receives and forwards, which gives rise to many security, management and accounting problems. Building on the huge IP address space provided by the IPv6 protocol, this paper proposes a "Source Address Validation Architecture" (SAVA) for genuine IPv6 source addresses, used to verify the authenticity of the IP address of every packet forwarded in the Internet. The main design principles of this architecture are light weight, loose coupling, multiple defenses, and support for incremental deployment. This paper describes the details of the design, implementation and deployment of the architecture, which comprises three parts: within the access subnet, within an autonomous system, and between autonomous systems. It focuses on the protocol design for IP source address validation between autonomous systems. The architecture has been deployed on CNGI-CERNET2, a large-scale pure IPv6 backbone network. This architecture will help improve the security and trustworthiness of the Internet.