In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e., they define which path the packet should take, and as capabilities, i.e., they allow the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e., link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.
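The forwarding decision described in the abstract can be sketched as follows. This is an added example, not the paper's construction: HMAC-SHA256 as the keyed function, the filter width, the number of bits per link, the epoch length, per-node secrets known to the party that builds the filter, and all names and sample values are assumptions.

```python
import hashlib
import hmac

M_BITS = 256      # in-packet filter width (assumed)
K_HASHES = 5      # bits set per link name (assumed)
EPOCH_SECS = 60   # lifetime of one time-based secret (assumed)

def link_mask(node_secret: bytes, epoch: int, flow_id: bytes, link: bytes) -> int:
    """Derive the link's Bloom mask for this epoch and flow (no stored per-flow state)."""
    epoch_key = hmac.new(node_secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    digest = hmac.new(epoch_key, flow_id + b"\x00" + link, hashlib.sha256).digest()
    mask = 0
    for i in range(K_HASHES):
        mask |= 1 << (int.from_bytes(digest[2 * i:2 * i + 2], "big") % M_BITS)
    return mask

def build_filter(path, epoch: int, flow_id: bytes) -> int:
    """OR together the masks of every (node_secret, out_link) hop on the authorized path."""
    bloom = 0
    for node_secret, link in path:
        bloom |= link_mask(node_secret, epoch, flow_id, link)
    return bloom

def forward(node_secret: bytes, links, bloom: int, flow_id: bytes, now: int, skew: int = 1):
    """Return the outgoing links whose recomputed mask is fully contained in the filter.
    The previous `skew` epochs are also tried, to tolerate loosely synchronized clocks."""
    current = now // EPOCH_SECS
    matched = []
    for link in links:
        for epoch in range(current - skew, current + 1):
            mask = link_mask(node_secret, epoch, flow_id, link)
            if mask & bloom == mask:
                matched.append(link)
                break
    return matched

# Constructed sample topology: three nodes, each with its own secret and two links.
SECRETS = {"A": b"secret-A", "B": b"secret-B", "C": b"secret-C"}
LINKS = [b"eth0", b"eth1"]
PATH = [(SECRETS["A"], b"eth1"), (SECRETS["B"], b"eth0"), (SECRETS["C"], b"eth1")]
FLOW = b"10.0.0.1>10.0.9.9:payload-hash"   # stands in for invariant packet contents
T0 = 1_700_000_000                          # constructed issue time
BLOOM = build_filter(PATH, T0 // EPOCH_SECS, FLOW)

if __name__ == "__main__":
    print("valid:", forward(SECRETS["B"], LINKS, BLOOM, FLOW, T0))
    print("expired:", forward(SECRETS["B"], LINKS, BLOOM, FLOW, T0 + 3 * EPOCH_SECS))
    print("other flow:", forward(SECRETS["B"], LINKS, BLOOM, b"other-flow", T0))
```

As with any Bloom filter, a match can be a false positive; the filter width and bits per link set that rate, which is why both are marked as assumed parameters.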