High-performance capabilities for 1-hop containment of network attacks

Authors:
Tilman Wolf;Sriram Natarajan;Kamlesh T. Vasudevan
Affiliations:
Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA;NTT Multimedia Communications Laboratories, Inc., San Mateo, CA and Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA;Acme Packet, Bedford, MA and Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2013

Citing 31
Cited 0

Message authentication with one-way hash functions

ACM SIGCOMM Computer Communication Review
Building a high-performance, programmable secure coprocessor

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on computer network security
Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Hash-based IP traceback

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Network support for IP traceback

IEEE/ACM Transactions on Networking (TON)
Identity-Based Encryption from the Weil Pairing

SIAM Journal on Computing
A Generalized Birthday Problem

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Preventing Internet denial-of-service with capabilities

ACM SIGCOMM Computer Communication Review
Overcoming the Internet Impasse through Virtualization

Computer
An integrated experimental environment for distributed systems and networks

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Cryptography and Network Security (4th Edition)

Cryptography and Network Security (4th Edition)
A DoS-limiting network architecture

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
In VINI veritas: realistic and controlled network experimentation

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
OpenID 2.0: a platform for user-centric identity management

Proceedings of the second ACM workshop on Digital identity management
A proposed architecture for the GENI backbone platform

Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
An integrated approach to federated identity and privilege management in open systems

Communications of the ACM - Spam and the ongoing battle for the inbox
Scalable Bloom Filters

Information Processing Letters
An edge-to-edge filtering architecture against DoS

ACM SIGCOMM Computer Communication Review
Active internet traffic filtering: real-time response to denial-of-service attacks

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Ethane: taking control of the enterprise

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Portcullis: protecting connection setup from denial-of-capability attacks

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Design of a network architecture with inherent data path security

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Data path credentials for high-performance capabilities-based networks

Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Secure network coding for wireless mesh networks: Threats, challenges, and directions

Computer Communications
The zodiac policy subsystem: a policy-based management system for a high-security MANET

POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
SSLShader: cheap SSL acceleration with commodity processors

Proceedings of the 8th USENIX conference on Networked systems design and implementation
Network information flow

IEEE Transactions on Information Theory
Policy-based management of networked computing systems

IEEE Communications Magazine
Visa protocols for controlling interorganizational datagram flow

IEEE Journal on Selected Areas in Communications
An overview of PKI trust models

IEEE Network: The Magazine of Global Internetworking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Capabilities-based networks present a fundamental shift in the security design of network architectures. Instead of permitting the transmission of packets from any source to any destination, routers deny forwarding by default. For a successful transmission, packets need to positively identify themselves and their permissions to the router. A major challenge for a high-performance implementation of such a network is an efficient design of the credentials that are carried in the packet and the verification procedure on the router. We present a capabilities system that uses packet credentials based on Bloom filters. The credentials are of fixed length (independent of the number of routers that are traversed by the packet) and can be verified by routers with a few simple operations. This high-performance design of capabilities makes it feasible that traffic is verified on every router in the network, and most attack traffic can be contained within a single hop. We present an analysis of our design and a practical protocol implementation that can effectively limit unauthorized traffic with only a small per-packet overhead.