Data path credentials for high-performance capabilities-based networks
Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Capabilities-based networks present a fundamental shift in the security design of network architectures. Instead of permitting the transmission of packets from any source to any destination, routers deny forwarding by default. For a successful transmission, packets need to positively identify themselves and their permissions to the router. A major challenge for a high-performance implementation of such a network is an efficient design of the credentials that are carried in the packet and of the verification procedure on the router. We present a capabilities system that uses packet credentials based on Bloom filters. The credentials are of fixed length (independent of the number of routers that are traversed by the packet) and can be verified by routers with a few simple operations. This high-performance design of capabilities makes it feasible to verify traffic on every router in the network and to contain most attack traffic within a single hop. We present an analysis of our design and a practical protocol implementation that can effectively limit unauthorized traffic with only a small per-packet overhead.
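An illustrative Python model of the kind of Bloom-filter credential the abstract describes, written for this page and not the paper's own protocol or code. The per-router secrets, flow identifiers, 256-bit filter size and the HMAC-based derivation of bit positions are assumptions chosen here, not the paper's parameters; the model shows why the credential stays fixed-length regardless of path length, why each hop's check is a handful of operations, and why a credential reused for a different flow is dropped at the first router.

```python
import hashlib
import hmac
import math

FILTER_BITS = 256  # credential length in bits; fixed regardless of path length (assumed value)
K = 4              # bit positions each on-path router contributes and later checks (assumed)

def router_bit_positions(router_secret: bytes, flow_id: bytes) -> list:
    """Derive K filter positions from a keyed MAC over the flow identifier (assumed construction).
    Only the router holding router_secret can compute them, so a sender cannot forge a hop's bits."""
    positions = []
    for i in range(K):
        tag = hmac.new(router_secret, flow_id + bytes([i]), hashlib.sha256).digest()
        positions.append(int.from_bytes(tag[:4], "big") % FILTER_BITS)
    return positions

def issue_credential(path_secrets: list, flow_id: bytes) -> int:
    """Capability setup: every on-path router ORs its K bits into one fixed-size filter."""
    cred = 0
    for secret in path_secrets:
        for p in router_bit_positions(secret, flow_id):
            cred |= 1 << p
    return cred

def router_verify(router_secret: bytes, flow_id: bytes, cred: int) -> bool:
    """Data-path check: K MACs and K bit tests, with no per-flow state kept on the router."""
    return all((cred >> p) & 1 for p in router_bit_positions(router_secret, flow_id))

def false_positive_rate(path_len: int) -> float:
    """Standard Bloom-filter estimate of the chance an unauthorized flow passes one hop."""
    return (1 - math.exp(-(K * path_len) / FILTER_BITS)) ** K

def forward_path(path_secrets: list, flow_id: bytes, cred: int) -> int:
    """Return how many hops a packet clears before a router drops it."""
    hops = 0
    for secret in path_secrets:
        if not router_verify(secret, flow_id, cred):
            break
        hops += 1
    return hops

# Constructed sample: three routers with per-router secrets and an authorized 5-tuple.
PATH_SECRETS = [b"router-A-secret", b"router-B-secret", b"router-C-secret"]
AUTH_FLOW = b"10.0.0.1:40000->10.0.0.2:443/tcp"
FORGED_FLOW = b"10.0.0.1:40000->10.0.0.9:443/tcp"  # same credential reused for another destination

if __name__ == "__main__":
    cred = issue_credential(PATH_SECRETS, AUTH_FLOW)
    print("authorized hops:", forward_path(PATH_SECRETS, AUTH_FLOW, cred))
    print("forged hops:", forward_path(PATH_SECRETS, FORGED_FLOW, cred))
    print("per-hop false positive estimate:", false_positive_rate(len(PATH_SECRETS)))
```

The false-positive estimate is the price of a fixed-length filter: the longer the path, the more bits are set, and the filter size has to be chosen against the longest path the deployment expects.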