Capability-based egress network access control by using DNS server

  • Authors:

  • Shinichi Suzuki;Yasushi Shinjo;Toshio Hirotsu;Kozo Itano;Kazuhiko Kato

  • Affiliations:

  • Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki 305-8573, Japan;Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki 305-8573, Japan;Department of Information and Computer Sciences, Toyohashi University of Technology, Toyohashi, Aichi 441-8580, Japan;Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki 305-8573, Japan;Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki 305-8573, Japan

  • Venue:
  • Journal of Network and Computer Applications
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

In conventional egress network access control (NAC) based on access control lists (ACLs), modifying the ACLs is a heavy task for administrators. To enable configuration without a large amount of administrators' effort, we introduce capabilities to egress NAC. In our method, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize our method, we use a DNS cache server and a router. A resolver of the client sends the user name, domain name, and service name to the DNS cache server. The DNS server issues capabilities according to a policy and sends them to the client. The client puts these capabilities into the IP options of packets and sends them to the router. The router verifies the capabilities, and determines whether to pass or block the packets. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router's performance.