The increasing use of internetworking protocols to connect administratively heterogeneous networks has raised the question of how an organization can control the flow of information across its network boundaries. One method for doing so is the use of visas, a cryptographic technique for authenticating and authorizing a flow of datagrams. This report presents and evaluates two visa protocols ---- one that requires distributed state information in gateways and one that uses additional encryption operations instead of distributed state. Applications for such visa protocols include access control, accounting and billing for packet transit, and network resource management. This technical report is based, in large part, upon a shorter paper [8]. We have extended the discussion of design issues and added an appendix describing a visa protocol using dual-key (public key) encryption. Key Words: Computer networks, network interconnection, network security, access control, authentication, crypt...

Routing mechanisms for inter-autonomous region communication require distribution of policy-sensitive information as well as algorithms that operate on such information. Without such Policy Routing mechanisms, it is not possible for interconnected regions to retain their autonomy in setting and enforcing policy while still achieving desired connectivity. This problem of interconnecting and navigating across autonomous regions is of inherent interest to the security community because the policies in question concern control of resource access and usage. Moreover, the security of the Policy Routing protocols themselves must be considered if they are to be applicable in sensitive environments. On the other hand, as usual, the security mechanisms take a toll in overall system complexity and performance. Most routing protocols, including proposed Policy Routing protocols [l], focus on environments where detection of an attack after it has taken place is sufficient. The purpose of this paper is to explore the design of Policy Routing mechanisms for sensitive environments where more aggressive preventative measures are mandated. In particular, we detail the design of four secure protocol versions that prevent abuse through cryptographic checks of data integrity. We analyse and compare these schemes in terms of their per-packet processing overhead. We conclude that preventative security is feasible, although the overhead cost is quite high. Consequently, it is critical that prevention-based schemes coexist with detection-based schemes. 1

This paper discusses a proposed framework for specifying access control policy for very large distributed processing systems. These typically consist of multiple interconnected networks and span the computer systems belonging to different organisations. This implies the need for cooperation between independent managers to specify access control policy. The policy specification should permit interaction between organisations while limiting the scope of what objects can be accessed and what operations can be performed on them. The large numbers of objects in such systems make it impractical to specify access control policy in terms of individual objects. The paper explains how domains can be used to group objects and structure the management of access control policy. Access Rules are introduced as a means of specifying the access rights between a domain of user objects and a domain of target object in terms of the permitted operations as well as constraints such as user location and time...

In large-scale networked information systems (e.g. the World-Wide Web), the community of subjects who may make requests to a service provider such as a digital library will often extend beyond the local community to include individuals about whom little prior knowledge, if any, exists at the provider. This poses challenges for resource protection which do not exist in traditional computing environments. This paper presents a formal framework for secure access to information and services in such systems, where both the size of the user base and a variety of local enterprise--dependent representations of user attributes must be considered. In our framework, an individual supplies digital credentials akin to traditional paper credentials with a request for service. To decide whether to grant the request, the recipient interprets the credentials using knowledge about the credential issuers (more precisely, of what conditions must hold for the issuers to have issued the credentials) rather ...

In the absence of special mechanisms, network interconnection using DOD or OSI Internet Protocols achieve full connectivity among internet components. However, independent administrative domains (ADs) should be able to interconnect without exposing their internal resources to unrestricted access. Moreover, ADs should be able to protect incoming and outgoing data by specifying or constraining the ADs to, and through, which the data travels. Given these requirements, what layer is most appropriate for the placement of access controls? In this paper we propose a framework for placement and design of access control mechanisms in an environment of interconnected ADs. To the extent network resources require protection, the highest relevant endpoint is the network router and associated packet forwarding and routing protocols. In this sense the end-to-end argument supports implementing these controls at the network layer. We describe the security services that are required by interconnected AD...

In this paper, a number of mechanisms are described that can be used in the design of a protocol convertor for authentication and key distribution protocols. First, the scope of the mechanisms is defined: we mark out the class of authentication systems that were considered during the design of the mechanisms. A first mechanism, based on proxies and a synchronization protocol, allows for a transparant protocol conversion. It is generic, and can easily be tailored to different specific situations. The second mechanism addresses the problem of the statefulness of the protocol convertor. It can be used to offload state from the convertor to the principals of the interconnected domains, thus making the convertor more robust. Both mechanisms can be used separately or in combination. When properly combined, they provide for a robust, transparant, and safe protocol convertor for authentication and key distribution protocols. Keywords: security, authentication protocols, inter-domain autentica...