research relevant to the design and application of high performance scientific computers. We test our ideas by designing, building, and using real systems. The systems we build are research prototypes; they are not intended to become products. There is a second research laboratory located in Palo Alto, the Systems Research Center (SRC). Other Digital research groups are located in Paris (PRL) and in Cambridge,

The increasing use of internetworking protocols to connect administratively heterogeneous networks has raised the question of how an organization can control the flow of information across its network boundaries. One method for doing so is the use of visas, a cryptographic technique for authenticating and authorizing a flow of datagrams. This report presents and evaluates two visa protocols ---- one that requires distributed state information in gateways and one that uses additional encryption operations instead of distributed state. Applications for such visa protocols include access control, accounting and billing for packet transit, and network resource management. This technical report is based, in large part, upon a shorter paper [8]. We have extended the discussion of design issues and added an appendix describing a visa protocol using dual-key (public key) encryption. Key Words: Computer networks, network interconnection, network security, access control, authentication, crypt...

Routing mechanisms for inter-autonomous region communication require distribution of policy-sensitive information as well as algorithms that operate on such information. Without such Policy Routing mechanisms, it is not possible for interconnected regions to retain their autonomy in setting and enforcing policy while still achieving desired connectivity. This problem of interconnecting and navigating across autonomous regions is of inherent interest to the security community because the policies in question concern control of resource access and usage. Moreover, the security of the Policy Routing protocols themselves must be considered if they are to be applicable in sensitive environments. On the other hand, as usual, the security mechanisms take a toll in overall system complexity and performance. Most routing protocols, including proposed Policy Routing protocols [l], focus on environments where detection of an attack after it has taken place is sufficient. The purpose of this paper is to explore the design of Policy Routing mechanisms for sensitive environments where more aggressive preventative measures are mandated. In particular, we detail the design of four secure protocol versions that prevent abuse through cryptographic checks of data integrity. We analyse and compare these schemes in terms of their per-packet processing overhead. We conclude that preventative security is feasible, although the overhead cost is quite high. Consequently, it is critical that prevention-based schemes coexist with detection-based schemes. 1

Abstract-This paper analyzes the technical implications of interconnecting networks across organization boundaries. Such Interorgunizational Networks (ION’s) are used increasingly to support exchange of CAD/CAM data between manufacturers and subcontractors, software distribution from vendors to users, customer input to suppliers ’ orderentry systems, and the shared use of expensive computational resources by research laboratories, as examples. We begin by demonstrating that interorganization connections are not satisfied by traditional network design criteria of connectivity and transparency. A primary high-level requirement is access control, and therefore, participating organizations must be able to limit connectivity and make network boundaries visible. We summarize an approach to access control in ION’S, based on nondiscretionary control, that allows interconnecting organizations to combine gateway, network, and system-level mechanisms to enforce cross-boundary control over invocation