Fast message integrity and authentication services are very important in today's high-speed network protocols. Current message authentication techniques are mostly encryption-based which is undesirable for several reasons. In this brief paper, we introduce encryption-free message authentication based entirely on the use of one-way hash functions. Two methods are presented and their strength is analyzed. The security of the proposed methods is based on the strength of the underlying one-way hash function. Keywords: message authentication, data integrity, one-way hash functions, network protocols, communication security. 1 Introduction Message authentication is a an important feature in many of today's network protocols. As network speeds increase, higher demands are made for processing speeds. However, encryption technology is still unable to match the bandwidth requirements of high-speed protocols in a costeffective manner. For this reason, alternative approaches are being considered...

Internet end users and ISPs alike have little control over how packets are routed outside of their own AS, restricting their ability to achieve levels of performance, reliability, and utility that might otherwise be attained. While researchers have proposed a number of source-routing techniques to combat this limitation, there has thus far been no way for independent ASes to ensure that such traffic does not circumvent local traffic policies, nor to accurately determine the correct party to charge for forwarding the traffic. We present Platypus, an authenticated source routing system built around the concept of network capabilities. Network capabilities allow for accountable, fine-grained path selection by cryptographically attesting to policy compliance at each hop along a source route. Capabilities can be composed to construct routes through multiple ASes and can be delegated to third parties. Platypus caters to the needs of both end users and ISPs: users gain the ability to pool their resources and select routes other than the default, while ISPs maintain control over where, when, and whose packets traverse their networks. We describe how Platypus can be used to address several well-known issues in wide-area routing at both the edge and the core, and evaluate its performance, security, and interactions with existing protocols. Our results show that incremental deployment of Platypus can achieve immediate gains.

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : xii 1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1 1. The problem : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1 2. Overview of thesis : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2 3. Contribution of our work : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 3 2 Taxonomy of traffic characteristics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 1. Aggregation granularity : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 2. Host versus network centric perspective : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 7 3. Host centric perspective : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 7 1. Delay and jitter : : : : : ...

Policy Routing (PR) is a new area of devleopment that attempts to incorporate policy related constraints on inter-Administrative Domain (AD) communication into the route computation and forwarding of inter-AD packets. Proposals for inter-AD routing mechansims are discussed in the context of a design space defined by three design parameters: location of routing decision (i.e., source or hop-by-hop), algorithm used (i.e., link state or distance vector), and expression of policy in topology or in link status. We conclude that an architecture based upon source routing, a link state algorithm, and policy information in the link state advertisements, is best able to address the long-term policy requirements of inter-AD routing. However, such an architecture raises several new and challenging research issues related to scaling. 1

Multicast is rapidly becoming an important mode of communication as well as a good platform for building group-oriented services. However, to be used for trusted communication, current multicast schemes must be supplemented by mechanisms for protecting traffic, controlling participation, and restricting access of unauthorized users to the data exchanged by the participants. In this paper, we consider fundamental security issues in building a trusted multicast facility. We discuss techniques for group-based data encryption, authentication of participants, and preventing unauthorized transmissions and receptions. 1 Introduction Emerging distributed applications, such as multimedia teleconferencing, computer-supported collaborative work, and remote consultation and diagnosis systems for medical applications, depend on efficient information exchange among multiple participants. Network-based multi-destination switching is an essential mode of communication for such applications. Little co...

Indirection-based overlay networks (IONs) are a promising approach for countering distributed denial of service (DDoS) attacks. Such mechanisms are based on the assumption that attackers will attack a fixed and bounded set of overlay nodes causing service disruption to a small fraction of the users. In addition, attackers cannot eavesdrop on links inside the network or otherwise gain information that can help them focus their attacks on overlay nodes that are critical for specific communication flows. We develop an analytical model and a new class of attacks that considers both simple and advanced adversaries. We show that the impact of these simple attacks on IONs can severely disrupt communications. We propose a stateless spread-spectrum paradigm to create perpacket path diversity between each pair of end-nodes using a modified ION access protocol. Our system protects end-to-end communications from DoS attacks without sacrificing strong client authentication or allowing an attacker with partial connectivity information to repeatedly disrupt communications. Through analysis, we show that an Akamai-sized overlay can withstand attacks involving over 1.3M “zombie ” hosts while providing uninterrupted endto-end connectivity. By using packet replication, the system can resist attacks that render up to 40 % of the nodes inoperable. Surprisingly, our experiments on PlanetLab demonstrate that in many cases end-to-end latency decreases when packet replication is used, with a worst-case increase by a factor of 2.5. Similarly, our system imposes less than 15 % performance degradation in the end-to-end throughput, even when subjected to a large DDoS attack.

Efforts are now underway to develop a new generation of routing protocol that will allow each Administrative Domain (AD) in the growing Internet (and internets in general) to independently express and enforce policies regarding the flow of packets to, from, and through its resources. 1 This document articulates the requirements for policy based routing and should be used as input to the functional specification and evaluation of proposed protocols. Two critical assumptions will shape the type of routing mechanism that is devised: (1) the topological organization of ADs, and (2) the type and variability of policies expressed by ADs. After justifying our assumptions regarding AD topology we present a taxonomy, and specific examples, of policies that must be supported by a PR protocol. We conclude with a brief discussion of policy routing mechanisms proposed in previous RFCs (827, 1102, 1104, 1105). Future RFCs will elaborate on the architecture and protocols needed to support the requi...

We present a solution to the denial of service (DoS) problem that does not rely on network infrastructure support, conforming to the end-to-end (e2e) design principle. Our approach is to combine an overlay network, which allows us to treat authorized traffic preferentially, with a lightweight process-migration environment that allows us to move services easily between different parts of a distributed system. Functionality residing on a part of the system that is subjected to a DoS attack migrates to an unaffected location. The overlay network ensures that traffic from legitimate users, who are authenticated before they are allowed to access the service, is routed to the new location. We demonstrate the feasibility and effectiveness of our approach by measuring the performance of an experimental prototype against a series of attacks using PlanetLab, a distributed experimental testbed. Our preliminary results show that the end-toend latency remains at acceptable levels during regular operation, increasing only by a factor of 2 to 3, even for large overlays. When a process migrates due to a DoS attack, the disruption of service for the end user is in the order of a few seconds, depending on the network proximity of the servers involved in the migration.

This paper investigates the design of resource usage feedback mechanisms for packet switched internetworks. After a discussion of the motivations for feedback mechanisms, feedback channels and policies are described. We then outline issues raised by the design of mechanisms to realize these policies, including: network service disciplines, accounting granularity, metrics, authentication, and coordination among transit carriers.

Routing mechanisms for inter-autonomous region communication require distribution of policy-sensitive information as well as algorithms that operate on such information. Without such Policy Routing mechanisms, it is not possible for interconnected regions to retain their autonomy in setting and enforcing policy while still achieving desired connectivity. This problem of interconnecting and navigating across autonomous regions is of inherent interest to the security community because the policies in question concern control of resource access and usage. Moreover, the security of the Policy Routing protocols themselves must be considered if they are to be applicable in sensitive environments. On the other hand, as usual, the security mechanisms take a toll in overall system complexity and performance. Most routing protocols, including proposed Policy Routing protocols [l], focus on environments where detection of an attack after it has taken place is sufficient. The purpose of this paper is to explore the design of Policy Routing mechanisms for sensitive environments where more aggressive preventative measures are mandated. In particular, we detail the design of four secure protocol versions that prevent abuse through cryptographic checks of data integrity. We analyse and compare these schemes in terms of their per-packet processing overhead. We conclude that preventative security is feasible, although the overhead cost is quite high. Consequently, it is critical that prevention-based schemes coexist with detection-based schemes. 1