IP easy-pass: edge resource access control

Providing real-time communication services to multimedia applications and subscription-based Internet access often requires sufficient network resources to be reserved for real-time traffic. However, the reserved network resources are susceptible to theft and abuse. Without a resource access control mechanism that can efficiently differentiate legitimate real-time traffic from attack packets, the traffic conditioning and policing enforced at ISP (Internet service provider) edge routers cannot protect the reserved network resources from embezzlement. On the contrary, traffic policing at edge routers aggravates their vulnerability to flooding attacks by blindly dropping packets. We propose a fast and lightweight IP network-edge resource access control mechanism, called IP easy-pass, to prevent unauthorized access to reserved network resources at edge devices. We attach a unique pass to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of an incoming IP packet quickly and simply by checking its pass. We present the generation of the easy-pass, its embedding, and its verification procedure. We implement the IP easy-pass mechanism in the Linux kernel and analyze its effectiveness against packet forgery and resource embezzlement attempts. Finally, we measure the overhead incurred by easy-pass.
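
The abstract describes the shape of the mechanism (a per-packet pass attached by the sender, checked by the edge router) without giving the pass construction. The following is an added illustration of that shape, not the paper's easy-pass design: it assumes a per-reservation key shared between the subscriber and the ISP edge, computes the pass as a truncated HMAC-SHA256 over the flow identifier and a per-flow sequence number, carries it in a constructed 12-byte header in front of the payload, and keeps a small anti-replay window per flow so that a captured legitimate packet cannot be re-injected to consume the reserved bandwidth. The header layout, tag length, window size and all addresses and keys are constructed for the example.

```python
"""Illustrative per-packet pass check at an ISP edge router.

Added example, not the paper's easy-pass construction. Assumptions:
  * one key per reservation, shared by subscriber and edge router,
  * pass = first PASS_LEN bytes of HMAC-SHA256(key, flow_id || seq),
  * constructed header: 4-byte big-endian seq, then the pass, then payload.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

PASS_LEN = 8                    # bytes of the HMAC kept as the pass (assumed)
SEQ_FMT = "!I"                  # 32-bit big-endian sequence number (assumed)
SEQ_LEN = struct.calcsize(SEQ_FMT)
HEADER_LEN = SEQ_LEN + PASS_LEN


@dataclass(frozen=True)
class Flow:
    """Flow identity the edge already knows from the reservation (5-tuple)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int = 17  # UDP

    def to_bytes(self) -> bytes:
        return (socket.inet_aton(self.src) + socket.inet_aton(self.dst)
                + struct.pack("!HHB", self.sport, self.dport, self.proto))


def make_pass(key: bytes, flow: Flow, seq: int) -> bytes:
    """Pass binds the flow identity and the sequence number to the key."""
    msg = flow.to_bytes() + struct.pack(SEQ_FMT, seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:PASS_LEN]


def embed_pass(key: bytes, flow: Flow, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend seq and pass to the real-time payload."""
    return struct.pack(SEQ_FMT, seq) + make_pass(key, flow, seq) + payload


class EdgeVerifier:
    """Edge-router side: one MAC check plus an anti-replay window per flow."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = {}   # flow -> highest accepted seq
        self.seen = {}      # flow -> accepted seqs still inside the window

    def check(self, flow: Flow, packet: bytes) -> str:
        if len(packet) < HEADER_LEN:
            return "drop:malformed"
        (seq,) = struct.unpack(SEQ_FMT, packet[:SEQ_LEN])
        tag = packet[SEQ_LEN:HEADER_LEN]
        # Constant-time compare: a forger learns nothing from timing.
        if not hmac.compare_digest(tag, make_pass(self.key, flow, seq)):
            return "drop:bad-pass"
        top = self.highest.get(flow, -1)
        seen = self.seen.setdefault(flow, set())
        # Too old for the window, or already accepted: treat as replay.
        if seq <= top - self.window or seq in seen:
            return "drop:replay"
        seen.add(seq)
        if seq > top:
            self.highest[flow] = seq
            # Forget sequence numbers that have fallen out of the window.
            seen.difference_update({s for s in seen if s <= seq - self.window})
        return "accept"


def demo() -> list:
    """Constructed traffic: a legitimate burst, a replay, a forgery, junk."""
    key = b"per-reservation-key-shared-with-edge"        # constructed
    flow = Flow("192.0.2.10", "198.51.100.20", 5004, 5004)  # constructed
    edge = EdgeVerifier(key)
    verdicts = []
    pkts = [embed_pass(key, flow, i, b"rtp-sample") for i in range(3)]
    for p in pkts:
        verdicts.append(edge.check(flow, p))             # accept x3
    verdicts.append(edge.check(flow, pkts[1]))            # drop:replay
    forged = embed_pass(b"attacker-guess", flow, 3, b"flood")
    verdicts.append(edge.check(flow, forged))             # drop:bad-pass
    verdicts.append(edge.check(flow, b"\x00" * 5))        # drop:malformed
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The pass deliberately covers only the flow identifier and sequence number, not the payload, so the edge does one short HMAC per packet regardless of packet size; the cost of that choice is that the check protects the reservation against forgery and replay but does not detect in-flight payload modification, which is the kind of trade-off the overhead measurement mentioned in the abstract has to weigh.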
