A security framework for protecting traffic between collaborative domains

In this paper, we propose a novel Secure Name Service (SNS) framework for enhancing service availability between collaborative domains (e.g., extranets). The key idea is to enforce packet authentication through resource virtualization and to use dynamic name binding to protect servers from unauthorized access, denial of service (DoS) and other attacks. Different from traditional static network security schemes such as VPNs, the dynamic name binding of SNS allows us to actively protect critical resources through distributed filtering mechanisms built into the collaborating domains. We present the architecture of the SNS framework, the design of the SNS naming scheme, and the design of authenticated packet forwarding. We have implemented a prototype of the authenticated packet forwarding mechanism on Linux. Our experimental results demonstrate that regular Linux platforms are sufficient to support SNS authenticated packet forwarding on 100 Mbps and 1 Gbps Ethernet LANs. To further improve performance and scalability, we have also designed and implemented two-layer fast name lookup schemes.
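The abstract describes the mechanism only in outline. The following is an added, illustrative model of how authenticated packet forwarding, dynamic name binding and a two-layer name lookup can fit together at a domain edge; it is not the paper's code and does not claim to match the SNS prototype. Everything concrete in it is an assumption: the packet layout, HMAC-SHA256 keyed per name binding, a nonce-based replay check, logical-clock expiry of bindings, and a Bloom filter as the first lookup layer in front of an exact table.

```python
"""Illustrative SNS-style forwarder: added example, not the paper's implementation.

Assumptions (none are from the abstract):
- a virtual name is bound dynamically to a real server plus a per-binding key;
- a packet is  len(name) | name | nonce(8) | len(payload) | payload | tag(32),
  tag = HMAC-SHA256(binding key, everything before the tag);
- lookup is two-layer: Bloom filter (definite miss) then exact dict.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

NONCE_LEN = 8
TAG_LEN = 32


class BloomFilter:
    """Layer 1: can answer 'definitely not bound' cheaply, never 'definitely bound'."""

    def __init__(self, nbits: int = 4096, nhashes: int = 4) -> None:
        self.nbits, self.nhashes = nbits, nhashes
        self.bits = bytearray(nbits // 8)

    def _positions(self, item: str):
        for i in range(self.nhashes):
            h = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.nbits

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


@dataclass
class Binding:
    server: str    # real address the virtual name currently maps to
    key: bytes     # per-binding packet-authentication key
    expires: int   # logical time at which the binding lapses


class NameService:
    """Dynamic name binding with a Bloom filter in front of the exact table."""

    def __init__(self) -> None:
        self.bloom = BloomFilter()
        self.bindings: dict[str, Binding] = {}
        self.clock = 0

    def bind(self, name: str, server: str, lifetime: int) -> bytes:
        key = os.urandom(32)  # fresh key per binding; rotating the name rotates the key
        self.bindings[name] = Binding(server, key, self.clock + lifetime)
        self.bloom.add(name)
        return key

    def unbind(self, name: str) -> None:
        self.bindings.pop(name, None)  # Bloom bits stay set; the exact table is authoritative

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def lookup(self, name: str):
        if name not in self.bloom:  # layer 1: cheap definite miss
            return None
        b = self.bindings.get(name)  # layer 2: exact match, also catches Bloom false positives
        if b is None or b.expires <= self.clock:
            return None
        return b


def make_packet(name: str, key: bytes, nonce: bytes, payload: bytes) -> bytes:
    body = (struct.pack(">B", len(name)) + name.encode() + nonce
            + struct.pack(">H", len(payload)) + payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_packet(raw: bytes):
    nlen = raw[0]
    off = 1 + nlen
    name = raw[1:off].decode()
    nonce = raw[off:off + NONCE_LEN]
    off += NONCE_LEN
    (plen,) = struct.unpack(">H", raw[off:off + 2])
    off += 2
    payload = raw[off:off + plen]
    off += plen
    if len(raw) != off + TAG_LEN:
        raise ValueError("truncated or oversized packet")
    return name, nonce, payload, raw[:off], raw[off:]


class Forwarder:
    """Edge filter: forwards only packets for a live name carrying a valid, unseen tag."""

    def __init__(self, ns: NameService) -> None:
        self.ns = ns
        self.seen: set = set()

    def forward(self, raw: bytes):
        try:
            name, nonce, _payload, body, tag = parse_packet(raw)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            return ("drop:malformed", None)
        binding = self.ns.lookup(name)
        if binding is None:  # unknown, unbound or expired name: nothing to authenticate against
            return ("drop:no-binding", None)
        expected = hmac.new(binding.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("drop:bad-tag", None)
        if (name, nonce) in self.seen:
            return ("drop:replay", None)
        self.seen.add((name, nonce))
        return ("forward", binding.server)
```

The ordering of checks is deliberate: the name lookup runs first because it is the cheapest test and rejects flood traffic aimed at names that were never bound or have already rotated, so the HMAC is only computed for packets that name a live binding. The replay set is unbounded here; a real filter would scope it to the binding's lifetime and discard it on unbind.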
