In conventional egress network access control (NAC) based on access control lists (ACLs), modifying the ACLs is a heavy task for administrators. To enable configuration without a large amount of administrator effort, we introduce capabilities into egress NAC. In our method, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize our method, we use a DNS cache server and a router. The client's resolver sends the user name, domain name, and service name to the DNS cache server. The DNS server issues capabilities according to a policy and sends them to the client. The client puts these capabilities into the IP options of its packets and sends them to the router. The router verifies the capabilities and determines whether to pass or block the packets. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router's performance.
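A minimal simulation of the issuance and verification flow described above, added here as an example and not the paper's implementation. The capability format (an HMAC-tagged binding of destination address, port and expiry carried in an RFC 791-style IP option), the shared key, the policy table and the name-to-address table are all assumptions made for this example.

```python
import hmac
import hashlib
import struct
import time

# Constructed values for the example; none of them come from the paper.
SHARED_KEY = b"example-shared-key-not-for-production"   # shared by DNS cache server and router
POLICY = {("alice", "example.com", "http"), ("alice", "example.com", "https")}
NAME_TO_ADDR = {"example.com": "192.0.2.10"}
SERVICE_PORT = {"http": 80, "https": 443}
OPTION_TYPE = 0x9E   # placeholder IP option type byte (RFC 791 layout), not the paper's value
BODY_FMT = "!4sHI"   # destination address, destination port, expiry (unix seconds)
TAG_LEN = 8          # truncated HMAC-SHA256 tag


def issue_capability(user, domain, service, now=None, key=SHARED_KEY, lifetime=300):
    """DNS cache server side: check the policy for (user, domain, service) and,
    if allowed, return an IP option carrying a capability for the resolved address."""
    if (user, domain, service) not in POLICY:
        return None                                      # policy refuses: no capability
    now = int(time.time()) if now is None else now
    addr = bytes(int(octet) for octet in NAME_TO_ADDR[domain].split("."))
    body = struct.pack(BODY_FMT, addr, SERVICE_PORT[service], now + lifetime)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    data = body + tag
    return bytes([OPTION_TYPE, len(data) + 2]) + data    # type, length, data


def router_check(option, dst_addr, dst_port, now=None, key=SHARED_KEY):
    """Router side: verify the capability found in a packet's IP option and
    return "pass" or "block". Only the capability is checked, not who sent it,
    so capability bytes handed to another user keep working (the transfer)."""
    now = int(time.time()) if now is None else now
    if len(option) < 2 or option[0] != OPTION_TYPE or option[1] != len(option):
        return "block"                                   # malformed option
    body, tag = option[2:-TAG_LEN], option[-TAG_LEN:]
    if len(body) != struct.calcsize(BODY_FMT):
        return "block"
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return "block"                                   # forged or altered capability
    addr, port, expiry = struct.unpack(BODY_FMT, body)
    if now >= expiry or ".".join(str(b) for b in addr) != dst_addr or port != dst_port:
        return "block"                                   # expired or wrong destination
    return "pass"
```

Because the router binds the decision to the capability rather than to the sender, the same option bytes given by one user to another pass the check without any ACL change; altering the destination or the tag, or using it after expiry, is blocked.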