Preventing theft of quality of service on open platforms

As multiple types of traffic converge onto one network, frequently wireless, enterprises face a tradeoff between effectiveness and security. Some types of traffic, such as voice-over-IP (VoIP), require certain quality of service (QoS) guarantees to be effective. The end client platform is in the best position to know which packets deserve this special handling. In many environments (such as universities), end users relish having control over their own machines. However, if end users administer their own machines, nothing stops dishonest ones from marking undeserving traffic for high QoS. How can an enterprise ensure that only appropriate traffic receives high QoS, while also allowing end users to retain control over their own machines? In this paper, we present the design and prototype of a solution, using SELinux, TCPA/TCG hardware, Diffserv, 802.1x, and EAP-TLS.
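The enforcement point the abstract describes is the network edge: DSCP marks written by an end host are honored only when that host has authenticated (802.1x/EAP-TLS) and its platform state has been verified (the TCPA/TCG plus SELinux check), and are otherwise reset to best effort. The following is an added illustration of that edge policy, not code from the paper; `EdgePolicer`, `HostState`, the sample IPv4 headers and the boolean `attested` flag standing in for the attestation result are all assumptions made for the example. It parses the DS field from real IPv4 header bytes, re-marks packets from untrusted hosts while preserving the ECN bits, recomputes the header checksum, and logs each re-marking so a defender can see which hosts are claiming service they are not entitled to.

```python
"""Edge-node Diffserv policy that honors DSCP only from attested hosts.

Added example; not the paper's implementation. Host admission state
(authenticated / attested / allowed DSCP set) is supplied by the caller,
standing in for the 802.1x and TCPA/TCG attestation results.
"""
import struct
from dataclasses import dataclass, field

# DSCP is the top 6 bits of the IPv4 DS (former TOS) byte; ECN is the low 2.
DSCP_BE = 0    # best effort
DSCP_EF = 46   # expedited forwarding, the usual VoIP class


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791).

    Caller zeroes the checksum field first; over a valid header it returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int, ecn: int = 0) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header, UDP, no options."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(header: bytes) -> int:
    return header[1] >> 2


@dataclass
class HostState:
    authenticated: bool = False          # completed 802.1x / EAP-TLS
    attested: bool = False               # platform measurement accepted (assumed flag)
    allowed_dscp: frozenset = field(default_factory=frozenset)


class EdgePolicer:
    """Trusts a host's DSCP marks only after authentication and attestation."""

    def __init__(self):
        self.hosts = {}     # src IP -> HostState
        self.events = []    # (src IP, claimed DSCP, reason) for every re-mark

    def admit(self, src_ip, *, authenticated, attested, allowed_dscp=()):
        self.hosts[src_ip] = HostState(authenticated, attested,
                                       frozenset(allowed_dscp))

    def process(self, header: bytes) -> bytes:
        src_ip = ".".join(str(b) for b in header[12:16])
        dscp = dscp_of(header)
        if dscp == DSCP_BE:
            return header               # nothing claimed, nothing to police
        st = self.hosts.get(src_ip)
        if st is None or not st.authenticated:
            reason = "unauthenticated"
        elif not st.attested:
            reason = "unattested platform"
        elif dscp not in st.allowed_dscp:
            reason = "dscp not permitted"
        else:
            return header               # trusted host, permitted class
        self.events.append((src_ip, dscp, reason))
        out = bytearray(header)
        out[1] &= 0x03                  # clear DSCP, keep ECN bits
        out[10:12] = b"\x00\x00"
        out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
        return bytes(out)


if __name__ == "__main__":
    policer = EdgePolicer()
    policer.admit("10.0.0.5", authenticated=True, attested=True,
                  allowed_dscp={DSCP_EF})
    policer.admit("10.0.0.7", authenticated=True, attested=False)
    for src in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):
        pkt = build_ipv4_header(src, "10.0.1.1", DSCP_EF)
        print(src, "->", dscp_of(policer.process(pkt)))
    print(policer.events)
```

The policy is deliberately fail-closed: an unknown host, an authenticated host whose platform measurement was not accepted, and a trusted host claiming a class it was not granted all end up at best effort, and the `events` list is the audit trail that distinguishes a misconfigured client from one whose marking should be investigated.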
