Lightweight source authentication and path validation

In-network source authentication and path validation are fundamental primitives for building higher-level security mechanisms such as DDoS mitigation, path compliance, packet attribution, and protection against flow redirection. Unfortunately, existing proposals either fall short of addressing important security concerns or impose substantial per-packet processing overhead on routers. In this paper, we propose lightweight, scalable, and secure protocols for shared key setup, source authentication, and path validation. Our prototype implementation demonstrates the efficiency and scalability of the protocols, especially for software-based implementations.
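To make the two primitives concrete, the following is an added illustration (not the paper's own protocol or code) of how per-router symmetric keys can give a router source authentication and give the destination path validation in one pass. Every router holds a key shared with the source; the source attaches one origin-validation tag per hop, and each router folds its own MAC into a chained path-validation field that the destination recomputes for the path it expected. The key table, the field names `ovf`/`pvf`, the 128-bit tag truncation and the packet contents are all assumptions made for this example; in a real design the keys would come from the shared-key setup protocol rather than a fixed table.

```python
import hashlib
import hmac

# Constructed test keys (assumption): in a deployed design each router shares
# its key with the source via the shared-key setup protocol and the destination
# can obtain the same keys; here both sides simply read this table.
ROUTER_KEYS = {
    "R1": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "R2": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "R3": bytes.fromhex("deadbeefcafebabe0123456789abcdef"),
}
DEST_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")

TAG_LEN = 16  # truncate HMAC-SHA256 to 128 bits to keep the header small (design choice)


def mac(key: bytes, *parts: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the concatenation of parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()[:TAG_LEN]


def data_hash(header: bytes, payload: bytes) -> bytes:
    """Binds every tag to the immutable part of the packet."""
    return hashlib.sha256(header + payload).digest()


def source_send(header: bytes, payload: bytes, path: list) -> dict:
    """Source builds the packet: one origin-validation tag per router on the
    intended path, plus a path-validation field seeded with the destination key."""
    dh = data_hash(header, payload)
    return {
        "header": header,
        "payload": payload,
        "ovf": {r: mac(ROUTER_KEYS[r], dh) for r in path},
        "pvf": mac(DEST_KEY, dh),
    }


def router_forward(router_id: str, pkt: dict) -> bool:
    """Router: verify the source's tag for this hop (source authentication),
    then fold its own MAC into the path-validation field. Returns False to drop."""
    key = ROUTER_KEYS.get(router_id)
    if key is None:
        return False  # no key shared with the source: nothing to verify, drop
    dh = data_hash(pkt["header"], pkt["payload"])
    expected = mac(key, dh)
    if not hmac.compare_digest(pkt["ovf"].get(router_id, b"\0" * TAG_LEN), expected):
        return False  # payload altered in transit, or this router was never on the path
    pkt["pvf"] = mac(key, pkt["pvf"], dh)
    return True


def destination_verify(pkt: dict, intended_path: list) -> bool:
    """Destination recomputes the chained field for the intended path and
    compares it with what arrived: any skipped, added or reordered hop fails."""
    dh = data_hash(pkt["header"], pkt["payload"])
    expected = mac(DEST_KEY, dh)
    for r in intended_path:
        expected = mac(ROUTER_KEYS[r], expected, dh)
    return hmac.compare_digest(expected, pkt["pvf"])


def simulate(intended_path: list, actual_path: list, tamper_after: str = None) -> str:
    """Run one constructed packet through actual_path. tamper_after names the
    router after which an on-path attacker flips one payload byte."""
    pkt = source_send(b"src=10.0.0.1,dst=10.0.9.9", b"hello", intended_path)
    for r in actual_path:
        if not router_forward(r, pkt):
            return "dropped at " + r
        if r == tamper_after:
            pkt["payload"] = b"hellp"
    return "accepted" if destination_verify(pkt, intended_path) else "rejected"


if __name__ == "__main__":
    path = ["R1", "R2", "R3"]
    print(simulate(path, path))                        # accepted
    print(simulate(path, ["R1", "R3"]))                # rejected: R2 skipped
    print(simulate(path, ["R2", "R1", "R3"]))          # rejected: hops reordered
    print(simulate(path, path, tamper_after="R1"))     # dropped at R2: tag mismatch
    print(simulate(["R1", "R2"], ["R1", "R2", "R3"]))  # dropped at R3: not on path
```

The two checks fail in different places, which is the point of having both primitives: a modified packet is dropped at the next honest router (source authentication), whereas a packet that took the wrong route carries valid per-hop tags all the way and is only caught by the destination's chain recomputation (path validation). Per-packet cost at a router is two MAC computations, which is what makes a software-based implementation plausible.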
