Secure quality of service handling: SQoSH

Proposals for programmable network infrastructures, such as active networks and open signaling, provide programmers with access to network resources and data structures. The motivation for providing these interfaces is accelerated introduction of new services, but exposure of the interfaces introduces many new security risks. We describe some of the security issues raised by active networks. We then describe our secure active network environment (SANE) architecture. SANE was designed as a security infrastructure for active networks, and was implemented in the SwitchWare architecture. SANE restricts the actions that loaded modules can perform by restricting the resources that can be named; this is further extended to remote invocation by means of cryptographic credentials. SANE can be extended to support restricted control of quality of service in a programmable network element. The Piglet lightweight device kernel provides a "virtual clock" type of scheduling discipline for network traffic, and exports several tuning knobs with which the clock can be adjusted. The ALIEN active loader provides safe access to these knobs to modules that operate on the network element. Thus, the proposed SQoSH architecture is able to provide safe, secure access to network resources, while allowing these resources to be managed by end users needing customized networking services. A desirable consequence of SQoSH's integration of access control and resource control is that a large class of denial-of-service attacks, unaddressed solely with access control and cryptographic protocols, can now be prevented.
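The closing claim of the abstract, that combining access control with resource control blocks denial-of-service that access control alone does not, can be sketched as follows. This is an added illustration, not code from the paper, Piglet or ALIEN: it uses the textbook Virtual Clock discipline, and the `KnobHandle` class, the per-flow rate knob and its bound are hypothetical names and assumptions.

```python
import heapq

class VirtualClock:
    """Textbook Virtual Clock: a flow's clock advances by size/rate per packet."""
    def __init__(self, rates):
        self.rate = dict(rates)                 # flow -> reserved rate (bytes/s)
        self.vclock = {f: 0.0 for f in rates}   # flow -> last stamp issued
        self.heap, self.seq = [], 0

    def enqueue(self, flow, size, now):
        # A backlogged flow is stamped further into the future,
        # so its burst cannot jump ahead of other flows.
        stamp = max(now, self.vclock[flow]) + size / self.rate[flow]
        self.vclock[flow] = stamp
        heapq.heappush(self.heap, (stamp, self.seq, flow))
        self.seq += 1

    def drain(self):
        # Transmit in increasing stamp order; return the flow of each packet.
        return [heapq.heappop(self.heap)[2] for _ in range(len(self.heap))]

class KnobHandle:
    """Hypothetical handle given to a loaded module: it names one flow's
    rate knob only, and only up to the bound it was granted."""
    def __init__(self, sched, flow, max_rate):
        self._sched, self._flow, self._max = sched, flow, max_rate

    def set_rate(self, rate):
        if not 0 < rate <= self._max:
            raise PermissionError("rate outside granted bound")
        self._sched.rate[self._flow] = rate

def demo():
    sched = VirtualClock({"A": 1000.0, "B": 1000.0})  # constructed sample flows
    knob_a = KnobHandle(sched, "A", max_rate=1000.0)
    try:
        knob_a.set_rate(1e9)        # module A tries to claim the whole link
        denied = False
    except PermissionError:
        denied = True
    for _ in range(8):              # A then floods the queue...
        sched.enqueue("A", 100, now=0.0)
    for _ in range(2):              # ...before B's packets arrive
        sched.enqueue("B", 100, now=0.0)
    return denied, sched.drain()

if __name__ == "__main__":
    print(demo())
```

Module A is authorized to send and to tune its own knob, so access control alone would not stop the flood; the bounded knob plus the scheduler is what keeps B's packets from being starved.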
