DOI: 10.1145/2079296.2079326 (ACM CoNEXT conference proceedings, research article)

Verifying and enforcing network paths with icing

Published: 06 December 2011

Abstract

We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service.
While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.




Published In

CoNEXT '11: Proceedings of the Seventh COnference on emerging Networking EXperiments and Technologies, December 2011, 364 pages. ISBN: 9781450310413. DOI: 10.1145/2079296.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. NetFPGA
  2. consent
  3. default-off
  4. path enforcement

Qualifiers

  • Research-article

Conference

Co-NEXT '11

Acceptance Rate

Overall acceptance rate: 198 of 789 submissions (25%)

Article Metrics

  • Downloads (last 12 months): 43
  • Downloads (last 6 weeks): 8

Reflects downloads up to 03 Jan 2025.

Cited By

  • (2024) PoT-PolKA: Let the Edge Control the Proof-of-Transit in Path-Aware Networks. IEEE Transactions on Network and Service Management, 21(4):3681-3691, Aug. 2024. DOI: 10.1109/TNSM.2024.3389457
  • (2024) PathSec: Path-Aware Secure Routing with Native Path Verification and Auditability. 2024 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pages 1-7, 5 Nov. 2024. DOI: 10.1109/NFV-SDN61811.2024.10807493
  • (2024) A Lightweight Path Validation Scheme in Software-Defined Networks. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications, pages 731-740, 20 May 2024. DOI: 10.1109/INFOCOM52122.2024.10621099
  • (2024) SR-SL: A Secure and Low-Cost Path Validation Based on SRv6. ICC 2024 - IEEE International Conference on Communications, pages 4602-4607, 9 Jun. 2024. DOI: 10.1109/ICC51166.2024.10622407
  • (2023) FABRID. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 5755-5772, 9 Aug. 2023. DOI: 10.5555/3620237.3620559
  • (2023) Future Internet Architectures on an Emerging Scale—A Systematic Review. Future Internet, 15(5):166, 29 Apr. 2023. DOI: 10.3390/fi15050166
  • (2023) IsaNet. Journal of Computer Security, 31(3):217-259, 1 Jan. 2023. DOI: 10.3233/JCS-220021
  • (2023) SDN Data Plane Egress Peer Authentication Using DH-CHAP. 2023 IEEE Women in Technology Conference (WINTECHCON), pages 1-6, 21 Sep. 2023. DOI: 10.1109/WINTECHCON58518.2023.10277297
  • (2023) MASK: Practical Source and Path Verification Based on Multi-AS-Key. IEEE/ACM Transactions on Networking, 31(4):1478-1493, Aug. 2023. DOI: 10.1109/TNET.2022.3222610
  • (2023) Hummingbird: Dynamic Path Validation With Hidden Equal-Probability Sampling. IEEE Transactions on Information Forensics and Security, 18:1268-1282, 2023. DOI: 10.1109/TIFS.2023.3236806
