The role of network capabilities
Xiaowei [email protected]
UC Irvine
NSF FIND PI meeting, June 28 2007
Root cause of unwanted traffic
Any host can send to any destination without obtaining permissions
Network capabilities: ask-before-send
• [Anderson03], TVA, SIFF
1. Source requests permission to send.
2. Destination authorizes source for a limited transfer, e.g., 32KB in 10 secs
• A capability is the proof of a destination’s authorization.
3. Source places capabilities on packets and sends them.
4. Network filters packets based on capabilities.
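
The four steps above, as an added example that is not part of the original slides: a single-router model in which the router stamps a keyed pre-capability on the request, the destination binds it to a byte and time budget, and the router re-derives and enforces it on data packets. The HMAC construction, field names, addresses and key are assumptions of this sketch, not the wire format of TVA or SIFF.

```python
import hashlib
import hmac

ROUTER_SECRET = b"constructed-router-secret"  # assumption: one router, one key

def pre_capability(src, dst, ts):
    """Step 1: the router stamps this on a request packet it forwards."""
    msg = f"{src}|{dst}|{ts}".encode()
    return hmac.new(ROUTER_SECRET, msg, hashlib.sha256).digest()

def grant(pre_cap, n_bytes, t_secs):
    """Step 2: the destination authorizes n_bytes within t_secs."""
    return hashlib.sha256(pre_cap + f"|{n_bytes}|{t_secs}".encode()).digest()

class Router:
    """Step 4: filter data packets on the capability they carry."""
    def __init__(self):
        self.used = {}  # capability -> bytes already forwarded

    def forward(self, pkt, now):
        expected = grant(pre_capability(pkt["src"], pkt["dst"], pkt["ts"]),
                         pkt["n"], pkt["t"])
        if not hmac.compare_digest(expected, pkt["cap"]):
            return "drop: invalid capability"
        if now > pkt["ts"] + pkt["t"]:
            return "drop: expired"
        spent = self.used.get(pkt["cap"], 0) + pkt["size"]
        if spent > pkt["n"]:
            return "drop: byte budget exceeded"
        self.used[pkt["cap"]] = spent
        return "forward"

def demo():
    src, dst, ts = "10.0.0.1", "10.0.0.2", 100  # constructed values
    n, t = 32 * 1024, 10                        # the slide's 32KB in 10 secs
    cap = grant(pre_capability(src, dst, ts), n, t)
    router = Router()
    # Step 3: the source places the capability on each 16KB data packet.
    pkt = dict(src=src, dst=dst, ts=ts, n=n, t=t, cap=cap, size=16 * 1024)
    results = [router.forward(pkt, now) for now in (101, 102, 103)]
    results.append(router.forward(dict(pkt, src="10.0.0.9"), 104))  # other sender
    results.append(router.forward(dict(pkt, n=10**9), 104))  # inflated budget
    results.append(Router().forward(pkt, 111))               # past the 10 secs
    return results

if __name__ == "__main__":
    print(demo())
```

Because the router re-derives the capability from its own secret and the packet's fields, it keeps no per-flow state for validation; only the byte counter is stored.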
But attackers can flood request packets!
Request packets do not carry capabilities
Protecting request channel is different
Request packets can be rate limited
Protect established connections
Protecting request channel is different
Fair resource allocation to prevent attackers from overwhelming legitimate requests
Fair queuing, puzzles [Parno07]
Protecting request channel is different
Reliable filters close to attack sources
Cryptographic secure identifiers
The role of capabilities
Allow comprehensive DoS protection mechanisms to be deployed on a slow channel
Enable traffic authorization
Protect existing connections during attack