This paper proposes a future Internet architecture whose security foundations prevent today's major threats: IP spoofing, distributed denial-of-service attacks, distributed scanning and intrusions, and widespread worm infections. At the core of the architecture are source signatures that are attached to each packet by its creator host. These lightweight, unforgeable signatures make senders accountable for traffic they originate. They also enable spoofing elimination close to sources since they are verified at each router hop. The second layer of the architecture introduces route-independent, lightweight, unforgeable and short-lived packet tickets that act as capabilities. They indicate that the packet's destination agrees to receive traffic from a given source and eliminate some common denial-of-service attacks close to sources because they are verified at each router hop. The top layer contains a reputation system that collects server reports about malicious client behaviors. Reports include verifiable proofs of malicious behavior, which prevents lying, and are aggregated into a client's reputation. Reputations provide information about previously unseen clients to servers, which can use it to decide whether a client should be granted a ticket. Jointly, these three architectural layers introduce strong accountability into the future Internet.
Date of Conference: 19-19 Oct. 2008