High-Performance Capabilities for 1-Hop Containment of Network Attacks

Authors: Wolf, T. (Dept. of Electr. & Comput. Eng., Univ. of Massachusetts, Amherst, MA, USA); Natarajan, S.; Vasudevan, K.T.

Capabilities-based networks present a fundamental shift in the security design of network architectures. Instead of permitting the transmission of packets from any source to any destination, routers deny forwarding by default. For a transmission to succeed, a packet must positively identify itself and its permissions to each router it traverses. A major challenge for a high-performance implementation of such a network is an efficient design of the credentials carried in the packet and of the verification procedure on the router. We present a capabilities system that uses packet credentials based on Bloom filters. The credentials are of fixed length (independent of the number of routers traversed by the packet) and can be verified by a router with a few simple operations. This high-performance design of capabilities makes it feasible to verify traffic on every router in the network, so that most attack traffic can be contained within a single hop. We present an analysis of our design and a practical protocol implementation that effectively limits unauthorized traffic with only a small per-packet overhead.
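To make the mechanism in the abstract concrete, the following is an added illustration, not the authors' protocol or code: a credential issuer knows a secret shared with each router on the path, derives a per-hop token for the flow, and ORs the token's Bloom-filter bit positions into a fixed-size credential carried in the packet. Each router recomputes only its own token and checks that those bits are set, so verification cost does not grow with path length, and a packet without a valid credential is dropped at the first router that checks it. The token construction (HMAC-SHA256 over a flow identifier under a per-router key), the 256-bit filter size, the four hash positions, the key material and the flow identifiers are all assumptions made for this example; the paper's actual parameters are not given on this page.

```python
import hashlib
import hmac

# Bloom-filter credential parameters. These sizes are assumptions for this
# example, not values taken from the paper.
FILTER_BITS = 256        # fixed credential length, independent of path length
NUM_HASHES = 4           # bit positions set per router


def _token(router_key: bytes, flow_id: bytes) -> bytes:
    """Per-hop authorization token (assumed construction): HMAC-SHA256 of the
    flow identifier under a secret shared by the router and the issuer."""
    return hmac.new(router_key, flow_id, hashlib.sha256).digest()


def _bit_positions(token: bytes):
    """Derive NUM_HASHES Bloom-filter positions from 2-byte slices of the token."""
    for i in range(NUM_HASHES):
        word = int.from_bytes(token[2 * i:2 * i + 2], "big")
        yield word % FILTER_BITS


def issue_credential(path_keys, flow_id: bytes) -> bytes:
    """Issuer side: OR every on-path router's bit positions into one filter.
    The result is always FILTER_BITS // 8 bytes, however long the path is."""
    bits = 0
    for key in path_keys:
        for pos in _bit_positions(_token(key, flow_id)):
            bits |= 1 << pos
    return bits.to_bytes(FILTER_BITS // 8, "big")


def router_verify(router_key: bytes, flow_id: bytes, credential: bytes) -> bool:
    """Router side: one HMAC plus NUM_HASHES bit tests, regardless of path length."""
    bits = int.from_bytes(credential, "big")
    return all((bits >> pos) & 1 for pos in _bit_positions(_token(router_key, flow_id)))


def forward(path_keys, flow_id: bytes, credential: bytes) -> int:
    """Simulate hop-by-hop forwarding. Returns the number of routers the packet
    passed; len(path_keys) means it was delivered, 0 means dropped at the first hop."""
    for hop, key in enumerate(path_keys):
        if not router_verify(key, flow_id, credential):
            return hop
    return len(path_keys)


def false_positive_rate(num_routers: int) -> float:
    """Standard Bloom-filter estimate of the chance that an off-path or
    unauthorized router accepts a credential it was not issued for.
    This grows with path length even though the credential size does not."""
    m, k, n = FILTER_BITS, NUM_HASHES, num_routers
    return (1 - (1 - 1 / m) ** (k * n)) ** k


if __name__ == "__main__":
    # Constructed sample data: five on-path routers and one flow identifier.
    path = [b"router-key-%d" % i for i in range(5)]
    flow = b"10.0.0.1->10.0.0.2:443"
    cred = issue_credential(path, flow)
    print("credential bytes:", len(cred))
    print("authorized flow delivered after hops:", forward(path, flow, cred))
    print("different flow, same credential, dropped at hop:",
          forward(path, b"10.0.0.1->10.0.0.2:22", cred))
    print("estimated false-positive rate:", false_positive_rate(len(path)))
```

The caveat a practitioner should take from the last function: a Bloom filter trades fixed size for a non-zero false-positive probability, so an unauthorized packet is rejected with high probability rather than with certainty, and the probability of slipping past any one router rises as more routers' bits are packed into the same filter. Sizing the filter against the longest expected path is what keeps the "contained within a single hop" property meaningful.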

Published in: IEEE/ACM Transactions on Networking (Volume 21, Issue 6)