An incrementally deployable path address scheme

MyungKeun Yoon, Shigang Chen
2012 Journal of Parallel and Distributed Computing  
The research community has proposed numerous network security solutions, each dealing with a specific problem such as address spoofing, denial-of-service attacks, denial-of-quality attacks, reflection attacks, viruses, or worms. However, due to the lack of fundamental support from the Internet, individual solutions often share little common ground in their design, which causes a practical problem: deploying all these vastly different solutions will add exceedingly high complexity to the routers. In this paper, we propose a simple generic extension to the Internet, providing a new type of information, called path addresses, that simplifies the design of security systems for packet filtering, fair resource allocation, packet classification, IP traceback, filter push-back, etc. IP addresses are owned by end hosts; path addresses are owned by the network core, which is beyond the reach of the hosts. We describe how to enhance the Internet protocols for path addresses that meet the uniqueness requirement, completeness requirement, safety requirement, and incrementally deployable requirement. We evaluate the performance of our scheme both analytically and by simulations, which show that, at small overhead, the false positive ratio and the false negative ratio can both be made negligibly small.

remaining at the edge, the network core, which provides application-independent information, can be kept simple and stable. What is the new information that the network can provide to assist the development of security applications at the Internet edge? There can be many. The one we propose here is called the path address. A host on the Internet is identified by an IP address; a routing path on the Internet will be identified by a path address. The big question is, can path addresses help us in ways that IP addresses cannot? Below, we use a few examples to illustrate their differences. In the first example, suppose that a server under DoS attack attempts to identify the IP addresses of flooding sources and block the packets carrying those addresses. However, this approach will fail if malicious packets carry forged source addresses or a reflection attack is used to cover the true sources. In the second example, imagine that a server under DoQ attack tries to distribute its processing capacity fairly among the clients. It cannot perform such distribution based on IP addresses because there are too many of them.
A certain kind of aggregation will be necessary. In the third example, suppose that a victim has managed to capture an attack packet (say, containing a virus). Based on this single packet, before triggering law enforcement actions, how can the victim trace across the Internet back to the attacker, given that the source address in the packet may be a forged one? All the above problems cannot be reliably solved based on IP addresses in the packet header, which are set by the sender and may not be genuine. We need address information that is beyond the reach of end hosts. This new address

doi:10.1016/j.jpdc.2012.05.001