ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
SNAPP: stateless network-authenticated path pinning
Full text PdfPdf (274 KB)
Source ASIAN ACM Symposium on Information, Computer and Communications Security archive
Proceedings of the 2008 ACM symposium on Information, computer and communications security table of contents
Tokyo, Japan
SESSION: Network security (II) table of contents
Pages 168-178  
Year of Publication: 2008
ISBN:978-1-59593-979-1
Authors
Bryan Parno  Carnegie Mellon University
Adrian Perrig  Carnegie Mellon University
Dave Andersen  Carnegie Mellon University
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 22,   Downloads (12 Months): 75,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
Save this Article to a Binder    Display Formats: BibTex  EndNote ACM Ref   
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1368310.1368336
What is a DOI?

ABSTRACT

This paper examines a new building block for next-generation networks: SNAPP, or Stateless Network-Authenticated Path Pinning. SNAPP-enabled routers securely embed their routing decisions in the packet headers of a stream of traffic, effectively pinning a flow's path between sender and receiver. A sender can use the pinned path (even if routes subsequently change) by including the path embedding in later packet headers. This architectural building block decouples routing from forwarding, which greatly enhances the availability of a path in the face of routing misconfigurations or malicious attacks. To demonstrate the extreme flexibility of SNAPP, we show how it can support a wide range of applications, including sender-controlled paths, expensive route lookups, sender anonymity, and sender accountability. Our analysis shows that SNAPP's overhead is low, and the system is easily implemented in hardware. We believe that SNAPP is a worthy addition to the network architect's toolbox, enabling a variety of new designs and trade-offs.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
William Adjie-Winoto , Elliot Schwartz , Hari Balakrishnan , Jeremy Lilley, The design and implementation of an intentional naming system, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.186-201, December 12-15, 1999, Charleston, South Carolina, United States
2
David Andersen , Hari Balakrishnan , Frans Kaashoek , Robert Morris, Resilient overlay networks, Proceedings of the eighteenth ACM symposium on Operating systems principles, October 21-24, 2001, Banff, Alberta, Canada
 
3
T. Anderson, T. Roscoe, and D. Wetherall. Preventing Internet denial-of-service with capabilities. In Proceedings of Hotnets-II, Nov. 2003.
4
Katerina Argyraki , David R. Cheriton, Loose source routing as a mechanism for traffic policies, Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture, August 30-30, 2004, Portland, Oregon, USA  [doi>10.1145/1016707.1016718]
 
5
D. Awduche , L. Berger , D. Gan , T. Li , V. Srinivasan , G. Swallow, RSVP-TE: Extensions to RSVP for LSP Tunnels, RFC Editor, 2001
 
6
Mihir Bellare , Chanathip Namprempre, Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm, Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.531-545, December 03-07, 2000
 
7
John Black , Phillip Rogaway, A Block-Cipher Mode of Operation for Parallelizable Message Authentication, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology, p.384-397, May 02, 2002
 
8
V. J. Bono. 7007 explanation and apology. http://www.merit.edu/mail.archives/anog/1997-04/msg00444.html, Apr. 1997.
 
9
R. Braden , L. Zhang , S. Berson , S. Herzog , S. Jamin, Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification, RFC Editor, 1997
 
10
Girish P. Chandranmenon , George Varghese, Trading packet headers for packet processing, IEEE/ACM Transactions on Networking (TON), v.4 n.2, p.141-152, April 1996  [doi>10.1109/90.490742]
 
11
D. Chaum, The dining cryptographers problem: unconditional sender and recipient untraceability, Journal of Cryptology, v.1 n.1, p.65-75, 1988
 
12
B. Fortz and M. Thorup. Optimizing OSPF/IS-IS weights in a changing world. IEEE J-SAC, 20(4):756--767, May 2002.
 
13
Helion Technology Limited. High performance AES (Rijndael) cores for ASIC. Cambridge, England. Available at http://www.heliontech.com/. March 2007.
 
14
J. Jannotti. Network layer support for overlay networks. In Proc. 5th International Conference on Open Architectures and Network Programming (OPENARCH), New York, NY, June 2002.
15
Srikanth Kandula , Dina Katabi , Bruce Davie , Anna Charny, Walking the tightrope: responsive yet stable traffic engineering, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
16
Lun Li , David Alderson , Walter Willinger , John Doyle, A first-principles approach to understanding the internet's router-level topology, Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, August 30-September 03, 2004, Portland, Oregon, USA
 
17
S. Machiraju, M. Seshadri, and I. Stoica. A scalable and robust solution for bandwidth allocation. Technical Report UCB//CSD02-1176, University of California at Berkeley, 2002.
 
18
NSF workshop report. Overcoming barriers to disruptive innovation in networking, Jan. 2005.
19
Bryan Parno , Dan Wendlandt , Elaine Shi , Adrian Perrig , Bruce Maggs , Yih-Chun Hu, Portcullis: protecting connection setup from denial-of-capability attacks, Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, August 27-31, 2007, Kyoto, Japan
20
Barath Raghavan , Alex C. Snoeren, A system for authenticated policy-compliant routing, Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, August 30-September 03, 2004, Portland, Oregon, USA
21
Michael K. Reiter , Aviel D. Rubin, Crowds: anonymity for Web transactions, ACM Transactions on Information and System Security (TISSEC), v.1 n.1, p.66-92, Nov. 1998  [doi>10.1145/290163.290168]
 
22
E. Rosen , A. Viswanathan , R. Callon, Multiprotocol Label Switching Architecture, RFC Editor, 2001
 
23
S. Sinha, S. Kandula, and D. Katabi. Harnessing TCP's burstiness with flowlet switching. In Proc. 3rd ACM Workshop on Hot Topics in Networks (Hotnets-III), San Diego, CA, Nov. 2004.
24
Ion Stoica , Daniel Adkins , Shelley Zhuang , Scott Shenker , Sonesh Surana, Internet indirection infrastructure, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
25
I. Stoica and H. Zhang. Lira: An approach for service differentiation in the internet. In Proceedings of NOSSDAV, June 1998.
 
26
Paul F. Syverson , David M. Goldschlag , Michael G. Reed, Anonymous Connections and Onion Routing, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.44, May 04-07, 1997
 
27
J. Touch and S. Hotz. The X-Bone. In Proc. 3rd Global Internet Mini-Conference in conjunction with IEEE Globecom, 1998.
 
28
A. Yaar, A. Perrig, and D. Song. SIFF: An endhost capability mechanism to mitigate DDoS flooding attacks. In Proceedings of IEEE Symposium on Security and Privacy, May 2004.
 
29
Xiaowei Yang , David Clark, Nira: a new internet routing architecture, Massachusetts Institute of Technology, Cambridge, MA, 2004
30
Xiaowei Yang , David Wetherall , Thomas Anderson, A DoS-limiting network architecture, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
 
31
Ming Zhang , Brad Karp , Sally Floyd , Larry Peterson, RR-TCP: A Reordering-Robust TCP with DSACK, Proceedings of the 11th IEEE International Conference on Network Protocols, p.95, November 04-07, 2003
32
Xiaoliang Zhao , Dan Pei , Lan Wang , Dan Massey , Allison Mankin , S. Felix Wu , Lixia Zhang, An analysis of BGP multiple origin AS (MOAS) conflicts, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA  [doi>10.1145/505202.505207]

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.1 Network Architecture and Design


General Terms:
Design, Reliability, Security


Keywords:
next-generation networks, path pinning

Collaborative Colleagues:
Bryan Parno: colleagues
Adrian Perrig: colleagues
Dave Andersen: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2008 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player