TY - GEN
T1 - Verifying and enforcing network paths with icing
AU - Naous, Jad
AU - Walfish, Michael
AU - Nicolosi, Antonio
AU - Mazières, David
AU - Miller, Michael
AU - Seehra, Arun
PY - 2011
Y1 - 2011
N2 - We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.
AB - We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.
KW - NetFPGA
KW - consent
KW - default-off
KW - path enforcement
UR - http://www.scopus.com/inward/record.url?scp=84889753542&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84889753542&partnerID=8YFLogxK
U2 - 10.1145/2079296.2079326
DO - 10.1145/2079296.2079326
M3 - Conference contribution
AN - SCOPUS:84889753542
SN - 9781450310413
T3 - Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11
BT - Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11
T2 - 7th ACM International Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11
Y2 - 6 December 2011 through 9 December 2011
ER -