NSDI '08 – Abstract
Pp. 365–378 of the Proceedings
Passport: Secure and Adoptable Source Authentication
Xin Liu, Ang Li, and Xiaowei Yang, University of California, Irvine; David Wetherall, Intel Research Seattle and University of Washington
Abstract
We present the design and evaluation of Passport, a system that allows
source addresses to be validated within the network. Passport uses
efficient, symmetric-key cryptography to place tokens on packets that
allow each autonomous system (AS) along the network path to
independently verify that a source address is valid. It leverages the
routing system to efficiently distribute the symmetric keys used for
verification, and is incrementally deployable without upgrading
hosts. We have implemented Passport with Click and XORP and evaluated the
design via micro-benchmarking, experiments on Deterlab, security
analysis, and adoptability modeling. We find that Passport is
plausible for gigabit links, and can mitigate reflector attacks even
without separate denial-of-service defenses. Our adoptability modeling
shows that Passport provides stronger security and deployment
incentives than alternatives such as ingress filtering. This is
because the ISPs that adopt it protect their own addresses from being
spoofed at each other's networks even when the overall deployment is
small.
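To make the mechanism the abstract describes concrete, the following Python simulation is an added example, not code from the paper or its Click/XORP implementation. It models the per-AS token check: the border router of the source AS places one symmetric-key token per downstream AS on each packet, and each adopting AS verifies only its own token with the key it shares with the AS that owns the packet's source prefix. The prefix-to-AS table, the pre-shared pairwise keys (standing in for the keys Passport distributes through the routing system), the truncated-HMAC token format and the set of packet fields it covers are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

MAC_LEN = 8  # assumed per-hop token size in bytes (truncated HMAC)

# Constructed prefix-to-origin-AS table, standing in for what a router learns from BGP.
ORIGIN_AS = {
    ipaddress.ip_network("10.1.0.0/16"): 100,
    ipaddress.ip_network("10.2.0.0/16"): 200,
    ipaddress.ip_network("10.3.0.0/16"): 300,
    ipaddress.ip_network("10.4.0.0/16"): 400,
}


def origin_as(ip: str) -> int:
    """AS that owns the prefix containing ip (constructed table, prefixes do not overlap)."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ORIGIN_AS.items():
        if addr in net:
            return asn
    raise KeyError(f"no origin AS for {ip}")


def make_keys(as_list):
    """Constructed pairwise keys. Passport derives these through the routing
    system; here they are pre-shared so the example runs offline."""
    return {
        (a, b): hashlib.sha256(f"demo-key-{a}-{b}".encode()).digest()
        for a in as_list for b in as_list if a < b
    }


def shared_key(keys, a, b):
    return keys[(min(a, b), max(a, b))]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes
    tokens: dict = field(default_factory=dict)  # hypothetical Passport header: AS number -> token


def token(key, pkt):
    """MAC over fields that do not change in flight (which fields are covered is assumed here)."""
    msg = b"|".join([pkt.src_ip.encode(), pkt.dst_ip.encode(), hashlib.sha256(pkt.payload).digest()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def stamp(pkt, stamping_as, path, keys):
    """Border router of stamping_as adds one token per downstream AS on the path,
    each computed with the key it shares with that AS. It only holds its own
    keys, so it cannot produce tokens that verify as coming from another AS."""
    for hop in path:
        pkt.tokens[hop] = token(shared_key(keys, stamping_as, hop), pkt)
    return pkt


def verify(pkt, this_as, keys, deployed):
    """Decision at the border of this_as: True = forward, False = drop."""
    if this_as not in deployed:
        return True  # non-adopting AS forwards everything unchecked
    claimed_as = origin_as(pkt.src_ip)
    if claimed_as == this_as:
        return False  # own prefix arriving from outside: plain ingress filtering
    if claimed_as not in deployed:
        return True  # no key shared with a non-adopter, so nothing to check against
    expected = token(shared_key(keys, this_as, claimed_as), pkt)
    return hmac.compare_digest(pkt.tokens.get(this_as, b""), expected)


def forward(pkt, stamping_as, path, keys, deployed):
    """Send pkt out of stamping_as along path; return the AS that dropped it, or None if delivered."""
    if stamping_as in deployed:
        stamp(pkt, stamping_as, path, keys)
    for hop in path:
        if not verify(pkt, hop, keys, deployed):
            return hop
    return None


KEYS = make_keys([100, 200, 300, 400])
DEPLOYED = {100, 200, 400}  # partial deployment: AS 300 has not adopted


def scenarios():
    # legitimate packet: host in AS 100 reaches AS 400 via AS 200
    legit = forward(Packet("10.1.0.5", "10.4.0.9", b"hello"), 100, [200, 400], KEYS, DEPLOYED)
    # AS 100's address used from non-adopting AS 300: no tokens, dropped at the first adopter
    spoof_from_nonadopter = forward(Packet("10.1.0.5", "10.4.0.9", b"x"), 300, [200, 400], KEYS, DEPLOYED)
    # AS 100's address used from adopting AS 400: tokens carry AS 400's keys, not AS 100's
    spoof_from_adopter = forward(Packet("10.1.0.5", "10.2.0.9", b"x"), 400, [200], KEYS, DEPLOYED)
    # non-adopter AS 300's address used from AS 400: no adopter holds a key for AS 300, so it passes
    spoof_of_nonadopter = forward(Packet("10.3.0.7", "10.1.0.9", b"x"), 400, [200, 100], KEYS, DEPLOYED)
    return legit, spoof_from_nonadopter, spoof_from_adopter, spoof_of_nonadopter


if __name__ == "__main__":
    print(scenarios())
```

The four scenarios reproduce the deployment-incentive argument in the abstract: both packets carrying AS 100's address are dropped at AS 200 regardless of whether the originating AS has deployed Passport, because only AS 100's border router holds the keys that AS 200 and AS 400 check against, while the address of the non-adopting AS 300 receives no protection.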
The Proceedings are published as a collective work, © 2008 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.