Abstract: We propose that accountability be a first-class network service, independent of addressing and routing. We design a scheme for allowing accountability services, rather than connectivity-providing ISPs, to vouch for traffic, allowing victims to report abuse, filter abusive traffic, and isolate malicious senders. We discuss how accountability services may evolve, how they may facilitate new applications, and the implications of shifting the burden of network policing to a dedicated service.
To identify an ISP that does not check certificates in packets, R may trace packets it receives back to their source ISP using Passports [15]. P1 arranges a shared key, ki, between itself and each ISP Pi on the path to R. To do so, P1 must have each Pi's public key, which is distributed in BGP. The public key infrastructure (PKI) used by Passports is separate from any accountability service's PKI. For each Pi, P1 inserts into every packet from S to R Pi's AS number and the hash hi = h(pkt, ts, certS, ki). When Pi receives the packet, it checks the hash and drops the packet if the hash is invalid or missing. R may examine the list of ISPs in its incoming packets not only to trace a packet back to P1, but also to present evidence of non-compliance to ISPs that presumably have a shared key with P1. If R receives a packet with an invalid certificate, it can show to any Pi on the S-R path a packet from S that was hashed by P1 using the shared key of P1 and Pi. Pi would be able to verify that certS is invalid (by using Apub), thereby proving that P1 did not check it. Pi could in turn issue an abuse report to P1 or, in an extreme case, not accept any further traffic from P1.
Figure 1: Ensuring the source ISP verifies certificates and enforcing that certificate holders compute valid signatures. Shaded regions represent pieces not verified at the next hop. A firewall operating on the receiver's behalf filters incoming traffic; the firewall may be colocated with the receiver or protect an access link.
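The per-ISP hash check and the evidence check described above can be sketched as follows. This is an added example, not code from the paper: it assumes h is HMAC-SHA256 over length-prefixed fields, replaces verification of certS with Apub by a stand-in function, and all function names, keys, AS numbers and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

def passport_hash(pkt, ts, cert_s, k_i):
    """h(pkt, ts, certS, ki), modeled here as HMAC-SHA256 (assumption)."""
    fields = (pkt, struct.pack("!Q", ts), cert_s)
    # Length-prefix each field so bytes cannot be shifted between fields.
    msg = b"".join(struct.pack("!I", len(f)) + f for f in fields)
    return hmac.new(k_i, msg, hashlib.sha256).digest()

def stamp(pkt, ts, cert_s, path_keys):
    """P1: emit one (AS number, hi) entry per ISP Pi on the path to R."""
    return [(asn, passport_hash(pkt, ts, cert_s, k)) for asn, k in path_keys.items()]

def transit_check(asn, k_i, pkt, ts, cert_s, passports):
    """Pi: forward only if its own entry is present and the hash verifies."""
    for entry_asn, h_i in passports:
        if entry_asn == asn:
            return hmac.compare_digest(h_i, passport_hash(pkt, ts, cert_s, k_i))
    return False  # missing entry: drop

def proves_p1_skipped_check(asn, k_i, pkt, ts, cert_s, passports, cert_is_valid):
    """Pi judging R's evidence: P1 stamped this packet AND certS is invalid."""
    stamped_by_p1 = transit_check(asn, k_i, pkt, ts, cert_s, passports)
    return stamped_by_p1 and not cert_is_valid(cert_s)

# Constructed sample data (documentation AS numbers, made-up keys and packet).
PATH_KEYS = {64500: b"k2-shared-with-P2", 64501: b"k3-shared-with-P3"}
PKT, TS, BAD_CERT = b"payload from S to R", 1700000000, b"cert-not-signed-by-A"

def cert_is_valid(cert_s):
    """Stand-in for verifying certS with Apub; only b'cert-signed-by-A' passes."""
    return cert_s == b"cert-signed-by-A"

if __name__ == "__main__":
    passports = stamp(PKT, TS, BAD_CERT, PATH_KEYS)
    print("P2 forwards:", transit_check(64500, PATH_KEYS[64500], PKT, TS, BAD_CERT, passports))
    print("P3 accepts R's evidence:", proves_p1_skipped_check(
        64501, PATH_KEYS[64501], PKT, TS, BAD_CERT, passports, cert_is_valid))
```

Because the evidence check first recomputes the hash under the key Pi shares with P1, R cannot frame P1 with a packet that P1 never stamped.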
Accountability may be proxied (and thus used in overlay networks). S can request that entity S' act as a proxy for S, then arrange a shared key k' with the ISP of S' and give S' the accountability information that it needs to send packets through its ISP: gs, certS, and h(pkt, ts, certS, k'). ISPs may have an incentive to offer accountability services to their customers, as doing so would eliminate the otherwise necessary proxying and reduce accountability request messages. Peering agreements would also influence ISPs; if an ISP is forced to do excessive proxying for its customer ISP, for example, it could impose penalties as defined in a service-level agreement.
Figure 2: When S wants to send to R, and S's ISP does not support accountability, S must find the first ISP on the path to R that does, ISPi. ISPi then verifies S's signatures and inserts Passports.