Verifying and enforcing network paths with ICING
Proceedings of the ACM International Conference on Emerging Networking Experiments and Technologies (CoNEXT) 2011.
Areas: Security, Networking
Abstract
We describe a new networking primitive, called a Path Verification
Mechanism (PVM). There has been much recent work about how senders and
receivers express policies about the paths that their packets take.
For instance, a company might want fine-grained control over which
providers carry which traffic between its branch offices, or a receiver
may want traffic sent to it to travel through an intrusion detection
service.
While the ability to express policies has been well-studied, the ability
to enforce policies has not. The core challenge is: if we assume an
adversarial, decentralized, and high-speed environment, then when a
packet arrives at a node, how can the node be sure that the packet
followed an approved path? Our solution, ICING, incorporates an
optimized cryptographic construction that is compact, and requires
negligible configuration state and no PKI. We demonstrate ICING's
plausibility with a NetFPGA hardware implementation. At 93% more costly
than an IP router on the same platform, its cost is significant but
affordable. Indeed, our evaluation suggests that ICING can scale to
backbone speeds.