David G. Andersen
Hari Balakrishnan
Scott Shenker
ABSTRACT
This paper presents AIP (Accountable Internet Protocol), a network architecture that provides accountability as a first-order property. AIP uses a hierarchy of self-certifying addresses, in which each component is derived from the public key of the corresponding entity. We discuss how AIP enables simple solutions to source spoofing, denial-of-service, route hijacking, and route forgery. We also discuss how AIP's design meets the challenges of scaling, key management, and traffic engineering.
- ITRS international technology roadmap for semiconductors, 2006.Google Scholar
- D. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, and S. Shenker. Holding the Internet accountable. In Proc. 6th ACM Workshop on Hot Topics in Networks (Hotnets-VI), Nov. 2007. Google ScholarDigital Library
- APNIC. The APNIC Resource Certification Page. http://mirin.apnic.net/resourcecerts/.Google Scholar
- K. Argyraki and D. R. Cheriton. Active Internet traffic filtering: Real-time response to denial-of-service attacks. In Proc. USENIX Annual Technical Conference, Apr. 2005. Google ScholarDigital Library
- T. Aura. Cryptographically Generated Addresses (CGA). Internet Engineering Task Force, Mar. 2005. RFC 3972.Google ScholarCross Ref
- R. Beverly and S. Bauer. The Spoofer project: Inferring the extent of source address filtering on the Internet. In Proc. SRUTI Workshop, July 2005. Google ScholarDigital Library
- CNET News.com. Router Glitch Cuts Net Access. http://news.com.com/2100-1033-279235.html, Apr. 1997.Google Scholar
- Z. Duan, X. Yuan, and J. Chandrashekar. Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates. In Proc. IEEE INFOCOM, Mar. 2006.Google ScholarCross Ref
- D. Farinacci, V. Fuller, D. Oran, and D. Meyer. Locator/ID Separation Protocol (LISP). Internet Engineering Task Force, Apr. 2008. Internet Draft (http://tools.ietf.org/html/draft-farinacci-lisp-07). Work in progress, expires October 2008.Google Scholar
- P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. Internet Engineering Task Force, Jan. 1998. RFC 2267. Google ScholarDigital Library
- P. Ferguson and D. Senie. Network Ingress Filtering. Internet Engineering Task Force, May 2000. BCP 38, RFC 2827.Google Scholar
- V. Fuller. Scaling issues with routing+multihoming, Feb. 2007. Plenary session at APRICOT, the Asia Pacific Regional Internet Conference on Operational Technologies.Google Scholar
- G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin. Working around BGP: An incremental approach to improving security and accuracy in interdomain routing. In Proc. NDSS, Feb. 2003.Google Scholar
- G. Huston, G. Michaelson, and R. Loomans. A Profile for Resource Certificate Repository Structure. Internet Engineering Task Force, June 2006. http://mirin.apnic.net/resourcecerts/project-notes/draft-ietf-sidr-repos-struct-00.html.Google Scholar
- J. Karlin, S. Forrest, and J. Rexford. Pretty Good BGP: Protecting BGP by cautiously selecting routes. Technical report, University of New Mexico, Oct. 2005. TR-CS-2005-37.Google Scholar
- F. Kastenholz. ISLAY: A New Routing and Addressing Architecture. Internet Engineering Task Force, May 2002. http://ietfreport.isoc.org/idref/draft-irtf-routing-islay/.Google Scholar
- S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. Internet Engineering Task Force, Nov. 1998. RFC 2401. Google ScholarDigital Library
- S. Kent, C. Lynn, and K. Seo. Secure border gateway protocol (S-BGP). IEEE JSAC, 18 (4): 582--592, Apr. 2000. Google ScholarDigital Library
- T. Killalea. Internet Service Provider Security Services and Procedures. Internet Engineering Task Force, Nov. 2000. RFC 3013. Google ScholarDigital Library
- D. Krioukov, kc claffy, K. Fall, and A. Brady. On Compact Routing for the Internet. ACM Computer Communications Review, 37 (3): 41--52, July 2007. Google ScholarDigital Library
- M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang. AS: A prefix hijack alert system. In Proc. 15th USENIX Security Symposium, Aug. 2006. Google ScholarDigital Library
- J. Leskovec, J. Kleinberg, and C. Faloutsos. Graphs over time: Densification laws, shrinking diameters and possible explanations. In Proc. 11th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Aug. 2005. Google ScholarDigital Library
- J. Li, R. Bush, Z. M. Mao, T. Griffin, M. Roughan, D. Stutzbach, and E. Purpus. Watching data streams toward a multi-homed sink under routing changes introduced by a BGP beacon. In Passive & Active Measurement (PAM), Mar. 2006.Google Scholar
- X. Liu, X. Yang, D. Wetherall, and A. Li. Passport: Secure and Adoptable Source Authentication. In Proc. 5th USENIX NSDI, Apr. 2008. Google ScholarDigital Library
- D. Mazières, M. Kaminsky, M. F. Kaashoek, and E. Witchel. Separating key management from file system security. In Proc. 17th ACM Symposium on Operating Systems Principles (SOSP), pages 124--139, Dec. 1999. Google ScholarDigital Library
- D. McCullagh. How Pakistan knocked YouTube offline. http://news.cnet.com/8301-10784_3-9878655-7.html, Feb. 2008.Google Scholar
- D. Meyer, L. Zhang, and K. Fall. Report from the IAB Workshop on Routing and Addressing. Internet Engineering Task Force, Sept. 2007. RFC 4984.Google ScholarCross Ref
- R. Moskowitz and P. Nikander. Host Identity Protocol (HIP) Architecture. Internet Engineering Task Force, May 2006. RFC 4423.Google ScholarCross Ref
- M. Ohta. 8+8 Addressing for IPv6 End to End Multihoming, Jan. 2004. draft-ohta-multi6-8plus8-00 (Expired IETF Draft).Google Scholar
- K. Park and H. Lee. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proc. ACM SIGCOMM, Aug. 2001. Google ScholarDigital Library
- A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. In Proc. ACM SIGCOMM, Aug. 2006. An earlier version appeared as Georgia Tech TR GT-CSS-2006-001. Google ScholarDigital Library
- A. Ramachandran and N. Feamster. Understanding the network-level behavior of spammers. In Proc. ACM SIGCOMM, Aug. 2006. Google ScholarDigital Library
- Renesys. Renesys Routing Intelligence. http://www.renesys.com/products_services/routing_intelligence.shtml.Google Scholar
- M. Shaw. Leveraging good intentions to reduce unwanted network traffic. In Proc. USENIX Steps to Reduce Unwanted Traffic on the Internet workshop, July 2006. Google ScholarDigital Library
- G. Siganos and M. Faloutsos. Analyzing BGP Policies: Methodology and Tool. In Proc. IEEE INFOCOM, Mar. 2004.Google ScholarCross Ref
- T. L. Simon. oof. panix sidelined by incompetence... again. http://merit.edu/mail.archives/nanog/2006-01/msg00483.html, Jan. 2006.Google Scholar
- A. C. Snoeren and H. Balakrishnan. An end-to-end approach to host mobility. In Proc. ACM Mobicom, pages 155--166, Aug. 2000. Google ScholarDigital Library
- Spammer-X. Inside the SPAM Cartel. Syngress, 2004. Page 40. Google ScholarDigital Library
- G. Varghese. Network Algorithmics. Morgan Kaufmann, 2007.Google Scholar
- P. Verkaik, A. Broido, kc claffy, R. Gao, Y. Hyun, and R. van der Pol. Beyond CIDR aggregation. Technical Report TR-2004-01, CAIDA, Feb. 2004.Google Scholar
- Q. Vohra and E. Chen. BGP Support for Four-octet AS Number Space. Internet Engineering Task Force, May 2007. RFC 4893.Google ScholarCross Ref
- M. Walfish, J. Stribling, M. Krohn, H. Balakrishnan, R. Morris, and S. Shenker. Middleboxes no longer considered harmful. In Proc. 6th USENIX OSDI, Dec. 2004. Google ScholarDigital Library
- R. White. Securing BGP through secure origin BGP. The Internet Protocol Journal, 6 (3), Sept. 2003. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-3/ipj_6-3.pdf.Google Scholar
- Q. Wu, Y. Liao, T. Wolf, and L. Gao. Benchmarking BGP routers. In Proc. IEEE International Symposium on Workload Characterization (IISWC), Sept. 2007. Google ScholarDigital Library
- X. Zhang, P. Francis, J. Wang, and K. Yoshida. Scaling IP routing with the core router-integrated overlay. In IEEE International Conference on Network Protocols (ICNP), Nov. 2006. Google ScholarDigital Library
Index Terms
- Accountable internet protocol (aip)
Recommendations
Accountable internet protocol (aip)
This paper presents AIP (Accountable Internet Protocol), a network architecture that provides accountability as a first-order property. AIP uses a hierarchy of self-certifying addresses, in which each component is derived from the public key of the ...
Accountable Anonymity: A Proxy Re-Encryption Based Anonymous Communication System
ICPADS '12: Proceedings of the 2012 IEEE 18th International Conference on Parallel and Distributed SystemsWhile several well-developed anonymous services have been made available on-line to protect Internet user's privacy, we have seen that due to the lack of accountability, they have often been exploited by criminals to conduct various illegal activities (...
Duck Attack on Accountable Distributed Systems
MobiQuitous 2017: Proceedings of the 14th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and ServicesAccountability plays a key role in dependable distributed systems. It allows to detect, isolate and churn malicious/selfish nodes that deviate from a prescribed protocol. To achieve these properties, several accountable systems use at their core ...
Comments