Verifying and enforcing network paths with icing

Jad Naous, Michael Walfish, Antonio Nicolosi, David Mazières, Michael Miller, Arun Seehra

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.

Original language: English (US)
Title of host publication: Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11
DOIs: 10.1145/2079296.2079326
State: Published - 2011
Event: 7th ACM International Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11 - Tokyo, Japan
Duration: Dec 6 2011 to Dec 9 2011

Other

Other: 7th ACM International Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11
Country: Japan
City: Tokyo
Period: 12/6/11 to 12/9/11

Fingerprint

Intrusion detection
Routers
Hardware
Costs
Industry

Keywords

  • consent
  • default-off
  • NetFPGA
  • path enforcement

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Naous, J., Walfish, M., Nicolosi, A., Mazières, D., Miller, M., & Seehra, A. (2011). Verifying and enforcing network paths with icing. In Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11 https://doi.org/10.1145/2079296.2079326

Verifying and enforcing network paths with icing. / Naous, Jad; Walfish, Michael; Nicolosi, Antonio; Mazières, David; Miller, Michael; Seehra, Arun.

Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11. 2011.


Naous, J, Walfish, M, Nicolosi, A, Mazières, D, Miller, M & Seehra, A 2011, Verifying and enforcing network paths with icing. in Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11. 7th ACM International Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11, Tokyo, Japan, 12/6/11. https://doi.org/10.1145/2079296.2079326
Naous J, Walfish M, Nicolosi A, Mazières D, Miller M, Seehra A. Verifying and enforcing network paths with icing. In Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11. 2011 https://doi.org/10.1145/2079296.2079326
Naous, Jad ; Walfish, Michael ; Nicolosi, Antonio ; Mazières, David ; Miller, Michael ; Seehra, Arun. / Verifying and enforcing network paths with icing. Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11. 2011.
@inproceedings{c397a6cb04094328966923ea032ea12e,
title = "Verifying and enforcing network paths with icing",
abstract = "We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93{\%} more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.",
keywords = "consent, default-off, NetFPGA, path enforcement",
author = "Jad Naous and Michael Walfish and Antonio Nicolosi and David Mazi{\`e}res and Michael Miller and Arun Seehra",
year = "2011",
doi = "10.1145/2079296.2079326",
language = "English (US)",
isbn = "9781450310413",
booktitle = "Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11",

}

TY - GEN

T1 - Verifying and enforcing network paths with icing

AU - Naous, Jad

AU - Walfish, Michael

AU - Nicolosi, Antonio

AU - Mazières, David

AU - Miller, Michael

AU - Seehra, Arun

PY - 2011

Y1 - 2011

N2 - We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.

AB - We describe a new networking primitive, called a Path Verification Mechanism (pvm). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, icing, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate icing's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that icing can scale to backbone speeds.

KW - consent

KW - default-off

KW - NetFPGA

KW - path enforcement

UR - http://www.scopus.com/inward/record.url?scp=84889753542&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84889753542&partnerID=8YFLogxK

U2 - 10.1145/2079296.2079326

DO - 10.1145/2079296.2079326

M3 - Conference contribution

SN - 9781450310413

BT - Proceedings of the 7th Conference on Emerging Networking EXperiments and Technologies, CoNEXT'11

ER -