Permission-Based Sending (PBS) is a signaling architecture for network traffic authorization. This architecture aims to prevent Denial-of-Service (DoS) attacks and other forms of unauthorized traffic.
PBS uses an explicit permission to give legitimate packets the authority to send. The explicit permission differentiates benign traffic from malicious traffic and bounds the severity of an attack. To install permission state at routers along the data path, PBS uses the suite of IP signaling protocols developed by the IETF Next Steps in Signaling (NSIS) working group, and introduces a new signaling application protocol in NSIS. The NSIS protocol suite consists of two layers: the NSIS Transport Layer Protocol (NTLP) and the NSIS Signaling Layer Protocols (NSLPs). The NTLP determines how to reach the next NSIS node along the data path (routing) and delivers signaling messages to that peer (transport); the NSLPs carry the application-specific signaling. We propose a new NSLP, the PBS NSLP, for network traffic authorization.
PBS protects permission setup and revocation by encrypting signaling message objects with public-key cryptography. The IPsec Authentication Header (AH) provides authentication and integrity for the data packets. Because the AH key of a flow is shared with the routers on the path, PBS lets those routers verify AH-protected packets of a transport-mode IPsec association between the two end hosts, rather than leaving verification to the receiving host alone.
A compromised router on the data path that knows the shared IPsec key can flood the receiver with packets that pass the AH check. A compromised router can also drop legitimate packets. Furthermore, an attacker who controls compromised routers can obtain the shared IPsec key. To counter these attacks in Byzantine networks, PBS monitors network traffic and detects attacks with the PBS Detection Algorithm (PDA). The PDA reuses the existing signaling messages and the soft state of the system: after the permission is granted, the sender periodically sends a signaling message containing the volume of data it has sent, and the receiver compares that figure with the volume it has actually received. If the two volumes differ, the receiver suspects an attack and, based on the detection, asks the sender to react against it.
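The following is an added example, not code from the PBS project, that models the three mechanisms described above in one toy path: per-flow permission state held in a hash table at each hop, a per-packet AH-style integrity check with the shared key, and the PDA comparison of the sender's reported volume against the receiver's count. Permission setup is modelled as direct installation of the table entry (the encrypted NSLP signaling is not reproduced), the ICV is a truncated HMAC standing in for real AH processing, and the flow key, byte counts, node names and the flooding/dropping behaviour of the compromised router are all assumptions for the example. Classifying a mismatch as injection or drop by its sign goes beyond the page, which only says that a mismatch is suspected as an attack.

```python
"""Toy PBS path: permission tables, AH-style ICV check, and the PDA volume check."""
import hashlib
import hmac
from dataclasses import dataclass

FlowId = tuple  # (src, dst, proto, sport, dport); assumed flow-table key
KEY = b"assumed-shared-ah-key"  # constructed; the per-flow key routers receive at setup


@dataclass
class Permission:
    key: bytes           # shared key used to verify the AH of this flow
    granted_bytes: int   # volume the receiver authorised
    used_bytes: int = 0  # volume consumed so far at this hop


@dataclass
class Packet:
    flow: FlowId
    seq: int
    payload: bytes
    icv: bytes           # stand-in for the AH integrity check value


def compute_icv(key: bytes, flow: FlowId, seq: int, payload: bytes) -> bytes:
    """Simplified AH ICV: HMAC-SHA256 over the immutable fields, truncated to 96 bits.
    A stand-in for RFC 4302 processing, not a real AH header."""
    data = repr(flow).encode() + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


class Node:
    """PBS-aware hop: hash table of permissions, ICV check, per-flow volume accounting."""

    def __init__(self, name: str):
        self.name = name
        self.permissions: dict = {}     # flow -> Permission
        self.received_bytes: dict = {}  # flow -> bytes accepted
        self.dropped: list = []         # (seq, reason) for packets refused here

    def accept(self, pkt: Packet) -> bool:
        perm = self.permissions.get(pkt.flow)
        if perm is None:
            self.dropped.append((pkt.seq, "no permission state"))
            return False
        expected = compute_icv(perm.key, pkt.flow, pkt.seq, pkt.payload)
        if not hmac.compare_digest(pkt.icv, expected):
            self.dropped.append((pkt.seq, "AH check failed"))
            return False
        if perm.used_bytes + len(pkt.payload) > perm.granted_bytes:
            self.dropped.append((pkt.seq, "permission exhausted"))
            return False
        perm.used_bytes += len(pkt.payload)
        self.received_bytes[pkt.flow] = self.received_bytes.get(pkt.flow, 0) + len(pkt.payload)
        return True


class CompromisedRouter(Node):
    """Byzantine hop that knows KEY. 'flood' injects a valid-looking extra packet per
    forwarded packet, 'drop' discards every odd-numbered legitimate packet, 'honest'
    forwards unchanged. Assumed attacker behaviours for the example."""

    def __init__(self, name: str, mode: str):
        super().__init__(name)
        self.mode = mode

    def forward(self, pkt: Packet) -> list:
        if self.mode == "drop" and pkt.seq % 2 == 1:
            return []
        out = [pkt]
        if self.mode == "flood":
            bogus = Packet(pkt.flow, 10_000 + pkt.seq, b"X" * 100, b"")
            bogus.icv = compute_icv(KEY, bogus.flow, bogus.seq, bogus.payload)  # passes AH check
            out.append(bogus)
        return out


def pda_check(receiver: Node, report: dict) -> str:
    """PDA at the receiver: compare the sender's reported volume with what arrived."""
    got = receiver.received_bytes.get(report["flow"], 0)
    if got == report["sent_bytes"]:
        return "ok"
    return "suspect-injection" if got > report["sent_bytes"] else "suspect-drop"


def run_path(mode: str, n_packets: int = 8) -> dict:
    """Sender -> R1 (honest) -> R2 (mode) -> receiver, then one PDA report."""
    flow = ("10.0.0.1", "10.0.0.2", 6, 40000, 80)  # constructed flow
    granted = 10_000  # generous enough that the flood stays inside the granted volume
    r1, r2, rcv = Node("R1"), CompromisedRouter("R2", mode), Node("receiver")
    for node in (r1, r2, rcv):
        node.permissions[flow] = Permission(KEY, granted)  # installed by setup signaling
    sent_bytes = 0
    for seq in range(n_packets):
        pkt = Packet(flow, seq, b"d" * 100, b"")
        pkt.icv = compute_icv(KEY, flow, seq, pkt.payload)
        sent_bytes += len(pkt.payload)
        if r1.accept(pkt):
            for p in r2.forward(pkt):
                rcv.accept(p)
    report = {"flow": flow, "sent_bytes": sent_bytes}  # periodic sender signaling message
    return {"verdict": pda_check(rcv, report), "sent": sent_bytes,
            "received": rcv.received_bytes.get(flow, 0)}


def forged_packet_accepted() -> bool:
    """An attacker without the shared key cannot pass the AH check at the first hop."""
    flow = ("10.0.0.9", "10.0.0.2", 6, 40001, 80)
    node = Node("R1")
    node.permissions[flow] = Permission(KEY, 10_000)
    pkt = Packet(flow, 0, b"evil", compute_icv(b"wrong-key", flow, 0, b"evil"))
    return node.accept(pkt)


if __name__ == "__main__":
    for mode in ("honest", "flood", "drop"):
        print(mode, run_path(mode))
```

Note what the granted volume does and does not catch: the flooding router stays within the 10,000 bytes it was authorised to forward, so the permission check at the receiver passes every injected packet and only the PDA comparison exposes the excess. A deployment would also need a tolerance for ordinary loss and reordering between the sender's report and the receiver's count, which this exact comparison does not model.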
We built the PBS NSLP on top of the GIST implementation (NTLP). The PBS NSLP parses and creates signaling messages at each node. OpenSSL is used to implement the cryptographic algorithms. GIST and the PBS NSLP communicate over Unix domain sockets. The authorization component manages the permission and IPsec state tables for each flow; both tables are implemented as hash tables. We also implemented a userspace IPsec module, a modular IPsec stack that runs in user space and hooks packet processing through Netfilter.
Se Gi Hong
Swen Weiland (University of Goettingen, Germany)
Userspace IPsec module