lecture7-clean-slate-intro

Lecture 7: Clean-Slate Secure Network Design Introduction
Adrian Perrig
18-731: Network Security, Spring 2009

Overview
- Administrative issues
- Steelers victory
- Any other issues?
Sample Reading Critique

HOLDING THE INTERNET ACCOUNTABLE

Summary:
The paper basically says that today's IP architecture does not provide any accountability, which leads attackers to be confident that they will not be identified or thwarted easily. Thus, in order to provide security, accountability is a must. AIP provides authenticity of routing messages and provenance of data packets, which makes attacks traceable or difficult to mount.

Things Learned:
AIP detects and prevents spoofing of the source address; it also throttles unwanted messages by sending explicit "shut-off" messages, and detects unauthorized route advertisements. In order to detect forgeries or errors, and to provide origin and path authentication in the routing messages, we need accountability in the control plane, and source accountability would make packet filters and intrusion detection and prevention systems more robust, as they don't have to worry about source address forgeries. The addresses of the hosts are in the form AD:EID, where AD is the autonomous domain and EID is the endpoint identifier. In order to make the address self-certifying, AD is the hash of the public key of the domain and EID is the hash of the public key of the corresponding host. Because of the self-certification of the addresses, the security mechanisms do not have to deal with undesirable trust relationships or manual configuration.

Suggestion/Improvements:
For the path verification, it suggests that each route advertisement should be signed by each AD along the path and the receiving router should verify all the N-1 signatures. However, this will take a considerable amount of time, and the protocol will be beaten by performance. Each router who does not send packets often will have to get itself verified every time before sending packets, and also it will have to resend the first packet every time; this would again be inefficient.
As the path length grows, the update volume will also grow, and the subsequent amount of time
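
The self-certifying AD:EID addresses described in the critique can be checked without any external trust anchor; the sketch below is an added example, not code from the lecture or from AIP. Assumptions: SHA-256 truncated to 160 bits as the hash, a Lamport one-time signature (standard library only) standing in for the hosts' real public-key scheme, a simple nonce challenge as the verification step, and all function names are hypothetical.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()   # assumed hash; the page names none

def keygen():
    """Lamport one-time key pair (stand-in scheme): pk = hashes of 2x256 secrets."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; a key must sign only ONE message.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify_sig(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i * 64 + b * 32: i * 64 + b * 32 + 32]
               for i, b in enumerate(_bits(msg)))

def identifier(pk):
    """AD or EID = hash of the public key (160-bit truncation is an assumption)."""
    return H(pk)[:20].hex()

def address(ad_pk, host_pk):
    return identifier(ad_pk) + ":" + identifier(host_pk)

def verify_source(claimed_addr, host_pk, nonce, sig):
    """Verifier: the presented key must hash to the EID and sign a fresh nonce."""
    try:
        _ad, eid = claimed_addr.split(":")
    except ValueError:
        return False
    if identifier(host_pk) != eid:
        return False                  # key is not the one the address names
    return verify_sig(host_pk, nonce, sig)

if __name__ == "__main__":
    _, ad_pk = keygen()
    sk, pk = keygen()
    addr, nonce = address(ad_pk, pk), secrets.token_bytes(16)
    print("honest host :", verify_source(addr, pk, nonce, sign(sk, nonce)))
    esk, epk = keygen()               # second party claiming the same address
    print("other key   :", verify_source(addr, epk, nonce, sign(esk, nonce)))
```

The verifier needs only the claimed address, the presented key and a fresh nonce: a key that does not hash to the EID is rejected before any signature work, and a matching key still has to sign the challenge.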