PBS: Signaling architecture for network traffic authorization

Abstract

We propose a signaling architecture for network traffic authorization, called Permission-Based Sending (PBS), aiming to prevent DoS attacks and other forms of unauthorized traffic. Toward this goal, PBS takes a hybrid approach: a proactive approach of explicit permissions and a reactive approach of monitoring and countering attacks. PBS uses a concept similar to existing capability-based systems in the manner in which the sender should get authorization (permission) from a receiver for flows. However, PBS introduces new and practical approaches to overcome the deficiencies (the difficulty of obtaining permission and incompatibility with current network architecture) of those systems. On-path signaling enables easy installation and management of the permission state. Working on current network protocols supports compatibility and allows PBS to be deployed in existing networks. In addition, a monitoring mechanism provides a second line of defense against attacks. Our analysis and performance evaluation show that PBS is an effective and scalable solution to prevent several kinds of attacks, and improves the resilience of the system against network failure by using soft-state mechanisms.