Capability-Based Egress Network Access Control for Transferring Access Rights

In conventional egress network access control (NAC) using access control lists (ACLs), modifying ACLs is a heavy task for administrators. To enable rapid configuration without a large amount of effort by administrators, we introduce capabilities to egress NAC. In our egress NAC, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize capability-based egress NAC, we use DNS messages and IP options to carry capabilities. A resolver of the client sends the user name, domain name, and service name as DNS query messages to a DNS cache server, which issues capabilities according to a policy and sends them as DNS answer messages to the client. The client kernel includes these capabilities in the IP options of packets and sends them to the router. The router checks the capabilities of the packets to determine whether to pass or block them. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router´s performance