• DocumentCode
    1868264
  • Title

    IP easy-pass: edge resource access control

  • Author

    Wang, Haining ; Bose, Abhijit ; El-Gendy, Mohamed ; Shin, Kang G.

  • Author_Institution
    Dept. of Comput. Sci., Coll. of William & Mary, Williamsburg, VA, USA
  • Volume
    4
  • fYear
    2004
  • fDate
    7-11 March 2004
  • Firstpage
    2583
  • Abstract
    Providing real-time communication services to multimedia applications and subscription-based Internet access often requires sufficient network resources to be reserved for real-time traffic. However, the reserved network resource is susceptible to resource theft and abuse. Without a resource access control mechanism that can efficiently differentiate legitimate real-time traffic from attacking packets, the traffic conditioning and policing enforced at ISP (Internet service provider) edge routers cannot protect the reserved network resource from embezzlement. On the contrary, the traffic policing at edge routers aggravates their vulnerability to flooding attacks by blindly dropping packets. We propose a fast and light-weighted IP network-edge resource access control mechanism, called IP easy-pass, to prevent unauthorized access to reserved network resources at edge devices. We attach a unique pass to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of an incoming IP packet very quickly and simply by checking its pass. We present the generation of easy-pass, its embedding, and verification procedures. We implement the IP easy-pass mechanism in the Linux kernel and analyze its effectiveness against packet forgery and resource embezzlement attempts. Finally, we measure the overhead incurred by easy-pass.
  • Keywords
    IP networks; Internet; Linux; authorisation; multimedia communication; real-time systems; subscriber loops; telecommunication network routing; telecommunication security; telecommunication services; telecommunication traffic; IP easy-pass; IP network; Internet service provider; Linux kernel; edge resource access control; edge router; multimedia application; packet forgery; real-time communication service; real-time traffic; resource embezzlement; subscription-based Internet access; verification procedures; Access control; Communication system traffic control; Floods; Forgery; IP networks; Kernel; Linux; Multimedia communication; Protection; Web and internet services;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    INFOCOM 2004. Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies
  • ISSN
    0743-166X
  • Print_ISBN
    0-7803-8355-9
  • Type

    conf

  • DOI
    10.1109/INFCOM.2004.1354678
  • Filename
    1354678