Title :
Signaling Architecture for Network Traffic Authorization
Author :
Hong, Se Gi ; Schulzrinne, Henning ; Weiland, Swen
Author_Institution :
Columbia Univ., New York, NY, USA
Abstract :
Capability-based systems that use explicit authorization (permission) for flows have been proposed in order to prevent Denial-of-Service (DoS) attacks. Even though the performance analyses of these systems show that they are efficient in preventing the attacks, they suffer from the difficulty of obtaining permission, incompatibility with current network architecture, and attacks that circumvent the permission rules. We propose a signaling architecture for network traffic authorization, called Permission-Based-Sending (PBS), aiming to prevent DoS attacks. PBS uses a concept similar to existing capability-based systems, in that the sender should get authorization (permission) from a receiver for flows. However, PBS introduces new and practical approaches to overcome the deficiencies of those systems. On-path signaling enables easy installation and management of the permission state. Working on current network protocols supports compatibility and allows PBS to be deployed in existing networks. In addition, a monitoring mechanism provides a second line of defense against attacks. Our analysis and performance evaluation show that PBS is an effective and scalable solution to prevent several kinds of attacks, and improves the resilience of the system against network failure by using soft-state mechanisms.
Keywords :
authorisation; signalling protocols; telecommunication traffic; capability-based system; denial-of-service attacks; explicit authorization; monitoring mechanism; network protocol; network traffic authorization; on-path signaling; performance evaluation; permission-based-sending; signaling architecture; soft-state mechanism; Authentication; Cryptography; IP networks; Peer to peer computing; Protocols; Receivers;
Conference_Title :
Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE
Conference_Location :
Miami, FL
Print_ISBN :
978-1-4244-5636-9
Electronic_ISBN :
1930-529X
DOI :
10.1109/GLOCOM.2010.5684006