Abstract:
We describe Secure Network Attribution and Prioritization (SNAP), a system architecture, protocol specification, and prototype implementation for augmenting the Internet Protocol with services for fine-grained attribution, attribution-based prioritization with controlled sharing, and autoconfiguration. We define attribution as a security service that identifies the source of traffic on a network. SNAP provides per-packet attribution using a header analogous to the IPsec Authentication Header (AH), inserted by the first-hop router; succeeding routers validate the header. SNAP contains a novel prioritization scheme, Priority-Dropped Queuing, which assigns micro-priorities from a range (band) to each flow at the first-hop router. The range is determined by a combination of user identity and traffic class, allowing the network operator rather than the user to set the priorities. SNAP's third component is an autoconfiguration system. Rather than generating configuration files for each router, a network operator writes a network-wide configuration plan. Once configured, plan updates can be rapidly distributed to change the prioritization plan or security policies. Together, these three components allow us to identify traffic and prioritize it, all with reduced configuration effort. BBN has constructed two prototypes of SNAP, at 100 Mb/s and 1 Gb/s. One is based on a COTS 1U PC running a version of NetBSD with kernel-level attribution and prioritization processing. The second, jointly developed with ViaSat, is a 1U board with FPGAs that implement the per-packet processing, running the same version of NetBSD on the control processor.
Keywords:
Internet; computer network security; field programmable gate arrays; queueing theory; routing protocols; telecommunication network planning; telecommunication services; telecommunication traffic; AH; BBN; COTS 1U PC board; FPGA; IPsec authentication header; Internet protocol specification; NetBSD version; SNAP; ViaSat; autoconfiguration system; bit rate 1 Gbit/s; bit rate 100 Mbit/s; controlled sharing; fine-grained attribution; first-hop telecommunication routing; kernel-level attribution; network-wide configuration planning; priority-dropped queuing; secure network attribution and prioritization; telecommunication service; Authentication; Process control; attribution; autoconfiguration; prioritization