Secure Network Attribution and Prioritization: A Coordinated Architecture for Critical Infrastructure

We describe Secure Network Attribution and Prioritization (SNAP), a system architecture, protocol specification, and prototype implementation for augmenting Internet Protocol with services for fine-grained attribution, attribution-based prioritization with controlled sharing, and autoconfiguration. We define attribution as a security service that identifies the source of traffic on a network. SNAP has per-packet attribution using a header analogous to IPsec Authentication Header (AH) inserted by the first router. Succeeding routers validate the header. SNAP contains a novel prioritization scheme, Priority-Dropped Queuing, which assigns micro-priorities from a range (band) to each flow at the first-hop router. The range is determined by a combination of user identity and traffic class, allowing the network operator rather than the user to set the priorities. SNAP´s third component is an autoconfiguration system. Rather than generating configuration files for each router, a network operator writes a network-wide configuration plan. Once configured, plan updates can be rapidly distributed to change the prioritization plan or security policies. Together, these three key attributes allow us to identify traffic and prioritize it, all with reduced configuration effort. BBN has constructed two prototypes of SNAP at 100 Mb/s and 1 Gb/s. One is based on a COTS 1U PC, running a version of NetBSD with kernel-level attribution and prioritization processing. The second, jointly developed with ViaSat, is a 1U board with FPGAs that implement the per-packet processing, running the same version of NetBSD on the control processor.