DOI: 10.1145/1595676.1595681

ROFL: routing as the firewall layer

Published: 22 September 2008

Abstract

We propose a new firewall architecture that treats port numbers as part of the IP address. Hosts permit connectivity to a service by advertising the IPaddr:port/48 address; they block connectivity by ensuring that there is no route to it. This design, which is especially well-suited to MANETs, provides greater protection against insider attacks than do conventional firewalls, but drops unwanted traffic far earlier than distributed firewalls do.
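The following is an added illustration of the mechanism the abstract describes; it is not code from the paper or its authors. It assumes the 48-bit key is the 32-bit IPv4 address followed by the 16-bit port (32 + 16 = 48, matching the abstract's IPaddr:port/48; an IPv6 deployment would presumably use 128 + 16 = 144 bits, not shown here). A host permits a service by advertising the /48 for it; a lookup that finds no route means the packet is dropped at that hop instead of travelling to a firewall. Because the port occupies the low-order bits of the key, ordinary longest-prefix matching over the key also expresses an aligned block of ports (a /46 covers four consecutive ports) or every port of a host (a /32). Class and function names, interface labels such as "eth1", and the sample addresses are constructed for the example.

```python
"""Toy ROFL-style forwarding table (added example, not the paper's code).

The routing key is the 32-bit IPv4 address followed by the 16-bit port, so a
full host:port route is a /48 and longest-prefix match on this key plays the
role of the firewall rule base. Names and next-hop labels are assumptions."""
import ipaddress
from typing import Dict, Optional

KEY_BITS = 48          # 32 address bits + 16 port bits
LOCAL = "local"        # next hop meaning "deliver to this host"


def flow_key(ip: str, port: int) -> int:
    """Concatenate address and port into the 48-bit routing key."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port out of range: {port}")
    return (int(ipaddress.IPv4Address(ip)) << 16) | port


def prefix_mask(prefix_len: int) -> int:
    """Mask selecting the top prefix_len bits of a 48-bit key."""
    if not 0 <= prefix_len <= KEY_BITS:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return ((1 << prefix_len) - 1) << (KEY_BITS - prefix_len)


class RoflTable:
    """Routes indexed by prefix length, then by masked key."""

    def __init__(self) -> None:
        self._routes: Dict[int, Dict[int, str]] = {}

    def advertise(self, ip: str, port: int = 0,
                  prefix_len: int = KEY_BITS, next_hop: str = LOCAL) -> None:
        """Permit traffic: install a route for ip:port/prefix_len."""
        key = flow_key(ip, port) & prefix_mask(prefix_len)
        self._routes.setdefault(prefix_len, {})[key] = next_hop

    def withdraw(self, ip: str, port: int = 0,
                 prefix_len: int = KEY_BITS) -> bool:
        """Block traffic: remove the route so that no path exists."""
        key = flow_key(ip, port) & prefix_mask(prefix_len)
        bucket = self._routes.get(prefix_len, {})
        return bucket.pop(key, None) is not None

    def lookup(self, ip: str, port: int) -> Optional[str]:
        """Longest-prefix match; None means 'no route', i.e. drop here."""
        key = flow_key(ip, port)
        for plen in sorted(self._routes, reverse=True):
            hop = self._routes[plen].get(key & prefix_mask(plen))
            if hop is not None:
                return hop
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one router, two hosts behind it."""
    t = RoflTable()
    # 192.0.2.10 exposes only HTTPS plus the aligned port block 8000-8003.
    t.advertise("192.0.2.10", 443, next_hop="eth1")
    t.advertise("192.0.2.10", 8000, prefix_len=46, next_hop="eth1")
    # 198.51.100.7 is fully open (a /32 covers every port); its SMTP port is
    # reached through a more specific /48, which longest-prefix match prefers.
    t.advertise("198.51.100.7", prefix_len=32, next_hop="eth2")
    t.advertise("198.51.100.7", 25, next_hop="eth3")
    results = {
        "https_allowed": t.lookup("192.0.2.10", 443),
        "ssh_no_route": t.lookup("192.0.2.10", 22),
        "block_8003": t.lookup("192.0.2.10", 8003),
        "block_8004_outside": t.lookup("192.0.2.10", 8004),
        "open_host_any_port": t.lookup("198.51.100.7", 1234),
        "open_host_smtp_lpm": t.lookup("198.51.100.7", 25),
    }
    # Withdrawing the /48 is the entire "deny" operation.
    t.withdraw("192.0.2.10", 443)
    results["https_after_withdraw"] = t.lookup("192.0.2.10", 443)
    return results


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:24s} -> {hop if hop else 'DROP (no route)'}")
```

The point to notice is that every policy decision is a route insertion or withdrawal on the 48-bit key; there is no separate rule base, so a packet for an unadvertised service is discarded by the first router that lacks a route rather than by a firewall near the destination.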


Cited By

  • Privacy in the pervasive era: A distributed firewall approach. 2012 9th Annual Conference on Wireless On-Demand Network Systems and Services (WONS), pp. 23-26, January 2012. doi:10.1109/WONS.2012.6152229
  • Policy refinement of network services for MANETs. 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops, pp. 113-120, May 2011. doi:10.1109/INM.2011.5990681
  • High Performance Firewalls in MANETs. Proceedings of the 2010 Sixth International Conference on Mobile Ad-hoc and Sensor Networks (MSN), pp. 154-160, 20 December 2010. doi:10.1109/MSN.2010.30


      Published In

      NSPW '08: Proceedings of the 2008 New Security Paradigms Workshop
      August 2009, 144 pages
      ISBN: 9781605583419
      DOI: 10.1145/1595676
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. firewall
      2. routing security policies

      Qualifiers

      • Research-article

      Conference

      NSPW '08: 2008 New Security Paradigms Workshop
      September 22 - 25, 2008
      Lake Tahoe, California, USA

      Acceptance Rates

      Overall Acceptance Rate 62 of 170 submissions, 36%
