A flow-based approach to datagram security

Published: 01 October 1997

    Abstract

    Datagram services provide a simple, flexible, robust, and scalable communication abstraction; their usefulness has been well demonstrated by the success of IP, UDP, and RPC. Yet the overwhelming majority of network security protocols that have been proposed are geared towards connection-oriented communications. The few that do cater to datagram communications tend either to rely on long-term host-pair keying or to impose session-oriented semantics (i.e., requiring connection setup). Separately, the concept of flows has received a great deal of attention recently, especially in the context of routing and QoS. A flow characterizes a sequence of datagrams sharing some pre-defined attributes. In this paper, we advocate the use of flows as a basis for structuring secure datagram communications. We support this by proposing a novel protocol for datagram security based on flows. Our protocol achieves zero-message keying, thus preserving the connectionless nature of datagrams, and makes use of soft state, thus providing the per-packet processing efficiency of session-oriented schemes. We have implemented an instantiation for IP in the 4.4BSD kernel, and we provide a description of our implementation along with performance results.


    Published In

    SIGCOMM '97: Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
    October 1997, 311 pages
    ISBN: 089791905X
    DOI: 10.1145/263105
    Publisher

    Association for Computing Machinery, New York, NY, United States


    Conference

    ACM SIGCOMM '97 (COMM97)
    September 14 - 18, 1997
    Cannes, France

    Acceptance Rates

    SIGCOMM '97 paper acceptance rate: 24 of 213 submissions (11%)
    Overall acceptance rate: 462 of 3,389 submissions (14%)

    Article Metrics

    • Downloads (last 12 months): 27
    • Downloads (last 6 weeks): 4
    Reflects downloads up to 12 Aug 2024

    Cited By

    • (2003) Block-level security for network-attached disks. Proceedings of the 2nd USENIX conference on File and storage technologies, pp. 12-12. DOI: 10.5555/1973355.1973367. Online publication date: 31 Mar 2003.
    • (2003) Authenticated encryption schemes with message linkages for message flows. Computers & Electrical Engineering 29(1), pp. 101-109. DOI: 10.1016/S0045-7906(01)00010-6. Online publication date: Jan 2003.
    • (2000) Securing RSVP for multimedia applications. Proceedings of the 2000 ACM workshops on Multimedia, pp. 153-156. DOI: 10.1145/357744.357916. Online publication date: 4 Nov 2000.
    • (1999) Digital signatures for flows and multicasts. IEEE/ACM Transactions on Networking 7(4), pp. 502-513. DOI: 10.1109/90.793005. Online publication date: 1 Aug 1999.
    • (1998) Digital signatures for flows and multicasts. Proceedings Sixth International Conference on Network Protocols (Cat. No.98TB100256), pp. 198-209. DOI: 10.1109/ICNP.1998.723740. Online publication date: 1998.
