2,732 research outputs found
Flow-Based Detection of IPv6-specific Network Layer Attacks
With a vastly different header format, IPv6 introduces new vulnerabilities not possible in IPv4, potentially requiring new detection algorithms. While many attacks specific to IPv6 have proven to be possible and are described in the literature, no detection solutions for these attacks have been proposed. In this study we identify and characterise IPv6-specific attacks that can be detected using flow monitoring. By constructing flow-based signatures, detection can be performed using available technologies such as NetFlow and IPFIX. To validate our approach, we implemented these signatures in a prototype, monitoring two production networks and injecting attacks into the production traffic
FAIR: Forwarding Accountability for Internet Reputability
This paper presents FAIR, a forwarding accountability mechanism that
incentivizes ISPs to apply stricter security policies to their customers. The
Autonomous System (AS) of the receiver specifies a traffic profile that the
sender AS must adhere to. Transit ASes on the path mark packets. In case of
traffic profile violations, the marked packets are used as a proof of
misbehavior.
FAIR introduces low bandwidth overhead and requires no per-packet and no
per-flow state for forwarding. We describe integration with IP and demonstrate
a software switch running on commodity hardware that can switch packets at a
line rate of 120 Gbps, and can forward 140M minimum-sized packets per second,
limited by the hardware I/O subsystem.
Moreover, this paper proposes a "suspicious bit" for packet headers - an
application that builds on top of FAIR's proofs of misbehavior and flags
packets to warn other entities in the network.Comment: 16 pages, 12 figure
Efficient security for IPv6 multihoming
In this note, we propose a security mechanism for protecting IPv6
networks from possible abuses caused by the malicious usage of a
multihoming protocol. In the presented approach, each
multihomed node is assigned multiple prefixes from its upstream
providers, and it creates the interface identifier part of its
addresses by incorporating a cryptographic one-way hash of the
available prefix set. The result is that the addresses of each
multihomed node form an unalterable set of intrinsically bound
IPv6 addresses. This allows any node that is communicating with
the multihomed node to securely verify that all the alternative
addresses proposed through the multihoming protocol are
associated to the address used for establishing the communication.
The verification process is extremely efficient because it only
involves hash operationsPublicad
An Architecture for Network Layer Privacy
We present an architecture for the provision of network layer privacy based on the SHIM6 multihoming protocol. In its basic form, the architecture prevents on-path eavesdroppers from using SHIM6 network layer information to correlate packets that belong to the same communication but use different locators. To achieve this, several extensions to the SHIM6 protocol and to the HBA (Hash Based Addresses) addressing model are defined. On its full-featured mode of operation, hosts can vary dynamically the addresses of the packets of on-going communications. Single-homed hosts can adopt the SHIM6 protocol with the privacy enhancements to benefit from this protection against information collectors.IEEE Communications SocietyPublicad
Network layer access control for context-aware IPv6 applications
As part of the Lancaster GUIDE II project, we have developed a novel wireless access point protocol designed to support the development of next generation mobile context-aware applications in our local environs. Once deployed, this architecture will allow ordinary citizens secure, accountable and convenient access to a set of tailored applications including location, multimedia and context based services, and the public Internet. Our architecture utilises packet marking and network level packet filtering techniques within a modified Mobile IPv6 protocol stack to perform access control over a range of wireless network technologies. In this paper, we describe the rationale for, and components of, our architecture and contrast our approach with other state-of-the- art systems. The paper also contains details of our current implementation work, including preliminary performance measurements
- …