Enhancing Internet Accountability with Self-Certifying Addressing Schemes
This paper presents a novel approach to network-layer accountability in the Internet through a self-certifying addressing scheme. By introducing Addressable Data (AD) and Endpoint Identity (EID) as flat, self-certifying names tied to public keys, the scheme enhances security against spoofing and forgery. Each host is assigned a unique EID, enabling improved accountability at both control and data planes. We explore the implications for routing authenticity, particularly origin and path validation, while addressing challenges in key management and routing scalability to safeguard against unwanted traffic.
Presentation Transcript
Accountable Internet Protocol
David Andersen (CMU), Hari Balakrishnan (MIT), Nick Feamster (Georgia Tech), Scott Shenker (UC Berkeley)

Summary
• Intrinsic support for network-layer accountability in the Internet
• Main idea: New addressing scheme for networks and hosts
• AD and EID: self-certifying flat names
• AD = hash(public_key_of_AD, other_stuff)
• Self-certification binds name to named entity

[Figure: Address = AD:EID, showing AD1, AD2, AD3. Captions: Each host has a global EID. Autonomous domains, each with unique ID (smaller than an AS). If multihomed, has multiple addresses AD1:EID, AD2:EID, AD3:EID.]

Two Types of Accountability
• Control-plane accountability improves security of the routing protocol
• Source accountability detects spoofing and forgery

Control-Plane Accountability
• Origin authentication: Ensure routing prefix being originated by AS X actually belongs to X
• Path authentication: Ensure accuracy of AS path
• S-BGP (and soBGP) require external infrastructures
  • Routing registry recording prefix ownership
  • PKI (database) mapping AS to its public key
  • In practice, registries notoriously inaccurate
• AIP: ADs exchange pub keys via BGP messages
  • Path auth identical to S-BGP (but no PKI)
  • Origin authentication achieved without registry

Data-Plane Accountability
[Flowchart; box labels: Receive pkt w/ src A:E; Local AD?; Trust nbhr AD?; In accept cache?; Accept & forward; Drop pkt, send nonce to A or E; Receive nonce resp; Verify signature; Add A (or E):iface to accept cache. Branches are marked Y/N.]
• Nonce response must be signed w/ A's (or E's) priv key

Application: Shut-Off
• Problem: Compromised host X sending unwanted traffic to D
• (X is "well-intentioned", owner benign [Shaw])
• Shut-off packet signed by D to X: {time, D's pub key, hash of recent pkt recd from X by D, TTL}
• Can send shut-offs to hosts or to ADs
• Shut-off scheme implemented in NIC firmware
• Immutable by host software (updates require physical access via USB/serial port)

Challenges
• Minting of EIDs and ADs
• Key management and compromise
• Routing scalability
• Traffic engineering
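
The nonce challenge and accept cache named in the transcript, as an added example that is not code from the presentation or its authors. It covers only the "not in accept cache" path for a host EID; SHA-256 as the hash, Ed25519 as the signature scheme, and all type and function names are assumptions, since the slides do not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EID is a flat self-certifying name. Assumption: SHA-256 of the public key.
type EID [32]byte
func DeriveEID(pub ed25519.PublicKey) EID { return sha256.Sum256(pub) }

// Verifier keeps outstanding nonces and the accept cache (value: verified key),
// both keyed by claimed source EID and arrival interface.
type Verifier struct{ pending, accept map[string][]byte }

func NewVerifier() *Verifier { return &Verifier{map[string][]byte{}, map[string][]byte{}} }

func key(src EID, iface string) string { return string(src[:]) + "|" + iface }

// Receive forwards a cached source; otherwise it drops and returns a nonce to send.
func (v *Verifier) Receive(src EID, iface string) (forward bool, nonce []byte) {
	if v.accept[key(src, iface)] != nil {
		return true, nil
	}
	nonce = make([]byte, 16)
	rand.Read(nonce) // crypto/rand: unpredictable challenge
	v.pending[key(src, iface)] = nonce
	return false, nonce
}

// NonceResponse requires hash(pub) == claimed EID and a valid signature over our nonce.
func (v *Verifier) NonceResponse(src EID, iface string, pub ed25519.PublicKey, sig []byte) bool {
	k := key(src, iface)
	nonce, ok := v.pending[k]
	if !ok || len(pub) != ed25519.PublicKeySize || DeriveEID(pub) != src || !ed25519.Verify(pub, nonce, sig) {
		return false
	}
	delete(v.pending, k)
	v.accept[k] = pub
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v, eid := NewVerifier(), DeriveEID(pub)
	_, nonce := v.Receive(eid, "if0")
	fmt.Println(v.NonceResponse(eid, "if0", pub, ed25519.Sign(priv, nonce)))
}
```

A responder that presents a different key fails the hash comparison, and one that presents the right key without the private half fails signature verification, so no registry or PKI lookup is needed to reject a spoofed source.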