{"title":"An access control architecture for programmable routers","authors":"Jun Gao, P. Steenkiste","doi":"10.1109/OPNARC.2001.916835","DOIUrl":null,"url":null,"abstract":"Programmable networks allow the router's functionality to be extended dynamically through the use of active extensions. This flexible architecture facilitates the deployment of new network protocols and services. However, the programmable nature of a network also raises serious safety and security concerns. These concerns must be addressed before programmable networks can be deployed. One particular security question is how we can limit what resources and data active extensions can access on the router. While existing operating systems address this question for end-points and servers, routers have been designed to perform a different task, namely forwarding packets, and the existing OS solutions turn out to be inadequate for routers. We look at how we can restrict active extensions' access to link bandwidth and data traffic. Our solution is based on access control lists that are used to check all active extensions' operations that may affect the use of link bandwidth, or may involve access to user traffic. We implemented these mechanisms in Darwin, an example of a programmable network.","PeriodicalId":243728,"journal":{"name":"2001 IEEE Open Architectures and Network Programming Proceedings. OPENARCH 2001 (Cat. No.01EX484)","volume":"438 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2001-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2001 IEEE Open Architectures and Network Programming Proceedings. OPENARCH 2001 (Cat. No.01EX484)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/OPNARC.2001.916835","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 13
Abstract
Programmable networks allow the router's functionality to be extended dynamically through the use of active extensions. This flexible architecture facilitates the deployment of new network protocols and services. However, the programmable nature of a network also raises serious safety and security concerns. These concerns must be addressed before programmable networks can be deployed. One particular security question is how we can limit what resources and data active extensions can access on the router. While existing operating systems address this question for end-points and servers, routers have been designed to perform a different task, namely forwarding packets, and the existing OS solutions turn out to be inadequate for routers. We look at how we can restrict active extensions' access to link bandwidth and data traffic. Our solution is based on access control lists that are used to check all active extensions' operations that may affect the use of link bandwidth, or may involve access to user traffic. We implemented these mechanisms in Darwin, an example of a programmable network.