Many researchers are proposing alterations to existing routers to provide higher security. Such alternatives include traceback of malicious packets, pushback of filters into the network, diagnostic tools, cooperation between different routers to determine security conditions, and many other features. Implementing those features in standard routers will take much time and effort, and will require cooperation from vendors who are uncertain about which features are valuable and should be included and which do not provide benefit commensurate with their costs.
Programmable routers like Intel's IXA provide a simpler way to test new security features in high-speed routers, and to deploy those that prove valuable. With Intel's generous support, this project investigates how to embed different security features into IXA routers.
We are using router security features being built for two other projects in our group as test cases.
1. The iSAVE protocol is used to build incoming tables at routers. These tables allow a router to detect packets with spoofed IP source addresses. Such packets are likely to be malicious, and can be filtered as soon as an iSAVE-capable router detects them. iSAVE currently exists in simulation form.
2. The D-WARD system is an anti-DDoS system deployed at ingress routers. D-WARD monitors outgoing traffic and the incoming responses to detect patterns indicating that a DDoS stream is originating in the local network. Rate limits are then applied to misbehaving streams. D-WARD must carefully monitor traffic to ensure that all effective DDoS streams receive rate limits while no legitimate streams are impeded. D-WARD currently exists as an implementation in a software router.
In this project, we will port these systems to the IXA architecture.
In addition to insight gained by adding these security features to the IXA, we expect to learn something about how well the IXA can accommodate significant extra functionality on top of standard IP packet handling and forwarding.
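The per-packet check that an incoming table makes possible (item 1 above) can be sketched as follows. This is an added example, not code from the iSAVE project or the IXA port; it assumes a table that maps each source prefix to the interface on which packets from that prefix are expected, and the entry layout, the names and the sample table are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed entry layout: source prefix -> expected incoming interface. */
struct in_entry { uint32_t prefix; uint8_t len; int ifindex; };
enum verdict { FORWARD = 0, DROP_SPOOFED = 1, NO_ENTRY = 2 };

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

static uint32_t mask_for(uint8_t len)
{
    /* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
    return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match on the SOURCE address, then compare the interface
 * the packet actually arrived on with the one the table expects. */
enum verdict check_source(const struct in_entry *tbl, size_t n,
                          uint32_t src, int in_if)
{
    const struct in_entry *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].len > 32)
            continue;                       /* ignore malformed entry */
        uint32_t m = mask_for(tbl[i].len);
        if ((src & m) != (tbl[i].prefix & m))
            continue;
        if (best == NULL || tbl[i].len > best->len)
            best = &tbl[i];
    }
    if (best == NULL)
        return NO_ENTRY;   /* table has no opinion; caller decides policy */
    return best->ifindex == in_if ? FORWARD : DROP_SPOOFED;
}

/* Constructed sample table using documentation address ranges. */
static const struct in_entry sample_table[] = {
    { IP(192,0,2,0),      24, 1 },
    { IP(198,51,100,0),   24, 2 },
    { IP(198,51,100,128), 25, 3 },  /* more specific prefix, different link */
};
#define SAMPLE_N (sizeof sample_table / sizeof sample_table[0])

int main(void)
{
    /* Same claimed source address, two different arrival interfaces. */
    printf("192.0.2.7 on if1 -> %d\n",
           check_source(sample_table, SAMPLE_N, IP(192,0,2,7), 1));
    printf("192.0.2.7 on if2 -> %d\n",
           check_source(sample_table, SAMPLE_N, IP(192,0,2,7), 2));
    return 0;
}
```

The `NO_ENTRY` verdict is kept separate from `DROP_SPOOFED` so that a source with no table entry is not treated as spoofed by default.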
Project Members:
Peter Reiher, Principal Investigator
Greg Prier, Lead Graduate Student
Jelena Mirkovic, Graduate Student
Matt Schnaider, Graduate Student
Michael Burns, Undergraduate Researcher
Tommy Tran, Undergraduate Researcher
Contact:
If you have any questions or suggestions, please contact Peter Reiher.