Using IXA to Support Router Security Enhancements

Intel Corporation Gifts and Grants
Funds and equipment to support research in computer security
2001 to 2005

Grants and gifts from Intel Corporation's Network Processing Group Technology Office afforded the LASR research group in UCLA's Computer Science Department an opportunity to study the feasibility of putting important security enhancements into high-speed routers. We worked on  several research projects for DARPA and NSF that involved altering router behavior to provide better security for the Internet. These alterations would, in some cases, put new functionality in the router¹s fast path. While we could study the general feasibility of the approaches in other dimensions with our existing equipment, determining whether a router could provide sufficiently fast service when the security enhancements were in place required access to a programmable router that could be altered to include the new features. The IXA, especially the IXP 1200 models, was perfect for this purpose.

We had two ongoing projects along these lines, with the expectation of more projects in the future. The DARPA-funded project, D-Ward, involved combating DDoS attacks in routers close to attack sources. Routers would observe the flow of packets through them and compare flows to models of normal flows. Flows sufficiently outside the behavior of normal flows would be suspected of being DDoS flows, and would be carefully watched. If this careful observation indicated that the flows were suspicious, the flows would be throttled, easing the attack on the target and lessening the impact on the network as a whole.

Under the NSF-funded project, SAVE, we developed a system capable of filtering out packets with forged IP source addresses. This project relied on a new protocol that builds proper tables of the appropriate incoming interfaces at a router for packets with different sources. Because of asymmetries in the Internet, the existing forwarding tables will not suffice. We used the SAVE protocol to build incoming tables in addition to forwarding tables.

The Intel-provided IXP equipment was also used to support graduate-level classes in computer security. Student projects involved adding security enhancements to the routers, such as firewall capabilities, authenticated routing protocols, automated attack traceback facilities and other network security features.