Abstract
Interconnection across administrative boundaries prompts the need for comprehensive policy enforcement (i.e., access control) with respect to inter-domain packet traffic. Because of the different communication services they provide, stub and transit domains require different mechanisms for policing inter-domain traffic. This paper addresses the design of a policy enforcement mechanism geared specifically towards stub domains. Building on some basic concepts borrowed from the Visa protocol [5], a considerably more powerful mechanism is developed and analyzed. Protocol implementation and experimental results are discussed.
This work was performed while the author was affiliated with the Computer Networks and Distributed Systems Laboratory at the University of Southern California.
References
M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, Proceedings of ACM Symposium on Operating System Principles, December 1989.
W. Diffie, The First Ten Years of Public-Key Cryptography, Proceedings of the IEEE, Vol. 76, No. 5, May 1988.
D. Clark, Policy Routing in Internet Protocols, Journal of Internetworking: Research and Experience, October 1990.
W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. 22, No. 11, November, 1976.
D. Estrin, J. Mogul, G. Tsudik, Visa Protocols for Controlling Inter-Organizational Datagram Flow, IEEE Journal on Selected Areas in Communications, May 1989.
D. Estrin and G. Tsudik, Secure Control of Transit Internetwork Traffic, Computer Networks and ISDN Systems, October 1991.
D. Estrin and G. Tsudik, End-to-End Argument for Network-Layer Access Controls, Journal of Internetworking: Research and Experience, June 1991.
D. Estrin, Policy Requirements for Inter Administrative Domain Routing, Computer Networks and ISDN Systems, June 1991.
J. Galvin, K. McCloghrie, J. Davin, Secure Management of SNMP Networks, Proceedings of 1991 Integrated Network Management Symposium, April 1991.
International Standards Organization, Information Processing Systems — Open Systems Interconnection — Basic Reference Model, ISO 7498, 1977.
International Standards Organization, Security Architecture, ISO 7498-2-1988(E), 1988.
C. Kent and J. Mogul, Fragmentation Considered Harmful, Proceedings of 1987 ACM SIGCOMM Symposium, August 1987.
J. Linn, Privacy Enhancement for Internet Electronic Mail. Part I: Message Encipherment and Authentication Procedures, RFC 1113, SRI Network Information Center, January 1989.
B. Liskov, L. Shrira and J. Wroclawski, Efficient At-Most-Once Messages Based on Synchronized Clocks, ACM Transactions on Computer Systems, May 1991.
P. Mockapetris, Domain Names — Implementation and Specification, RFC 1035, SRI Network Information Center, November 1987.
J. Mogul, Simple and Flexible Datagram Access Controls for Unix-based Gateways, Proceedings of Summer 1989 USENIX Technical Conference, August 1989.
National Bureau of Standards, Federal Information Processing Standards, National Bureau of Standards, Publication 46, 1977.
R. Needham and M. Schroeder, Using Encryption for Authentication in Large Networks of Computers, Communications of the ACM, Vol. 21, No. 12, December 1978.
R. Needham and M. Schroeder, Authentication Revisited, ACM Operating Systems Review, Vol. 21, No. 7, January 1987.
M. Padlipsky, The Elements of Networking Style, Englewood Cliffs, NJ: Prentice Hall, 1985.
J. Postel, Internet Protocol, RFC 791, SRI Network Information Center, September 1981.
J. Postel, Internet Control Message Protocol, RFC 792, SRI Network Information Center, September 1981.
R. Rivest, The MD4 Message Digest Algorithm, Proceedings of CRYPTO'90, August 1990.
R. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communications of the ACM, February 1978.
J. Steiner, C. Neuman, J. Schiller, Kerberos: An Authentication Service for Open Network Systems, Proceedings of USENIX Winter Conference, February 1988.
G. Tsudik, Datagram Authentication in Internet Gateways, IEEE Journal on Selected Areas in Communications, May 1989.
G. Tsudik, Message Authentication with One-Way Hash Functions, Proceedings of IEEE Infocom 92, May 1992.
G. Tsudik, Access Control and Policy Enforcement in Internetworks, Ph.D. Dissertation, USC Computer Science TR-91-15, April 1991.
Copyright information
© 1992 Springer-Verlag
Cite this paper
Tsudik, G. (1992). Policy enforcement in stub autonomous domains. In: Deswarte, Y., Eizenberg, G., Quisquater, JJ. (eds) Computer Security — ESORICS 92. ESORICS 1992. Lecture Notes in Computer Science, vol 648. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0013901
DOI: https://doi.org/10.1007/BFb0013901
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-56246-7
Online ISBN: 978-3-540-47488-3