Presentation is loading. Please wait.

Presentation is loading. Please wait.

Architectural Considerations for Protecting End Hosts Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory

Published byLauren Larson Modified over 10 years ago

Similar presentations

Presentation on theme: "Architectural Considerations for Protecting End Hosts Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory"— Presentation transcript:

1 Architectural Considerations for Protecting End Hosts Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory vern@icir.org June 28, 2007

2 Overview Previous session looked at architectural issues for the network securing its own infrastructure Now, we consider the networks role (if any) in protecting end systems Two parts: –What should its role be? –Architectural approaches for DoS defense

3 Agenda, Part 1 What should the networks role be? –Its inevitable that the network will be intrusive with end system traffic, lets architect for it (Vern Paxson) –No lets not, #1 (Paul Syverson) –No lets not, #2 (Nick Weaver) –Discussion

4 Agenda, Part 2 How should the network protect against DoS? –Framing of problem space (Stefan Savage) –The role of identifiers (Stefan Savage) –The role of indirection (Angelos Keromytis) –The role of capabilities (Xiaowei Yang) –Discussion

5 A Glum Vision That We Had Better Plan For Network operators want to control traffic –Control = inspect, modify, tune, censor, confine … for a large variety of reasons: –Policy enforcement –Endhost security –Wiretap / legal intercept –Censorship –Walled gardens / business reasons –Performance engineering

6 Glum Vision, cont Furthermore, they have the power to do so since they hold the fundamental property of connectivity … … unless they are constrained: –By law Unpredictably difficult to shape in a useful fashion –By competitive concerns But these are trumped by law and sole-sourcing

7 Glum Vision, cont We have existence proofs that network operators will go to significant lengths to shoehorn in such control Question: would we like this stuff shoehorned into our future Internet, or directly recognized as a tussle? (Q: will end-to-end crypto save us? A: No, reduces to steganography.)

8 How to Architect for this Tussle? One approach (w/ S. Shenker, M. Allman): –When instantiating communication, end nodes negotiate with network regarding degree of inspection/meddling What will be revealed, what can be modified How to express range of semantics? –If unacceptable, seek alternate paths –Both parties require mechanisms to police for adherence –Already today for SIP proxies, P3P

Download ppt "Architectural Considerations for Protecting End Hosts Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory"

Similar presentations

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June 28 2007.

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June
Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
Themes From the Security Assessment Exercise Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory

Themes From the Security Assessment Exercise Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Mobile Agents Mouse House Creative Technologies Mike OBrien.

Mobile Agents Mouse House Creative Technologies Mike OBrien.
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Josh Alcorn Larry Brachfeld An in depth review of ad hoc mobile network & cloud security concerns.

Josh Alcorn Larry Brachfeld An in depth review of ad hoc mobile network & cloud security concerns.
FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.

FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday 26.09.2005 C. Today I³SI³HIPHI³.

1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy Jason Franklin and Vern Paxson.

Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy Jason Franklin and Vern Paxson.
Internet Indirection Infrastructure Ion Stoica and many others… UC Berkeley.

Internet Indirection Infrastructure Ion Stoica and many others… UC Berkeley.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
1 Quality Objects: Advanced Middleware for Wide Area Distributed Applications Rick Schantz Quality Objects: Advanced Middleware for Large Scale Wide Area.

1 Quality Objects: Advanced Middleware for Wide Area Distributed Applications Rick Schantz Quality Objects: Advanced Middleware for Large Scale Wide Area.
Overview of Computer Vision CS491E/791E. What is Computer Vision? Deals with the development of the theoretical and algorithmic basis by which useful.

Overview of Computer Vision CS491E/791E. What is Computer Vision? Deals with the development of the theoretical and algorithmic basis by which useful.
The Design Philosophy of the DARPA Internet Protocols D. D. Clark.

The Design Philosophy of the DARPA Internet Protocols D. D. Clark.
Future Research Directions Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.

Future Research Directions Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.
Report by: Loizos Konomou EL933 Fall 2005 Prof: Yong Liu Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney Princeton University,

Report by: Loizos Konomou EL933 Fall 2005 Prof: Yong Liu Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney Princeton University,

Similar presentations

Ads by Google