Title:
Packets with Provenance
Authors
Ramachandran, Anirudh
Bhandankar, Kaushik
Tariq, Mukarram Bin
Feamster, Nick
Abstract
Traffic classification and distinction allow network operators to provision resources, enforce trust, control unwanted traffic, and trace unwanted traffic back to its source. Today’s classification mechanisms rely primarily on IP addresses and port numbers; unfortunately, these fields are often too coarse and ephemeral, and moreover, they do not reflect traffic’s provenance, associated trust, or relationship to other processes or hosts. This paper presents the design, analysis, user-space implementation, and evaluation of Pedigree, which consists of two components: a trusted tagger that resides on hosts and tags packets with information about their provenance (i.e., the identity and history of potential input from hosts and resources for the process that generated them), and an arbiter, which decides what to do with traffic that carries certain tags. Pedigree allows operators to write traffic classification policies with expressive semantics that reflect properties of the actual process that generated the traffic. Beyond offering new functionality and flexibility in traffic classification, Pedigree represents a new and interesting point in the design space between filtering and capabilities, and it allows network operators to leverage host-based trust models to decide the treatment of network traffic.
Date Issued
2008
Resource Type
Text
Resource Subtype
Technical Report