Thursday, August 16, 2001
Noon - 1 pm
Wean Hall 8220
SCS, Carnegie Mellon
Routers with Access Control
This talk is being given in partial fulfilment of the speaking requirements of the SCS Ph.D. program.
Unlike routers in a traditional network, routers in a programmable network
can be programmed and their functionality can thus be dynamically extended
through the use of third-party programs, sometimes known as active extensions.
This open architecture, on the one hand, facilitates the deployment of
new network services and protocols, and makes it possible for end-users
to customize how routers process their traffic;
on the other hand, it also raises serious security and safety issues,
which must be dealt with properly before programmable routers can be deployed
in real-world environments.
In this talk, I will focus on the security challenges faced by programmable
networks. The specific question being addressed is how to limit what resources
active extensions can access on a programmable router, and hence how to protect
the services provided by the router from being disrupted by the extensions.
While existing operating systems provide adequate mechanisms to protect
resources on end-hosts, they typically do not handle resources that are
unique to routers. I will present the design and implementation of a secure
router architecture in which active extensions' access to two types of
router-unique resources, namely routers' link bandwidth and end-users'
traffic passing through routers, is guarded by access control lists (ACLs).
Each active extension to be executed on a router is granted by a trusted
authority a set of permissions on the resources that the extension requires
access to. Programmable routers then check all active extensions'
operations that may affect the use of link bandwidth, or may involve access
to user traffic, and allow only the ones that are permitted by the corresponding
access control list. We implemented the access control mechanisms in the
Darwin system, an example of a programmable network.
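To make the enforcement step concrete, here is an added example (not code from the talk or from the Darwin system) of a router-side reference monitor that checks an extension's bandwidth reservations and traffic accesses against the ACL granted to it; the permission shape, extension names, link names, user names and bandwidth figures are all constructed for illustration.

```python
"""Constructed example: ACL enforcement for active extensions on a router.
Two router-unique resources are modelled, as in the design described above:
link bandwidth (capped per extension and link) and user traffic (readable
only for users the extension was granted access to)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str   # "bandwidth" or "traffic" (assumed resource classes)
    target: str     # link name for bandwidth; traffic owner (user) for traffic
    limit: int = 0  # bandwidth only: max kbit/s this extension may hold on the link


@dataclass
class Router:
    # extension id -> permissions issued by the trusted authority (constructed)
    acl: dict[str, frozenset[Permission]]
    # (extension id, link) -> kbit/s currently reserved by that extension
    reserved: dict[tuple[str, str], int] = field(default_factory=dict)

    def _find(self, ext: str, resource: str, target: str) -> Permission | None:
        # Default deny: an extension with no matching entry gets nothing.
        return next((p for p in self.acl.get(ext, frozenset())
                     if p.resource == resource and p.target == target), None)

    def reserve_bandwidth(self, ext: str, link: str, kbps: int) -> bool:
        """Allow the reservation only if the extension holds a bandwidth
        permission for this link and its total stays within the granted cap."""
        perm = self._find(ext, "bandwidth", link)
        if perm is None or kbps <= 0:
            return False
        used = self.reserved.get((ext, link), 0)
        if used + kbps > perm.limit:
            return False
        self.reserved[(ext, link)] = used + kbps
        return True

    def release_bandwidth(self, ext: str, link: str, kbps: int) -> None:
        key = (ext, link)
        self.reserved[key] = max(0, self.reserved.get(key, 0) - kbps)

    def may_access_traffic(self, ext: str, packet: dict) -> bool:
        """packet["owner"] names the end-user whose traffic this is."""
        return self._find(ext, "traffic", packet["owner"]) is not None
```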
Jun Gao is a 4th year Ph.D. student in Computer Science at Carnegie Mellon.
His research interests lie mostly in the area of computer networking.
He previously worked on various projects including programmable router
design, Internet resource management mechanisms, and the building of virtual
private networks. He is currently focusing on building communication middleware
for application-level networking.