DATE: Thursday, August 16, 2001
TIME: Noon - 1 pm
PLACE: Wean Hall 8220

Jun Gao

SCS, Carnegie Mellon

Securing Programmable Routers with Access Control
This talk is being given in partial fulfilment of the speaking requirements of the SCS Ph.D. program.

Unlike routers in a traditional network, routers in a programmable network can be programmed, so their functionality can be dynamically extended through the use of third-party programs, sometimes known as active extensions. This open architecture, on the one hand, facilitates the deployment of new network services and protocols and makes it possible for end-users to customize how routers process their traffic; on the other hand, it also raises serious security and safety issues, which must be dealt with properly before programmable routers can be deployed in real-world environments.

In this talk, I will focus on the security challenges faced by programmable networks. The specific question being addressed is how to limit what resources active extensions can access on a programmable router, and hence protect the services provided by the router from being disrupted by the extensions. While existing operating systems provide adequate mechanisms to protect resources on end-hosts, they typically do not handle resources that are unique to routers. I will present the design and implementation of a secure router architecture in which active extensions' access to two types of router-unique resources, namely routers' link bandwidth and end-users' traffic passing through routers, is guarded by access control lists (ACLs). Each active extension to be executed on a router is granted by a trusted authority a set of permissions on the resources that the extension needs to access. Programmable routers then check all active extensions' operations that may affect the use of link bandwidth or may involve access to user traffic, and allow only those that are permitted by the corresponding access control list. We implemented the access control mechanisms in the Darwin system, an example of a programmable network.
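As an added illustration, not code from the talk or from the Darwin system, the following toy model shows the default-deny checks the abstract describes: an extension may reserve link bandwidth only up to its granted share, and may touch user traffic only where a grant covers both the flow and the action. Extension ids, link names and address prefixes are constructed values.

```python
"""Toy model of ACL-guarded router resources: link bandwidth and user traffic."""
from dataclasses import dataclass, field
from ipaddress import ip_network, ip_address


@dataclass
class Permission:
    """What a trusted authority granted to one extension (constructed values)."""
    links: dict    # link name -> max bandwidth (kbit/s) the extension may reserve
    traffic: list  # (source prefix, destination prefix, allowed actions) it may touch


@dataclass
class Router:
    acl: dict                                     # extension id -> Permission
    reserved: dict = field(default_factory=dict)  # (ext, link) -> kbit/s already reserved

    def reserve_bandwidth(self, ext, link, kbps):
        """Allow a reservation only if it stays within the ACL grant for that link."""
        perm = self.acl.get(ext)
        if perm is None or link not in perm.links:
            return False  # default deny: no ACL entry means no access
        used = self.reserved.get((ext, link), 0)
        if used + kbps > perm.links[link]:
            return False  # would exceed the granted share of link bandwidth
        self.reserved[(ext, link)] = used + kbps
        return True

    def access_traffic(self, ext, src, dst, action):
        """Allow an operation on a packet only if a grant covers the flow and the action."""
        perm = self.acl.get(ext)
        if perm is None:
            return False  # unknown extension: default deny
        s, d = ip_address(src), ip_address(dst)
        return any(s in ip_network(sp) and d in ip_network(dp) and action in acts
                   for sp, dp, acts in perm.traffic)


def demo():
    # Constructed ACL: "ext1" may reserve up to 1000 kbit/s on "eth0" and may
    # read (but not modify) traffic from 10.1.0.0/16 to 10.2.0.0/16.
    acl = {"ext1": Permission(links={"eth0": 1000},
                              traffic=[("10.1.0.0/16", "10.2.0.0/16", {"read"})])}
    r = Router(acl)
    return [
        r.reserve_bandwidth("ext1", "eth0", 600),                    # True
        r.reserve_bandwidth("ext1", "eth0", 600),                    # False: 1200 > 1000
        r.reserve_bandwidth("ext1", "eth1", 10),                     # False: no grant on eth1
        r.access_traffic("ext1", "10.1.2.3", "10.2.0.9", "read"),    # True
        r.access_traffic("ext1", "10.1.2.3", "10.2.0.9", "modify"),  # False: action not granted
        r.access_traffic("ext2", "10.1.2.3", "10.2.0.9", "read"),    # False: unknown extension
    ]
```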

Jun Gao is a 4th year Ph.D. student in Computer Science at Carnegie Mellon. His research interests lie mostly in the area of computer networking. He previously worked on various projects including programmable router design, Internet resource management mechanisms, and building of virtual private networks. He is currently focusing on building communication middleware for application level networking.
