Proposals for programmable network infrastructures, such as active networks and open signaling, provide programmers with access to network resources and data structures. The motivation for providing these interfaces is accelerated introduction of new services, but exposure of the interfaces introduces many new security risks. The risks can be reduced or eliminated via appropriate restrictions on the exported interfaces. In this article we describe some of the security issues raised by active networks. We then describe our Secure Active Network Environment (SANE) architecture. SANE was designed as a security infrastructure for active networks, and was implemented in the SwitchWare architecture. SANE restricts the actions loaded modules (including "capsules") can perform by restricting the resources that can be named; this is further extended to remote invocation by means of cryptographic credentials. SANE can be extended to support restricted control of quality of service in a programmable network element. The Piglet lightweight device kernel provides a "Virtual Clock" type of scheduling discipline for network traffic, and exports several tuning knobs with which the clock can be adjusted. The ALIEN active loader provides safe access to these knobs to modules that operate on the network element. Thus, the proposed SQoSH architecture is able to provide safe, secure access to network resources, while allowing these resources to be managed by end users needing customized networking services. A desirable consequence of SQoSH's integration of access control and resource control is that a large class of denial-of-service attacks, unaddressed solely with access control and cryptographic protocols, can now be prevented.
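The two mechanisms the abstract combines, restricting what a loaded module can name and governing its link share with a Virtual Clock scheduler whose rate parameters are the only exposed "knobs", are illustrated below as an added toy model. This is example code written for this page, not the SANE, ALIEN, Piglet or SQoSH implementation; the class names, the credential strings of the form `send:<flow>` and `tune:<flow>`, and the flow labels are assumptions of the example. The scheduler follows the standard Virtual Clock rule (a packet of length L on a flow with reserved rate r is stamped max(clock, arrival) + L/r and the smallest stamp is served first), which is what makes a flooding module push only its own stamps into the future rather than starving others.

```python
import heapq


class VirtualClockScheduler:
    """Virtual Clock link scheduler (assumed simplification of Piglet's discipline).

    Each flow has a reserved rate; a packet of length L arriving at time t is
    stamped max(vclock, t) + L / rate, and the link serves the lowest stamp.
    A flow sending faster than its reservation only delays itself.
    """

    def __init__(self):
        self.rates = {}    # flow -> reserved rate (bytes per time unit)
        self.vclock = {}   # flow -> current virtual clock value
        self.queue = []    # heap of (stamp, seq, flow, length)
        self._seq = 0      # tie-breaker so equal stamps stay FIFO

    def set_rate(self, flow, rate):
        """The 'tuning knob': adjust one flow's reservation."""
        if rate <= 0:
            raise ValueError("rate must be positive")
        self.rates[flow] = float(rate)
        self.vclock.setdefault(flow, 0.0)

    def enqueue(self, flow, length, now):
        if flow not in self.rates:
            raise KeyError(f"flow {flow!r} has no reservation")
        stamp = max(self.vclock[flow], now) + length / self.rates[flow]
        self.vclock[flow] = stamp
        self._seq += 1
        heapq.heappush(self.queue, (stamp, self._seq, flow, length))

    def drain(self):
        """Return the flow of each queued packet in transmission order."""
        order = []
        while self.queue:
            _, _, flow, _ = heapq.heappop(self.queue)
            order.append(flow)
        return order


class Loader:
    """Binds a module's namespace from its credential (assumed stand-in for ALIEN).

    A module can only call what its environment names: 'send:<flow>' yields a
    send function for that flow, 'tune:<flow>' yields that flow's rate knob.
    A capability absent from the credential simply has no name to resolve.
    """

    def __init__(self, scheduler):
        self.sched = scheduler

    def environment(self, credential):
        env = {}
        for cap in credential:
            kind, _, flow = cap.partition(":")
            if kind == "send":
                env[f"send_{flow}"] = (
                    lambda length, now, f=flow: self.sched.enqueue(f, length, now))
            elif kind == "tune":
                env[f"set_rate_{flow}"] = (
                    lambda rate, f=flow: self.sched.set_rate(f, rate))
        return env


def demo():
    """Constructed scenario: module A floods, module B sends one packet."""
    sched = VirtualClockScheduler()
    loader = Loader(sched)
    # An operator credential may tune both flows; user modules may only send.
    admin = loader.environment({"tune:A", "tune:B"})
    admin["set_rate_A"](1.0)
    admin["set_rate_B"](1.0)
    env_a = loader.environment({"send:A"})
    env_b = loader.environment({"send:B"})
    for _ in range(10):              # A: ten 2-byte packets at t=0
        env_a["send_A"](2, 0.0)
    env_b["send_B"](1, 0.0)          # B: one 1-byte packet at t=0
    order = sched.drain()
    # A's namespace holds no knob for B's reservation, so it cannot touch it.
    a_can_tune_b = "set_rate_B" in env_a
    return order, a_can_tune_b


if __name__ == "__main__":
    order, a_can_tune_b = demo()
    print("service order:", "".join(order))
    print("module A can tune flow B:", a_can_tune_b)
```

In the scenario, B's single packet is served first despite A having queued ten packets ahead of it, because A's stamps advance by 2 per packet while B's first stamp is 1; and because the rate knob for B is never bound into A's environment, A has no name through which to alter B's share. That pairing of name restriction with scheduled resource control is the property the abstract credits with preventing a class of denial-of-service attacks.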