
Security for Routing Based on Link State Algorithms

IP.com Disclosure Number: IPCOM000117528D
Original Publication Date: 1996-Mar-01
Included in the Prior Art Database: 2005-Mar-31
Document File: 8 page(s) / 307K

Publishing Venue

IBM

Related People

Hauser, RC: AUTHOR [+2]

Abstract

With the increasing use of global networks for commercial and public purposes, benevolence of all parties attached to networks can no longer be assumed. End-to-end security of applications such as mail, ftp, or http is addressed by many proposals and increasingly also pertinent implementations are available. However, all these solutions are not sufficient in presence of attacks on the routing of the employed networks. Attacks spoofing existing nodes by unsolicited routing messages, creating phantom nodes, or altering routing messages emitted by the legitimate sender may be the consequence. Such attacks can lead to complete failure of routing, unexpected behavior or topology information being exposed to non-authorized parties. The prevention of ambiguity of the address space is an additional problem to address.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 18% of the total text.

Security for Routing Based on Link State Algorithms

      Here, the authentication of link state information is split
into two steps, the first of which can be performed with only
negligible delay while the second one is more expensive.  It might,
therefore, be feasible to make the decision whether to store a
routing update message in the node's topology database and whether to
forward that message according to the 'flooding' algorithm after the
first, 'fast' partial authentication.  Before an entry of the
topology database can be used for route calculation, it must have
passed the second step of 'full' authentication.

Requirements

      Each router maintains a topology database to enable efficient
routing of arriving packets or connection setup requests.  The
quality of the resulting routing depends on each node's ability to
adapt its decisions immediately to its view of the current topology
whenever the state of a link changes.  In that case, the neighboring
routers flood the network with link state update (LSU) messages
representing their current topology.

      The generation and processing of 'flooding' packets in
link-state routing protocols is a very time-critical issue.  Incoming
packets must be stored in the topology database if necessary and
flooded on as soon as possible if appropriate.  Generally stated, it
would be preferable if authentication of incoming LSUs could be
performed directly when they are received, to prevent
non-authenticated information from being stored in the topology
database or flooded.  However, for performance reasons it might also
be acceptable to verify only the origin authenticity at this stage
and postpone the integrity verification in a 'lazy' manner to a later
stage, namely when such an LSU is used for route computation or
compared against another version of itself during updates of the
topology database.
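The two-step scheme described above, as an added example that is not part of the original disclosure (the abbreviated text does not specify the cryptographic mechanisms): a toy router stores and floods an LSU once a cheap tag over origin and sequence number verifies, and checks a tag over the whole LSU only when an entry is about to feed route calculation. Both tags are HMAC-SHA256 stand-ins under a per-origin shared key; the class and function names, the tag construction and the demo keys are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass
class LSU:
    origin: str
    seq: int
    links: dict          # neighbour router -> link cost
    origin_tag: bytes    # 8-byte tag over origin and sequence number only (fast step)
    full_tag: bytes      # tag over the complete LSU (full step)

def _header_tag(key, origin, seq):
    return hmac.new(key, f"{origin}:{seq}".encode(), hashlib.sha256).digest()[:8]
def _body_tag(key, origin, seq, links):
    body = json.dumps([origin, seq, links], sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()

def make_lsu(key, origin, seq, links):
    # Originating router attaches both tags; key is a constructed demo secret.
    return LSU(origin, seq, links, _header_tag(key, origin, seq), _body_tag(key, origin, seq, links))
def fast_check(key, lsu):
    return hmac.compare_digest(lsu.origin_tag, _header_tag(key, lsu.origin, lsu.seq))
def full_check(key, lsu):
    return hmac.compare_digest(lsu.full_tag, _body_tag(key, lsu.origin, lsu.seq, lsu.links))

class Router:
    def __init__(self, keys):
        self.keys = keys   # origin -> key shared with that origin (assumed pre-provisioned)
        self.db = {}       # origin -> [lsu, fully_verified]

    def receive(self, lsu):
        # Fast path on arrival: store and flood only once the origin tag verifies.
        key = self.keys.get(lsu.origin)
        if key is None or not fast_check(key, lsu):
            return False                    # drop: never stored, never flooded
        cur = self.db.get(lsu.origin)
        if cur is not None and cur[0].seq >= lsu.seq:
            return False                    # stale or duplicate: do not re-flood
        self.db[lsu.origin] = [lsu, False]
        return True                         # caller floods it on to its neighbours

    def topology_for_routing(self):
        # Lazy full step: an entry feeds route calculation only after its full tag verifies.
        topo = {}
        for origin, entry in list(self.db.items()):
            if not entry[1] and not full_check(self.keys[origin], entry[0]):
                del self.db[origin]         # altered after origin tagging: evict it
                continue
            entry[1] = True
            topo[origin] = entry[0].links
        return topo
```

Note what the split buys and costs: an LSU whose links were altered in transit still passes the fast step and gets flooded, and is only caught and evicted when route computation runs the full step.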

In general, routing shows the following characteristics:

o   The frequency of generating routing updates in a single node is
    relatively low compared to the amount of LSUs generated in the
    whole of the network.  The fact that the expensi...