Title :
OrthCredential: A New Network Capability Design for High-Performance Access Control
Author :
Hao Cai ; Xinming Chen ; Tilman Wolf
Author_Institution :
Dept. of Electr. & Comput. Eng., Univ. of Massachusetts, Amherst, MA, USA
Abstract :
Network architectures for the future Internet envision a variety of novel network services for transmitting, processing, and storing data. These network services may involve costly resources that need to be allocated by a service provider. Thus, an important problem is to limit access to authorized users (e.g., those who have paid for a particular network service). In addition, these resources need to be protected from denial-of-service attacks and from attempts to circumvent this access control. Most existing authentication approaches are based on cryptographic techniques. However, the high computational cost of cryptographic operations makes these techniques unsuitable for the data plane of the network, where potentially every packet needs to be checked at gigabit-per-second link rates. In this paper, we describe a novel design for data plane capabilities, called OrthCredential, that solves this problem. The main idea is to use a set of orthogonal sequences as credentials that can be verified cheaply, protecting the data plane against various attacks. These orthogonal sequences can be constructed by a Hadamard transform. Our evaluation of a prototype implementation shows that 64-bit credentials require fewer than 300 processor cycles for verification, much less than existing access control schemes such as HMAC, while providing reasonable security properties (e.g., less than 10^-8 probability of a successful attack).
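The orthogonal-sequence building block named in the abstract, as an added illustration that is not code from the paper: it generates the 64 rows of the Sylvester Hadamard matrix (the standard Hadamard construction), packs each bipolar (+1/-1) row into a 64-bit word, and checks a presented word against an expected sequence with one XOR and one population count, which is why such a check needs no cryptographic primitive. The verify() rule and its min_corr threshold are an assumed policy for illustration only; the actual OrthCredential packet format and acceptance rule are not given on this page. The code uses the GCC/Clang __builtin_parity and __builtin_popcountll intrinsics.

```c
#include <stdint.h>
#include <stdio.h>

#define SEQ_LEN 64   /* sequence length = credential width in bits */

/* Row i of the 64x64 Sylvester Hadamard matrix, H[i][j] = (-1)^popcount(i & j),
 * packed into a 64-bit word: bit j is set where H[i][j] == -1.
 * Sylvester's construction guarantees that all 64 rows are mutually orthogonal. */
static uint64_t hadamard_row(unsigned i)
{
    uint64_t w = 0;
    for (unsigned j = 0; j < SEQ_LEN; j++) {
        if (__builtin_parity(i & j))      /* odd overlap -> entry is -1 */
            w |= (uint64_t)1 << j;
    }
    return w;
}

/* Inner product of two bipolar sequences in packed form. Equal positions
 * contribute +1 and differing positions -1, so the dot product equals
 * 64 - 2 * (number of differing bits): one XOR plus one popcount. */
static int correlate(uint64_t a, uint64_t b)
{
    return SEQ_LEN - 2 * __builtin_popcountll(a ^ b);
}

/* Data-plane style check (hypothetical policy, not the paper's rule):
 * the presented credential is accepted for slot `slot` when its correlation
 * with that slot's sequence reaches min_corr. min_corr == SEQ_LEN demands an
 * exact match; a lower value tolerates a few flipped bits at the cost of a
 * larger guessing surface for an attacker. */
static int verify(uint64_t presented, unsigned slot, int min_corr)
{
    return correlate(presented, hadamard_row(slot)) >= min_corr;
}

/* Sanity check of the construction: every distinct pair of rows has
 * correlation 0 and every row correlates fully with itself. Returns 1 if so. */
static int all_orthogonal(void)
{
    for (unsigned i = 0; i < SEQ_LEN; i++) {
        for (unsigned k = 0; k < SEQ_LEN; k++) {
            int c = correlate(hadamard_row(i), hadamard_row(k));
            if (c != (i == k ? SEQ_LEN : 0))
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    uint64_t cred = hadamard_row(7);   /* constructed sample credential */
    printf("all 64 rows orthogonal:        %s\n", all_orthogonal() ? "yes" : "no");
    printf("row 7 packed:                  0x%016llx\n", (unsigned long long)cred);
    printf("exact credential, exact match: %d\n", verify(cred, 7, SEQ_LEN));
    printf("one bit flipped, exact match:  %d\n", verify(cred ^ 1u, 7, SEQ_LEN));
    printf("one bit flipped, threshold 60: %d\n", verify(cred ^ 1u, 7, 60));
    printf("wrong slot's sequence:         %d\n", verify(hadamard_row(9), 7, 60));
    return 0;
}
```

The cost of verify() is independent of which credential is presented: one table lookup (or on-the-fly row generation), one XOR and one popcount, which is the kind of operation count that fits a per-packet data-plane check. Correlation 0 between any two distinct rows is what lets a verifier tell an authorized sequence from every other one in the set; the threshold variant shows the trade-off between tolerating corrupted bits and widening the set of accepted words.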
Keywords :
Hadamard transforms; Internet; authorisation; computer network security; cryptography; data communication; data protection; orthogonal codes; resource allocation; telecommunication links; Hadamard transform; High-Performance Access Control; Internet; OrthCredential; authentication approach; authorized user; computational cost; cryptographic technique; data processing; data protection; data storage; data transmission; denial-of-service attacks; gigabit per second link rate; network capability design; orthogonal sequence; resource allocation; Access control; Authentication; Computer crime; Cryptography; Routing protocols;
Conference_Titel :
Network Protocols (ICNP), 2014 IEEE 22nd International Conference on
Conference_Location :
Raleigh, NC
Print_ISBN :
978-1-4799-6203-7
DOI :
10.1109/ICNP.2014.44