• DocumentCode
    762922
  • Title

    IP easy-pass: a light-weight network-edge resource access control

  • Author

    Wang, Haining ; Bose, Abhijit ; El-Gendy, Mohamed ; Shin, Kang G.

  • Author_Institution
    Dept. of Comput. Sci., Coll. of William & Mary, Williamsburg, VA, USA
  • Volume
    13
  • Issue
    6
  • fYear
    2005
  • Firstpage
    1247
  • Lastpage
    1260
  • Abstract
    Providing real-time communication services to multimedia applications and subscription-based Internet access often requires that sufficient network resources be reserved for real-time traffic. However, the reserved network resource is susceptible to resource theft and abuse. Without a resource access control mechanism that can efficiently differentiate legitimate real-time traffic from attacking packets, the traffic conditioning and policing enforced at Internet Service Provider (ISP) edge routers cannot protect the reserved network resource from embezzlement. Contrary to the usual expectation, the traffic policing at edge routers aggravates their vulnerability to flooding attacks by blindly dropping packets. In this paper, we propose a fast and lightweight IP network-edge resource access control mechanism, called IP Easy-pass, to prevent unauthorized access to reserved network resources at edge devices. We attach a unique pass to each legitimate real-time packet so that an ISP edge router can validate the legitimacy of the incoming IP packet very quickly and simply by checking its pass. We present the generation of Easy-pass, its embedding, and verification procedures. We implement the IP Easy-pass mechanism in the Linux kernel, and measure its overhead on our testbed. Finally, we demonstrate its effectiveness against packet forgery and resource embezzlement attempts by conducting a series of experiments.
  • Keywords
    IP networks; Internet; real-time systems; resource allocation; telecommunication network routing; telecommunication security; telecommunication traffic; IP easy-pass; Internet service provider edge routers; Linux kernel; blindly dropping packets; flooding attacks; light-weight network-edge resource access control; multimedia applications; real-time communication services; real-time traffic; subscription-based Internet access; traffic policing; Access control; Communication system traffic control; Floods; IP networks; Kernel; Linux; Multimedia communication; Protection; Testing; Web and internet services; Network QoS; resource access control;
  • fLanguage
    English
  • Journal_Title
    Networking, IEEE/ACM Transactions on
  • Publisher
    ieee
  • ISSN
    1063-6692
  • Type

    jour

  • DOI
    10.1109/TNET.2005.860113
  • Filename
    1561221