The PBS signaling architecture for network traffic authorization enhances network security by protecting against unwarranted attacks by hackers (e.g. denial-of-service (DoS) attacks). The PBS design prevents unauthorized attacks, i.e. traffic initiated without explicit consent from the intended receiver, by introducing a "permission" paradigm: a receiver grants a sender a permission that gives the sender the authority to send a specific quantity of data. This limited permission can prevent attacks because attack packets that exceed the permission are dropped at a router that is aware of PBS. Beyond security, PBS has applications in network traffic management, where cost reduction and failure prevention can be achieved by throttling peak traffic. The PBS architecture operates via on-path signaling to set up permission state, monitor attacks, and trigger the authentication mechanism. Other components of this technology include DoS detection for identifying the type of attack, a decision point for deciding the response to an attack, and traffic management for handling all incoming packets.
PBS does not require a central server to control permissions; the signaling protocols can be introduced into established networks using a bottom-up approach. Also contributing to its scalability, PBS operates with existing network protocols, and its function does not require all of the network's routers to be aware of PBS. Most packets are screened for permission state using the industry-standard 5-tuple of the data packets. The widely used IPsec Authentication Header is employed for packet authentication and spoofing-attack prevention when the network is compromised. Performance experiments were successfully conducted to determine the signaling message overhead, the memory requirement for maintaining permission state, and the maximum number of sessions that can be handled.
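The following is an added illustration, not code from the PBS project or its authors, of the permission paradigm described above as a PBS-aware router might apply it: permission state is keyed by the packet 5-tuple, a receiver-granted byte quota is decremented per forwarded packet, packets with no permission or exceeding their quota are dropped, and per-destination drop counts feed a simple detection check. The flow tuples, quota sizes, the `grant` signaling event and the detection threshold are all assumptions constructed for the example; the real PBS signaling messages, AH-based authentication and decision-point logic are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed 5-tuple type: (src_ip, dst_ip, ip_proto, src_port, dst_port).
FiveTuple = Tuple[str, str, int, int, int]


@dataclass
class Permission:
    """Permission state for one flow: how many bytes the receiver still allows."""
    remaining_bytes: int


@dataclass
class PbsRouter:
    """Hypothetical PBS-aware forwarding element holding per-flow permission state."""
    permissions: Dict[FiveTuple, Permission] = field(default_factory=dict)
    forwarded_bytes: int = 0
    dropped_over_quota: int = 0
    dropped_no_permission: int = 0
    # Per-destination count of unsolicited packets, used for DoS detection.
    unsolicited_by_dst: Dict[str, int] = field(default_factory=dict)

    def grant(self, flow: FiveTuple, byte_quota: int) -> None:
        """Install permission state; stands in for the receiver's on-path signaling."""
        self.permissions[flow] = Permission(byte_quota)

    def process_packet(self, flow: FiveTuple, length: int) -> str:
        """Screen one data packet against the permission keyed by its 5-tuple."""
        perm = self.permissions.get(flow)
        if perm is None:
            # No consent from the receiver: drop and remember the destination.
            self.dropped_no_permission += 1
            dst = flow[1]
            self.unsolicited_by_dst[dst] = self.unsolicited_by_dst.get(dst, 0) + 1
            return "drop:no-permission"
        if length > perm.remaining_bytes:
            # Sender exceeded the quantity it was authorised to send.
            self.dropped_over_quota += 1
            return "drop:over-quota"
        perm.remaining_bytes -= length
        self.forwarded_bytes += length
        return "forward"

    def suspected_targets(self, threshold: int) -> List[str]:
        """Destinations whose unsolicited-packet count reached the (assumed) threshold."""
        return sorted(d for d, n in self.unsolicited_by_dst.items() if n >= threshold)


def run_demo() -> Tuple[PbsRouter, List[str]]:
    """Constructed scenario: one consented flow with a 3000-byte quota, one unsolicited flow."""
    router = PbsRouter()
    consented = ("10.0.0.2", "10.0.0.9", 6, 40000, 443)
    router.grant(consented, 3000)
    results = [router.process_packet(consented, 1400) for _ in range(3)]
    # Third 1400-byte packet would exceed the 3000-byte permission and is dropped.
    unsolicited = ("198.51.100.7", "10.0.0.9", 17, 5555, 53)
    results += [router.process_packet(unsolicited, 512) for _ in range(3)]
    return router, results


if __name__ == "__main__":
    r, res = run_demo()
    print(res)
    print("forwarded bytes:", r.forwarded_bytes)
    print("suspected targets:", r.suspected_targets(3))
```

Only packets whose 5-tuple carries receiver-granted permission are forwarded, and the quota is enforced per packet so the third consented packet is dropped once it would overrun the 3000 bytes granted; the unsolicited flow never reaches the receiver and its destination shows up in the detection check, which is where a decision point would choose a response.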
Tech Ventures Reference: IR M09-001