Enhanced network services often involve allocating resources (bandwidth/buffer space) preferentially to packets belonging to certain flows or traffic classes. Such services are vulnerable to denial-of-service attacks if packet classification is based on information that can be forged, such as source and destination addresses and port numbers. Traditional message authentication codes (MACs), often considered the only solution to this problem, are really not designed to solve it. In particular, their per-packet costs are so high that they enable another form of denial-of-service attack based on overwhelming the verification mechanism. We describe the problem of denial of access to reserved resources and the inadequacies of conventional solutions. We then observe that it is reasonable to trade some of the strong security guarantees provided by conventional MACs for a lower per-packet cost. We propose a new packet authentication algorithm, designed to solve the problem of protecting ...
Kenneth L. Calvert, Srinivasan Venkatraman, Jim Gr