Privacy-Preserving Data Packet Filtering Protocol with Source IP Authentication
Packet filtering allows a network gateway to control network traffic flows and protect the computer system. Most recent research on filtering systems mainly concerns performance, reliability and defence against common network attacks. However, the gateway might be controlled by an untrusted attacker, who might try to infer the identity of the sender host and mount IP tracking on its data packets. IP spoofing is another problem: to keep its data packets from being filtered by the packet filtering system, a malicious sender host might use a spoofed source IP address. Therefore, preserving source IP privacy and providing source IP authentication simultaneously in the filtering system is an interesting and challenging problem. To deal with the problem, we construct a data packet filtering scheme, which is formally proved to be semantically secure against the chosen IP attack and the IP guessing attack. Based on this filtering scheme, we propose the first privacy-preserving packet filtering system, where the data packets whose source IP addresses are at risk are filtered, the privacy of the source IP is protected and its correctness can be verified by the recipient host. The analysis shows that our protocol can fulfil the objectives of a data packet filtering system. The performance evaluation demonstrates its applicability in current network systems. We also present a packet filtering scheme in which the data packets from one subnet can be filtered with only one filter policy.
Keywords: Packet filter, Privacy-preserving, IP spoofing, Authentication
This work is supported by the National Natural Science Foundation of China under Grants 61502086 and 61572115, the Fundamental Research Funds for the Central Universities (No. ZYGX2014J061), the foundation from Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems (No. YF16202) and the foundation from Guangxi Key Laboratory of Trusted Software (No. PF16116X).