CMU-CS-05-148
Computer Science Department
School of Computer Science, Carnegie Mellon University
FANFARE for the Common Flow
Elaine Shi, Bryan Parno, Adrian Perrig,
Yih-Chun Hu, Bruce Maggs
February 2005, Updated June 2005
CMU-CS-05-148.ps
CMU-CS-05-148.pdf
Keywords: Denial-of-Service, network infrastructure, capability, flow
This paper presents FANFARE, a suite of infrastructure-based primitives
that empowers routers and receivers to secure and enforce various
flow-control mechanisms, such as per-flow admission control,
service differentiation, and congestion control, even in the face
of sophisticated attackers. In FANFARE, a sender must receive
capabilities from both a receiver and forwarding routers
in order to acquire a certain bandwidth allocation, thus empowering
both receivers and routers to control the rates of flows. FANFARE
provides strong incremental deployment properties; in particular,
FANFARE's automatic congestion response mechanism can protect a
downstream legacy link from being flooded by FANFARE traffic.
In FANFARE, routers use no per-flow state; they only need to
rely on local information to make decisions, and hence do not
have to trust other routers. FANFARE can be used to secure
several known architectures for managing flows. In this
paper, for example, we show how to use FANFARE to halt DDoS
attacks and to secure a Diffserv infrastructure.
23 pages