1413
DACS: DHT-Based Distributed Access-Control System for a Secure Locator/Identier Separation Network
DACS: DHT-Based Distributed Access-Control System for a
Secure Locator/Identier Separation Network
Kai Wang
School of Computer and Control Engineering, Yantai University, China
wangkai_bw@163.com
Abstract
Locator/Identifier Separation Network (LISN) is an
ideal solution to the scalability issues of current routing
infrastructure, and how to achieve a secure LISN attracts
remarkable concerns. This paper proposes a new distributed
hash table (DHT)-based Distributed Access-Control System
(DACS) for a secure LISN, including three functional
modules: the first is a Tag-aware Access-Control module
(TAC), which generates user tag (UTag) and service tag
(STag) by cognizing their natural and dynamic attributes
respectively; the second is an Adaptive Policy Generation
module (APG), which adaptively selects proper policy
instances to achieve intelligent access control; the last
one is a Cooperative Decision Making module (CDM),
providing efcient decision-making with the help of multi-
peer parallel cooperation. We validated its advantages by
implementing the designed DACS in our LISN platform. To
the best of our knowledge, this is the rst attempt to design
a context-aware DACS for LISN, embedding both statically
and dynamically cognitive features.
Keywords: Access control, Distributed hash table,
Locator/identier separation network.
1 Introduction
With the rapid growth of the global routing table,
Locator/Identier Separation Network (LISN) architectures
(e.g., networks embedding Locator/identifier separation
protocol (LISP) [1]) has been considered as one of the
most promising candidates for future Internet routing
architecture, in order to solve the routing scalability
problem [2]. LISN decouples the overlapping semantics
of identity and location in current IP address namespace,
and can achieve better mobility and security performance,
thus attracts considerable attention from both academia and
industry area [3-15].
In the network layer of LISN, an identier namespace
is used to indicate the identity of each network device, and
a locator namespace is used to locate these network devices
in the network topology. Moreover, LISN uses (identier,
port) binding in transport layer of its protocol stack,
rather than (IP address, port) binding previously used in
traditional IP-based networks. In this way, a network device
in LISN can maintain continuous data delivery without
any disruption even using varying locators, because the
(identifier, port) binding used in transport protocol keeps
unchanged, which improves the performance of seamless
delivery, efcient mobility and multi-homing [10][12].
In addition, the locator is used for switching and
routing in the transit core network of a LISN architecture,
while the identier is usually used in edge network where
users access Internet since it represents the identity of every
user. That is, identier is not allowed to be broadcast into
the transit core network, which protects the privacy of user-
related information (e.g., user’s identifier). For example,
attackers cannot obtain legitimate users’ identifiers by
analyzing data messages transmitted in the transit core
network. Therefore, LISN provides better security and
privacy for Internet users.
However, LISN does not support a security-aware
mechanism to handle the threats from legitimate users or
services. For example, a legitimate user may occupy so
many network resources that LISN doesn’t have enough
resource available to other legitimate users. Moreover,
a registered service (e.g., movie) may be patched with a
malicious or constraint content (e.g., illegal words). Thus,
it is very important and necessary to formulate a security-
aware strategy for LISN. Current security systems in LISN
mostly adopt policy-based access-control mechanisms [16],
which only allow or prohibit users to access to their request
contents by checking the predened policies, without any
real context-aware mechanisms. To achieve a secure and
smart LISN, the cognitive and adaptive access-control
solution will be the future, which includes several important
challenges as following:
(1) How to provide a fine-grained access control
mechanism to allow or disallow users access to their
request contents by a given attribute (e.g., user’s age);
(2) How to produce a proper policy based on aware of
varying context (e.g., service’s behaviors and user’s
behaviors) to improve access control decision;
(3) How to overcome the problem of decision-making
bottleneck so as to improve system’s performance and
robustness.
According to the above problems, this paper provides
a novel distributed hash table (DHT)-based distributed
*Corresponding author: Kai Wang; E-mail: wangkai_bw@163.com
DOI: 10.6138/JIT.2016.17.7.20160615
下载后可阅读完整内容,剩余9页未读,立即下载
weixin_38696336
- 粉丝: 3
- 资源: 921
我的内容管理
展开
最新资源
- C++多态实现机制详解:虚函数与早期绑定
- Java多线程与异常处理详解
- 校园导游系统:无向图实现最短路径探索
- SQL2005彻底删除指南:避免重装失败
- GTD时间管理法:提升效率与组织生活的关键
- Python进制转换全攻略:从10进制到16进制
- 商丘物流业区位优势探究:发展战略与机遇
- C语言实训:简单计算器程序设计
- Oracle SQL命令大全:用户管理、权限操作与查询
- Struts2配置详解与示例
- C#编程规范与最佳实践
- C语言面试常见问题解析
- 超声波测距技术详解:电路与程序设计
- 反激开关电源设计:UC3844与TL431优化稳压
- Cisco路由器配置全攻略
- SQLServer 2005 CTE递归教程:创建员工层级结构
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
