DACS: DHT-Based Distributed Access-Control System for a Secure Locator/Identifier Separation Network
Kai Wang
School of Computer and Control Engineering, Yantai University, China
wangkai_bw@163.com
Abstract
The Locator/Identifier Separation Network (LISN) is an ideal solution to the scalability issues of the current routing infrastructure, and how to achieve a secure LISN has attracted considerable attention. This paper proposes a new distributed hash table (DHT)-based Distributed Access-Control System (DACS) for a secure LISN, consisting of three functional modules: the first is a Tag-aware Access-Control module (TAC), which generates a user tag (UTag) and a service tag (STag) by cognizing the natural and dynamic attributes of users and services respectively; the second is an Adaptive Policy Generation module (APG), which adaptively selects proper policy instances to achieve intelligent access control; the last is a Cooperative Decision Making module (CDM), which provides efficient decision-making with the help of multi-peer parallel cooperation. We validated its advantages by implementing the designed DACS in our LISN platform. To the best of our knowledge, this is the first attempt to design a context-aware DACS for LISN that embeds both statically and dynamically cognitive features.
Keywords: Access control, Distributed hash table, Locator/identifier separation network.
1 Introduction
With the rapid growth of the global routing table, Locator/Identifier Separation Network (LISN) architectures (e.g., networks embedding the Locator/Identifier Separation Protocol (LISP) [1]) have been considered one of the most promising candidates for the future Internet routing architecture, in order to solve the routing scalability problem [2]. LISN decouples the overlapping semantics of identity and location in the current IP address namespace, and can achieve better mobility and security performance; it thus attracts considerable attention from both academia and industry [3-15].
In the network layer of LISN, an identifier namespace is used to indicate the identity of each network device, and a locator namespace is used to locate these network devices in the network topology. Moreover, LISN uses an (identifier, port) binding in the transport layer of its protocol stack, rather than the (IP address, port) binding used in traditional IP-based networks. In this way, a network device in LISN can maintain continuous data delivery without any disruption even while using varying locators, because the (identifier, port) binding used by the transport protocol remains unchanged; this improves seamless delivery, efficient mobility and multi-homing [10][12].
In addition, the locator is used for switching and routing in the transit core network of a LISN architecture, while the identifier is usually used in the edge network where users access the Internet, since it represents the identity of every user. That is, the identifier is not allowed to be broadcast into the transit core network, which protects the privacy of user-related information (e.g., a user's identifier). For example, attackers cannot obtain legitimate users' identifiers by analyzing data messages transmitted in the transit core network. Therefore, LISN provides better security and privacy for Internet users.
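To make the two preceding paragraphs concrete, the following is an added toy model (not code from the paper or from any LISN implementation): an edge-side mapping from identifiers to locators, a transport session table keyed on (identifier, port), and the outer header a core router forwards on. The device names, locators, class names and the `LISNEdge` API are all constructed for this illustration.

```python
# Added illustration of the LISN split described above; all names are constructed.
from dataclasses import dataclass


@dataclass
class EdgePacket:
    """Packet as seen in the edge network: addressed by identifiers."""
    src_id: str
    dst_id: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class CorePacket:
    """Packet as forwarded in the transit core: outer header carries locators only."""
    src_loc: str
    dst_loc: str
    inner: EdgePacket  # identifier-addressed packet carried as opaque cargo


class LISNEdge:
    """Edge element holding the identifier->locator mapping and transport sessions."""

    def __init__(self):
        self.mapping = {}   # identifier -> current locator
        self.sessions = {}  # (src_id, src_port, dst_id, dst_port) -> bytes sent

    def register(self, identifier, locator):
        # Re-registering an identifier with a new locator models mobility/multi-homing.
        self.mapping[identifier] = locator

    def send(self, pkt):
        # Session state is keyed on (identifier, port), never on the locator,
        # so a locator change does not create or break a session.
        key = (pkt.src_id, pkt.src_port, pkt.dst_id, pkt.dst_port)
        self.sessions[key] = self.sessions.get(key, 0) + len(pkt.payload)
        return CorePacket(self.mapping[pkt.src_id], self.mapping[pkt.dst_id], pkt)


def core_forwarding_key(core):
    """The only fields a transit-core router needs to route on: the outer locators."""
    return (core.src_loc, core.dst_loc)


def mobility_demo():
    """Constructed scenario: user-A moves from loc-1 to loc-2 mid-session."""
    edge = LISNEdge()
    edge.register("user-A", "loc-1")
    edge.register("svc-movie", "loc-9")
    p1 = edge.send(EdgePacket("user-A", "svc-movie", 40000, 443, b"GET /film"))
    edge.register("user-A", "loc-2")  # locator changes, identifier does not
    p2 = edge.send(EdgePacket("user-A", "svc-movie", 40000, 443, b"...more"))
    return {"locators": (p1.src_loc, p2.src_loc), "sessions": len(edge.sessions),
            "core_keys": (core_forwarding_key(p1), core_forwarding_key(p2))}
```

Running `mobility_demo()` shows the source locator changing between the two core packets while exactly one transport session exists, and the core forwarding keys contain no identifier.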
However, LISN does not support a security-aware mechanism to handle threats from legitimate users or services. For example, a legitimate user may occupy so many network resources that LISN does not have enough resources available for other legitimate users. Moreover, a registered service (e.g., a movie) may be patched with malicious or restricted content (e.g., illegal words). Thus, it is very important and necessary to formulate a security-aware strategy for LISN. Current security systems in LISN mostly adopt policy-based access-control mechanisms [16], which only allow or prohibit users from accessing their requested contents by checking predefined policies, without any real context-aware mechanism. To achieve a secure and smart LISN, a cognitive and adaptive access-control solution is the way forward, which involves several important challenges, as follows:
(1) How to provide a fine-grained access-control mechanism that allows or disallows users access to their requested contents based on a given attribute (e.g., the user's age);
(2) How to produce a proper policy based on awareness of the varying context (e.g., the service's behaviors and the user's behaviors) to improve access-control decisions;
(3) How to overcome the decision-making bottleneck so as to improve the system's performance and robustness.
According to the above problems, this paper provides a novel distributed hash table (DHT)-based distributed

*Corresponding author: Kai Wang; E-mail: wangkai_bw@163.com
DOI: 10.6138/JIT.2016.17.7.20160615