TY - JOUR
T1 - Secure quality of service handling: SQoSH
JF - IEEE Communications Magazine
Y1 - 2000
A1 - Alexander,D. S
A1 - Arbaugh, William A.
A1 - Keromytis,A. D
A1 - Muir,S.
A1 - Smith,J. M
KW - Acceleration
KW - Access control
KW - active networks
KW - ALIEN active loader
KW - Clocks
KW - Computer network management
KW - cryptographic credentials
KW - cryptography
KW - customized networking services
KW - Data security
KW - Data structures
KW - denial-of-service attacks
KW - interfaces
KW - Kernel
KW - loaded modules
KW - network resources
KW - network traffic
KW - open signaling
KW - packet switching
KW - Piglet lightweight device kernel
KW - programmable network element
KW - programmable network infrastructures
KW - Programming profession
KW - Proposals
KW - quality of service
KW - remote invocation
KW - resource control
KW - restricted control of quality of service
KW - SANE
KW - scheduling
KW - scheduling discipline
KW - secure active network environment architecture
KW - secure quality of service handling
KW - security infrastructure
KW - security risks
KW - SQoSH
KW - SwitchWare architecture
KW - telecommunication security
KW - tuning knobs
KW - virtual clock
AB - Proposals for programmable network infrastructures, such as active networks and open signaling, provide programmers with access to network resources and data structures. The motivation for providing these interfaces is accelerated introduction of new services, but exposure of the interfaces introduces many new security risks. We describe some of the security issues raised by active networks. We then describe our secure active network environment (SANE) architecture. SANE was designed as a security infrastructure for active networks, and was implemented in the SwitchWare architecture. SANE restricts the actions that loaded modules can perform by restricting the resources that can be named; this is further extended to remote invocation by means of cryptographic credentials. SANE can be extended to support restricted control of quality of service in a programmable network element. The Piglet lightweight device kernel provides a “virtual clock” type of scheduling discipline for network traffic, and exports several tuning knobs with which the clock can be adjusted. The ALIEN active loader provides safe access to these knobs to modules that operate on the network element. Thus, the proposed SQoSH architecture is able to provide safe, secure access to network resources, while allowing these resources to be managed by end users needing customized networking services. A desirable consequence of SQoSH's integration of access control and resource control is that a large class of denial-of-service attacks, unaddressed solely with access control and cryptographic protocols, can now be prevented.
VL - 38
SN - 0163-6804
CP - 4
M3 - 10.1109/35.833566
ER -