Network Security Via Explicit Consent

Securing real-world operating systems is hard; dropping packets headed to those systems is easy. Thus, network-layer defenses have become indispensable to end-host security. Unfortunately, most defenses inflict collateral damage, require hardware modification, or necessitate coordination between organizations’ administrators. Yet, for all that, each defense addresses only a subset of attacks. This paper describes ICING, a network layer that allows all stakeholders (senders, receivers, and providers) to deploy new network defenses unilaterally, with enough precision to avoid collateral damage, and without further hardware modification. ICING captures many prior network-layer defenses within a coherent framework: for a packet to flow from sender to receiver, every entity along the path must have consented to the entire path. To enforce this property, ICING’s data plane must address a key challenge: how mutually distrustful realms that cannot rely on per-packet or per-flow public key cryptography ensure that packets follow their purported paths. We demonstrate ICING’s technical feasibility with a prototype that forwards at over 2 Gbit/s.