Reviewer: Charlie Wiseman
Date: 11-3-2005
How would you rate this paper, relative to others we have read? top 25%, but not top 10%
How would you rate your knowledge of the topic of this paper? familiar, but not expert
What problem or issue does the paper address? Why is it important?
A network architecture is designed to limit the effect of denial-of-service attacks. DoS attacks can cause havoc at all levels of Internet service, from root DNS servers down to individual commercial servers (web servers, ftp servers, etc), and clearly need to be dealt with Internet-wide.
What are the main contributions of the paper and why are they important?
The authors present the Traffic Validation Architecture. TVA is a capabilities-based architecture that more or less allows servers to control what packets they receive. This is done with a bounded amount of state and computation power needed at hosts and routers, and is shown to stop a large set of DoS attacks from affecting other traffic in a major way.
How significant are these contributions relative to previous work?
As the authors say, this work explicitly builds on previous work that uses the same notion of capabilities to authenticate traffic. TVA extends the previous work to fill in some holes that had been left open for DoS attacks to exploit.
Give detailed comments justifying your view of the paper.
The overall design of TVA is sound and the provided simulation results speak loudly that the architecture could work as well as is claimed. Still, there are a few things that seem worth mentioning here.
First, the discussion on bounding the amount of state a router has to keep around isn't very clear. Exactly what state is being bounded isn't explicitly stated. It seems to be referring to the state needed to keep track of how many bytes a particular capability has used. In that context the results seem reasonable (although I'm not sure I understand where the minimum sending rate comes from). Even so, their example of a gigabit line card requires 32MB of memory just for this state! This says nothing about the rest of the state a router is keeping around, such as the flow nonce to capability cache. Not to mention that there has to be room for the actual packets somewhere in the router.
One problem that is mentioned but glossed over (and not simulated) is that all of the capability overhead becomes more evident with many short flows. In the paper they mention DNS specifically as a target of DoS attacks, and so TVA should be able to deal efficiently with such attacks. However, there are no results presented that show how well TVA reacts in such a situation. In general, the simulation results look good, but it is all based on one topology with the same kind of traffic. More comprehensive results would yield more confidence in the overall performance of TVA.
Another point that seems important but isn't mentioned in the paper is the amount of extra data being sent around on the network because of the capability stamps. In particular, request packets have an extra 32 bits of information, plus 80 bits per capability router, and renewal headers have 96 bits plus 64 per capability router. In their simple dumbbell topology (two routers) this is fine, but what about in the Internet, where there are potentially many capability routers? Even though such routers are only needed at certain places in the Internet, such as ISP edges, a normal flow, for example, might pass through 5 capability routers. So, a request would then have over 50 bytes of extra data attached to it, even though the request itself is likely to be quite small (say, a minimum size TCP packet). This seems like a lot of overhead.
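To make the overhead argument concrete, here is an added calculation (not from the paper or the review) that generalizes the header sizes quoted above to any number of capability routers on the path and compares them against a minimum-size TCP packet; the 40-byte figure (20-byte IPv4 header plus 20-byte TCP header, no payload) is an assumption.

```python
# Added example: TVA capability-stamp overhead versus path length.
# Header sizes come from the review text; the 40-byte minimum TCP packet
# is an assumption used to express overhead as a fraction of the packet.
REQUEST_FIXED_BITS = 32        # fixed part of a capability request header
REQUEST_PER_ROUTER_BITS = 80   # added by each capability router on the path
RENEWAL_FIXED_BITS = 96        # fixed part of a capability renewal header
RENEWAL_PER_ROUTER_BITS = 64   # added by each capability router on the path
MIN_TCP_PACKET_BYTES = 40      # assumption: 20-byte IPv4 + 20-byte TCP, no payload


def header_bytes(fixed_bits: int, per_router_bits: int, routers: int) -> int:
    """Total stamp size in bytes, rounding partial bytes up."""
    if routers < 0:
        raise ValueError("router count must be non-negative")
    total_bits = fixed_bits + per_router_bits * routers
    return (total_bits + 7) // 8


def request_overhead_bytes(routers: int) -> int:
    """Extra bytes carried by a request packet crossing `routers` capability routers."""
    return header_bytes(REQUEST_FIXED_BITS, REQUEST_PER_ROUTER_BITS, routers)


def renewal_overhead_bytes(routers: int) -> int:
    """Extra bytes carried by a renewal header crossing `routers` capability routers."""
    return header_bytes(RENEWAL_FIXED_BITS, RENEWAL_PER_ROUTER_BITS, routers)


def overhead_fraction(extra_bytes: int, packet_bytes: int = MIN_TCP_PACKET_BYTES) -> float:
    """Stamp bytes relative to the un-stamped packet (1.0 means the stamp doubles it)."""
    return extra_bytes / packet_bytes


def overhead_table(max_routers: int = 8) -> list:
    """One row per path length: (routers, request bytes, renewal bytes, request fraction)."""
    rows = []
    for n in range(1, max_routers + 1):
        req = request_overhead_bytes(n)
        ren = renewal_overhead_bytes(n)
        rows.append((n, req, ren, round(overhead_fraction(req), 3)))
    return rows


if __name__ == "__main__":
    print("routers  request_B  renewal_B  request/min_tcp")
    for n, req, ren, frac in overhead_table():
        print(f"{n:7d}  {req:9d}  {ren:9d}  {frac:14.3f}")
```

With five capability routers the request stamp is 54 bytes, more than the entire 40-byte minimum TCP packet it rides on; the two-router dumbbell from the paper gives only 24 bytes.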