CSE 770 Paper Review

Reviewer: Manfred Georg
Date: 11-3-2005

How would you rate this paper, relative to others we have read? top 10%

How would you rate your knowledge of the topic of this paper? familiar, but not expert

What problem or issue does the paper address? Why is it important?

This paper deals with the addition of capabilities (nonces, hashes, etc.) to packets in such a way as to render DoS attacks on the network ineffective. It is a merging of several different approaches that is a comprehensive solution to security in a network. This is important since it almost completely solves the problem of bandwidth-hogging DoS attacks in the internet.

What are the main contributions of the paper and why are they important?

It merges together several approaches in such a way as to give a comprehensive solution to preventing DoS attacks on network capacity.

How significant are these contributions relative to previous work?

The paper has many insightful points that are non-obvious from previous work, such as caching capabilities and allowing a nonce to replace them in high-bandwidth flows, and the addition of a path-finding scheme to solve DoS attacks on request packets.

Give detailed comments justifying your view of the paper.

I have read some other work in this area, and this paper definitely is the first time I have come away thinking that this could actually work. This might be something I would want in my network.
As usual in this problem, overhead is the main issue. I like the analysis on required processing, which is very hopeful. However, I remain skeptical that high line rates are as easy to achieve as stated. The authors neglect to mention an estimate of the Kpps (kilo packets per second) rate for standard IP packets with polling. I didn't follow exactly how the variable bandwidth for variable time length capabilities are verified by the router (it has something to do with chains of secrets?). I hope the presentation clears that up. I'm curious to think how fast a line rate a custom hardware implementation can sustain. Does it scale in the same way as other routing components? Can multiple verification cores be used if necessary?
This paper flows very nicely. It presents very easy and logical steps, which give the impression that the solution is obvious. However, there is a lot of depth here. I wish I had written it :) .