Fast Network Security
Current projects:
Developing extensions of existing Internet security that reduce a-priori configuration and reliance on pre-deployed infrastructure, providing DDOS protection. This work focuses on providing anonymous interactions, e.g., DDOS protection without authoritative knowledge of endpoint identity. The work is being done in the IETF Better Than Nothing Security (BTNS) WG, and is part of the TC-Arch effort at ISI.
Examining ways to reduce the cost of using IPsec, notably to avoid DOS attacks that overload CPU resources at receivers. TRIAGE focuses on layered defenses of variable cost and efficacy. This work is part of the Optiputer project.
Developing extensions of existing Internet security that support high-throughput, low-latency security. This work is part of the Optiputer project.
Developing a file system model for configuring hosts and routers, to provide partitioned permission to configure subsets of network interfaces, routes, etc. on a device. This allows multiple distinct virtual networks to control parts of a device, i.e., NetFS is to X-Bone VPNs as memory protection is to Virtual Memory.
Provided layers of overlays to enable spread-spectrum defenses against network attacks.
Securely deploys independent concurrent overlay networks, the tunnels of which support IPsec, providing secure partitioning of virtual networks. This is a virtual network equivalent of virtual memory.
Determined how to support dynamic routing in the presence of IPsec, notably pioneering the technique of combining IPsec transport mode with separate IP-IP encapsulation tunnels, as contrasted with IPsec tunnel mode. Developed as part of the X-Bone project.
Analyzed the current performance of MD5, and determined the performance limits of the algorithm, whether in hardware or software. A previous version of this work appeared as RFC-1810. Developed during the ATOMIC-2 project.