
Secure and Policy-Compliant Source Routing

Platypus is a source routing system that allows for policy-compliant routing across autonomous systems (ASes). It uses cryptographically authenticated "capabilities" included in packets to verify that routes adhere to traffic policies set by each AS. Capabilities specify waypoints, billing principals, and authorizations. This allows packets to be stamped as policy-compliant at the source, reducing policy enforcement to stamp verification during forwarding. Platypus aims to provide more routing control compared to the default BGP protocol, allowing things like faster route failover, ingress traffic control, and virtual AS multi-homing while ensuring policy compliance.

Uploaded by

sriram9866
Copyright
© Attribution Non-Commercial (BY-NC)

Secure and Policy-Compliant Source Routing
Abstract
In today’s Internet, inter-domain route control
remains elusive; nevertheless, such control could
improve the performance, reliability, and utility of the
network for end users and ISPs alike.
While researchers have proposed a number of
source routing techniques to combat this limitation,
there has thus far been no way for independent ASes
to ensure that such traffic does not circumvent local
traffic policies, nor to accurately determine the
correct party to charge for forwarding the traffic.
Introduction
Algorithm/Method Used:
Platypus Policy Framework.
Algorithm/Method Description:
Platypus uses network capabilities, primitives that are placed
within individual packets, to securely attest to the policy
compliance of source routing requests.
Network capabilities are
i) Transferable: an entity can delegate capabilities to others,
ii) Composable: a packet may be accompanied by a set of capabilities, and
iii) Cryptographically authenticated.
Capabilities can be issued by ASes to any parties they know how to bill.
Each capability specifies a desired transit point (called a
waypoint), a resource principal responsible for the traffic, and a
stamp of authorization.
Network operators and academic researchers alike recognize
that today’s wide-area Internet routing does not realize the full
potential of the existing network infrastructure in terms of
performance, reliability, or flexibility.
While a number of techniques for intelligent, source-
controlled path selection have been proposed to improve end-
to-end performance, reliability, and flexibility, they have proven
problematic to deploy due to concerns about security and
network instability. We attempt to address these issues in
developing a scalable, authenticated, policy-compliant, wide-
area source routing protocol.
We present the design and evaluation of Platypus, a source
routing system that, like many source-routing protocols before
it, can be used to implement efficient overlay forwarding, select
among multiple ingress/egress routers, provide virtual AS
multi-homing, and address many other common routing
deficiencies.
The key advantage of Platypus is its ability to ensure
policy compliance during packet forwarding. Platypus enables
packets to be stamped at the source as being policy compliant,
reducing policy enforcement to stamp verification. Hence,
Platypus allows for management of routing policy independent
of route export and path selection.
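
An added example, not from the original slides or the Platypus authors: a minimal sketch of capability issuance, source-side stamping and per-hop stamp verification as described above. It assumes HMAC-SHA256 as the MAC and a hypothetical 8-byte capability layout; all function names, field sizes and keys are illustrative.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32         # HMAC-SHA256 output size (assumed MAC; the page names none)
ENTRY = 8 + MAC_LEN  # one capability (8 bytes, hypothetical layout) plus its stamp

def encode_capability(waypoint: int, principal: int) -> bytes:
    """Hypothetical layout: 32-bit waypoint id, 32-bit resource principal id."""
    return struct.pack("!II", waypoint, principal)

def issue_secret(as_key: bytes, cap: bytes) -> bytes:
    """AS side: derive the secret handed to the billed party (who may delegate it)."""
    return hmac.new(as_key, cap, hashlib.sha256).digest()

def stamp(cap: bytes, secret: bytes, payload: bytes) -> bytes:
    """Source side: bind the capability to this packet's payload."""
    return hmac.new(secret, cap + payload, hashlib.sha256).digest()

def build_packet(caps, payload: bytes) -> bytes:
    """Compose several (capability, secret) pairs into one source-routed packet."""
    header = b"".join(cap + stamp(cap, sec, payload) for cap, sec in caps)
    return struct.pack("!B", len(caps)) + header + payload

def verify_at_waypoint(packet: bytes, my_waypoint: int, as_key: bytes):
    """Router side: return the principal to bill, or None if no valid stamp names us."""
    if not packet or len(packet) < 1 + packet[0] * ENTRY:
        return None  # empty packet or truncated capability header
    count = packet[0]
    payload = packet[1 + count * ENTRY:]
    for i in range(count):
        off = 1 + i * ENTRY
        cap, tag = packet[off:off + 8], packet[off + 8:off + ENTRY]
        waypoint, principal = struct.unpack("!II", cap)
        if waypoint != my_waypoint:
            continue
        # Stateless check: re-derive the secret from the AS key, then the stamp.
        expected = stamp(cap, issue_secret(as_key, cap), payload)
        if hmac.compare_digest(tag, expected):
            return principal
    return None

if __name__ == "__main__":
    # Constructed sample: two ASes, one billed principal (id 7), waypoints 10 and 20.
    key_a, key_b = b"A" * 32, b"B" * 32
    caps = [(c, issue_secret(k, c)) for k, c in
            ((key_a, encode_capability(10, 7)), (key_b, encode_capability(20, 7)))]
    pkt = build_packet(caps, b"hello")
    print(verify_at_waypoint(pkt, 10, key_a), verify_at_waypoint(pkt, 20, key_b))
```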
Objective:
In today’s Internet, inter-domain route control remains elusive;
nevertheless, such control could improve the performance,
reliability, and utility of the network for end users and ISPs
alike.
Existing System:

An increasing number of ASes have been connecting to the
Internet through the BGP inter-domain routing protocol.
With increasing stress on the scale of this system and
increasing reliance on Internet connectivity, more participants
demand additional functionality from inter-domain routing
that BGP cannot handle.
BGP today offers route fail-over times as long as 15
minutes, and very limited control over incoming traffic across
multiple wide area paths.
More research literature and news media are calling for
stemming malicious or erroneous routing announcements.
We propose a policy control architecture, OPCA, that runs as an
overlay network on top of BGP. OPCA allows an AS to make
route change requests at other, remote ASes to achieve faster
route fail-over and provide capabilities to control traffic
entering the local AS.
Proposed System:

around the concept of network capabilities, which allow for
accountable, fine-grained path selection by cryptographically
attesting to policy compliance at each hop along a source route.
Capabilities can be composed to construct routes
through multiple ASes and can be delegated to third parties.
Platypus caters to the needs of both end users and ISPs: users
gain the ability to pool their resources and select routes other
than the default, while ISPs maintain control over where, when,
and whose packets traverse their networks.
We describe the design and implementation of an extensive
Platypus policy framework that can be used to address several
issues in wide-area routing at both the edge and the core, and
evaluate its performance and security. Our results show that
incremental deployment of Platypus can achieve immediate
gains.
ADVANTAGES:

• Estimates (i.e. budget, schedule, etc.) become more realistic as work progresses, because important issues are discovered earlier.

• It is more able to cope with the changes that software development generally entails.

• Software engineers can get their hands in and start working on the core of a project earlier.
Design Engineering
Activity Diagram:
[Figure: activity diagram with lanes Source, ISP and Destination. Activities shown: Find Routes, Enter the Message, Share Policy, Message Packets, Send to ISP, Receive Packets, Packets Authentication, Forward to Destination, Receive Packets.]


Use Case Diagram:
[Figure: use case diagram with actors Source, Intermediate ISP and Destination. Use cases shown: Find Route, Share Policy, Enter Message, Message Packets, Send to Other ISP, Receive Packets, Filter the Packets, Authenticate Policy, Forward Packets.]
Sequence Diagram:
[Figure: sequence diagram with participants Source, Share Policy, Message, ISPs, Authenticate and Destination. Messages in order:]
1 : sharing policy()
2 : sharing()
3 : enter the message()
4 : message packets()
5 : send packets()
6 : authenticate packets()
7 : forward packets()
