OSAA: On-Demand Source Authentication and Authorization in the Internet
05 September 2019
The inability to control inbound traffic is one of the essential security vulnerabilities of the present Internet. It is a consequence of the fundamental fact that the Internet was built as a highly distributed public network in which every node may freely send arbitrary traffic to any other node. This vulnerability can be exploited by a variety of DoS attacks (with a volumetric DDoS attack being the most prominent example) or triggered by non-malicious phenomena like flash crowds. In this paper, state-of-the-art solutions aiming to mitigate these risks are discussed and a novel proposal, On-demand Source Authentication and Authorization (OSAA), is presented. OSAA does not target a particular threat but addresses the root cause of the vulnerability. The proposed architecture enables Internet end nodes to authenticate traffic sources and facilitates cost-effective filtering of unauthorized traffic. The solution is based on a capability-based security model and public key infrastructure. Key characteristics of OSAA are strong security of the provided services and a viable business case with clear economic incentives for the parties bearing the workload.