FPAC: Fast, Fixed-Cost Authentication for Access to Reserved Resources

Enhanced network services often involve allocating resources (bandwidth/buffer space) preferentially to packets belonging to certain flows or traffic classes. Such services are vulnerable to denial-of-service attacks if packet classification is based on information that can be forged, such as source and destination addresses and port numbers. Traditional message authentication codes (MACs), often considered the only solution to this problem, are really not designed to solve it. In particular, their perpacket costs are so high that they enable another form of denial-of-service attack based on overwhelming the verification mechanism. We describe the problem of denial of access to reserved resources and the inadequacies of conventional solutions. We then observe that it is reasonable to trade some of the strong security guarantees provided by conventional MACs for a lower per-packet cost. We propose a new packet authentication algorithm, designed to solve the problem of protecting reserved resources, with a very low, fixed per-packet cost. While it cannot replace conventional MACs for end-to-end authentication, we argue that it is a better solution for the problem considered here. We present measurements from a prototype implementation that can verify a packet of arbitrary size in as few as 1000 machine cycles on an Intel architecture machine.