Capability-Based Egress Network Access Control for Transferring Access Rights

Sydney, Australia July 04-July 07

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/ICITA.2005.92

Third International Conference on Inf ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Shinichi Suzuki Articles by Yasushi Shinjo Articles by Toshio Hirotsu Articles by Kozo Itano Articles by Kazuhiko Kato

	ASCII Text	x
	Shinichi Suzuki, Yasushi Shinjo, Toshio Hirotsu, Kozo Itano, Kazuhiko Kato, "Capability-Based Egress Network Access Control for Transferring Access Rights," Information Technology and Applications, International Conference on, vol. 2, pp. 488-495, Third International Conference on Information Technology and Applications (ICITA'05) Volume 2, 2005.

	BibTex	x
	@article{ 10.1109/ICITA.2005.92, author = {Shinichi Suzuki and Yasushi Shinjo and Toshio Hirotsu and Kozo Itano and Kazuhiko Kato}, title = {Capability-Based Egress Network Access Control for Transferring Access Rights}, journal ={Information Technology and Applications, International Conference on}, volume = {2}, year = {2005}, isbn = {0-7695-2316-1}, pages = {488-495}, doi = {http://doi.ieeecomputersociety.org/10.1109/ICITA.2005.92}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Information Technology and Applications, International Conference on TI - Capability-Based Egress Network Access Control for Transferring Access Rights SN - 0-7695-2316-1 SP488 EP495 A1 - Shinichi Suzuki, A1 - Yasushi Shinjo, A1 - Toshio Hirotsu, A1 - Kozo Itano, A1 - Kazuhiko Kato, PY - 2005 KW - null VL - 2 JA - Information Technology and Applications, International Conference on ER -

Shinichi Suzuki, University of Tsukuba

Yasushi Shinjo, University of Tsukuba and JST

Toshio Hirotsu, Toyohashi University of Technology and JST

Kozo Itano, University of Tsukuba and JST

Kazuhiko Kato, University of Tsukuba and JST

In conventional egress network access control (NAC) using access control lists (ACLs), modifying ACLs is a heavy task for administrators. To enable rapid configuration without a large amount of effort by administrators, we introduce capabilities to egress NAC. In our egress NAC, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize capability-based egress NAC, we use DNS messages and IP options to carry capabilities. A resolver of the client sends the user name, domain name, and service name as DNS query messages to a DNS cache server, which issues capabilities according to a policy and sends them as DNS answer messages to the client. The client kernel includes these capabilities in the IP options of packets and sends them to the router. The router checks the capabilities of the packets to determine whether to pass or block them. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router?s performance.

Citation:

Shinichi Suzuki, Yasushi Shinjo, Toshio Hirotsu, Kozo Itano, Kazuhiko Kato, "Capability-Based Egress Network Access Control for Transferring Access Rights," icita, vol. 2, pp.488-495, Third International Conference on Information Technology and Applications (ICITA'05) Volume 2, 2005

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.