DIPLOMA: Distributed Policy Enforcement Architecture for MANETs

Mansoor Alicherry; Angelos D. Keromytis

Department: Computer Science
Published in: 2010 Fourth International Conference on Network and System Security: NSS 2010, 1-3 September 2010, Melbourne, Australia
Book author(s): Yang Xiang, Pierangela Samarati, Jiankun Hu, Wanlei Zhou, Ahmad-Reza Sadeghi
Publisher: IEEE Computer Society, Los Alamitos, Calif.
The lack of a well-defined defense perimeter in MANETs prevents the use of traditional firewalls and requires security to be implemented in a distributed manner. We recently introduced a novel deny-by-default distributed security policy enforcement architecture for MANETs by harnessing and extending the concept of network capabilities. The deny-by-default principle allows compromised nodes to access only authorized services, limiting their ability to disrupt or even interfere with end-to-end connectivity and with nodes beyond their local communication radius. Policies are enforced hop-by-hop, in a distributed manner. In this paper, we present the implementation of this architecture, called DIPLOMA, on Linux. Our implementation works at the network layer and does not require any changes to existing applications. We identify the bottlenecks of the original architecture and propose improvements, including a signature optimization, so that it works well in practice. We present the results of evaluating the architecture in a realistic MANET testbed, Orbit. The results show that the architecture incurs minimal overhead in throughput, latency and jitter. We also show that the system protects network bandwidth and the end-hosts in the presence of attackers. To that end, we identify ways of creating multi-hop topologies in indoor environments so that a bad node cannot interfere with every other node. We also show that existing applications are not impacted by the new architecture and achieve good performance.
Suggested Citation:
Mansoor Alicherry, Angelos D. Keromytis, DIPLOMA: Distributed Policy Enforcement Architecture for MANETs, Columbia University Academic Commons.