Computer Science Department
School of Computer Science, Carnegie Mellon University


FANFARE for the Common Flow

Elaine Shi, Bryan Parno, Adrian Perrig,
Yih-Chun Hun, Bruce Maggs

February 2005, Updated June 2005

Keywords: Denial-of-Service, network infrastructure, capability, flow

This paper presents FANFARE, a suite of infrastructure-based primitives that empowers routers and receivers to secure and enforce various flow-control mechanisms, such as per-flow admission control, service differentiation, and congestion control, even in the face of sophisticated attackers. In FANFARE, a sender must receive capabilities from both a receiver and forwarding routers in order to acquire a certain bandwidth allocation, thus empowering both receivers and routers to control the rates of flows. FANFARE provides strong incremental deployment properties; in particular, FANFARE's automatic congestion response mechanism can protect a downstream legacy link from being flooded by FANFARE traffic. In FANFARE, routers use no per-flow state; they only need to rely on local information to make decisions, and hence do not have to trust other routers. FANFARE can be used to secure several known architectures for managing flows. In this paper, for example, we show how to use FANFARE to halt DDoS attacks and to secure a Diffserv infrastructure.

23 pages

Return to: SCS Technical Report Collection
School of Computer Science homepage

This page maintained by