14.3. Components of a Resilient Network Architecture

Based on the discussion presented so far, we ask ourselves the basic question of what needs to be addressed in a resilient network architecture for such a service paradigm. Our thesis is that (1) the network needs to operate in a semi-reservation-oriented mode, (2) security and authentication need to be built-in factors, (3) routing can operate and hide information from untrusted elements, and (4) entry points to the network have the ability to do authorization checks and/or control traffic when necessary so that SC services can have priority (under stress).

Consider first one of the basic premises of our approach: the semi-reservation-oriented operation of the network. This means that the network has the ability to reserve resources to be made available to some services (e.g., SC services) when they need them. Note that the reservation need not be on a per-flow basis [9] such as in int-serv; a per class-based-type reservation, such as in diff-serv [10], suffices when needed. For brevity, we will refer to this network as the semi-reservation-oriented network (SRON). In this network, any reservation that is set does not necessarily remain static over a long duration; in fact, the SRON, in our view, operates in an adaptive reservation mode and can run without reservation until needed.

Secondly, security is a dynamic built-in factor in the SRON. This allows us to do at least the following: (1) determine if a router cannot be trusted, (2) check if a request has the authority to use reserved parts of the network, and (3) hide certain information in the network through encryption that can only be “seen” by authorized users. This aspect affects the operation of the routers and information exchanged among themselves. Since our interest is to provide priority to SC services, especially under a stress/attack, it is imperative that we periodically check the routers to see if they are trustworthy. Furthermore, we want the capability to hide resources (e.g., bandwidth) in the network that can be used by critical services at the right time using the trusted routers.

Since the network operates in the SRON mode and for the routers to determine good/acceptable routes, the routers need to exchange information about resource availability. For simplicity of illustration, we will use available bandwidth to be the resource of interest. For the purpose of this illustration, we assume that a link-state protocol is used to disseminate this information. The question then is, what should be included in this link-state advertisement, and more importantly, how do we ensure that the information advertised cannot be deciphered by an entity in the middle of the network? Given this premise, we next consider in depth both insider and outsider threats and countermeasures in a link-state routing framework.