Routing with Confidence: Supporting Discretionary Routing Requirements in Policy Based Networks

Apu Kapadia*, Prasad Naldurg, Roy H. Campbell
Dept. of Computer Science
University of Illinois at Urbana-Champaign
Urbana, IL, USA
{akapadia, naldurg, rhc}@uiuc.edu

* Apu Kapadia is funded by the U.S. Dept. of Energy's High-Performance Computer Science Fellowship through Los Alamos National Laboratory, Lawrence Livermore National Laboratory, and Sandia National Laboratory.

Abstract

We propose a novel policy-based secure routing framework that extends the mandatory nature of network access-control policies and allows users to exercise discretionary control on what routes they choose in a given network. In contrast to existing research that focuses mainly on restricting network access based on user credentials, we present a model that allows users to specify discretionary constraints on path characteristics and discover routes based on situational trust attributes of routers in a network. In this context, we present three levels of trust-attribute certification based on inherent, consensus based, and inferred characteristics of routers. We also define a "confidence" measure that captures the "quality of protection" of a route with regard to various dynamic trust relationships that arise from this interaction between user preferences and network policy. Based on this measure, we show how to generate paths of highest confidence efficiently by using shortest path algorithms. We show how our model generalizes the notion of Quality of Protection (QoP) for secure routing and discuss how it can be applied to anonymous and privacy-aware routing, intrusion tolerant communication, and secure resource discovery for ubiquitous computing, high performance, and peer-to-peer environments.

1 Introduction

With the advent of Policy Based Networking (PBN), network administrators now have the ability to specify, administer, and enforce an organization's network-access and utilization policies more effectively. PBN has traditionally focused on which users have access to what resources in a network [9]. A PBN framework uses bandwidth management, traffic-flow management, firewalling, caching, and other routing protocol and network security solutions such as IPSec, VPNs, etc., to provide differentiated services to groups of users in a dedicated network.

For the most part, the policies in a PBN refer to mandatory access control (MAC) and utilization policies that the network, as a system, applies to its users. The PBN architecture [10] organizes different network objects such as resources and services into different object roles, and defines a policy as a relationship between these object roles and different user groups. For example, traffic from certain groups of users can be treated preferentially, or access to certain network resources can be restricted to users belonging to a specific group. In addition, policies can be defined based on the attributes of the traffic itself, e.g., music file transfers or other application-specific packets can be bandwidth-limited. PBN policies are stored in a (possibly distributed) policy repository and enforced at Policy Enforcement Points (PEPs) on firewalls, routers and switches, etc., using a wide variety of mechanisms such as access control, filtering, and queue management.

The PBN framework has greatly simplified the management and administration of organizational network security policies. In this paper, we propose a novel extension to this framework that incorporates a user's expectations and preferences, with the existing mandatory network policies, to influence the path chosen by a user's traffic within this setting. Our motivation stems from the observation that the discretionary demands of users have been largely ignored in any formulation of PBN policies.
In addition to a user's identity and group membership

Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'04) 0-7695-2141-X/04 $20.00 © 2004 IEEE