Abstract
To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems (ASes) have come to surpass single-homed networks in number. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy stateful inspection firewalls at their borders. We formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing conditions. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of the following two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon a SYN packet arrival, and 2) state sharing triggered by a SYN/ACK packet arrival in the absence of the trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed for high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results through a prototype implementation.
Original language | English |
---|---|
Pages (from-to) | 1887-1891 |
Number of pages | 5 |
Journal | IEEE International Conference on Communications |
Volume | 4 |
Publication status | Published - 2004 |
Event | 2004 IEEE International Conference on Communications - Paris, France Duration: 2004 Jun 20 → 2004 Jun 24 |
ASJC Scopus subject areas
- Computer Networks and Communications
- Electrical and Electronic Engineering