On building inexpensive network capabilities

By: Craig A. Shue, Andrew J. Kalafut, Mark Allman, Curtis R. Taylor
Appears in: CCR April 2012

There are many deployed approaches for blocking unwanted traffic, either once it reaches the recipient's network or closer to its point of origin. One of these schemes is based on the notion of traffic carrying capabilities that grant access to a network and/or end host. However, leveraging capabilities results in added complexity and additional steps in the communication process: before communication starts, a remote host must be vetted and given a capability to use in the subsequent communication. In this paper, we propose a lightweight mechanism that turns the answers provided by DNS name resolution - which Internet communication broadly depends on anyway - into capabilities. While not achieving an ideal capability system, we show that the mechanism can be built from commodity technology and is therefore a pragmatic way to gain some of the key benefits of capabilities without requiring new infrastructure.

Public Review By: Stefan Saroiu

Leveraging capabilities in network architectures is a hot area of research today. A number of researchers have argued that capabilities could help improve network security (especially DoS attacks) because an attacker would lack the ability to generate traffic unless it acquires the appropriate capability first. This paper puts forward an interesting insight -- we could try leveraging DNS as a capability system and configure servers to change their IP addresses frequently (perhaps by changing IP translations in the NAT box placed in front of the server). A host needs to perform a DNS lookup before initiating a connection to the server. The paper does a nice job of describing how DNS could be used as a capability system. All reviewers acknowledged that the paper's observation (i.e., "Hey! Here's how to turn DNS into a capability system") is a really nice one. The paper is also well-written and thought-provoking, and thus a very nice new addition to a long line of previous papers on the theme of how to introduce new functionality by piggy-backing on existing networking systems. The reviewers' main concern was understanding the exact nature of the threats that such a system would prevent. The reviewers felt that many DoS attacks today rely on flooding the network (rather than on sending a small number of packets only) and this system falls short of preventing such attacks. For example, even without the server's current IP address, an attacker could still flood the NAT box if they were to know a previously valid server IP. While the reviewers' concerns are very specific – the paper's threat model is not clearly articulated – they get to a much deeper issue of this research area. The nature of the argument put forward appears to be recursive. On one hand, capabilities can stop DoS attacks on the network. But, how do we stop DoS attacks on the capabilities system itself?
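The mechanism sketched in the abstract and the review (a DNS answer that doubles as a capability, with a NAT box rotating the public address it translates for the server) can be modelled in a few lines. This is an added toy simulation, not code from the paper; the class and method names, the 203.0.113.0/29 alias pool, the 60-second TTL and the 10.0.0.5 server address are all constructed for illustration. It also counts packets that reach the gateway whether or not they are translated, which is the reviewers' point about floods aimed at a stale address.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Binding:
    server: str     # private address of the real server behind the NAT box
    expires: float  # after this instant the public alias is no longer translated


class CapabilityGateway:
    """Toy NAT box whose public->private translations are rotated on a timer.

    The current public alias is what DNS hands out, so holding a fresh
    DNS answer is the capability; holding an old one is not."""

    def __init__(self, pool, ttl, now=time.time):
        self._pool = [str(a) for a in pool]  # public addresses to rotate through
        self._ttl = ttl                      # DNS TTL == translation lifetime
        self._now = now                      # injectable clock for testing
        self._table = {}                     # public alias -> Binding
        self._current = {}                   # name -> alias currently advertised
        self.arrivals = 0                    # packets that reached the gateway at all

    def rotate(self, name, server):
        """Operator-side step: advertise a fresh alias and expire it after ttl."""
        alias = self._pool.pop(0)
        self._pool.append(alias)
        self._table[alias] = Binding(server, self._now() + self._ttl)
        self._current[name] = alias
        return alias

    def resolve(self, name):
        """Authoritative DNS answer: (alias, ttl). TTL must not exceed the lifetime."""
        return self._current[name], self._ttl

    def forward(self, dst):
        """Packet addressed to `dst` hits the NAT box: translate it or drop it."""
        self.arrivals += 1  # link bandwidth is consumed even for dropped packets
        binding = self._table.get(dst)
        if binding is None or binding.expires <= self._now():
            return None     # no valid capability: dropped at the gateway
        return binding.server


def demo():
    clock = [1000.0]
    gw = CapabilityGateway(ipaddress.ip_network("203.0.113.0/29").hosts(),
                           ttl=60, now=lambda: clock[0])
    gw.rotate("www.example.com", "10.0.0.5")
    alias, _ttl = gw.resolve("www.example.com")
    fresh = gw.forward(alias)   # client that just resolved: translated
    clock[0] += 120             # a rotation interval elapses
    gw.rotate("www.example.com", "10.0.0.5")
    stale = gw.forward(alias)   # reuse of the old answer: dropped
    return fresh, stale, gw.arrivals
```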