Direct End-to-Middle Authentication in Cooperative Networks

Transcription

1 Direct End-to-Middle Authentication in Cooperative Networks Von der Fakultät für Mathematik, Informatik und Naturwissenschaften der RWTH Aachen University zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften genehmigte Dissertation vorgelegt von Dipl.-Inform. Tobias Martin Heer aus Mutlangen, Schwäbisch Gmünd Berichter: Prof. Dr.-Ing. Klaus Wehrle Prof., PhD Sasu Tarkoma Tag der mündlichen Prüfung Diese Dissertation ist auf den Internetseiten der Hochschulbibliothek digital verfügbar.

2

3 WICHTIG: D 82 überprüfen!!! Reports on Communications and Distributed Systems edited by Prof. Dr.-Ing. Klaus Wehrle Communication and Distributed Systems, RWTH Aachen University Volume 3 Tobias Martin Heer Direct End-to-Middle Authentication in Cooperative Networks Shaker Verlag Aachen 2012

4 Bibliographic information published by the Deutsche Nationalbibliothek The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available in the Internet at Zugl.: D 82 (Diss. RWTH Aachen University, 2011) Copyright Shaker Verlag 2012 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. Printed in Germany. ISBN ISSN Shaker Verlag GmbH P.O. BOX D Aachen Phone: 0049/2407/ Telefax: 0049/2407/ Internet: info@shaker.de

5 Abstract Cooperative networks rely on user cooperation at the network layer to provide services, such as packet forwarding or shared access to other network resources like storage or Internet access. Examples of cooperative networks that build upon user contribution are ad-hoc networks, decentralized wireless mesh networks, micro-operator networks, wireless Internet access sharing networks or hybrids between these network types. However, while it enables new types of networks and services, the concept of cooperative network service provisioning also creates new attack possibilities for malicious and selfish users. For example, wireless multi-hop networks are particularly susceptible to attacks based on flooding and the interception of, tampering with, and forging of packets. Thus, reliable communication in such networks quintessentially depends on mechanisms to allow on-path devices, such as middleboxes, to verify the authenticity of network traffic and the identity of the communicating peers. Efficient standard authentication techniques for end-to-middle authentication typically assume the presence of shared keys within the network or rely on trusted third parties, such as on-line authentication servers. However, in cooperative scenarios, these approaches suffer from significant drawbacks in respect to functionality and efficiency. Moreover, the tight resource constraints of wireless routers and access points in cooperative scenarios make the use of more flexible but less efficient authentication techniques challenging. Hence, a careful selection of cryptographic components and the creation of new and flexible and efficient mechanisms is required to enable end-to-middle authentication in cooperative multi-hop networks. In this thesis, we address the problem of end-to-middle authentication on different levels of granularity, ranging from infrequent signaling events to rapid verification of high-bandwidth payload streams. The different security and performance requirements of signaling and payload traffic prevent the creation of a one-size-fits-all solution but requires the use of specialized approaches. We designed and analyzed three solutions that cover low-frequency signaling events as well as high-frequency payload protection. We first analyze and extend the Host Identity Protocol to enable secure publickey based end-to-middle authentication for signaling traffic. However, the use of CPU-intensive public-key verification prevents the use of this solution for verifying high-bandwidth payload streams. Consequently, our second solution focuses on more lightweight cryptographic components to provide end-to-middle authentication for payload. The Adaptive and Lightweight Protocol for Hop-By-hop Authentication, ALPHA, uses efficient hash functions and hash chains to enable rapid verification of the source and integrity of a payload packet. Finally, our third solution sacrifices end-to-middle integrity protection of the packet to further improve the verification performance. The family of Stream-based Per-packet One-time Token Schemes, SPOTS enables middleboxes to rapidly authenticate the source of a packet when the middlebox is agnostic to the contents of the forwarded packet. In combination, the three solution provide a flexible set of mechanisms that enables efficient end-tomiddle authentication for a wide range of scenarios within and beyond the setting of cooperative multi-hop networks.

6

7 Kurzfassung Kooperative Netze beruhen auf dem Prinzip der Zusammenarbeit von Benutzern auf Netzwerkebene, um Dienste wie z.b. das Weiterleiten von Paketen oder den gemeinsamen Zugriff auf andere Netzwerkressourcen wie Speicherplatz und Internetzugang gemeinschaftlich zu erbringen. Beispiele für kooperative Netzwerke sind Ad-Hoc-Netze, dezentrale drahtlose Mesh-Netzwerke, Micro-Operator-Netzwerke, WLAN-Communities oder hybride Formen dieser Netzwerk-Typen. Jedoch schafft das Konzept der gemeinschaftlichen Schaffung eines Netzes auch neue Angriffsmöglichkeiten für egoistische und bösartige Benutzer. Zum Beispiel sind drahtlose Multi-Hop-Netzwerke besonders anfällig gegenüber Angriffen, die auf dem Fluten des Netzwerks mit Schadpaketen oder der Manipulation und Fälschung von Paketen beruhen. Um eine zuverlässige Kommunikation in solchen Netzwerken zu erreichen sind daher Mechanismen notwendig, welche es weiterleitenden Geräten, sogenannten Middleboxen, erlauben, die Herkunft und Authentizität von Paketen vor der Weiterleitung zu überprüfen. Effiziente Standardlösungen, um eine solche Ende-zu-Mitte-Authentifizierung zu erreichen, setzen typischerweise geteilte symmetrische Schlüssel zwischen Endgeräten und Middleboxen voraus oder beruhen auf einer stets verfügbaren Verbindung zu einem Authentifizierungsserver. Diese Einschränkungen führen jedoch in kooperativen Netzen zu deutlichen Nachteilen bezüglich der Flexibilität und Effizienz. Darüber hinaus erschweren die knappen Ressourcen von drahtlosen Geräten wie WLAN-Routern und Access Points den Einsatz flexiblerer aber weniger effizienter kryptographischer Methoden. Diese Arbeit beschäftigt sich mit dem Problem der effizienten Ende-zu-Mitte Authentifizierung in verschiedenen Granularitäten, beginnend mit der Authentifizierung sporadischer Signalisierungsnachrichten bis hin zur rapiden Bearbeitung von hochfrequenten Authentifikationsereignissen, wie sie für breitbandige Nutzdatenströme nötig sind. Dabei verhindern die verschiedenen Sicherheits- und Performanzanforderungen von Signalisierungsnachrichten und Nutzdatenströmen die Schaffung einer allumfassenden Lösung. Daher stellt diese Arbeit drei sich ergänzende Lösungen vor, deren Kombination ein breites Spektrum an Authentifikationsgranularitäten abdecken. Diese Arbeit widmet sich zuerst der Public-Key-basierten Ende-zu-Mitte-Authentifizierung. Dabei wird das Host Identity Protocol (HIP) analysiert und erweitert, um den Schutz von sporadischem Signalisierungsverkehr zu erreichen. Jedoch verhindert die Nutzung von rechenintensiven Public-Key-Verifikationen in HIP den Einsatz dieser Lösung für die Authentisierung von breitbandigen Nutzdatenströmen. Daher verwendet die zweite vorgestellte Lösung ausschließlich leichtgewichtige kryptographische Komponenten, um die effiziente Ende-zu-Mitte-Authentifizierung von Nutzdatenströmen zu ermöglichen. Das Adaptive and Lightweight Protocol for Hop-by-Hop Authentication, ALPHA, verwendet effiziente Hash-Funktionen und Hash-Ketten, um eine schnelle Überprüfung der Quelle und Integrität eines Netzwerkpakets zu erreichen. Die dritte vorgestellte Lösung, SPOTS, verzichtet auf

8 Ende-zu-Mitte Integritätsschutz um die kryptographische Komplexität der Authentifizierung weiter zu senken. SPOTS basiert ausschließlich auf effizienten Einwegfunktionen und ermöglicht es Middleboxen ausschließlich die Quellinformation eines Paketes zu überprüfen. Diese alleinige Quellprüfung eignet sich besonders für die Anwendung in Fällen, in denen eine Überprüfung des Paketinhalts durch die Middleboxen nicht notwendig oder nicht möglich ist, zum Beispiel bei Ende-zu-Ende verschlüsselten Daten. In Kombination bieten die drei Lösungen einen flexiblen Satz von Mechanismen, welcher effiziente Ende-zu-Mitte-Authentifizierung für ein breites Spektrum von Szenarien innerhalb und außerhalb von kooperativen Multi-Hop- Netzen ermöglicht.

9 Acknowledgments I would like to thank a number of people who have influenced, guided, and encouraged me in my research that eventually resulted in this thesis. The beginning of the story of this thesis dates back to a stay in Finland in 2005 and Back then, when searching for a topic for my Diploma thesis, I first stumbled across lightweight authentication. Pekka Nikander left just enough breadcrumbs to get me interested in the general topic. Miika Komu and Sasu Tarkoma helped me to define the topic of my Diploma thesis, which eventually evolved into Lightweight HIP and later into ALPHA. Without the encouragement of these two determined and helpful researchers, this thesis would not have had a beginning. I would like to thank Andrei Gurtov for inviting me to Finland and for supporting this work in the early stages. I would further like to thank Yukka Ylitalo for his inspiration and feedback while I was in Finland. These people created the spark that later turned into this thesis. I can t possibly thank my advisor Klaus Wehrle enough. He accepted me as a Ph.D. student and allowed me to further pursue my research interests. He always helped me in all personal and professional questions. I am deeply grateful for his encouragement in the early days and his continuous support and advice throughout my time as a Ph.D student. Over the years I had the chance to work with many brilliant students who taught me much of what I know today. I am especially proud that some of these students became colleagues and that I had the great pleasure of working with them since then. Thank you, René Hummen and Hanno Wirtz. I want to express my special thanks to Thomas Jansen, Dongsu Park, and Shaohui Li, who helped to implement large parts of HIP-MA during their time as student workers and thesis students. I want to thank Johannes Gilger and Florian Weingarten for putting so much effort into creating the first basic implementation of ALPHA. Christian Dernehl, Hossein Shafagh, and Christoph Rackwitz took up the implementation baton later and carried on the work on ALPHA and SPOTS. Without these five students, such a complete implementation of both protocols would not exist. I would also like to thank all other students that contributed to aspects of my work that are not part of this thesis: Thank you, Sebastian Jansen, Jens Otten, Robert Backhaus, Wolfram Fischer, Diego Biurrun, Lars Hermerschmidt, Dongsu Park, and Jahn Bertsch. I am grateful for all the help and advice I received from my colleagues at RWTH Aachen University. For a long time, Stefan Götz was an excellent mentor to me, helping me with all troubles that a Ph.D. student has to face. Moreover, I had the privilege to work with many more wonderful colleagues who supported me during this thesis. Jó Agila Bitsch, Elias Weingärtner, Nicolai Viol, Raimondas Sasnauskas, Georg Kunz, Dirk Thißen, Olaf Landsiedel, Arne Schmitz, and Simon Rieche deserve special thanks. Moreover, I truly appreciated and enjoyed working with all other Ph.D. students of the COMSYS group. It was great to be part of such a wonderful bunch of people. In addition I would like to thank our technical staff and secretaries for their practical help and patience. Therefore, I wish to thank Ulrike May, Petra Zeidler, Rainer Krogull, and Helen Bolke-Hermanns. I also had the pleasure to work with some inspiring researchers outside the RWTH Aachen. I would like to thank Oscar Garcia Morchon for the interesting insights into

10 security on tightly constrained devices. You have been a great research companion. I really enjoyed the joint work with Samu Varjonen within and outside the IETF and I appreciate his patience even when things took longer than expected. Working with Ari Keranen was always a great pleasure and I am grateful for his sharp eyes that helped to spot even tiny inconsistencies in masses of IETF draft text. Finally, I wish to thank Robert Moskowitz for the interesting and fruitful discussions on security, networking, science, and life in general. I would also like to thank Andreas Weber, my mentor at the teacher training college in Schwäbisch Gmünd. He showed me how fascinating computer science can be. Without him I would probably be teaching in an elementary school now not the worst choice, I guess. Last but most importantly, I am most grateful for all the support that I received from my friends and family. Without their love and patience, this thesis would have not been possible. Without the encouragement of my wonderful wife Melanie and my children Jana and Jannik, I would not have been able to complete this work.

11 Contents 1 Introduction Contributions ScopeandGenesisofthisThesis ScopeofourSolutions Outline Scenario and Problem Statement CooperativeNetworks Community Internet Sharing Networks CooperativeWirelessMulti-hopNetworks Middleboxes History and Terminology Middleboxes in Cooperative Networks ProblemStatement Challenges Three End-to-middle Authentication Solutions Authentication and Network Security Authentication AuthenticationandIntegrity GranularityofAuthentication AuthenticationGoals AuthenticationinthisThesis Identity Security Goals and their Dependency on Authentication Security Model and Terminology... 27

12 3.2.1 Extended Threat Model and Terminology ThreatsinNetworkSecurity Eavesdropping Impersonation Man-In-The-Middle Attacks DelayandReplayAttacks DenialofServiceAttacks ExhaustiveKeySpaceSearchandCryptoanalysis SecurityMechanismsforAuthentication Public-key Based Authentication Authentication Based on Cryptographic Hash Functions Other Building Blocks for Security Protocols SecurityProtocols SecurityContextsandSecurityAssociations TheIPSecurityArchitecture TheHostIdentityProtocol SignaturesBasedonDelayedSecretDisclosure PLA:PacketLevelAuthentication Summary HIP-MA: Authenticated End-to-Middle Signaling with HIP The Host Identity Protocol and Middleboxes HostIdentityNamespace Replay Attack against HIP Middleboxes End-hostImpersonation PayloadChannelHijacking Non-Solutions HIP Middlebox Authentication Extension Phase One: Initial End-to-Middle Authentication Phase Two: Subsequent End-to-Middle Authentication DoS Protection for Middleboxes Summary Security Benefits and Limitations... 74

13 4.5.1 BenefitsofHIP-MA AttackScenarios Compatibility and Incremental Deployment Application Scenarios and Use cases Use Case 1: Distributed Identity-based Access Control Use Case 2: Secure End-to-Middle Signaling Implementation Details PerformanceEvaluation EvaluationSetup PerformanceEvaluation RelatedWork PLAforHIP AuthenticationServers,802.1XandEAP OtherRelatedWork Conclusions ALPHA: Lightweight End-to-middle Authentication for Payload Overview IntroductiontoALPHA RelatedWork AuthenticationBasedonDelayedSecretDisclosure Interaction-based Approaches Hop-by-hopAuthentication DesignofBasicALPHA ALPHA s Interactive Hash Chain Signature Scheme StatesandStateTransitions Path Binding for ALPHA UnreliableandReliableDataTransmission BandwidthAdaptation ALPHA-C:CumulativeTransmissions ALPHA-M:Pre-signedMerkleTrees Hash Chain Bootstrapping and Renewal HashChainRenewal...123

14 5.7 Implementation ArchitectureOverview Implementation Details UseofParallelAssociationsinALPHAforIP AnalysisofALPHA ALPHAStrengths ALPHA Limitations AttackScenarios Evaluation Scenario-independent Evaluation Scenario-specificEvaluation EvaluationofALPHAforIP PerformanceComparisonofALPHA,PLA,andWPLA Conclusions SPOTS: A Family of Lightweight Source-Only Authentication Tokens IntroductiontoToken-basedAuthentication End-to-Middle Source-only Authentication Basic End-to-middle Source Authentication Scheme Resiliency of the Basic Scheme Loss-TolerantSource-onlyAuthentication ParallelHashChains Residual Cost of Hash Chain Based Tokens Cross-authenticatedHashChainsandHashTrees Implementation PerformanceEvaluation TokenSchemeEvaluation Communication Performance Applications of Authentication Tokens Use Case A: Source-only authentication for HIP and IPsec UseCaseB:SecuringTESLAPacketBuffers SPOTS Strengths and Limitations RelatedWork Conclusions...201

15 7 Discussion and Conclusions Contributions ChallengesRevisited HIP Middlebox Authentication Extension Adaptive and Lightweight Protocol for Hop-by-hop Authentication Stream-basedPer-packetOne-timeTokenSchemes InterplayBetweentheProtocols ImpactofourWork FutureWork End-to-middle Fragmentation Support State Management at Middleboxes InteractionwithotherProtocolLayers Other Traffic and Communication Patterns Applications of End-to-Middle Authentication FinalRemarks A Additional HIP-MA Evaluation Graphs 211 B Additional ALPHA Evaluation Graphs 215 C Additional SPOTS Evaluation Graphs 221 Glossary 221 Index 227 Bibliography 229

16

17 1 Introduction Over the last decades, computer networks have become more and more dynamic, distributed, and cooperative. Beginning with the Internet as the most prominent example of a cooperative and distributed network, a development towards even more open and dynamic network concepts in the wired and wireless domain is evident. This development is driven by the need to reduce the deployment and operation costs and to increase the functionality and availability of networks. For example, peerto-peer networks promote network concepts where end-hosts supplement or even substitute core functions of the network (e.g., routing and addressing). Involving user devices enables these systems to cheaply and reliably serve use cases for which expensive server infrastructure would otherwise be required. At the same time, the rapid development and proliferation of wireless communication technology, especially Wi-Fi, has led to an almost ubiquitous presence of affordable and available wireless client devices and infrastructure. This availability of cheap wireless stations and access points in combination with an open frequency band has fostered research and development in new wireless networks with small-scale operator structures, in which, similar to the peer-to-peer concept, users create wireless networks based on individual contribution. Like for peer-to-peer-networks, user contribution can enable a larger wireless coverage and can reduce the deployment and operation costs because the effort for creating and running the cooperative network is shared among all users. A second reason for the success of such user-operated networks is the high flexibility regarding the provisioning of the network, its services, and its business models. Such flexibility is highly valued in a domain mostly dominated by large mobile communication companies. However, with the advent of such cooperatively operated networks, new security threats, such as selfish misuse of shared network resources, arise because central control and authentication infrastructures are often missing. Examples of networks that embrace user contribution are ad-hoc networks, decentralized wireless mesh networks, micro-operator networks, wireless Internet access sharing networks or hybrids between these network types [BH08]. A common trait

18 2 1. Introduction of these networks is the contribution of users to the network infrastructure by providing services like network access control and routing, that, in other networks, are exclusively provided by a dedicated network operator. The absence of such trusted network structures requires new decentralized solutions for essential security services, such as authentication, authorization, and accounting. Furthermore, since core network services are provided by untrusted users, the distinction between trust worthy managed network infrastructure and untrusted user devices is fading. Most notably, a simple distinction between benign insiders (the provider) and potentially malicious outsiders (the user) is not possible anymore. As a result, in addition to general security threats of wireless networks, cooperative networks are highly vulnerable to selfish misuse of the network, as well as to resource-targeted Denial of Service (DoS) attacks. In recent years, two complementary developments have gained importance in the area of network security to counter the threats in distributed networks. For one, end-systems implement an increasing number of security features because networks especially in the wireless domain have become inherently insecure. For another, middleboxes realize more and more security-related services within the network to prevent intrusion, DoS attacks, and misuse of resources. However, the disconnect between these two developments created end-to-end protocols that are primarily concerned with the end-to-end security properties and middleboxes that are left to scavenge the sparse and mostly non-verifiable information from forwarded packets. With an increasing trend for general traffic encryption [KKG + 10, AN04], middleboxes are often left with no other option but to merely observe the information in few unencrypted packet headers, further impairing the ability of these devices to detect malicious attacks and selfish behavior. The need to close the gap between end-to-end security solutions and security services provided within the network has sparked interest in middlebox-aware security solutions in which end-to-end security protocols are designed to aid middleboxes in their security related tasks. Examples of such end-to-middle solutions are the Host Identity Protocol (HIP) [MNJH08, MHJH11] and the Packet-Level Authentication (PLA) [CLK05] protocol. These protocols support middleboxes explicitly in their authentication-related tasks, allowing them to better protect the network against unauthorized access and resource misuse. Technically, these protocols rely on CPU-intensive public-key signatures, which either results in serious performance limitations or the need for specialized cryptographic hardware acceleration, which, due to its complexity and price, is not available in commodity hardware devices today. The mismatch between the computational resources of middleboxes and the computational demands of the employed cryptographic primitives renders these protocols vulnerable to DoS attacks and limits their applicability to processing of low volumes of traffic. 1.1 Contributions One of the main causes for concern in cooperative networks is the general lack of trust that stems from the missing distinction between a trusted insider and a potentially malicious outsider. Without sensible classification of trustworthy and

19 1.2. Scope and Genesis of this Thesis 3 non-trustworthy groups of devices, the identity of a device becomes a key concept for detecting and preventing malicious actions. However, pure end-to-end authentication techniques are insufficient if malicious or selfish actions threaten the network itself rather than another end-host. Hence, our main focus is on end-to-middle authentication as a key building block for achieving a range of security goals, such as access control, availability, and non-repudiation. In particular, this thesis shows how end-to-end protocols can be extended with end-to-middle authentication features to counter authentication-related threats. Such end-to-middle authentication allows entities on the communication path to verify the origin and integrity of the data they process. In this thesis we analyze, design, and evaluate end-to-middle authentication protocols for multi-hop networks. Thereby, we address the fundamental tension between security and lack of central control in cooperative networks. To support the distributed and decentralized character of emerging cooperative networks, we discuss three novel approaches that enable direct end-to-middle authentication without reliance on trusted on-line third-party authentication servers. With such a capability, middleboxes can shelter against resource misuse and protect end-hosts against DoS attacks that leverage the middleboxes as a weak spot. Additional security measures typically come at a price because increased security often results in reduced performance or increased protocol or system complexity. Thus, we specifically consider these metrics in our work and provide a range of options that provide tradeoffs between security, performance, and protocol complexity. Apart from simple but heavy-weight public-key based authentication methods, we explore more lightweight alternatives based on cryptographic hashes and hash chains to provide adaptable end-to-middle authentication protocols to meet the performance and security needs of many application scenarios. As main contribution of this work, we design and analyze three protocols: 1. The HIP Middlebox Authentication extension (HIP-MA) for public-key based end-to-middle signaling. 2. The Adaptive and Lightweight Protocol for Hop-by-hop Authentication (ALPHA), a protocol that relies on a lightweight hash-chain authentication mechanism for higher traffic volumes. 3. Stream-based Per-packet One-time Token Schemes (SPOTS), a family of token schemes for lightweight token-based source authentication without integrity protection for payload. 1.2 Scope and Genesis of this Thesis The creation of the three proposed end-to-middle authentication protocols (HIP-MA, ALPHA, and SPOTS tokens) was an iterative process consisting of the analysis and subsequent improvement of our previous work. The order and structure of this work reflects the chronological order of these iterations. Thus, the shortcomings of each discussed protocol define the design goals for the next protocol. However, in order

20 4 1. Introduction to achieve these goals, tradeoffs between performance, simplicity, and security are necessary. In the following, we briefly summarize the relations and the rationale for creating each of the three protocols: HIP-MA End-to-middle Authentication for HIP Signaling Traffic: The first protocol presented in this work focuses on the protection of end-to-middle signaling traffic with low traffic volume. To this end, we analyzed the Host Identity Protocol (HIP), a security and key exchange protocol that acknowledged the presence of middleboxes in its design phase. During our analysis of the interaction between HIP end-hosts and middleboxes we discovered that HIP does not provide a proof of freshness to middleboxes, rendering on-path devices vulnerable to replay attacks performed by colluding attackers. We designed HIP-MA, which mitigates such attacks and allows on-path middleboxes to securely authenticate end-hosts. The performance of HIP-MA is limited by the computational cost of the public key signature algorithms employed by HIP, and hence, limits the use of HIP to the protection of low-frequency signaling events (i.e., low traffic volumes). ALPHA End-to-middle Authentication for High-Volume Traffic: Driven by the performance limitations of HIP-MA, we analyzed alternative and less resource demanding signature schemes with the goal of securing high-volume payload traffic. Hash chains, as inexpensive cryptographic components can be used to provide efficient end-to-end source authentication and integrity protection for unicast and multicast traffic. In our work on the Adaptive and Lightweight Protocol for Hop-by-hop Authentication, ALPHA, we design a hash-chain based approach to match the requirements of end-to-middle source authentication and integrity protection for signaling and payload traffic. However, ALPHA shows channel properties, such as delay and burstiness, that deviate from the behavior of an unprotected IP communication. This makes ALPHA applicable for network applications with high throughput requirements but limited end-to-end delay constraints. SPOTS Lightweight End-to-middle Source Authentication: The third proposed mechanism uses cryptographic tokens based on computationally inexpensive hash chains and hash graphs: Stream-based Per-packet One-time Token Schemes (SPOTS). SPOTS tokens are replay-proof tokens for source authentication without additional delays or the use of computationally expensive asymmetric cryptography. In scenarios where middleboxes only need to attribute packets to a sender (e.g., for per-sender resources allocation or per-sender access control), SPOTS can provide a simple and highly efficient defense mechanism against a malicious or selfish sender. In contrast to AL- PHA, SPOTS tokens are suited for delay-sensitive applications and achieve an even higher throughput. The common focus of HIP-MA, ALPHA, and SPOTS on end-to-middle authentication leads to a number of common properties. First, all of these protocols focus on IP networks and are conceptually located at or above the network layer and below the transport layer in the communication stack. This layering is in accordance with the function of the network and transport layer, with the network layer being the layer