The current model for flow establishment in the Internet: DNS Names, IP addresses, and transport ports, is inadequate. Not all of the problem is due to the small IPv4 address space and resulting NAT boxes. Even where global addresses exist, firewalls cannot glean enough information about a flow from packet headers, and so often err, typically by being over-conservative: disallowing flows that might otherwise be allowed. This paper presents a novel architecture, protocol design, and implementation, for flow establishment in the Internet. The architecture, called NUTSS, takes into account the combined policies of endpoints and network providers. While NUTSS borrows liberally from other proposals (URI-like naming, signaling to manage ephemeral IPv4 or IPv6 data flows), NUTSS is unique in that it couples overlay signaling with data-path signaling. NUTSS requires no changes to existing protocol stacks, and combined with recent NAT traversal techniques, works with IPv4 and existing NAT/firewalls. This paper describes NUTSS and shows how it satisfies a wide range of "end-middle-end"network requirements, including access control, middlebox steering, multi-homing, mobility, and protocol negotiation.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Akamai Technologies, Inc. Akamai: How it works.
	2	David G. Andersen, Mayday: distributed filtering for internet services, Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems, p.3-3, March 26-28, 2003, Seattle, WA
	3	Antisip SARL. The eXtended osip library.
	4	Katerina Argyraki , David R. Cheriton, Active internet traffic filtering: real-time response to denial-of-service attacks, Proceedings of the annual conference on USENIX Annual Technical Conference, p.10-10, April 10-15, 2005, Anaheim, CA
	5	Ballani, H., Chawathe, Y., Ratnasamy, S., Roscoe, T., and Shenker, S. Off by Default! In Proceedings of the HotNets'05 (College Park, MD, Nov. 2005).
	6	BMC Software. Marimba Product Line.
	7	P. Calhoun , J. Loughney , E. Guttman , G. Zorn , J. Arkko, Diameter Base Protocol, RFC Editor, 2003
	8	Cisco Systems, I. Cisco IOS Security Configuration Guide (Release 12.4). Cisco Press, 2006, ch. Access Control Lists: Overview and Guidelines, pp. 429--436.
	9	Cisco Systems, I. Cisco IOS Security Configuration Guide (Release 12.4). Cisco Press, 2006, ch. Firewall Support for SIP, pp. 587--600.
	10	Jon Crowcroft , Steven Hand , Richard Mortier , Timothy Roscoe , Andrew Warfield, Plutarch: an argument for network pluralism, Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture, August 25-27, 2003, Karlsruhe, Germany
	11	(Ed.), R. B., Zhang, L., Berson, S., Herzog, S., and Jamin, S. RFC 2205: Resource ReSerVation Protocol (RSVP), Sept. 1997.
	12	Kevin Fall, A delay-tolerant network architecture for challenged internets, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863960]
	13	Bryan Ford , Jacob Strauss , Chris Lesniewski-Laas , Sean Rhea , Frans Kaashoek , Robert Morris, Persistent personal names for globally connected mobile devices, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
	14	Francis, P. Firebreak: An IP Perimeter Defense Architecture. Tech. Rep. cul.cis/TR2006-2060, Cornell University, Ithaca, NY, 2006.
	15	Paul Francis Ramakrishna, IPNL: A NAT-extended internet architecture, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.69-80, August 2001, San Diego, California, United States
	16	Fraunhofer Fokus. CPLEd - A CPL Editor.
	17	Fraunhofer Fokus. SIP Express Router.
	18	Michael J. Freedman , Karthik Lakshminarayanan , David Mazières, OASIS: anycast for any service, Proceedings of the 3rd conference on Networked Systems Design & Implementation, p.10-10, May 08-10, 2006, San Jose, CA
	19	GENI planning group. GENI: Global Environment for Network Innovations.
	20	Mark Gritter , David R. Cheriton, An architecture for content routing support in the internet, Proceedings of the 3rd conference on USENIX Symposium on Internet Technologies and Systems, p.4-4, March 26-28, 2001, San Francisco, California
	21	Guha, S., and Francis, P. Characterization and Measurement of TCP Traversal through NATs and Firewalls. In Proceedings of the 2005 Internet Measurement Conference (New Orleans, LA, Oct. 2005).
	22	Guha, S., and Francis, P. Identity Trail: Covert Surveillance Using DNS. In Proceedings of 7th Workshop on Privacy Enhancing Technologies (Ottawa, Canada, June 2007).
	23	T. Hain, Architectural Implications of NAT, RFC Editor, 2000
	24	Hautakorpi, J., Camarillo, G., Penfield, R. F., Hawrylyshen, A., and Bhatia, M. Internet draft: Requirements from SIP (Session Initiation Protocol) Session Border Control Deployments, Apr. 2007. Work in progress. draft-ietf-sipping-sbc-funcs-03.txt.
	25	Hua Chu, Y., Rao, S. G., Seshan, S., and Zhang, H. A case for end system multicast. IEEE Journal on Selected Areas in Communications 20, 8 (Oct. 2002), 1456--1471.
	26	Felipe Huici , Mark Handley, An edge-to-edge filtering architecture against DoS, ACM SIGCOMM Computer Communication Review, v.37 n.2, April 2007  [doi>10.1145/1232919.1232924]
	27	Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, ACM SIGCOMM Computer Communication Review, v.32 n.4, October 2002
	28	Teemu Koponen , Mohit Chawla , Byung-Gon Chun , Andrey Ermolinskiy , Kye Hyun Kim , Scott Shenker , Ion Stoica, A data-oriented (and beyond) network architecture, Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, August 27-31, 2007, Kyoto, Japan
	29	Lennox, J., Wu, X., and Schulzrinne, H. RFC 3880: Call Processing Language (CPL): A Language for User Control of Internet Telephony Services, Oct. 2004.
	30	Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002  [doi>10.1145/571697.571724]
	31	Mannie, E. RFC 3945: Generalized Multi-Protocol Label Switching (GMPLS) Architecture, Oct. 2004.
	32	W. Marshall, Private Session Initiation Protocol (SIP) Extensions for Media Authorization, RFC Editor, 2003
	33	Microsoft Corporation. UPnP - Universal Plug and Play Internet Gateway Device v1.01, Nov. 2001.
	34	Jelena Mirkovic , Gregory Prier , Peter L. Reiher, Attacking DDoS at the Source, Proceedings of the 10th IEEE International Conference on Network Protocols, p.312-321, November 12-15, 2002
	35	Moskowitz, R., and Nikander, P. RFC 4423: Host Identity Protocol (HIP) Architecture, May 2006.
	36	T. S. Eugene Ng , Ion Stoica , Hui Zhang, A Waypoint Service Approach to Connect Heterogeneous Internet Address Spaces, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.319-332, June 25-30, 2001
	37	Nissenbaum, H. Privacy as Contextual Integrity. Washington Law Review 79, 1 (Feb. 2004), 119--158.
	38	Nordmark, E., and Bagnulo, M. Internet draft: Level 3 multihoming shim protocol, Nov. 2006. draft-ietf-shim6-proto-07.txt. Work in progress.
	39	OpenSSL Team. The Open Source toolkit for SSL/TLS.
	40	Venugopalan Ramasubramanian , Emin Gün Sirer, The design and implementation of a next generation name service for the internet, Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, August 30-September 03, 2004, Portland, Oregon, USA
	41	Ramsdell, B. RFC 3851: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification, July 2004.
	42	Rosenberg, J. RFC 3856: A Presence Event Package for the Session Initiation Protocol (SIP), Aug. 2004.
	43	Rosenberg, J., Mahy, R., and Huitema, C. Internet draft: TURN - Traversal Using Relay NAT, Mar. 2006. Work in progress.
	44	J. Rosenberg , H. Schulzrinne , G. Camarillo , A. Johnston , J. Peterson , R. Sparks , M. Handley , E. Schooler, SIP: Session Initiation Protocol, RFC Editor, 2002
	45	J. Rosenberg , J. Weinberger , C. Huitema , R. Mahy, STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), RFC Editor, 2003
	46	Reiner Sailer , Xiaolan Zhang , Trent Jaeger , Leendert van Doorn, Design and implementation of a TCG-based integrity measurement architecture, Proceedings of the 13th conference on USENIX Security Symposium, p.16-16, August 09-13, 2004, San Diego, CA
	47	Saint-Andre, P. RFC 3290: Extensible Messaging and Presence Protocol (XMPP): Core, Oct. 2004.
	48	Stiemerling, M., Quittek, J., and Taylor, T. MIDCOM Protocol Semantics, June 2004. Work in progress.
	49	Ion Stoica , Daniel Adkins , Shelley Zhuang , Scott Shenker , Sonesh Surana, Internet indirection infrastructure, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	50	Technical Specification Group Core Network and Terminals. 3GPP TS 29.207: Policy control over Go interface, Sept. 2005.
	51	Trusted Computing Group. TPM Specification Version 1.2.
	52	Tschudin, C., and Gold, R. SelNet: A Translating Underlay Network. Tech. Rep. 2003--020, Uppsala University, Uppsala, Sweden, Nov. 2001.
	53	Venkataraman, V., Francisy, P., and Calandrino, J. Chunkyspread: Multitree Unstructured Peer-to-Peer Multicast. In Proceedings of the IPTPS '06 (Santa Barbara, CA, Feb. 2006).
	54	VeriSign Inc. Security (SSL Certificates), Communications, and Information Services.
	55	P. Vixie , S. Thomson , Y. Rekhter , J. Bound, Dynamic Updates in the Domain Name System (DNS UPDATE), RFC Editor, 1997
	56	von Ahn, L., Blum, M., Hopper, N. J., and Langford, J. CAPTCHA: Using Hard AI Problems For Security. In Proceedings of EUROCRYPT'03 (Warsaw, Poland, May 2003).
	57	Michael Walfish , Hari Balakrishnan , Scott Shenker, Untangling the web from DNS, Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation, p.17-17, March 29-31, 2004, San Francisco, California
	58	Michael Walfish , Jeremy Stribling , Maxwell Krohn , Hari Balakrishnan , Robert Morris , Scott Shenker, Middleboxes no longer considered harmful, Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation, p.15-15, December 06-08, 2004, San Francisco, CA
	59	XiaoFeng Wang , Michael K. Reiter, Defending Against Denial-of-Service Attacks with Puzzle Auctions, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.78, May 11-14, 2003
	60	Wroclawski, J. The MetaNet: White Paper. In Proceedings of Workshop on Research Directions for the Next Generation Internet (Vienna, VA, May 1997).
	61	Yaar, A., Perrig, A., and Song, D. SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In IEEE Symposium on Security and Privacy (Pittsburgh, PA, May 2004), pp. 130--143.
	62	Xiaowei Yang , David Wetherall , Thomas Anderson, A DoS-limiting network architecture, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
	63	Beichuan Zhang , Wenjie Wang , Sugih Jamin , Daniel Massey , Lixia Zhang, Universal IP multicast delivery, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.50 n.6, p.781-806, 13 April 2006  [doi>10.1016/j.comnet.2005.07.016]
	64	Philip R. Zimmermann, The official PGP user's guide, MIT Press, Cambridge, MA, 1995

• ACM SIGCOMM Computer Communication Review
  Volume 37 ,  Issue 4   October 2007