Research On End-to-End Availability Problems Of Micro Communication Element System Based On Virtual Circuit

Posted on: 2007-05-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Chen
GTID: 1118360218462609
Subject: Applied Mathematics
Abstract/Summary:
For years, research on information security focused more on confidentiality and integrity than on availability. Since several big websites such as Yahoo, Buy.com, eBay, Amazon and CNN suffered DDoS (Distributed Denial of Service) attacks in February 2000, the availability problems of networks based on the TCP/IP architecture have become more and more urgent to solve, and researchers have begun to focus on network availability. However, this work remains at the qualitative level, so precise analysis and evaluation are difficult, and the existing models and solutions for network availability, which are merely patches to the existing TCP/IP network architecture, cannot solve the problems fundamentally and systematically.

To deal with this situation, researchers in China put forward a new network architecture, the service unit network architecture, and its implementation model, the micro communication element system structure based on the virtual circuit. Although it has some advantages, there are still many problems to study and solve.

The paper is concerned with the end-to-end availability problems of the micro communication element system structure based on the virtual circuit, and with a quantitative method for them. In the micro communication element system structure, the access router is easily subjected to denial-of-service attacks that exploit vulnerabilities of the identity authentication protocol when it authenticates the source node requesting the setup of a virtual circuit. The paper therefore puts forward an identity authentication system to resist such denial-of-service attacks.
A malicious ("wicked") authorized entity may send a large number of packets through the established virtual circuit to flood the network or target nodes, making it impossible for the network or target nodes to offer service to non-malicious authenticated entities. The paper therefore puts forward a resource allocation model based on the virtual circuit and describes and analyzes the resource allocation algorithm adopted by the model.

The paper sums up the availability property in the information security field and introduces the concept of "capability availability", which takes service capability as the subject of study. The paper then relates the concept of "availability" in the information security field to the concept of "availability" in the reliability engineering field, which takes "product lifetime" as the subject of study, and states that, approximately, availability in the information security field is the product of the product lifetime availability and the service capability availability.

To calculate the product lifetime availability, the paper adopts the quantitative theory and methods that reliability engineering uses to analyze product availability. First, the end-to-end communication structure of the micro communication element system structure is transformed into an availability diagram consisting of three sub-systems connected in series. Then, the product lifetime availability of each of the three sub-systems is calculated using random process theory. Finally, the product lifetime availability of the end-to-end micro communication element system is the product of the product lifetime availabilities of the three sub-systems.

To calculate the service capability availability, the paper takes the system's service capability to be the system's resource allocation capability.
Similarly to the method described above, the end-to-end functional structure of the micro communication element system is first transformed into a capability availability diagram consisting of several units connected in series, and then each unit's capability availability is calculated. Finally, the capability availability of the end-to-end micro communication element system is the product of the units' capability availabilities.

The paper designs an identity authentication system, the CL identity authentication system, with low algorithmic complexity and a powerful synchronic authentication capability.

Traditional resource allocation models allocate resources based only on the process identifier and the user identifier of the process. For some processes, however, a non-malicious authorized entity cannot obtain the service it needs if the requested resources are used to serve a malicious authorized entity, and denial-of-service problems then arise. The paper therefore puts forward a resource allocation model based on the virtual circuit, in which the resource allocation monitor allocates resources based not only on the process identifier and the user identifier of the process but also on the virtual circuit identifier and the identity of the source node that initiated the establishment of the virtual circuit. As a result, the model can effectively resist denial-of-service attacks from malicious authorized entities.
Keywords/Search Tags:availability, capability, capability availability, end-to-end availability, micro communication element system structure, wicked authorization entity, virtual circuit, identity authentication, denial service attack