Skip to main content

PBS NSLP: Network Traffic Authorization

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Expired & archived
Authors Se Gi Hong , Henning Schulzrinne
Last updated 2010-01-12 (Latest revision 2008-11-03)
RFC stream (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes the NSIS Signaling Layer protocol (NSLP) for network traffic authorization on the Internet, the Permission-Based Sending (PBS) NSLP. This NSLP aims to prevent Denial-of-Service (DoS) attacks and other forms of unauthorized traffic. PBS NSLP is based on the proactive approach of explicitly granting permissions and the reactive approach of monitoring and reacting against the attacks. Signaling installs and maintains the permission state of routers for a data flow. PBS NSLP uses two security mechanisms: message security in an end-to-end fashion and channel security in a hop-by-hop fashion. The message security is for protecting the integrity of the message on end-to-end traffic and channel security is for protecting the integrity and confidentiality between adjacent nodes. These security mechanisms enable the secure distribution of shared keys, as well as protection of signaling messages. To authenticate data packets, the PBS NSLP requests a sender to use an existing security protocol, the IPsec Authentication Header (AH). This allows routers to drop bogus packets by using an IP packet filter. To avoid a compromised router that drops legitimate packets, the PBS NSLP triggers the sender to change the data flow path. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at The list of Internet-Draft Shadow Directories can be accessed at This Internet-Draft will expire on July 16, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.


Se Gi Hong
Henning Schulzrinne

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)