The "Spread Identity (SI)" Paradigm


The SI paradigm evolved from the "Dynamic Transport Selection (DTS)" project, sponsored by Aether Systems Inc., which investigated the following problem: given n available data transport services (channels), how can any k of the n channels be selected dynamically so as to optimize a set of goals, such as maximizing bandwidth; minimizing overall cost (e.g., using Wi-Fi whenever possible rather than cell-phone service); or, in data streaming scenarios (audio, video, or a stream of stock quotes, weather conditions, etc.), minimizing jitter?
This turns out to be an interesting Pareto-optimization problem.

DTS naturally led to the question: how can the multiple network interfaces and transport channels that are widely available today be leveraged to enhance the security of communications?
Inspired by the spectacular success of "Spread Spectrum" techniques at the physical layer, I developed the "Spread Identity" paradigm for the network layer (the third layer of the networking stack; in the context of the Internet, the "IP" layer). Since the identity of a communicating entity at the IP layer is its IP address, SI deliberately "spreads" the identity of a host across multiple IP addresses and, vice versa, assigns the same IP address to multiple hosts to support multiple concurrent data flows, as long as the peer ends are distinguishable.

The "spreading" is achieved with perimeter gateways (which we call SI gateways) that perform double NAT (Network Address Translation), together with the DNS (the Domain Name System, which translates a name such as "linuxserver2.cs.umbc.edu" into the corresponding IP address "130.85.36.73"). The mapping between host identities and IP addresses is deliberately made to appear many-to-many when viewed from either side of the SI gateway; only the SI gateway knows the underlying one-to-one mapping. The end result is an extremely robust, fully backward-compatible, and therefore incrementally deployable framework with the following unique capabilities:

  1. The dynamically created (source-address, destination-address) NAT entry can be leveraged as a dynamic access-control token or as a flow marker. Note that a destination address cannot be spoofed (otherwise the payload would not reach the intended target host). Leveraging the destination address as a flow marker therefore enormously simplifies the tracking, processing and filtering of flows.
  2. As a result, abnormal behavior (and therefore potentially malicious activity) can be identified extremely fast, simply by "token matching" at the SI gateways. This in turn leads to ultra-fast intrusion detection, as well as prevention, in a large number of scenarios.
  3. SI enables multi-level, multi-pronged robust defenses and even offenses against Denial of Service (DoS) attacks.
  4. SI completely resolves the problem of IPv4 address scarcity.
  5. SI substantially enhances network-traceback capability.
  6. It can yield Tor-like (The Onion Router) anonymity in a hardware box (if the SI gateway is implemented entirely in hardware and the internal NAT entries are deleted after use and never exposed outside the hardware box), with all the anonymity advantages of Tor but none of the disadvantages (such as long connection-setup and data-transfer delays...).
  7. SI is extremely important and relevant in the huge address space of the IPv6 protocol (it helps minimize routing-table sizes in core routers).
  8. All the above unique advantages are enabled simultaneously with other well-known benefits of "dynamic indirection", such as load-balancing, enhanced support for host mobility, etc.
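To make the gateway mechanics above concrete, here is a small Python model of an SI gateway. It is an illustrative example added to this page, not the project's implementation; the public address pool, the internal host names, the peer addresses and the rule for handing out a public address (the first pool address the querying client holds no token for yet) are all assumptions made for the demonstration. It shows the many-to-many view (one client is given two public addresses for two internal hosts, while two clients are given the same public address for different hosts), the (source, destination) NAT entry used as a flow token for inbound packets, the reverse translation for replies, and deletion of the token after use.

```python
"""Toy model of a Spread Identity (SI) gateway (illustrative; not the project's code).

The gateway owns a small pool of public IPv4 addresses and fronts a set of internal
hosts. A client's DNS query for an internal host installs a NAT entry keyed by the pair
(client address, public address handed out). That pair is the flow token: an inbound
packet whose (src, dst) pair has no entry is dropped at once and logged for the IDS side.
"""
from __future__ import annotations

import ipaddress


class SIGateway:
    def __init__(self, public_pool: list[str], hosts: dict[str, str]) -> None:
        # Public addresses the gateway answers for (constructed pool, validated as IPv4).
        self.public_pool = [str(ipaddress.IPv4Address(p)) for p in public_pool]
        # Internal name -> private address. Only the gateway knows this one-to-one mapping.
        self.hosts = dict(hosts)
        # (external_src, public_dst) -> private_dst. Each entry doubles as a flow token.
        self.nat: dict[tuple[str, str], str] = {}
        # (src, dst, reason) for every packet refused by token matching.
        self.dropped: list[tuple[str, str, str]] = []

    def dns_resolve(self, name: str, client: str) -> str:
        """Answer a DNS query from `client` for `name`.

        Assumed policy: pick the first public address this client holds no token for,
        so the client can tell concurrent flows to different internal hosts apart;
        install the NAT entry and return the public address as the A record.
        """
        private = self.hosts[name]  # KeyError for an unknown name, like NXDOMAIN
        for public in self.public_pool:
            if (client, public) not in self.nat:
                self.nat[(client, public)] = private
                return public
        raise RuntimeError(f"no free public address for client {client}")

    def inbound(self, src: str, dst: str) -> tuple[str, str]:
        """Token-match an inbound packet: ("accept", private_dst) or ("drop", reason)."""
        private = self.nat.get((src, dst))
        if private is not None:
            return ("accept", private)
        # No token: either dst is not ours at all, or this src was never told about it.
        reason = "no-token" if dst in self.public_pool else "not-our-address"
        self.dropped.append((src, dst, reason))
        return ("drop", reason)

    def outbound(self, private_src: str, ext_dst: str) -> str | None:
        """Find the public address a reply must carry as its source for peer `ext_dst`."""
        for (client, public), private in self.nat.items():
            if client == ext_dst and private == private_src:
                return public
        return None  # the internal host has no live flow with this peer

    def release(self, src: str, dst: str) -> None:
        """Delete a token when its flow ends; the anonymity argument relies on this."""
        self.nat.pop((src, dst), None)


def demo() -> dict:
    """Walk a few flows through the gateway and return the observations (constructed data)."""
    gw = SIGateway(
        public_pool=["203.0.113.10", "203.0.113.11"],   # constructed pool (TEST-NET-3)
        hosts={"www": "10.0.0.5", "mail": "10.0.0.6"},  # constructed internal hosts
    )
    a, b, attacker = "198.51.100.1", "198.51.100.2", "198.51.100.99"  # constructed peers
    r: dict = {}
    r["a_www"] = gw.dns_resolve("www", a)     # first free public address for a
    r["a_mail"] = gw.dns_resolve("mail", a)   # a different one, so a can tell the flows apart
    r["b_mail"] = gw.dns_resolve("mail", b)   # same public address as a_www, different host
    r["in_a_www"] = gw.inbound(a, r["a_www"])
    r["in_b_mail"] = gw.inbound(b, r["b_mail"])
    r["in_attacker"] = gw.inbound(attacker, r["a_www"])  # never resolved anything
    r["in_wrong_dst"] = gw.inbound(b, r["a_mail"])        # b was never told about this address
    r["in_foreign"] = gw.inbound(b, "203.0.113.12")       # not in our pool at all
    r["out_mail_to_b"] = gw.outbound("10.0.0.6", b)       # reply to b must come from b_mail
    gw.release(a, r["a_www"])
    r["in_after_release"] = gw.inbound(a, r["a_www"])     # token gone, packet refused
    r["dropped"] = len(gw.dropped)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>17}: {value}")
```

The check is on the (source, destination) pair, so it refuses any packet arriving for a public address that the sending peer was never handed through DNS; that is the token matching the list above describes. It does not by itself detect a forged source address, which is why the argument above leans on the destination address, the one field a sender cannot forge without losing the reply path.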


The theoretical contributions of this work are the following:

For more details see the publications below  



Last update: June, 2014