Abstract
There are many deployed approaches for blocking unwanted traffic,
either once it reaches the recipient's network, or closer to its
point of origin. One of these schemes is based on the notion of
traffic carrying capabilities that grant access to a
network and/or end host. However, leveraging capabilities results
in added complexity and additional steps in the communication
process: Before communication starts a remote host must be
vetted and given a capability to use in the subsequent
communication. In this paper, we propose a lightweight mechanism
that turns the answers provided by DNS name resolution---which
Internet communication broadly depends on anyway---into
capabilities. While not achieving an ideal capability system, we
show the mechanism can be built from commodity technology and is
therefore a pragmatic way to gain some of the key benefits of
capabilities without requiring new infrastructure.
