Abstract
Attacks against the forwarding path can divert data packets from their predefined route to achieve ulterior purposes, which poses a serious threat to software-defined networks. Previous studies attempted to solve this security issue through complex authentication or traffic statistics methods. However, existing schemes suffer from high bandwidth overhead and high processing delay. Hence, this article proposes a lightweight forwarding path verification mechanism based on a P4 implementation. First, we deploy in-band network telemetry to obtain path information, and then perform path verification at each hop in the programmable data plane to ensure that various attacks against forwarding paths can be intercepted. Finally, the complete path verification information is conveyed to the control plane for backup. Experimental results demonstrate that our mechanism can effectively improve the security of the packet forwarding path with acceptable throughput and delay.
Supported by State Key Laboratory of Mobile Network and Mobile Multimedia Technology.
Acknowledgements
This work was supported by the ZTE industry-university research cooperation fund project “Research on network identity trusted communication technology architecture”, the State Key Laboratory of Mobile Network and Mobile Multimedia Technology and the Fundamental Research Funds under Grant 2021JBZD204.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Zeng, J., Liu, Y., Zhang, W., Yan, X., Zhou, N., Jiang, Z. (2023). Hop-by-Hop Verification Mechanism of Packet Forwarding Path Oriented to Programmable Data Plane. In: Quan, W. (eds) Emerging Networking Architecture and Technologies. ICENAT 2022. Communications in Computer and Information Science, vol 1696. Springer, Singapore. https://doi.org/10.1007/978-981-19-9697-9_37
DOI: https://doi.org/10.1007/978-981-19-9697-9_37
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-9696-2
Online ISBN: 978-981-19-9697-9
eBook Packages: Computer Science, Computer Science (R0)