Fan Yang, Ke Xu, Qi Li, Rongxing Lu, Bo Wu, T. Zhang, Yi Zhao, Meng Shen
Title: I Know If the Journey Changes: Flexible Source and Path Validation
DOI: 10.1109/IWQoS49365.2020.9213001 (https://doi.org/10.1109/IWQoS49365.2020.9213001)
Venue: 2020 IEEE/ACM 28th International Symposium on Quality of Service (IWQoS)
Publication date: 2020-06-01
Citations: 6
Abstract
Whether viewed from the perspective of detection or of defense, source and path validation are fundamental primitives for constructing security mechanisms that greatly enhance a network's immunity to malicious attacks such as injection, traffic hijacking and hidden threats. However, existing source and path verification schemes still impose a non-trivial operational overhead and lack the ability to adjust to dynamic path changes. In this paper, we propose a flexible and convenient source and path validation protocol called PSVM, which uses an authentication structure, PIC, composed of ordered pieces to carry out packet verification. Specifically, in the basic PSVM protocol, the PIC in the packet header (the part tied to cryptographic computation) does not require any update during packet verification, which enables a lower processing overhead in routers. To cope with the challenge of path policy changes while the protocol is running, the dynamic PSVM protocol supports controllable adjustment and migration, especially when a malicious node or region must be avoided. Our evaluation of a prototype on Click demonstrates that the verification efficiency of PSVM is barely influenced by payload size or path length. Compared to the baseline of normal IP routing, the throughput reduction ratio of basic PSVM is about 13%, which is much better than the 28% of the best existing solution, Origin and Path Trace (OPT). In addition, for a 35-hop path with 30 pieces of PIC that need to be adjusted in dynamic PSVM, the throughput reduction ratio at the routing cross node that performs the adjustment operation after normal verification is only 2.4%.