Atlas: A First Step Toward Multipath Validation

Abstract

Path validation, an indispensable feature of a future secure Internet, verifies whether packets follow the paths specified for them. Existing solutions, however, cannot be applied to multipath routing with practical efficiency: multipath routing may proliferate an exponential number of path choices, and the source may not know in advance which path a packet will follow. In this paper, we design and implement Atlas, the first protocol for efficient multipath validation. It makes a leap in efficiency through two newly proposed techniques: hierarchical validation and tagged pruning. Hierarchical validation divides the multipath into non-overlapping segments, so the path credential for each segment needs to be computed only once, however many paths share that segment. Tagged pruning labels each segment with a unique tag, so a router can directly identify the credential field it must validate and delete the credentials of unused paths; this further accelerates validation and saves bandwidth. We further explore two efficiency enhancements, low-level credential elimination and used credential elimination, to improve Atlas scalability. We validate the practicality and applicability of Atlas over a recent topology measurement of Internet2's IP Network. To evaluate the performance of Atlas and the enhancements, we implement Atlas using the Click modular router. Experiment results show that compact Atlas headers enable large-scale multipath validation without breaching the MTU limit. Atlas thus invigorates the practicality of multipath validation.
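The abstract describes the two ideas only at a high level, so the following is an added toy model written for this page; it is not the Atlas protocol or the paper's code, and every detail of it (the segment DAG, the per-segment symmetric keys shared with the source, the HMAC-based credential, the header layout) is an assumption made for illustration. It shows the two properties the abstract names: a credential is computed once per segment even though several paths traverse that segment (hierarchical validation), and a router uses the segment tag to find its own credential field and discards the credentials of branches that can no longer be reached (tagged pruning, with the consumed credential dropped as well in the spirit of used credential elimination). A packet whose payload is altered in flight fails validation at the next segment.

```python
import hashlib
import hmac

# Constructed multipath (assumption, not from the paper): non-overlapping
# segments, each a list of routers traversed in order, joined into a DAG.
# Two paths exist, A-B-D and A-C-D, so six segment visits but only four
# distinct segments.
SEGMENTS = {
    "A": ["R1"],          # entry segment shared by every path
    "B": ["R2", "R3"],    # upper branch
    "C": ["R4"],          # lower branch
    "D": ["R5"],          # common exit segment
}
NEXT = {"A": ["B", "C"], "B": ["D"], "C": ["D"], "D": []}

# Assumption: every segment shares one symmetric key with the source.
# Keys are derived deterministically here only so the example runs offline.
SEGMENT_KEYS = {tag: hashlib.sha256(f"key-{tag}".encode()).digest()
                for tag in SEGMENTS}


def credential(tag, payload):
    """Per-segment credential: HMAC over the tag, the segment's routers
    and the packet digest. Truncated to 8 bytes to keep the header compact."""
    digest = hashlib.sha256(payload).digest()
    msg = tag.encode() + b"|" + "/".join(SEGMENTS[tag]).encode() + b"|" + digest
    return hmac.new(SEGMENT_KEYS[tag], msg, hashlib.sha256).digest()[:8]


def build_header(payload):
    """Source side: one credential per segment, regardless of how many
    paths run through it (hierarchical validation)."""
    return {tag: credential(tag, payload) for tag in SEGMENTS}


def reachable(tag):
    """All segments reachable from `tag`, including `tag` itself."""
    seen, stack = set(), [tag]
    while stack:
        t = stack.pop()
        if t not in seen:
            seen.add(t)
            stack.extend(NEXT[t])
    return seen


def router_validate_and_prune(header, payload, tag, chosen_next=None):
    """Router side: look up this segment's field by tag, verify it, then
    drop the credentials of every segment the chosen branch cannot reach
    (tagged pruning). The consumed credential is dropped too."""
    cred = header.get(tag)
    if cred is None or not hmac.compare_digest(cred, credential(tag, payload)):
        return False
    if chosen_next is not None:
        if chosen_next not in NEXT[tag]:
            return False
        keep = reachable(chosen_next)
        for t in list(header):
            if t not in keep:
                del header[t]
    return True


def forward(payload, branch, delivered=None):
    """Simulate one packet along A -> branch -> D. `delivered` is the payload
    the routers actually see; passing a different value models tampering.
    Returns (accepted, remaining_header)."""
    delivered = payload if delivered is None else delivered
    header = build_header(payload)
    path = ["A", branch, "D"]
    for i, tag in enumerate(path):
        nxt = path[i + 1] if i + 1 < len(path) else None
        if not router_validate_and_prune(header, delivered, tag, nxt):
            return False, header
    return True, header


if __name__ == "__main__":
    print("credentials computed:", len(build_header(b"pkt")))   # 4, not 6
    print("upper branch:", forward(b"pkt", "B"))
    print("lower branch:", forward(b"pkt", "C"))
    print("tampered:", forward(b"pkt", "B", delivered=b"pkx"))
```

After the branch decision at segment A the header no longer carries the credential of the unchosen branch, so the bandwidth spent on credentials shrinks hop by hop; a real design would of course also have to bind the tag and segment membership to the routers' identities and handle key distribution, which this model leaves out.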
