YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Donghong Qin,Jaihai Yang,Hui Wang,Bin Zhang,Lei Gao,Zhuolin Liu

DOI: https://doi.org/10.1109/ICOIN.2012.6164381

2012-01-01

Abstract:Multi-path routing is a promising technique to increase the Internet's reliability and to give users greater control over the service they receive. Currently the interdomain routing protocol limits each router to using a single route for same destination, which may not satisfy the diverse requirements of end users. In this paper, in order to support the effective and efficient multi-path service(MPS), we propose a multi-path inter-domain routing via deviation from primary path(MIR-DPP) which includes two main steps as following. Firstly, to improve the path diversity of node pairs, the special topology collected from neighboring ASes around the primary path, and the multipath set is calculated by our multipath discovery method. Secondly, to gain high-quality paths which are not compliant with routing policy, a negotiation mechanism is designed to address policy limits. Experiments with Internet topology and routing data demonstrate that MIR-DPP offers tremendous flexibility and diversity for path selection with reasonable overhead.

Donghong Qin,Jaihai Yang,Zhuolin Liu,Hui Wang,Bin Zhang,Wei Zhang

DOI: https://doi.org/10.1109/AINA.2012.83

2012-01-01

Abstract:Multipath routing is an important and promising technique to increase the Internet's reliability and to give users greater control over the service they receive. Currently the interdomain routing protocol limits each router to using a single route for a destination network, which does not satisfy the diverse requirements of end users. In this paper, in order to support the effective and efficient multipath routing, we propose a multipath interdomain routing system(AMIR), which not only provides more novel paths but also realizes a new AS-level routing scheme. In the control plane, the topology information is collected from neighboring ASes around the primary path, and based on this topology, multipath of the special node pairs is calculated by our multipath discovery algorithm. In the data plane, we use the interdomain source routing to forward the packets. Experiments with Internet topology and routing data demonstrate that AMIR is practical and feasible, and offers tremendous flexibility and diversity for path selection with reasonable overhead.

Dan Wu,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Min Huang

DOI: https://doi.org/10.1016/j.comnet.2015.08.028

IF: 5.493

2015-01-01

Computer Networks

Abstract:Interdomain Multipath Routing, which enables a source AS to use more than one paths for a destination AS, is a promising technique for achieving high bandwidth, high resiliency and fast reaction to failures. However, previous interdomain multipath routing protocols often produce paths which might share bottlenecks, which makes them vulnerable to failure on bottlenecks and therefore inefficient to support interdomain traffic engineering or concurrent multipath transfer. In this paper, we propose Disjoint Interdomain Multipath Routing (DIMR), attempting to make more ASes discover two disjoint paths. In this protocol, we present the concept of path combination and design the rules of path combination selection. We evaluate DIMR by simulation. Experimental results show that, DIMR enables over 90% of multi-connected ASes to install two disjoint paths.

Yaping Liu,Shuo Zhang,Haojin Zhu,Peng-Jun Wan,Lixin Gao,Yaoxue Zhang,Zhihong Tian

DOI: https://doi.org/10.1016/j.jpdc.2020.04.005

IF: 4.542

2020-08-01

Journal of Parallel and Distributed Computing

Abstract:<p>In recent years, with the continuous expansion of metropolitan area networks, the routing security problem has become more and more serious. In particular, promise-violating attack to inter-domain routing protocol is one of the most difficult attacks to defend, which always leads to serious consequences, such as maliciously attracting traffic and disrupting the network. To deal with such attack, current research generally adopts routing verification. However, it can only detect attacks violating a specific routing policy triggered by one malicious node, and no research has yet solved the problem caused by multiple collusion nodes. In this paper, we propose BRVM, a blockchain-based routing verification model, to address the issue that violating the shortest AS Path policy. The main idea of BRVM is to construct a route proof chain to verify whether a route violates the policy with the help of the blockchain technology. The precondition that avoiding the collusion attack is that the proportion of the malicious verification nodes is lower than the fault tolerance rate of the consensus algorithm. Then, we prove the correctness of BRVM in theory, and implement a prototype based on Quagga and Hyperledger Fabric. Some experiments on this prototype show that BRVM can indeed solve the promise-violating problem caused by multiple collusion nodes, and about 15.5% faster in performance compared with SPIDeR.</p>

computer science, theory & methods

Zhixin Sun,Kai Bu,Ke Ding

DOI: https://doi.org/10.1007/978-3-642-10485-5_14

2009-01-01

Abstract:For improving the routing security of traditional DHT, in this paper, a Multidimensional Mapping Mechanism and a secure routing method based on it are proposed against various routing attacks. The proposed mechanism, which maps the resource search and related peers to a smaller space following the same topology with current DHT protocol to simplify the routing operation and decrease the coupling degree between security mechanisms and routing geometry, lays a solid foundation for applying to diversified DHT protocols. The subsequently proposed security measures based on Multidimensional Mapping Mechanism for DHT routing still keeps independent of certain DHT protocol. It pervades throughout the whole routing process, and peers could correct the malicious routing under its security rules. The theoretical analysis and simulation experiment result show that the secure routing method proposed in this paper can improve the average success ratio of lookup through effectively inhibiting malicious behavior.

Quan Ren,Tao Hu,Jiangxing Wu,Yuxiang Hu,Lei He,Julong Lan

DOI: https://doi.org/10.1016/j.comnet.2021.108134

IF: 5.493

2021-01-01

Computer Networks

Abstract:SDN improves the flexibility and programmability of the network. However, malicious attacks caused by potential vulnerabilities and backdoors can easily lead to data and rule tampering in the network. To address this problem, this paper proposes an endogenous secure SDN network framework based on multipath resilient routing (MRR). MRR includes multipath comparing forwarding, multipath weighted forwarding, and multipath random forwarding. The framework ensures the correctness of flow rules and data content by dynamically comparing the consistency of multi-heterogeneous path data within a certain period, and multipath can also achieve load balance by weighted forwarding. In the MRR framework, we also present an intermediate information feedback mechanism based on encryption authentication and give a mathematical model to evaluate it. This mechanism can accurately identify and dynamically repair malicious switches. Simulation evaluation and prototype system test show that this framework can achieve high accuracy of flow transmission and high availability of system. At the same time, multipath comparing forwarding will bring some performance costs such as delay, bandwidth, and jitter at initial and attacking time. However, when the appropriate forwarding mode and reasonable period T are selected, the proportion of delay introduced by comparing and ruling can be less than 10%, and the average bandwidth of mixed forwarding is almost the same as traditional multipaths', such as we can guarantee 25% multipath comparing forwarding when the bandwidth requirement is 250 M in prototype system.

Z ZANG,G LUO,C YIN,臧志远,罗贵明,殷翀元

DOI: https://doi.org/10.1016/S1007-0214(09)70011-2

2009-01-01

Abstract:In networks, the stable path problem (SPP) usually results in oscillations in interdomain systems and may cause systems to become unstable. With the rapid development of internet technology, the occurrence of SPPs in interdomain systems has quite recently become a significant focus of research. A framework for checking SPPs is presented in this paper with verification of an interdomain routing system using formal methods and the NuSMV software. Sufficient conditions and necessary conditions for determining SPP occurrence are presented with proof of the method's effectiveness. Linear temporal logic was used to model an interdomain routing system and its properties were analyzed. An example is included to demonstrate the method's reliability.

Yaping Liu,Shuo Zhang,Haojin Zhu,Peng-Jun Wan,Lixin Gao,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-37228-6_4

2019-01-01

Abstract:Promise-violating attack to inter-domain routing protocol is becoming common in recent years, which always causes serious consequences, such as malicious attraction traffic, broken network. To deal with this kind of attack, routing verification is introduced by current research. However, it can only detect attacks against a specific routing policy triggered by one malicious node, and no research has yet been conducted to solve the problem caused by multiple collusion nodes. In this work, we present BRVM, a blockchain-based routing verification model, to address the issue of violating shortest AS Path policy. The main idea of BRVM is to record the route proofs to verify whether a route violates the policy using the blockchain technology. The precondition of avoiding a collusion attack is that the proportion of the malicious verification nodes is lower than the fault tolerance rate of the consensus algorithm used in the blockchain. We theoretically prove the correctness of BRVM, and implement a prototype based on Quagga and Fabric. Our experiments show that BRVM can solve this kind of promise-violating problem caused by multiple collusion nodes, and about 21% faster than SPIDeR [14] in performance.

SHEN Yang,ZHENG Baoyu,ZHAO Xianjing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.12.041

2007-01-01

Abstract:The paper proposes a multipath routing protocol(multipath routing protocol based on a hybrid criterion to choose routing, HC-MRP) based on DSDV in Ad Hoc networks. By the cross-layer technique, it proposes a hybrid criterion based on the shortest path criterion and the best channel state criterion, and establishes a neighbor node structure by which the multi-path mode can be expanded. The multi-path dividual transmission is employed as the transmission mode of paths. The simulation shows that by the mode of multi-path dividual transmission, the proposed protocol improves the throughput with a little price of the performance of delivery.

Hao Yin,Yang Wang,Geyong Min,Sebastien Berton,Rui Guo,Chuang Lin

DOI: https://doi.org/10.1002/cpe.1506

2010-01-01

Abstract:Multipath routing can adapt to traffic changes, increase reliability and enhance the Quality of Service support in communication networks. This routing algorithm has been recognized as one of the salient features in Mobile Ad hoc Networks (MANETs). However, existing multipath routing protocols are often practically infeasible due to its security venerability if they suffer from attacks in MANETs, such as repudiation attacks, Denial of Service attacks. In this paper we propose a novel secure multipath routing protocol, referred to as SMRP, and investigate its feasibility and performance. SMRP applies a new heuristic algorithm increasing the number of disjoint paths and a smart authentication mechanism to enhance the security against the attacks in MANETs. The performance results from extensive analysis and experiments show that SMRP can efficiently enhance the security in MANETs while preserving the low overhead of computing and communication. Copyright (C) 2009 John Wiley & Sons, Ltd.

Li Qi,Xu Mingwei,Wu Jianping,Shi Xingang,Chiu Dah Ming,Lee Patrick P.C.

DOI: https://doi.org/10.1109/ICCCN.2010.5560122

2010-01-01

Abstract:Routing failures are common on the Internet and routing protocols can not always react fast enough to recover from them, which usually causes packet delivery failures. To address the problem, fast reroute solutions have been proposed to guarantee reroute path availability and to avoid high packet loss after network failures. However, existing solutions are often specific to single type of routing protocol. It is hard to deploy these solutions together to protect Internet routing including intra- and inter-domain routing because of their individual computational and storage complexity. Moreover, most of them can not provide effective protection for traffic over failed links, especially for the bi-directional traffic. In this paper, we propose a unified fast reroute solution for routing protection under network failures. Our solution leverages identifier based direct forwarding to guarantee the effectiveness of routing protection and supports incremental deployment. In particular, enhanced protection cycle (e-cycle) is proposed to construct rerouting paths and to provide node and link protection for both intra- and inter-domain routing. We evaluate our solution by simulations, and the results show that the solution provides 100% failure coverage for all end-to-end routing paths with approximately two extra Forwarding Information Base (FIB) entries.

Peng Su,Zhengping Wu

DOI: https://doi.org/10.1007/978-90-481-9151-2_90

2010-01-01

Abstract:Although Border Gateway Protocol (BGP) is broadly used among autonomous systems (ASes), the topology of peer autonomous systems is often mysterious to some Internet Service Providers (ISPs) or administrative domains. With unknown routing policies of BGP neighbors and their uplink ASes, it is uneasy to make a proper design when building a multihoming environment. Sometimes it may even cause congestion problems. Some mistakenly announced prefixes of ASes over the Internet will continuously increase routing table and deteriorate policy-based routing. This paper analyzes the adjacency relationships of ASes over the entire Internet and their announced prefixes. Using this information, our prototype system can automatically identify the more appropriate access point for individual ASes, depict the relations among ASes, and provide decision support to manage the improper address spaces over the Internet.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icnp.2012.6459939

2012-01-01

Abstract:The authentication of the IP source address remains one of the most important steps in making the Internet as trustworthy as possible. With existing anti-spoofing solutions, deployed ASes lack cooperation when exchanging routing decisions and disseminations. In general, this makes anti-spoofing mechanisms inefficient and does not adapt to incremental deployment. By introducing routing choice feedback, we propose a distributed inter-domain anti-spoofing solution (Umbrella). In Umbrella, the deployed ASes can acquire approximate global routing choice information. Our approach offers gains in efficiency through the verification of the packets forwarding path and the construction of dynamically spoofing packets filter. Our experimental analysis of Umbrella shows it to be both effective and incrementally deployable.

Xinyou Cui,Xiaoping Zheng,Yanhe Li,Yili Guo,Hanyi Zhang

DOI: https://doi.org/10.1109/ofc.2007.4348361

2007-01-01

Abstract:Multilayer routing on restricted path (MRRP) was proposed, which confines the traffic only choose network resource on the restricted path. Discrete event simulation (DES) shows that MRRP has lower blocking probability and resource occupation.

Hai-jun GENG,Xin-gang SHI,Zhi-liang WANG,Xia YIN,Shao-ping YIN

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.01.032

2018-01-01

Abstract:With the expansion of the Internet,a large number of real-time applications are deployed on the Internet,which places greater demands on network delay.However,the current deployed intra-domain routing protocol cannot meet the requirements of real-time application for network delay.Therefore,improving the Internet routing availability has become an urgent problem.Academia and industry employ routing protection schemes to quickly respond to network failures and improve Internet routing availability.The existing routing protection schemes do not consider the importance of nodes in the network.However,the importance of different nodes in the network is not the same in real networks.To solve this problem,an intra-domain routing protection algorithm based on critical nodes (RPBCN) was proposed.Firstly,an Internet routing availability model is built,which can quantitatively measure the Internet muting availability.Then,a node criticality model is established,which can quantitatively measure the importance of nodes in the network At last,RPBCN is proposed based on the Internet routing availability model and node criticality model.The experiment results show that RPBCN greatly improves the Internet routing availability while possessing low computation overhead,which provides an efficient solution for the ISP to solve the Internet route availability problem.

Lp Chou,Cc Hsu,F Wu

DOI: https://doi.org/10.1109/icon.2002.1033328

2002-01-01

Abstract:Ad-hoc networks are a new wireless networking paradigm for mobile hosts. Unlike conventional wireless networks, ad-hoc networks have no fixed network infrastructure or administrative support. The topology of the network changes dynamically as mobile nodes join or depart the network or radio links between nodes become unusable. In this paper we propose some efficient multi-path approaches that provide more secure routing schemes for ad-hoc network than previous ones. Within these approaches, more than one routing paths are selected. With the underlying coding technique, it can guarantee security against some malicious parties(it depends on how robust system is.) Moreover, we apply these schemes into existing ad-hoc network routing protocols, table-driven and on-demand routing algorithms. Finally, we derive the relation between some probabilities on our algorithms.

Li Zhi-tang,GUO Wei

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.09.016

2005-01-01

Abstract:Because of frequent topology changes and wireless multi-hop link, traditional security routing protocol can't adapt mobile Ad hoc networks. In this paper, a mutual authentication security Ad hoc Network routing protocol, MASRP(mutual authenticated secure Ad hoc routing protocol) is proposed. With mutual authentication end nodes and exchange one-time session key in the route discovery of demand routing, it ensure that it is correctness of routing discovers and reliability of data transfers from end to end, to increase the secure of routing protocol. At the end of this paper, the secure of protocol is also proved by BAN logic.

Li-Ping Chou,Chin-Chi Hsu,Fan Wu

DOI: https://doi.org/10.1109/icon.2002.1033328

2002-01-01

Abstract:Ad-hoc networks are a new wireless networking paradigm for mobile hosts. Unlike conventional wireless networks, ad-hoc networks have no fixed network infrastructure or administrative support. The topology of the network changes dynamically as mobile nodes join or depart the network or radio links between nodes become unusable. We propose some efficient multipath approaches that provide more secure routing schemes for ad-hoc network than previous ones. Within these approaches, more than one routing paths are selected. With the underlying coding technique, it can guarantee security against some malicious parties (it depends on how robust system is). Moreover, we apply these schemes into existing ad-hoc network routing protocols, table-driven and on-demand routing algorithms. Finally, we derive the relation between some probabilities on our algorithms.

Qi Li,Mingwei Xu,Jianping Wu,Patrick P. C. Lee,Xingang Shi,Dah Ming Chiu,Yuan Yang

DOI: https://doi.org/10.1109/tnsm.2012.070512.110138

2012-01-01

IEEE Transactions on Network and Service Management

Abstract:Routing failures are common on the Internet and routing protocols can not always react fast enough to recover from them, which usually cause packet delivery failures. To address the problem, fast reroute solutions have been proposed to guarantee reroute path availability and to avoid high packet loss after network failures. However, existing solutions are often specific to single type of routing protocol. It is hard to deploy these solutions together to protect Internet routing including both intra- and inter-domain routing protocols because of their individual computational and storage complexity. Moreover, most of them can not provide effective protection for traffic over failed links, especially for the bi-directional traffic. In this paper, we propose a unified fast reroute solution for routing protection under network failures. Our solution leverages identifier based direct forwarding to guarantee the effectiveness of routing protection and supports incremental deployment. In particular, enhanced protection cycle (e-cycle) is proposed to construct rerouting paths and to provide node and link protection for both intra- and inter-domain routing protocols. We evaluate our solution by simulations, and the results show that the solution provides 100% failure coverage for all end-to-end routing paths with approximately two extra Forwarding Information Base (FIB) entries. Furthermore, we report an experimental evaluation of the proposed solution in operational networks. Our results show that the proposed solution effective provides failure recovery and does not introduce processing overhead to packet forwarding.