Yifan Li,Xiaohe Hu,Chengjun Jia,Kai Wang,Jun Li

DOI: https://doi.org/10.1109/TNSM.2022.3229675

2023-01-01

IEEE Transactions on Network and Service Management

Abstract:Cloud-native computing has become a prevailing paradigm with lightweight runtime-level isolation and fast delivery for scalable applications. Cloud-native network policies (CNNPs) are used to realize network isolation with respect to security and availability. Due to the dynamic environment, CNNPs are label-based instead of IP-based and take the form of attribute-based access control (ABAC) to obtain good expressivity. To ensure the correctness of network isolation, CNNP verification is an essential but challenging problem given the large scale and frequent updates of cloud-native environments and the operation automation demand. Thus, we design Kano, an efficient, i.e., easy-to-use and fast-to-execute, system for verifying large scale CNNPs at runtime. Kano is operation-friendly, with a proposed intent-based verification language. A bit matrix model with a prefiltration algorithm and a partial-update method is proposed to support fast complete and incremental verification. Kano also generates fix plans for violations to assist operators. Kano is implemented as a CNNP verification system that is used in ABAC cloud-native platforms and is integrated into the popular Kubernetes orchestrator. An evaluation on a large scale network of 100k nodes and about 68k policies shows the efficiency of Kano, with 12.51 seconds for all reachable invariant verification and 0.299 milliseconds for policy addition verification.

Yahui Li,Han Zhang,Jilong Wang,Xingang Shi,Xia Yin,Zhiliang Wang,Jiankun Hu,Congcong Miao,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2024.3409935

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network managers configure networks to enforce various high-level policies, and to respond to the wide range of network events (e.g., attacks, intrusions, malicious route announcements from neighbors) that may occur. It is incredibly difficult to specify these high-level policies in terms of distributed low-level configuration. These high-level policies hold only if the distributed configurations are well equipped to react to unsafe and unreliable environments (e.g., malicious route announcements, unsafe components and devices). Therefore, it is important to proactively verify whether network policies hold across continually changing environments in terms of current network configurations. State-of-the-art policy verification techniques are limited because they can check only the Boolean policies (e.g., forwarding reachability, waypoint or blackhole-freeness). However, many policy violations express themselves in quantitative ways (e.g., a link becomes overloaded). In this paper, we propose quantitative network verification (QNV) analyzing the quantitative policies of networks across unsafe and unreliable environments. QNV translates network configurations into a symbolic simulation model that captures the stable states to which the network forwarding will converge as a result of interactions between routing protocols. It then generates a logical formula matrix that describes network forwarding in the event of failures and verifies quantitative policies based on the formula matrix. We implement QNV and evaluate it on realistic and synthetic configurations. Our evaluation shows that QNV can precisely verify quantitative policies in only a few minutes, even in large networks.

Qiang Wu,Xiangping Bryce Zhai,Xi Liu,Chun-Ming Wu,Fangliang Lou,Hongke Zhang

DOI: https://doi.org/10.1109/TNET.2022.3193686

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Network Functions Virtualization (NFV) replaces the specialized hardware with the software-based forwarding to promise the flexibility, scalability and automation benefits. With an increasing range of applications, NFV must ultimately forward packets at rates that are comparable to the native and specialized hardware-based approaches. However, the transition packet forwarding from specialized hardware to software-based has turned out to be more challenging than expected. Thus, NFV acceleration is desperately needed to play a crucial role in the development of NFV. It is an interesting issue how to address the persistent performance tuning in a way that provides far greater flexibility to meet the demands of power. The existing developments are very inefficient, since that the uncontrollable and unanticipated performance regressions frequently occur. Besides, the environments for full system simulations are traditionally expensive and time consuming to evaluate the system performance. In this paper, we propose the methodology named as “NFV Acceleration via Lean Measurements (NALM)” to tune the performance for the NFV acceleration. NALM provides a holistic measurement approach through combining individual measures to quickly identify the bottlenecks, which can help developers with a better understanding of the design tradeoffs. Moreover, the environments for large scale performance simulation are replaced by a debugger. Thus, the waste is eliminated in terms of time consumption and infrastructure costs of the full system simulation. The systematic analysis of the multi-cores speedup ratio highlights the potential optimization space and rules. We further propose the improvement recommendations on efficient practices. The experiments evaluate the specific effects, and the relationship between the metrics and forwarding performance.

Xiang Chen,Qun Huang,Peiqiao Wang,Zili Meng,Hongyan Liu,Yuxin Chen,Dong Zhang,Haifeng Zhou,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/IWQOS52092.2021.9521329

2021-01-01

Abstract:In network function virtualization (NFV), network functions (NFs) are chained as a service function chain (SFC) to enhance NF management with high flexibility. Recent solutions indicate that the processing performance of SFCs can be significantly improved by offloading NFs to programmable switches. However, such offloading requires a deep understanding of NF properties to achieve the maximum SFC performance, which brings non-trivial burdens to network administrators. In this paper, we propose LightNF, a novel system that simplifies NF offloading in programmable networks. LightNF automatically dissects comprehensive NF properties (e.g., NF performance behaviors) via code analysis and performance profiling while eliminating manual efforts. It then leverages the analyzed NF properties in its SFC placement so as to produce the performance-optimal offloading. We have implemented a LightNF prototype. Our experiments show that LightNF outperforms state-of-the-art solutions with an orders-of-magnitude reduction in per-packet processing latency and 9.5x improvement in SFC throughput.

Yifan Li,Chengjun Jia,Xiaohe Hu,Jun Li

DOI: https://doi.org/10.1109/hoti51249.2020.00024

2020-01-01

Abstract:Container technology is a light weight back-end virtualization solution which copes with the growing demand for internet service concurrency. For security and availability, network isolation is essential in container network. Label based network access control policies are employed as a network isolation solution by the famous container orchestrator, Kubernetes. The large scale and flexibility of container networks implies a prohibitive complexity, whereas the constant changes of policies and containers demand a short response time, thus the policy verification needs to be efficient. However, there is no existing tool that solves the verification problem of label based network access control policies. Kano is proposed as the first system to cover container network policy verification, including incremental verification. It leverages on a prefiltration algorithm to reduce the time complexity of reachability matrix calculation from O(n 2 ) to O(n). With predefined and user-defined constraints which can be verified quickly with the reachability matrix, Kano removes potential risk from the container network. Based on the verification result, Kano provides advices to reinforce the security and availability of the container network.

Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Yahui Li,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Fangdan Ye,Jiangyuan Yao,Han Zhang

DOI: https://doi.org/10.1016/j.comnet.2020.107326

IF: 5.493

2020-01-01

Computer Networks

Abstract:Configuring a network is always difficult and error-prone because of low-level configuration languages and complex routing mechanisms. Most network outages occur when network the configuration is updated. Thus, it is important to proactively verify network configurations. Unfortunately, there are two practical obstacles that inhibit the performance of existing configuration verification tools: (i) Lack of knowledge. Network users often do not know which input verification queries need to be verified. (ii) Limited scalability. Even the state-of-the-art tool (i.e., Minesweeper [1]) takes approximately 500 seconds to complete a single reachability query for a network with tens of routers. Considering the total number of queries that must be verified, real networks often make such techniques impractical. In this paper, we propose NUV, a framework for performing network configuration update verification. NUV outputs verification queries for only the endpoints whose forwarding behavior has changed under the updated network configuration. Based on the network forwarding model, NUV infers the potential traffic impact and eliminates endpoints whose forwarding behavior is equivalent in both the original network configuration and the updated configuration. The NUV outputs can be used as input to a rich collection of existing configuration verification tools. Evaluations on a series of benchmark networks show that NUV can solve the lack of knowledge problem, and it enables query verification to execute at speeds orders of magnitude faster than existing tools; thus, it also improves verification scalability.

Kun Wang,Chengcheng Zhao,Jinpei Chu,Yiping Shi,Jianyuan Lu,Biao Lyu,Shunmin Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/tnet.2024.3469386

2024-01-01

Abstract:The Virtual Private Cloud (VPC) service enables users to configure shared resources within public clouds on demand, providing isolation between users. However, configuring the VPC network is a complex and error-prone task, and misconfiguration has been the leading cause of cloud network security issues. The large number of complex network components and configurations makes it difficult to perform scalable, efficient, and accurate fault verification of the network behavior. To address this issue, we design a comprehensive and automated fault diagnosis and localization tool, called, which is built upon an innovative modular network model that accurately captures the logic functions of real components within VPC networks, and propose eleven functions to verify network reachability and security requirements. We conduct performance testing of on various datasets and compared it with other verification tools. The experiments show that outperforms in modeling and analyzing real VPC scenarios while also possessing the fastest verification speed. It can model and analyze large VPC networks with tens of thousands of components and millions of configuration rules in less than half an hour.

German Sviridov,Zheng Tao Shen,Jorge Cardoso

2024-04-30

Abstract:Virtual Private Cloud (VPC) is the main network abstraction technology used in public cloud systems. VPCs are composed of a set of network services that permit the definition of complex network reachability properties among internal and external cloud entities such as tenants' VMs or some generic internet nodes. Although hiding the underlying complexity through a comprehensible abstraction layer, manually enforcing particular reachability intents in VPC networks is still notably error-prone and complex. In this paper, we propose AutoNet, a new model for assisting cloud tenants in managing reachability-based policies in VPC networks. AutoNet is capable of safely generating incremental VPC configurations while satisfying some metric-based high-level intent defined by the tenants. To achieve this goal, we leverage a MaxSAT-based encoding of the network configuration combined with several optimizations to scale to topologies with thousands of nodes. Our results show that the developed system is capable of achieving a sub-second response time for production VPC deployments while still providing fine-grained control over the generated configurations.

Networking and Internet Architecture

Michel Gokan Khan,Saeed Bastani,Javid Taheri,Andreas Kassler,Shuiguang Deng

DOI: https://doi.org/10.1109/CloudNet.2018.8549333

2018-01-01

Abstract:Network Function Virtualization (NFV) focuses on decoupling network functions from proprietary hardware (i.e., middleboxes) by leveraging virtualization technology. Combining it with Software Defined Networking (SDN) enables us to chain network services much easier and faster. The main idea of using these technologies is to consolidate several Virtual Network Functions (VNFs) into a fewer number of commodity servers to reduce costs, increase VNFs fluidity and improve resource efficiency. However, the resource allocation and placement of VNFs in the network is a multifaceted decision problem that depends on many factors, including VNFs resource demand characteristics, arrival rate, configuration of underlying infrastructure, available resources and agreed Quality of Services (QoS) in Service Level Agreements (SLAs). This paper presents a bottom-up open-source NFV analysis platform (NFV-Inspector) to (1) systematically profile and classify VNFs based on resource capacities, traffic demand rate, underlying system properties, placement of VNFs in the network, etc. and (2) extract/calculate the correlation among the QoS metrics and resource utilization of VNFs. We evaluated our approach using an emulated virtual Evolved Packet Core platform (Open5GCore) to showcase how complex relation among various NFV service chains can be systematically profiled and analyzed.

Xu Tian-Ni,Sun Hai-Feng,Zhang Di,Zhou Xiao-Ming,Sui Xiu-Feng,Wang Sa,Huang Qun,Bao Yun-Gang

DOI: https://doi.org/10.1007/s11390-020-0434-1

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:With the advent of virtualization techniques and software-defined networking (SDN), network function virtualization (NFV) shifts network functions (NFs) from hardware implementations to software appliances, between which exists a performance gap. How to narrow the gap is an essential issue of current NFV research. However, the cumbersomeness of deployment, the water pipe effect of virtual network function (VNF) chains, and the complexity of the system software stack together make it tough to figure out the cause of low performance in the NFV system. To pinpoint the NFV system performance issues, we propose NfvInsight, a framework for automatic deployment and benchmarking VNF chains. Our framework tackles the challenges in NFV performance analysis. The framework components include chain graph generation, automatic deployment, and fine granularity measurement. The design and implementation of each component have their advantages. To the best of our knowledge, we make the first attempt to collect rules forming a knowledge base for generating reasonable chain graphs. NfvInsight deploys the generated chain graphs automatically, which frees the network operators from executing at least 391 lines of bash commands for a single test. To diagnose the performance bottleneck, NfvInsight collects metrics from multiple layers of the software stack. Specifically, we collect the network stack latency distribution ingeniously, introducing only less than 2.2% overhead. We showcase the convenience and usability of NfvInsight in finding bottlenecks for both VNF chains and the underlying system. Leveraging our framework, we find several design flaws of the network stack, which are unsuitable for packet forwarding inside one single server under the NFV circumstance. Our optimization for these flaws gains at most 3x performance improvement.

Chen Sun,Jun Bi,Zhilong Zheng,Heng Yu,Hongxin Hu

DOI: https://doi.org/10.1145/3098822.3098826

2018-01-01

Abstract:Software-based sequential service chains in Network Function Virtualization (NFV) could introduce significant performance overhead. Current acceleration efforts for NFV mainly target on optimizing each component of the sequential service chain. However, based on the statistics from real world enterprise networks, we observe that 53.8% network function (NF) pairs can work in parallel. In particular, 41.5% NF pairs can be parallelized without causing extra resource overhead. In this paper, we present NFP, a high performance framework, that innovatively enables network function parallelism to improve NFV performance. NFP consists of three logical components. First, NFP provides a policy specification scheme for operators to intuitively describe sequential or parallel NF chaining intents. Second, NFP orchestrator intelligently identifies NF dependency and automatically compiles the policies into high performance service graphs. Third, NFP infrastructure performs light-weight packet copying, distributed parallel packet delivery, and load-balanced merging of packet copies to support NF parallelism. We implement an NFP prototype based on DPDK in Linux containers. Our evaluation results show that NFP achieves significant latency reduction for real world service chains.

Binanda Sengupta,Yingjiu Li,Kai Bu,Robert H. Deng

DOI: https://doi.org/10.1145/3372046

IF: 5.3

2020-01-01

ACM Transactions on Internet Technology

Abstract:The end-users communicating over a network path currently have no control over the path. For a better quality of service, the source node often opts for a superior (or premium) network path to send packets to the destination node. However, the current Internet architecture provides no assurance that the packets indeed follow the designated path. Network path validation schemes address this issue and enable each node present on a network path to validate whether each packet has followed the specific path so far. In this work, we introduce two notions of privacy-path privacy and Index privacy-in the context of network path validation. We show that, in case a network path validation scheme does not satisfy these two properties, the scheme is vulnerable to certain practical attacks (that affect the privacy, reliability, neutrality and quality of service offered by the underlying network). To the best of our knowledge, ours is the first work that addresses privacy issues related to network path validation. We design PrivNPV, a privacy-preserving network path validation protocol, that satisfies both path privacy and index privacy. We discuss several attacks related to network path validation and how PrivNPV defends against these attacks. Finally, we discuss the practicality of PrivNPV based on relevant parameters.

Hoang-Dung Tran,Xiaodong Yang,Diego Manzanas Lopez,Patrick Musau,Luan Viet Nguyen,Weiming Xiang,Stanley Bak,Taylor T. Johnson

DOI: https://doi.org/10.48550/arXiv.2004.05519

2020-04-12

Systems and Control

Abstract:This paper presents the Neural Network Verification (NNV) software tool, a set-based verification framework for deep neural networks (DNNs) and learning-enabled cyber-physical systems (CPS). The crux of NNV is a collection of reachability algorithms that make use of a variety of set representations, such as polyhedra, star sets, zonotopes, and abstract-domain representations. NNV supports both exact (sound and complete) and over-approximate (sound) reachability algorithms for verifying safety and robustness properties of feed-forward neural networks (FFNNs) with various activation functions. For learning-enabled CPS, such as closed-loop control systems incorporating neural networks, NNV provides exact and over-approximate reachability analysis schemes for linear plant models and FFNN controllers with piecewise-linear activation functions, such as ReLUs. For similar neural network control systems (NNCS) that instead have nonlinear plant models, NNV supports over-approximate analysis by combining the star set analysis used for FFNN controllers with zonotope-based analysis for nonlinear plant dynamics building on CORA. We evaluate NNV using two real-world case studies: the first is safety verification of ACAS Xu networks and the second deals with the safety verification of a deep learning-based adaptive cruise control system.

Hanan Suwi,Nadjia Kara,Omar Abdel Wahab,Claes Edstrom,Yves Lemieux

DOI: https://doi.org/10.1007/s10922-024-09830-y

2024-06-13

Journal of Network and Systems Management

Abstract:Network Function Virtualization (NFV) is a new technology that allows service providers to improve the cost efficiency of network service provisioning. This is accomplished by decoupling the network functions from the physical environment within which they are deployed and converting them into software components that run on top of commodity hardware. Despite its importance, NFV encounters many challenges at the placement, resource management, and adaptation levels. For example, any placement strategy must take into account the minimization of several factors, including those of hardware resource utilization, network bandwidth and latency. Moreover, Virtual Network Functions (VNFs) should continuously be adjusted to keep up with the changes that occur at both the data center and user levels. Over the past few years several efforts have been made to come up with innovative placement, resource management, and readjustment policies. However, a problem arises when these policies exhibit some conflicts and/or redundancies with one another, since the policies are proposed by multiple sources (e.g., service providers, network administrators, NFV-orchestrators and customers). This constitutes a serious problem for the network service as a whole and has several negative impacts such as Service-Level Agreement (SLA) violations and performance degradation. Besides, as conflicts may occur among a set of policies, pairwise detection will not adequate. In this paper, we tackle this problem by defining a conflict and redundancy detection and an automated resolution mechanisms to identify and solve the issues within and between NFV policies. Finally, we integrate a real-time detection component into our solution to provide continuous and comprehensive conflict and redundancy resolution, as new policies are introduced. The experimental results show that the proposed policy detection and resolution tools could rapidly identify, detect and solve conflicts and redundancies among NFV policies and extremely fast than other frameworks. Furthermore, the results show that our solution is efficient even in scenarios that consist of more than 2000 policies. Moreover, our proposed detection mechanisms can detect and solve the conflicts and redundancies for various types of policies such as placement, scaling and migration.

computer science, information systems,telecommunications

Xiaoli Zhang,Cong Wang,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/MNET.001.1800330

IF: 10.294

2020-01-01

IEEE Network

Abstract:Guaranteeing that large scale networks are always operated as policy goals dictate is critical for network availability, security, and performance. The problem is challenging, as it should not only assure the correctness of policy configurations across various network devices, but also guarantee the faithfulness of policy enforcement on actual packet forwarding behaviors. In this article, we provide a systematic overview of the direction of network verification, which covers both verification of network configurations and assurance of device actual behaviors. In particular, we summarize state-of-the-art designs with focuses from early stateless data planes with switches/routers to more recent stateful ones containing middleboxes. After analyzing and comparing these works, we also specify future directions in the verification of stateful networks.

Nick Giannarakis,Alexandra Silva,David Walker

DOI: https://doi.org/10.1145/3473595

2021-08-22

Proceedings of the ACM on Programming Languages

Abstract:ProbNV is a new framework for probabilistic network control plane verification that strikes a balance between generality and scalability. ProbNV is general enough to encode a wide range of features from the most common protocols (eBGP and OSPF) and yet scalable enough to handle challenging properties, such as probabilistic all-failures analysis of medium-sized networks with 100-200 devices. When there are a small, bounded number of failures, networks with up to 500 devices may be verified in seconds. ProbNV operates by translating raw CISCO configurations into a probabilistic and functional programming language designed for network verification. This language comes equipped with a novel type system that characterizes the sort of representation to be used for each data structure: concrete for the usual representation of values; symbolic for a BDD-based representation of sets of values; and multi-value for an MTBDD-based representation of values that depend upon symbolics. Careful use of these varying representations speeds execution of symbolic simulation of network models. The MTBDD-based representations are also used to calculate probabilistic properties of network models once symbolic simulation is complete. We implement the language and evaluate its performance on benchmarks constructed from real network topologies and synthesized routing policies.

Xiaoli Zhang,Qi Li,Jianping Wu,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2020.3028846

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:With the advent of network function virtualization (NFV), outsourcing network functions (NFs) to the cloud is becoming increasingly popular for enterprises since it brings significant benefits for NF deployment and maintenance, such as improved scalability and reduced overhead. However, NF outsourcing limits the control of customer enterprises over NF deployment and management, consequently raising serious security concerns. Enterprises cannot ensure whether their outsourced NFs and associated service function chains (SFCs) are correctly enforced according to their specifications. In this paper, we propose vSFC, an SFC verification scheme that allows an enterprise to accurately verify the correctness of SFC enforcement in real time. Specifically, it can detect a wide range of SFC violations including forwarding path incompliance, packet dropping, and flow dropping attacks. Meanwhile, it is generic and agile, which can be applied to arbitrary cloud architectures without requiring any modification to NFs. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype on top of Linux kernel-based virtual machines (KVM) and conduct extensive experiments with real traffic. The experimental results show that vSFC can accurately detect SFC violations with negligible overhead.

Xiaojing Chen,Wei Ni,Iain B. Collings,Xin Wang,Shugong Xu

DOI: https://doi.org/10.1109/tcomm.2018.2877336

IF: 6.166

2019-02-01

IEEE Transactions on Communications

Abstract:This paper proposes a new fully decentralized approach to online placement and optimization of virtual machines (VMs) for network functions virtualization (NFV). The approach is of practical value, as network services comprising a chain of virtual network functions (VNFs) are proposed to be queued on the basis of leading unexecuted VNFs at every server, rather than on the typical basis of services, reducing queues per server and facilitating queue management and signaling. It is also non-trivial because the VNFs of network services must be executed correctly in order at different VMs, coupling the optimal decisions of VMs on processing or offloading. Exploiting Lyapunov optimization techniques, we decouple the optimal decisions by deriving and minimizing the instantaneous upper bound of the NFV cost in a distributed fashion, and achieve the asymptotically minimum time-average cost. We also reduce the queue length by allowing individual VMs to (un)install VNFs based on local knowledge, achieving stable redeployment of VNFs, adapting to the network topology and the temporal and spatial variations of services. Simulations show that the proposed approach is able to reduce the time-average cost of NFV by 71% and reduce the queue length (or delay) by 74%, as compared with existing approaches.

telecommunications,engineering, electrical & electronic

Kaiping Xue,Jiayu Yang,Qiudong Xia,David S. L. Wei,Jian Li,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tnsm.2021.3136547

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:As a new architecture of Internet infrastructure, Information-Centric Networking (ICN) is mainly designed to effectively handle the rapidly increasing user demand for content delivery through in-network caching. While facilitating the dissemination of content to users and making better use of the network resources, ICN is also vulnerable in that attackers can inject poisoned content into the network and isolate users from valid content sources. The introduction of signature verification in each router can effectively prevent this attack, but it also introduces great computation overhead. Existing schemes in ICN reduce verification overhead from a single routing perspective but do not consider integrating resources within ICN for collaborative content authentication and cyber self-defense. In this paper, we propose a collaborative, secure, and efficient content validation protection framework, named CSEVP, to implement a multi-router collaborative defense mechanism for ICN. On the one hand, we conduct content verification by probabilistically choosing one router involved in the transmission path to offload the computation overhead of content verification from a single router to multiple ones. On the other hand, we adopt bloom filters for routers to record and share verification results to further facilitate a more efficient content validity verification. The security and efficiency analysis shows that our proposed CSEVP can achieve efficient content validity verification among multiple routers with acceptable low communication and storage overhead.