In-situ Proof-of-Transit for Path-Aware Programmable Networks

This paper presents a scalable and efficient solution for secure network design that involves the selection and verification of network paths. The proposed approach addresses the challenge of extending compliance policies to cover path-aware programmable networks by decoupling the routing/forwarding mechanisms from the Proof-of-Transit (PoT) implementation. Thus, two concepts are bounded: i) a source routing mechanism based on a fixed routeID representing a unique identifier per path, which serves as a key for the PoT lookup table; ii) the "in situ" that allows to collect telemetry information in the packet while the packet traverses a path. The former enables path selection with policy at the edge, while the later allows to perform path verification without extra probe-traffic. A P4 programmable language prototype demonstrates the effectiveness of this approach to protect against deviation attacks with low overhead. The results show a significant reduction in network's forwarding state for fat-tree topologies depending on the workload per path (flows/path). (AU)