Hop-by-Hop Verification Mechanism of Packet Forwarding Path Oriented to Programmable Data Plane

Attacks against the forwarding path could deviate data packets from the predefined route to achieve ulterior purposes, which has posed a serious threat to the software-defined network. Previous studies attempted to solve this security issue through complex authentication or traffic statistics methods. However, existing schemes have the disadvantages of high bandwidth overhead and high process delay. Hence, this article proposed a lightweight forwarding path verification mechanism based on P4 implementation. First, we deployed inband network telemetry to obtain path information, and then performed the path verification inside each hop in the programmable data plane to ensure that various attacks against forwarding paths could be intercepted. Finally, complete path verification information would convey to the control plane for backup. Corresponding experimental results demonstrate that our mechanism can effectively improve the security of the packet forwarding path with acceptable throughput and delay.