Computer Science ›› 2025, Vol. 52 ›› Issue (10): 328-335. doi: 10.11896/jsjkx.240800163

• Computer Networks •

SRv6 Functional Conformance Verification Mechanism Based on the Programmable Data Plane

WANG Pengrui1, HU Yuxiang1,2,3, CUI Pengshuai1,2,3, DONG Yongji1,2,3, XIA Jiqiang1

  1 Institute of Information Technology Research, Information Engineering University, Zhengzhou 450002, China
  2 National Key Laboratory of Advanced Communication Networks, Zhengzhou 450002, China
  3 Key Laboratory of Cyberspace Security, Ministry of Education, Zhengzhou 450002, China
  • Received: 2024-08-30 Revised: 2024-11-25 Online: 2025-10-15 Published: 2025-10-14
  • Corresponding author: HU Yuxiang (chxachxa@126.com)
  • About author: (wprxxgcdx@163.com)
    WANG Pengrui, born in 1997, postgraduate. His main research interests include segment routing and programmable data plane.
    HU Yuxiang, born in 1982, Ph.D, Ph.D supervisor. His main research interests include next generation network architecture and switching technology.
  • Supported by:
    National Key Research and Development Program of China (2023YFB2903902), Science and Technology Innovation Leading Talents Subsidy Project of Central Plains (244200510038) and Key R&D Projects of Songshan Laboratory (221100210900-02).

Abstract: In SRv6 (Segment Routing over IPv6), the segment identifier (SID) design provides programmability for traffic engineering, security authentication, and other network functions. These functions depend on the precise matching and execution of flow tables in the data plane; when flow tables are maliciously tampered with or misconfigured, functional consistency problems readily arise. In-band Network Telemetry (INT), a classic programmable verification tool in SDN scenarios, combines naturally with SRv6. This paper therefore proposes the SRv6 Function Consistency Verification (SRv6FCV) mechanism based on the programmable data plane. SRv6FCV uses data plane programmability to insert authentication identifiers into probe packets. It first dynamically converts the SID into a specific INT metadata structure according to the monitoring needs, then constructs probe packets and injects them into the network to collect, hop by hop, the flow table execution information of specific network functions, and finally parses the telemetry information and completes the functional consistency verification based on a symbolic execution algorithm. Simulation results show that SRv6FCV can ensure consistency between flow table rules and service function execution policies. Compared with previous studies, SRv6FCV achieves consistency verification of network functions with lower running overhead and a significantly shorter verification time.

Key words: Segment routing, Segment identifier (SID), SRv6, In-band network telemetry, Consistency

CLC Number:

  • TP393