A data plane security model of segmented routing based on SDP trust enhancement architecture

Wang, Liang; Ma, Hailong; Jiang, Yiming; Tang, Yin; Zu, Shuodi; Hu, Tao

doi:10.1038/s41598-022-12858-2

Cited by 6 publications

(1 citation statement)

References 23 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SbSR (SDP based SR)30 ZbSR (ZTA based SR)Problem orientedThe terminal device of the SR network data planeThe switching device of the SR network data plane Modeling The migration model of the mature SDP model is carried out Based on the concept of ZTA, a new ZTA model is designed by adding security components and reassembling the original functional components Assessment Port scanning; Traffic monitoring; DoS attack; Topology detection based on label detection; Routing loop attack based on directional label; Performance overhead Control plane message tampering; Data plane loop attack; Identity deception; Back door utilization; DOS attack; Performance overhead Figure 2. ZbSR security model.…”

mentioning

confidence: 99%

A data plane security model of SR-BE/TE based on zero-trust architecture

Wang

et al. 2022

Sci Rep

View full text Add to dashboard Cite

Facing the untrusted threats of network elements and PKI/CA faced by SR-BE/TE (Segment Routing-BE/TE) data plane in the zero-trust network environment, firstly, this paper refines it into eight specific security issues. Secondly, an SR-BE/TE data plane security model ZbSR (ZTA-based SR) based on zero-trust architecture is proposed, which reconstructs the original SR control plane into a "trust-agent" two-layer plane based on 4 components of the controller, agent, cryptographic center and information base. On one hand, we distinguish between the two segment list generation modes and proposes corresponding data exchange security algorithms, by introducing north–south security verification based on identity authentication, trust evaluation, and key agreement before the terminal device establishes an east–west access connection, so reliable data exchange between terminal devices can be realized. On the other hand, for the network audit lacking SR-BE/TE, a network audit security algorithm based on solid authentication is proposed. By auditing the fields, behaviors, loops, labels, paths, and SIDs of messages, threats such as stream path tampering, SID tampering, DoS attacks, and loop attacks can be effectively detected. Finally, through the simulation test, the proposed model can provide security protection for the SR data plane with a 19.3% average incremental delay overhead for various threat scenarios.

show abstract

mentioning

confidence: 99%