SEC: Secure, Efficient, and Compatible Source Address Validation with Packet Tags

“…A more general view of attack mitigation that includes several DDoS attacks have been presented in [104], [105], [106]. Considering the source of traffic, a proactive approach of source address validation has been considered in [107], while the study in [108], [109], [110] detects and drops spoofed traffic. Some specific cases have also been considered.…”

“…3) Security of Source of the Traffic: The studies in [107], [108], [109], [110] consider the security for the source of the traffic. While [107] advocates a proactive strategy for source address validation, the studies in [108], [109], [110] detect and drop spoofed traffic in a reactive manner.…”

“…Tag-based solutions for source address validation, have some drawbacks including insecure key negotiation, heavy encryption algorithms with computational overheads for routers, and using non-standard headers. To overcome these problems, Yang et al [107] employ a secure key negotiation mechanism that can be implemented in programmable routers. The proposed method combines Elliptic Curve Diffie-Hellman Ephemeral key agreement and resource public key infrastructure to enable secure key negotiation and defeat Manin-the-Middle attacks.…”

“…AR-DDoS attack mitigation has been considered in [103]. Considering the security of the source of traffic, the study in [107] offload tag generation to the programmable routers for source address validation, while the studies in [108], [109], [110] filter spoofed traffic in the network element e.g., by implementing Hop Count Filtering. A more general view of attack mitigation that includes several DDoS attacks have been presented in [104], [105], [106].…”

“…• Bandwidth Consumption: Fully in-network security methods which do not require traffic transmission to the scrubbing servers or (SDN) controller, will save bandwidth in comparison with controller/server based methods. For a source address validation application, the experimental results in [107] show that in-network filtering of the spoofed packets can save the bandwidth up to 200 kbps. The co-design approaches can consume higher bandwidth than fully-in-network security schemes due to overhead of communication between server/controller and network element.…”

A Survey on In-Network Computing: Programmable Data Plane and Technology Specific Applications

“…A more general view of attack mitigation that includes several DDoS attacks have been presented in [104], [105], [106]. Considering the source of traffic, a proactive approach of source address validation has been considered in [107], while the study in [108], [109], [110] detects and drops spoofed traffic. Some specific cases have also been considered.…”

“…3) Security of Source of the Traffic: The studies in [107], [108], [109], [110] consider the security for the source of the traffic. While [107] advocates a proactive strategy for source address validation, the studies in [108], [109], [110] detect and drop spoofed traffic in a reactive manner.…”

“…Tag-based solutions for source address validation, have some drawbacks including insecure key negotiation, heavy encryption algorithms with computational overheads for routers, and using non-standard headers. To overcome these problems, Yang et al [107] employ a secure key negotiation mechanism that can be implemented in programmable routers. The proposed method combines Elliptic Curve Diffie-Hellman Ephemeral key agreement and resource public key infrastructure to enable secure key negotiation and defeat Manin-the-Middle attacks.…”

“…AR-DDoS attack mitigation has been considered in [103]. Considering the security of the source of traffic, the study in [107] offload tag generation to the programmable routers for source address validation, while the studies in [108], [109], [110] filter spoofed traffic in the network element e.g., by implementing Hop Count Filtering. A more general view of attack mitigation that includes several DDoS attacks have been presented in [104], [105], [106].…”

“…• Bandwidth Consumption: Fully in-network security methods which do not require traffic transmission to the scrubbing servers or (SDN) controller, will save bandwidth in comparison with controller/server based methods. For a source address validation application, the experimental results in [107] show that in-network filtering of the spoofed packets can save the bandwidth up to 200 kbps. The co-design approaches can consume higher bandwidth than fully-in-network security schemes due to overhead of communication between server/controller and network element.…”

A Survey on In-Network Computing: Programmable Data Plane and Technology Specific Applications

Design and Testing of Source Address Validation Protocols: A Survey

SOID: Towards an Efficient Incremental Deployment Scheme for Source Address Validation