PoT-PolKA: Let the Edge Control the Proof-of-Transit in Path-Aware Networks

This paper presents a scalable and efficient solution for secure network design that involves the selection and verification of network paths. The proposal addresses the challenges related to compliance policies by introducing a Proof-of-Transit (PoT) feasible implementation for path-aware programmable networks. Our approach relies on i) a source routing mechanism based on a fixed routeID representing a unique identifier per path, which serves as a key for PoT lookup tables; ii) the "in situ" that allows to collect telemetry information in the packet while the packet traverses a path. The former enables path selection with policy at the edge, while the later allows to perform path verification without extra probe-traffic. A P4 programmable language prototype demonstrates the effectiveness of this approach to protect against deviation attacks with low overhead. The results show its scalability considering the protocol overhead as the path length increases; a significant reduction in network's forwarding state for fat-tree topologies depending on the workload per path (flows/path). Finally, experimental results show a RTT comparison evaluation, the impact of PoT computation, protection to path deviation and seamless path migration keeping flow protection.