
A data plane security model of segmented routing based on SDP trust enhancement architecture


Bibliographic Details
Main Authors: Wang, Liang, Ma, Hailong, Jiang, Yiming, Tang, Yin, Zu, Shuodi, Hu, Tao
Format: Online Article Text
Language: English
Published: Nature Publishing Group UK 2022
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9130199/
https://www.ncbi.nlm.nih.gov/pubmed/35610296
http://dx.doi.org/10.1038/s41598-022-12858-2
author Wang, Liang
Ma, Hailong
Jiang, Yiming
Tang, Yin
Zu, Shuodi
Hu, Tao
collection PubMed
description Segment routing (SR) is a network technology derived from MPLS and built on SDN. Combining SR with software-defined perimeter (SDP), a newer network security technology, is expected to address the traditional problems faced by the SR data plane, such as data monitoring and denial of service, as well as new threats such as loop attacks and label detection. Focusing on the security management of access devices in the SR data plane, this paper first proposes an SR security model, SbSR (SDP-based SR), built on an SDP trust-enhancement architecture; it then designs a two-level SDP AH (accepting host) trust verification mechanism and four trust management mechanisms: initial trust value, trust evaluation, trust renewal and trust inheritance. In the trust evaluation mechanism, the core of the model, a system cloud grey model GM(1,1) weighted Markov prediction model is introduced to derive real-time trust from the historical behaviour of device nodes, and four indexes, namely benign message ratio, loyal forwarding ratio, forwarding ratio stationarity coefficient and packet rate stationarity coefficient, are introduced to distinguish malicious devices from normal ones. Finally, simulation results for five security functions and their security cost show that the proposed architecture counters port scanning, traffic monitoring, topology detection, loop attacks and DoS attacks against the SR data plane at an average access-delay cost of 2.84 s per new network agent, providing multi-faceted protection of the SR data plane.
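The trust evaluation sketched in the abstract, as an added illustration that is not the authors' code: the four behaviour indexes are computed from per-slot counters under assumed definitions (benign and forwarded fractions over a round; a stationarity coefficient taken as 1 minus the coefficient of variation), combined with assumed weights into one trust value per evaluation round, and the history of round values is extrapolated one round ahead with a plain GM(1,1) grey model. The paper's cloud-model and weighted-Markov refinements are omitted, and the sample rounds, the weights and the 0.5 threshold are constructed for the example.

```python
"""Toy SbSR-style trust evaluation for one SR data-plane access node.
Added illustration; index definitions, weights and threshold are assumptions,
not the paper's."""
import math
from statistics import mean, pstdev

# Assumed weights of the four behaviour indexes (sum to 1) and assumed cut-off.
WEIGHTS = {"benign": 0.3, "loyal": 0.3, "fwd_stationarity": 0.2, "rate_stationarity": 0.2}
TRUST_THRESHOLD = 0.5


def _ratio(num, den):
    return num / den if den else 0.0


def stationarity(series):
    """Assumed stationarity coefficient: 1 - (population std / mean), clamped to [0, 1].
    1.0 means the series is perfectly steady; bursty or on/off behaviour drives it to 0."""
    m = mean(series)
    return max(0.0, 1.0 - pstdev(series) / m) if m else 0.0


def behaviour_indexes(samples):
    """samples: (msgs_total, msgs_benign, pkts_received, pkts_forwarded) per slot of one round."""
    total, benign, received, forwarded = [sum(s[i] for s in samples) for i in range(4)]
    return {
        "benign": _ratio(benign, total),                  # benign message ratio
        "loyal": _ratio(forwarded, received),             # loyal forwarding ratio
        "fwd_stationarity": stationarity([_ratio(s[3], s[2]) for s in samples]),
        "rate_stationarity": stationarity([s[0] for s in samples]),
    }


def trust_score(indexes):
    """Weighted combination of the four indexes into one round's trust value."""
    return sum(WEIGHTS[k] * indexes[k] for k in WEIGHTS)


def gm11_predict(history):
    """One-step-ahead forecast with the standard GM(1,1) grey model:
    1-AGO accumulate, fit x0(k) + a*z1(k) = b by least squares, then invert the
    time-response function. expm1 keeps the b/a term finite when the development
    coefficient a is ~0 (a flat trust history)."""
    n = len(history)
    if n < 4:
        raise ValueError("GM(1,1) needs at least 4 observations")
    x1 = [sum(history[:i + 1]) for i in range(n)]           # accumulated sequence
    z1 = [0.5 * (x1[i] + x1[i - 1]) for i in range(1, n)]   # background values
    y = history[1:]
    zm, ym = mean(z1), mean(y)
    szz = sum((z - zm) ** 2 for z in z1)
    if szz == 0:
        return history[-1]
    slope = sum((z - zm) * (v - ym) for z, v in zip(z1, y)) / szz
    a, b = -slope, ym - slope * zm           # development coefficient, grey input

    def x1_hat(k):                            # fitted accumulated value x1(k+1)
        growth = k if abs(a) < 1e-12 else -math.expm1(-a * k) / a
        return history[0] * math.exp(-a * k) + b * growth

    return x1_hat(n) - x1_hat(n - 1)          # inverse AGO: x0_hat(n+1)


def evaluate_node(rounds):
    """rounds: list of per-round sample lists, oldest first.
    Returns (trust history, predicted next-round trust, verdict)."""
    history = [trust_score(behaviour_indexes(r)) for r in rounds]
    predicted = gm11_predict(history)
    return history, predicted, ("malicious" if predicted < TRUST_THRESHOLD else "normal")


# Constructed sample data: a steady forwarder and a node that drifts into
# selective forwarding, bursty packet rates and a falling benign-message share.
NORMAL_ROUNDS = [[(100, 100, 50, 50)] * 4 for _ in range(5)]
MALICIOUS_ROUNDS = [
    [(100, 100, 50, 50)] * 4,
    [(100, 90, 50, 45)] * 4,
    [(100, 80, 50, 50), (100, 80, 50, 0)] * 2,
    [(200, 100, 50, 50), (50, 25, 50, 0)] * 2,
    [(300, 60, 50, 10), (20, 4, 50, 0)] * 2,
]

if __name__ == "__main__":
    for name, rounds in (("normal", NORMAL_ROUNDS), ("malicious", MALICIOUS_ROUNDS)):
        hist, pred, verdict = evaluate_node(rounds)
        print(name, [round(h, 3) for h in hist], round(pred, 3), verdict)
```

The point of forecasting rather than thresholding the last round directly is that a node whose forwarding is only intermittently disloyal still shows a falling trend; the grey model turns that trend into a next-round estimate, so the verdict reflects where the node is heading rather than one noisy observation.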
format Online
Article
Text
id pubmed-9130199
institution National Center for Biotechnology Information
language English
publishDate 2022
publisher Nature Publishing Group UK
record_format MEDLINE/PubMed
spelling pubmed-91301992022-05-26 A data plane security model of segmented routing based on SDP trust enhancement architecture Wang, Liang Ma, Hailong Jiang, Yiming Tang, Yin Zu, Shuodi Hu, Tao Sci Rep Article
Nature Publishing Group UK 2022-05-24 /pmc/articles/PMC9130199/ /pubmed/35610296 http://dx.doi.org/10.1038/s41598-022-12858-2 Text en © The Author(s) 2022 https://creativecommons.org/licenses/by/4.0/Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ (https://creativecommons.org/licenses/by/4.0/) .
title A data plane security model of segmented routing based on SDP trust enhancement architecture
topic Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9130199/
https://www.ncbi.nlm.nih.gov/pubmed/35610296
http://dx.doi.org/10.1038/s41598-022-12858-2