A data plane security model of SR-BE/TE based on zero-trust architecture
Facing the threats of untrusted network elements and PKI/CA that the SR-BE/TE (Segment Routing-BE/TE) data plane faces in a zero-trust network environment, this paper first refines them into eight specific security issues. Second, an SR-BE/TE data plane security model, ZbSR (ZTA-based SR), based on zero-trust architecture is proposed; it reconstructs the original SR control plane into a two-layer "trust-agent" plane built from four components: the controller, agent, cryptographic center and information base. On the one hand, we distinguish between the two segment list generation modes and propose corresponding data exchange security algorithms: north–south security verification based on identity authentication, trust evaluation and key agreement is introduced before a terminal device establishes an east–west access connection, so that reliable data exchange between terminal devices can be realized. On the other hand, since SR-BE/TE lacks network auditing, a network audit security algorithm based on solid authentication is proposed. By auditing the fields, behaviors, loops, labels, paths and SIDs of messages, threats such as stream path tampering, SID tampering, DoS attacks and loop attacks can be effectively detected. Finally, simulation tests show that the proposed model can protect the SR data plane across various threat scenarios at an average incremental delay overhead of 19.3%.
| Main authors: | Wang, Liang; Ma, Hailong; Li, Ziyong; Pei, Jinchuan; Hu, Tao; Zhang, Jin |
|---|---|
| Format: | Online Article Text |
| Language: | English |
| Published: | Nature Publishing Group UK, 2022 |
| Subjects: | |
| Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9708840/ https://www.ncbi.nlm.nih.gov/pubmed/36446864 http://dx.doi.org/10.1038/s41598-022-24342-y |
| Field | Value |
|---|---|
| _version_ | 1784841027156180992 |
| author | Wang, Liang; Ma, Hailong; Li, Ziyong; Pei, Jinchuan; Hu, Tao; Zhang, Jin |
| author_facet | Wang, Liang; Ma, Hailong; Li, Ziyong; Pei, Jinchuan; Hu, Tao; Zhang, Jin |
| author_sort | Wang, Liang |
| collection | PubMed |
| description | Facing the threats of untrusted network elements and PKI/CA that the SR-BE/TE (Segment Routing-BE/TE) data plane faces in a zero-trust network environment, this paper first refines them into eight specific security issues. Second, an SR-BE/TE data plane security model, ZbSR (ZTA-based SR), based on zero-trust architecture is proposed; it reconstructs the original SR control plane into a two-layer "trust-agent" plane built from four components: the controller, agent, cryptographic center and information base. On the one hand, we distinguish between the two segment list generation modes and propose corresponding data exchange security algorithms: north–south security verification based on identity authentication, trust evaluation and key agreement is introduced before a terminal device establishes an east–west access connection, so that reliable data exchange between terminal devices can be realized. On the other hand, since SR-BE/TE lacks network auditing, a network audit security algorithm based on solid authentication is proposed. By auditing the fields, behaviors, loops, labels, paths and SIDs of messages, threats such as stream path tampering, SID tampering, DoS attacks and loop attacks can be effectively detected. Finally, simulation tests show that the proposed model can protect the SR data plane across various threat scenarios at an average incremental delay overhead of 19.3%. |
| format | Online Article Text |
| id | pubmed-9708840 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2022 |
| publisher | Nature Publishing Group UK |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-9708840 2022-12-01; Sci Rep Article; Nature Publishing Group UK 2022-11-29; /pmc/articles/PMC9708840/ /pubmed/36446864 http://dx.doi.org/10.1038/s41598-022-24342-y; Text en; © The Author(s) 2022; Open Access under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/) |
| spellingShingle | Article; Wang, Liang; Ma, Hailong; Li, Ziyong; Pei, Jinchuan; Hu, Tao; Zhang, Jin; A data plane security model of SR-BE/TE based on zero-trust architecture |
| title | A data plane security model of SR-BE/TE based on zero-trust architecture |
| title_full | A data plane security model of SR-BE/TE based on zero-trust architecture |
| title_fullStr | A data plane security model of SR-BE/TE based on zero-trust architecture |
| title_full_unstemmed | A data plane security model of SR-BE/TE based on zero-trust architecture |
| title_short | A data plane security model of SR-BE/TE based on zero-trust architecture |
| title_sort | data plane security model of sr-be/te based on zero-trust architecture |
| topic | Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9708840/ https://www.ncbi.nlm.nih.gov/pubmed/36446864 http://dx.doi.org/10.1038/s41598-022-24342-y |