Title: CUMULATIVE SCHEMES FOR NETWORK PATH PROOF OF TRANSIT
Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. In one embodiment, each network node reads a first value and a second value from the in-band metadata of a packet and generates, using a cryptographic key that is unique to each respective network node, an encryption result based on the first value. An updated second value is generated based on the second value read from the packet and the encryption result. Each network node writes the updated second value to the in-band metadata of the packet and forwards the packet in the network. In another embodiment, a secret sharing scheme is employed in which each network node computes a portion of the verification information using a unique share of a secret and based on packet-specific information.
Publication number: US2016315921(A1) Publication date: 2016.10.27
Application number: US201614992112 Filing date: 2016.01.11
Applicant: Cisco Technology, Inc. Inventors: Dara Venkata Krishna Sashank; Bhandari Shwetha Subray; Yourtchenko Andrew; Vyncke Eric; Brockners Frank
Classification: H04L29/06; H04L9/32 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A system comprising: a plurality of network nodes associated with a path in a network, each network node configured to: obtain information about a packet, the information including in-band metadata that includes one or more fields for at least a first value and a second value, the first value being based on a number and/or a timestamp generated at an initial network node of the plurality of network nodes of the path in the network, and the second value being cumulatively updated as the packet passes through the plurality of network nodes of the path in the network; read the first value and the second value from the in-band metadata of the packet; generate, using a cryptographic key that is unique to each respective network node, an encryption result based on the first value; generate an updated second value based on the second value read from the packet and the encryption result; write the updated second value to the in-band metadata of the packet; and forward the packet in the network.
Address: San Jose, CA, US
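The per-hop update and the verifier's check described in the abstract and main claim, as an added illustration that is not the patent's own code or Cisco's implementation. The claim leaves the per-node encryption and the cumulative update function unspecified; this example assumes HMAC-SHA256 as the keyed primitive and hash chaining as the update, and the node names, keys and expected path are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo keys: in a deployment each node holds only its own key and
# the verifier holds all of them. Derived from node names here purely so the
# example is reproducible; real keys must be randomly generated and provisioned.
NODE_KEYS = {
    name: hashlib.sha256(b"demo-pot-key:" + name.encode()).digest()
    for name in ("n1", "n2", "n3")
}
EXPECTED_PATH = ["n1", "n2", "n3"]  # the path the verifier requires (constructed)


@dataclass
class Packet:
    """Packet carrying the two in-band proof-of-transit fields from the claim."""
    payload: bytes
    first_value: bytes               # nonce/timestamp written by the ingress node
    second_value: bytes = bytes(32)  # cumulative value, updated at every hop


def hop(node_key: bytes, pkt: Packet) -> None:
    """One node's processing: read both fields, compute a keyed result over the
    first value, fold it into the second value, and write it back."""
    # Assumption: HMAC-SHA256 stands in for the claim's per-node "encryption".
    enc = hmac.new(node_key, pkt.first_value, hashlib.sha256).digest()
    # Assumption: hash chaining as the cumulative update, so hop order matters too.
    pkt.second_value = hashlib.sha256(pkt.second_value + enc).digest()


def run_path(path, first_value: bytes, payload: bytes = b"data") -> Packet:
    """Simulate the packet traversing `path` hop by hop, starting from zero."""
    pkt = Packet(payload, first_value)
    for name in path:
        hop(NODE_KEYS[name], pkt)
    return pkt


def verify_transit(expected_path, pkt: Packet) -> bool:
    """Verifier recomputes the cumulative value from the packet's first value
    with every key on the expected path and compares in constant time, so a
    skipped hop, a reordered path or a replayed nonce all fail."""
    expected = run_path(expected_path, pkt.first_value, pkt.payload).second_value
    return hmac.compare_digest(expected, pkt.second_value)
```

Because the first value is chosen fresh at the ingress node, a second value recorded for one packet cannot be replayed onto a packet with a different first value.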