Internet Protocol (IP), the most widely used protocol in the network layer of the current network model, plays an important role in the Internet; however, there is at present no effective way to verify and trace the source of an IP datagram. Although researchers have proposed mechanisms working in the data link layer, network layer or transport layer to solve this problem, most of them verify at a coarse granularity and introduce compatibility issues. Since a large number of devices follow the current standards published by the Internet Engineering Task Force (IETF), it is hard to replace them with a next-generation network architecture in a short time, which calls for an evolutionary approach. Software-Defined Networking (SDN), which separates the network control plane from the data forwarding plane, offers greater flexibility for datagrams and equipment and provides a good basis for such an evolution. Taking compatibility as a major premise, this paper implements a fine-grained verification scheme that gives every forwarding node the ability to verify the source of a datagram. More concretely, the contributions are: (1) This paper builds a virtual packet-switched network for datagrams using tunnelling technology, forming a network laid over the Wide Area Network (WAN). Based on the idea of separating the identity and the location of a host, this paper inserts an identity layer running the overlay network identity verification (ONIV) protocol between the data link layer of the overlay network protocol stack and the transport layer of the existing network, thus creating a trusted virtual link (TVL) for datagrams. (2) Referring to the handshake sub-protocol of the Transport Layer Security (TLS) protocol version 1.3, this paper designs the link cryptographic negotiation sub-protocol and the tunnel cryptographic negotiation sub-protocol for ONIV with low transmission delay. By escrowing the link verification session key in a time capsule, ONIV gives every node forwarding datagrams in the virtual packet-switched network the ability to verify their origin. By sharing a tunnel verification session key between any two adjacent nodes in the virtual packet-switched network, ONIV provides fine-grained verification at the level of a frame. (3) Referring to the Virtual eXtensible Local Area Network (VXLAN) protocol implemented by Open vSwitch (OVS), this paper designs and implements a virtual switch prototype that supports ONIV and solves the segment offloading problem and the tunnel-on-WAN problem in OVS. After building a small virtual packet-switched network over a WAN using the prototype, this paper measures the availability and bandwidth of the TVL and analyzes its security. The results show that a node in the TVL can verify the source of a datagram while maintaining performance.
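As an added illustration (not code from the thesis or its prototype), the following Python models the two-level verification the abstract describes: an origin tag under the end-to-end link verification session key, which every forwarding node can check because the key is escrowed, and a per-hop tag under the tunnel verification session key shared only between adjacent nodes. The three-node path, the key values, the frame layout and the use of HMAC-SHA256 as the tag function are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed keys for an overlay path A -> B -> C. LINK_KEY models the ONIV link
# verification session key (escrowed so every forwarding node can check origin);
# TUNNEL_KEYS model the per-adjacency tunnel verification session keys.
# HMAC-SHA256 as the tag function and the 1-byte source field are assumptions.
TAG_LEN = 32
LINK_KEY = b"constructed-link-session-key"
TUNNEL_KEYS = {("A", "B"): b"constructed-tunnel-key-AB",
               ("B", "C"): b"constructed-tunnel-key-BC"}

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def build_frame(src, next_hop, payload, link_key=LINK_KEY):
    """Origin tag binds (src, payload) under the link key and travels end to end;
    hop tag binds the whole inner frame under the key shared with next_hop."""
    inner = src.encode() + payload
    inner += tag(link_key, inner)
    return inner + tag(TUNNEL_KEYS[(src, next_hop)], inner)

def verify_at_node(frame, prev_hop, node, link_key=LINK_KEY):
    """Check the hop tag with the key shared with prev_hop, then the origin tag
    with the escrowed link key. Returns (accepted, src, payload)."""
    inner, hop_tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    tunnel_key = TUNNEL_KEYS.get((prev_hop, node))
    if tunnel_key is None or not hmac.compare_digest(hop_tag, tag(tunnel_key, inner)):
        return False, None, None   # frame did not come from the claimed adjacent node
    body, origin_tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(origin_tag, tag(link_key, body)):
        return False, None, None   # source field not backed by the link key holder
    return True, body[:1].decode(), body[1:]

def forward(frame, node, next_hop):
    """Strip the incoming hop tag and re-tag under the key shared with next_hop."""
    inner = frame[:-TAG_LEN]
    return inner + tag(TUNNEL_KEYS[(node, next_hop)], inner)

def run_path(payload):
    """A -> B -> C: each node verifies origin before forwarding; True if all accept."""
    f_ab = build_frame("A", "B", payload)
    ok_b, src_b, _ = verify_at_node(f_ab, "A", "B")
    f_bc = forward(f_ab, "B", "C")
    ok_c, src_c, out = verify_at_node(f_bc, "B", "C")
    return ok_b and ok_c and src_b == src_c == "A" and out == payload

def spoofed_origin(payload):
    """Frame claiming source 'X' with a valid hop tag but no link key: the hop check
    passes at B, the origin check rejects it. Returns B's accept decision."""
    inner = b"X" + payload
    inner += tag(b"constructed-wrong-key", inner)   # forger lacks the escrowed link key
    frame = inner + tag(TUNNEL_KEYS[("A", "B")], inner)
    return verify_at_node(frame, "A", "B")[0]
```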