Edge-Based Record Route: A Novel Approach for Single Packet
4.2 Edge-Based Record Route
4.2.2 Encoding Schemes for Edge-based Record Route
To illustrate how the edge-based route representation is converted into a bit string, we first assume that all routers in the network are EBRR-enabled routers. A naive scheme then uses a fixed number of bits to encode each link identifier. In what follows, the set of traversed link identifiers of a packet, p.path.links, is treated as an integer, and p.path.end is a 32-bit integer; logarithms are base 2 throughout. Link identifiers are local to the router that assigns them and must fit in the allotted bits, i.e. 0 ≤ id(l) < 2^⌈log M⌉. Assume that the globally maximum degree of a router is M. Then, whenever a router receives a packet, it left-shifts p.path.links by ⌈log M⌉ bits and adds the identifier of the incoming link to the shifted result. Afterwards, it updates p.path.end with its own IP address. Algorithm 6 shows the details of edge-based record route using the fixed-length encoding scheme.
Algorithm 6 Edge-Based Record Route Algorithm using Fixed-Length Encoding Scheme

Encoding scheme executed at router ri
1: for each packet p received via link lin do
2:   p.path.links ← p.path.links · 2^⌈log M⌉ + id(lin)
3:   p.path.end ← ip(ri)
4: end for

Path construction scheme executed at the end host
1: Let p be the attack packet.
2: Let rcurr denote the currently identified router.
3: routers(p) ← ∅
4: E ← p.path.links
5: rcurr ← p.path.end
6: Insert rcurr as the first element of routers(p).
7: repeat
8:   idl ← E mod 2^⌈log M⌉
9:   Let l ∈ L(rcurr) be the link with id(l) = idl, and let r be the router at the other end of l (the router from which p arrived at rcurr).
10:  Insert r as the first element of routers(p).
11:  E ← ⌊E / 2^⌈log M⌉⌋
12:  rcurr ← r
13: until E = 1

The loop in the path construction scheme terminates when E = 1. This requires that p.path.links is initialised to 1 before the first router updates it: the leading 1 acts as a sentinel that marks the end of the encoded link sequence, and since every hop multiplies the value by at least 2, E cannot return to 1 before all link identifiers have been consumed.
The naive encoding scheme has two fundamental disadvantages. First, in practice it is difficult to obtain an appropriate value of M, and the globally maximum degree may change over time. This problem cannot be solved by simply choosing a "sufficiently large" value: a larger M raises the per-hop cost for every router, yet still gives no guarantee that no router will ever exceed it. Second, using a fixed number of bits to store a link identifier is likely to waste space. Consider the small network shown in Fig. 4.2. The global maximum degree is 5, so each link identifier is represented with ⌈log 5⌉ = 3 bits. However, 3 bits are only necessary for router r3. For the other routers, such as r1 with degree 3, ⌈log 3⌉ = 2 bits are sufficient to encode its links.
To address this issue, the number of bits used to represent a link is determined by the degree of each router individually. That is, whenever a router ri receives a packet p via link lin, it left-shifts p.path.links by ⌈log deg(ri)⌉ bits and then adds id(lin) to the shifted result. With this approach the globally maximum degree is no longer needed, and the number of bits used to represent the whole path is reduced. The same idea can be pushed further: conceptually, p.path.links is left-shifted by log deg(ri) bits rather than ⌈log deg(ri)⌉ bits. This is achieved by replacing the shift operation with a multiplication, so that when packet p arrives at router ri via incoming link lin, p.path.links ← p.path.links · deg(ri) + id(lin). The encoded path is then a mixed-radix number whose digits are the link identifiers and whose radices are the router degrees; the end host recovers the digits by taking the value modulo deg(ri) and dividing by deg(ri), exactly as Algorithm 7 does.
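To make the space difference between the three schemes concrete, the following added example (not code from the thesis) encodes and decodes one route through a constructed topology shaped like the network described for Fig. 4.2 (maximum degree 5 at r3, degree 3 at r1). Assumptions: link identifiers are local to each router and equal the index of the far-end node in the router's neighbour list, and p.path.links starts at 1 so that decoding stops at E = 1. The topology, route and node names are constructed for the example.

```python
"""Fixed-length vs. degree-based vs. mixed-radix link encoding (Section 4.2.2).

Added example, not code from the thesis.  Assumed conventions:
  * id(l) for a link l of router r is local to r: the index of the neighbour
    at the far end of l in r's neighbour list, so 0 <= id(l) < deg(r);
  * p.path.links starts at 1, so the decoder stops when E == 1 (the leading
    1 acts as a sentinel marking the end of the encoded sequence).
"""

# Constructed topology: router -> ordered neighbour list (index = link id).
# Like the network described for Fig. 4.2: maximum degree 5 (r3), deg(r1) = 3.
ADJ = {
    "h":  ["r1"],                               # attack source
    "r1": ["r4", "h", "r2"],
    "r2": ["r5", "r1", "r3"],
    "r3": ["x1", "r4", "r2", "x2", "r5"],
    "r4": ["r1", "r3"],
    "r5": ["v", "r2", "r3"],
    "v":  ["r5"],                               # victim (end host)
    "x1": ["r3"], "x2": ["r3"],                 # leaf hosts that give r3 degree 5
}
M = max(len(neighbours) for neighbours in ADJ.values())   # global maximum degree


def ceil_log2(d):
    """ceil(log2(d)) for d >= 1 without floating point (exact for powers of two)."""
    return (d - 1).bit_length()


# Each scheme is a per-hop radix.  A left shift by b bits is a multiplication
# by 2**b, so a single encode/decode loop serves all three schemes.
SCHEMES = {
    "fixed":  lambda r: 1 << ceil_log2(M),            # Algorithm 6: shift by ceil(log M)
    "degree": lambda r: 1 << ceil_log2(len(ADJ[r])),  # shift by ceil(log deg(r))
    "mixed":  lambda r: len(ADJ[r]),                  # multiply by deg(r)
}


def encode(route, radix):
    """Encoding step at every router on `route` (source first, end host last).

    Returns (p.path.links, p.path.end)."""
    links = 1
    for prev, r in zip(route, route[1:-1]):
        links = links * radix(r) + ADJ[r].index(prev)   # id(l_in) at router r
    return links, route[-2]


def decode(links, end, radix):
    """Path construction at the end host: peel off one link id per iteration.

    Returns routers(p), nearest to the source first; the last element is `end`.
    A `while` (not repeat/until) is used so that links == 1 yields just [end]."""
    routers, E, rcurr = [end], links, end
    while E != 1:
        base = radix(rcurr)
        idl = E % base                  # id of the link p arrived through at rcurr
        r = ADJ[rcurr][idl]             # router at the far end of that link
        routers.insert(0, r)
        E //= base
        rcurr = r
    return routers


ROUTE = ["h", "r1", "r2", "r3", "r5", "v"]   # constructed attack route


def compare(route=ROUTE):
    """Bits needed for p.path.links under each scheme; every scheme must round-trip."""
    bits = {}
    for name, radix in SCHEMES.items():
        links, end = encode(route, radix)
        if decode(links, end, radix) != route[:-1]:
            raise AssertionError(f"{name} scheme failed to reconstruct the route")
        bits[name] = links.bit_length()
    return bits


if __name__ == "__main__":
    print(compare())   # {'fixed': 13, 'degree': 10, 'mixed': 8}
```

The four-hop route costs 1 + 4·3 = 13 bits with the fixed scheme, 1 + 2 + 2 + 3 + 2 = 10 bits with per-router ⌈log deg⌉ shifts, and 8 bits as a mixed-radix number, while all three decode to the same router sequence.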
In addition, it is reasonable to assume that in large networks only some of the routers are EBRR-enabled, and that each EBRR-enabled router knows whether each of its adjacent routers is EBRR-enabled or not. We also assume that an EBRR-enabled router knows the degree of its adjacent routers. Under these assumptions, the entire route of a packet is partitioned into a set of partial paths, where each partial path contains a consecutive sequence of EBRR-enabled routers. These partial paths are also referred to as traceable subpaths. Conversely, a stretch of the route without EBRR-enabled routers is referred to as a non-traceable subpath. This change leads to a modification of the original edge-based route representation. The modified definition is given as follows.
Definition 2 (Edge-Based Route Representation with Non-Traceable Subpaths) The path of a packet p is the concatenation of its partial paths (that is, its traceable subpaths). p.path is written as (p.path1, p.path2, . . ., p.pathk), where p.path1 denotes the partial path nearest the attack source. p.pathi.links represents the sequence of links in partial path p.pathi. Similarly, p.pathi.end denotes the IP address of the last router in that partial path, and |p.path| denotes the total number of partial paths.
Due to the change of assumptions, there is a slight change in the edge-based record route process. For a partial path p.pathi, p.pathi.end is filled with an IP address only when packet p is about to be forwarded to a non-EBRR-enabled router (the end host itself does not support EBRR, so the last partial path is closed by the final EBRR-enabled router on the route). In all other cases, only p.pathi.links is updated. Algorithm 7 shows the details of the enhanced edge-based record route scheme.
Algorithm 7 Edge-Based Record Route Algorithm using Dynamic-Length Encoding Scheme

Encoding scheme executed at router ri
1: for each packet p received via link lin do
2:   Let rj denote the next-hop router to which p will be forwarded.
3:   k ← |p.path|
4:   p.pathk+1.links ← p.pathk+1.links · deg(ri) + id(lin)
5:   if router rj does not support edge-based record route then
6:     p.pathk+1.end ← ip(ri)
7:     Append p.pathk+1 as the last element of p.path.
8:   end if
9: end for

Path construction scheme executed at the end host
1: Let p be the attack packet.
2: Let rcurr denote the currently identified router.
3: routers(p) ← ∅
4: i ← |p.path|
5: while i ≥ 1 do
6:   E ← p.pathi.links
7:   rcurr ← p.pathi.end
8:   Insert rcurr as the first element of routers(p).
9:   repeat
10:    idl ← E mod deg(rcurr)
11:    Let l ∈ L(rcurr) be the link with id(l) = idl, and let r be the router at the other end of l (the router from which p arrived at rcurr).
12:    Insert r as the first element of routers(p).
13:    E ← ⌊E / deg(rcurr)⌋
14:    rcurr ← r
15:  until E = 1
16:  i ← i − 1
17: end while

As in Algorithm 6, the inner loop stops at the sentinel value 1 that p.pathk+1.links held before the first router of the partial path updated it. Note that the end host must know deg(r) and the link numbering of every EBRR-enabled router to evaluate steps 10 and 11, and that step 11 at the first EBRR-enabled router of a partial path identifies the non-EBRR-enabled router (or the attack source) from which the packet entered the traceable subpath; routers further inside a non-traceable subpath cannot be recovered.

A partial path can be implemented as a structure with three fields in the IP header. Fig. 4.3 shows the format of a partial path. The first field, EID (encoded identifier), stores the encoded link identifiers. As we will see in the next section, the length of this field is determined both by the number of EBRR-enabled routers in each partial path and by the space available for storing a partial path in an IP packet. The second field is 32 bits long and stores the address of the end point of the partial path. The third field, Pauth, assures the correctness and authenticity of the partial path: it binds the partial path to the IP packet and allows the end host system to validate the source of a partial path. As a result, attackers cannot mislead the path reconstruction procedure by injecting false partial paths. In the next section, we describe an implementation of edge-based record route in detail, including the packet field used to store partial paths, the mechanism for delivering partial paths to the end host systems, and the authentication of partial paths.
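The partitioning into traceable and non-traceable subpaths, as an added example (not the thesis's own code): a Python simulation of both halves of Algorithm 7 over a constructed topology in which two routers without EBRR support sit between two traceable subpaths. Assumptions: a link identifier is the index of the far-end node in each router's neighbour list; a fresh partial path's links field starts at 1 (the sentinel the decoder stops on); the destination host is treated as a next hop without EBRR support; and the end host holds the neighbour lists of the EBRR-enabled routers only. The Pauth field is not modelled, so a partial path is just the pair (EID, end); the node names, topology and route are constructed for the example.

```python
"""Algorithm 7 with non-traceable subpaths: record route and reconstruction.

Added example, not code from the thesis.  Assumptions, following the text's model:
  * id(l) at router r is the index of the far-end node in r's neighbour list;
  * a fresh partial path's links field starts at 1 (sentinel the decoder stops on);
  * the destination host counts as a next hop without EBRR support, so the last
    EBRR-enabled router closes the final partial path;
  * the end host knows the neighbour lists (hence deg and link numbering) of the
    EBRR-enabled routers, but nothing about the legacy routers.
The Pauth field is not modelled; a partial path is just (EID, end).
"""

# Constructed topology: node -> ordered neighbour list.  r1..r4 support EBRR;
# n1 and n2 form a non-traceable subpath between r2 and r3.
TOPO = {
    "h":  ["r1"],                       # attack source
    "r1": ["r5", "r2", "h"],
    "r2": ["n1", "r1"],
    "n1": ["r2", "n2"],                 # legacy router (no EBRR)
    "n2": ["n1", "r3"],                 # legacy router (no EBRR)
    "r3": ["r6", "n2", "r4"],
    "r4": ["v", "r6", "r3", "r7"],
    "v":  ["r4"],                       # victim (end host)
    "r5": ["r1"], "r6": ["r3", "r4"], "r7": ["r4"],   # extra neighbours for realistic degrees
}
EBRR = {"r1", "r2", "r3", "r4"}


def record_route(route, topo=TOPO, ebrr=EBRR):
    """Encoding scheme of Algorithm 7 applied at every transit node of `route`.

    Returns p.path as a list of (links, end) tuples, nearest the source first."""
    path = []
    links = 1                                   # p.path_{k+1}.links of the open partial path
    for i in range(1, len(route) - 1):          # transit nodes only
        prev, ri, rj = route[i - 1], route[i], route[i + 1]
        if ri not in ebrr:
            continue                            # legacy router: forwards p untouched
        links = links * len(topo[ri]) + topo[ri].index(prev)   # step 4: deg(ri), id(l_in)
        if rj not in ebrr:                      # steps 5-8: rj cannot extend this partial path
            path.append((links, ri))            # p.path_{k+1}.end <- ip(ri); append
            links = 1                           # the next EBRR router starts p.path_{k+2}
    return path


def reconstruct(path, topo=TOPO, ebrr=EBRR):
    """Path construction scheme of Algorithm 7 at the end host.

    Returns routers(p), source side first.  Only the last legacy router before
    each traceable subpath is recovered (via the first EBRR router's incoming
    link); the rest of a non-traceable subpath is invisible to the end host."""
    routers = []
    for links, end in reversed(path):           # i = |p.path| down to 1
        E, rcurr = links, end
        segment = [rcurr]                       # step 8
        while E != 1:                           # `while`, so links == 1 yields just [end]
            if rcurr not in ebrr:               # no link map for legacy routers
                raise ValueError(f"malformed partial path: would decode at {rcurr}")
            deg = len(topo[rcurr])
            idl = E % deg                       # step 10
            r = topo[rcurr][idl]                # step 11: far end of link idl
            segment.insert(0, r)                # step 12
            E //= deg                           # step 13
            rcurr = r                           # step 14
        routers = segment + routers
    return routers


ROUTE = ["h", "r1", "r2", "n1", "n2", "r3", "r4", "v"]   # constructed attack route

if __name__ == "__main__":
    p_path = record_route(ROUTE)
    print(p_path)                # [(11, 'r2'), (18, 'r4')]
    print(reconstruct(p_path))   # ['h', 'r1', 'r2', 'n2', 'r3', 'r4']
```

The packet leaves the victim's side with two partial paths, (11, r2) and (18, r4). Reconstruction recovers h, r1, r2 from the first and n2, r3, r4 from the second; n1 never appears, because no EBRR-enabled router recorded a link towards it. A partial path whose decoding would have to continue at a legacy router is rejected rather than silently producing a wrong route.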
Figure 4.3: The structure of a partial path