=Paper=
{{Paper
|id=Vol-2923/paper9
|storemode=property
|title=Network Security Approach based on Traffic Engineering Fast ReRoute with support of Traffic Policing
|pdfUrl=https://ceur-ws.org/Vol-2923/paper9.pdf
|volume=Vol-2923
|authors=Oleksandr Lemeshko,Oleksandra Yeremenko,Maryna Yevdokymenko,Anastasiia Shapovalova,Valentyn Lemeshko
|dblpUrl=https://dblp.org/rec/conf/cpits/LemeshkoYYSL21
}}
==Network Security Approach based on Traffic Engineering Fast ReRoute with support of Traffic Policing==
https://ceur-ws.org/Vol-2923/paper9.pdf
Network Security Approach based on Traffic Engineering Fast
ReRoute with support of Traffic Policing
Oleksandr Lemeshkoa, Oleksandra Yeremenkoa, Maryna Yevdokymenkoa,
Anastasiia Shapovalovaa, and Valentyn Lemeshkoa
a
Kharkiv National University of Radio Electronics, 14 Nauky ave., Kharkiv, 61166, Ukraine
Abstract
The work is devoted to the approach development and investigation of the network security
providing based on Traffic Engineering Fast ReRoute with support of Traffic Policing. The
corresponding flow-based mathematical model has been developed where the technological
task of secure fast rerouting was presented in the form of a linear programming problem. The
novelty of the proposed model is the modification of load balancing conditions and bandwidth
protection during fast rerouting, which in addition to the Quality of Service, also considers the
probability of compromising the link as an indicator of network security. The routing solutions
obtained within the proposed model are aimed at reducing the overload of communication links
with a high probability of compromising by redistributing traffic for transmission through more
secure network links. The advantage of the proposed solution is that in the conditions of
congestion the load balancing is realized on the principles of Traffic Engineering and, if
necessary, differentiated limitation of the load entering the network. An additional advantage
of the proposed optimization model is its linearity, which focuses on the low computational
complexity of the corresponding protocol implementation in practice. Numerical research of
the Secure TE-FRR-TP model has confirmed the adequacy and efficiency of routing solutions
made on its basis, both in terms of ensuring network security, resilience, and load balancing
with traffic policing based on priorities.
Keywords 1
Cyber resilience, redundancy, fast ReRoute, traffic engineering, traffic policing, security
metric, probability of compromise.
1. Introduction
In modern conditions of information society development, more and more attention is paid to the
development of network (telecommunication) technologies in improving the Quality of Service (QoS),
Quality of Reliability (QoR), and network security in terms of Quality of Protection (QoP) [1–3]. The
same network means, mechanisms and protocols are often connected to the solution of such tasks.
According to the results of research on a promising trend in telecommunications, it is the improvement
of routing protocols, which contribute to the creation of functionality and provide a full-fledged means
of ensuring service quality, resilience, and security [4–10]. The most effective way to improve routing
protocols is to review the mathematical models and computational methods (algorithms) on which they
are based [11–13].
Owing to software modifications and settings, modern protocol solutions have long gone beyond the
rather limited functionality of combinatorial algorithms (Dijkstra and Bellman-Ford) to find the shortest
path on the graph [14]. Therefore, modern protocols even support multipath and fault-tolerant routing
with load balancing, mainly on paths with equal cost metrics [15]. However, the future of routing
protocols is seen by many scientists [11–14, 16–18] in the use of flow-based mathematical models and
Cybersecurity Providing in Information and Telecommunication Systems, January 28, 2021, Kyiv, Ukraine
EMAIL: oleksandr.lemeshko.ua@ieee.org (A.1); oleksandra.yeremenko.ua@ieee.org (A.2); maryna.yevdokymenko@ieee.org (A.3);
anastasiia.shapovalova@nure.ua (A.4); valentyn.lemeshko@nure.ua (A.5)
ORCID: 0000-0002-0609-6520 (A.1); 0000-0003-3721-8188 (A.2); 0000-0002-7391-3068 (A.3); 0000-0003-0701-1282 (A.4); 0000-0003-
1564-8873 (A.5)
©️ 2021 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
81
�optimization methods for route calculation and load balancing. Within the framework of flow-based
solutions, additional opportunities are opened for providing QoS simultaneously on several indicators,
full implementation of fault-tolerance functions with the protection of structural elements of the
network and its bandwidth [11–17], as well as secure routing [13, 19–22]. Therefore, the task of
supporting these important functionalities within a single mathematical model, which would take into
account aspects of Quality of Service based on load balancing, resilience, and network security, is
gaining relevance.
2. Flow-based Model of the Network Security Providing based on Traffic
Engineering Fast ReRoute with Support of Policing
In this work, the approach of the network security providing based on Traffic Engineering Fast
ReRoute with support of Traffic Policing (Secure TE-FRR-TP) is presented that is a further
development of the models proposed in [23–26]. The following parameters are introduced into the
corresponding flow-based model:
G ( R, E ) graph describing the network structure;
R {Ri ; i 1, m} set of nodes (network routers);
E {Ei , j ; i, j 1, m; i j} set of edges (network links);
Ri { R j : E j ,i E; j 1, m; i j } subset of routers incident to the Ri router;
i, j link capacity;
K set of flows circulating in the network ( k K );
xik, j control variables that determine the fraction of intensity of
the kth flow in the link Ei , j of the primary path;
xik, j control variables that determine the fraction of intensity of
the kth flow in the link Ei , j of the backup path;
k proportion of the intensity of the kth flow that receives a
denial of service when using the primary path;
k proportion of the intensity of the kth flow that receives a
denial of service when using the backup path;
sk source node;
dk destination node;
k average intensity (packet rate) of the kth flow in packets per
second (1/s);
uik, j control variables that represent the upper bound values of
routing variables of the primary and backup paths;
control variable that numerically determines the upper bound
of the network links utilization;
TH threshold of the upper bound of the network links utilization;
pi , j probability of link Ei , j compromise;
vi, j weighting coefficients related to the probability of link Ei , j
compromise;
wk PR 1
k weighting coefficients based on the priority of the kth flow
( PR k ) transmitted over the primary path;
wk PR k 0.5 weighting coefficients based on the priority of the kth flow
( PR k ) transmitted over the backup path.
82
� The result of solving the technical task of network security providing based on Traffic Engineering
Fast ReRoute with support of policing is a calculation of two types of routing variables xik, j and xik, j
for the primary or backup path. When the multipath strategy is used for routing variables of both types,
the following constraints implied on them [24, 26]
0 xik, j 1 and 0 xik, j 1 . (1)
The flow conservation conditions aimed at ensuring the connectivity of the calculated primary and
backup multipath also should be met [23]:
xik, j x kj ,i 0;k K , Ri sk , d k ;
j:Ei , j E j:E j ,i E
xi , j x j ,i 1 ;k K , Ri sk ;
k k k
(2)
j:Ei , j E j:E j ,i E
xi , j x j ,i 1;k K , Ri d k ;
k k k
j:Ei , j E j:E j ,i E
xik, j x jk,i 0;k K , Ri sk , d k ;
j:Ei , j E j:E j ,i E
xi , j x j ,i 1 ;k K , Ri sk ;
k k k
(3)
j:Ei , j E j:E j ,i E
xi , j x j ,i 1;k K , Ri d k .
k k k
i , j
j : E E j : E j ,i E
During the process of fast rerouting, the link Ei, j E protection scheme under multipath routing
strategy over the backup multipath, the following condition is used [23, 25]:
0 xik, j ik, j , (4)
where
0, when protecting the link Ei , j ;
ik, j (5)
1, otherwise .
Linear conditions (4) and (5) are needed to guarantee that the protected link Ei, j E will not be
included in the backup path.
In the case of the node Ri R protection, conditions (4) and (5) are used for protecting the adjacent
links to this node [23], namely:
0 xik, j ik, j under R j Ri , j 1, m (6)
where ik, j are determined according to (5).
Within the presented approach of the network security providing based on Traffic Engineering Fast
ReRoute with support of Traffic Policing, the model proposes to introduce the following modified
conditions for preventing overloading in order to provide both load balancing and network security
under the parameter of the probability of the network link compromising [26]:
u i , j vi , j i , j , E i , j E ,
k k
(7)
kK
where
xik, j uik, j and xik, j uik, j , (8)
0 uik, j 1 , (9)
0 TH . (10)
It should be noted that TH is determined by the QoS level requirements for the network. Moreover,
the novelty of the approach is the introduction in conditions (11) the vi , j coefficients, the boundaries
of which are following [24, 26]:
83
� 0, if pi, j 1;
vi, j (11)
1, if pi, j 0.
With the increase of the probability of link compromise pi , j from 0 to 1, the weighting coefficient
vi , j should decrease from 1 to 0. Different variants of the functional representation of the dependence
v f ( p) that meet the conditions (11). The simplest case is linear functional dependence [24, 26]:
vi , j 1 pi , j . (12)
Using the conditions (7) ensures that the separate link utilization is determined by the probability of
its compromising.
In this work, as an example, the following power function is considered:
vi , j 1 pin, j , (13)
where n 1 [26].
As can be seen from Fig. 1, increasing the parameter n in (13) reduces the sensitivity of the load
balancing to the threat to network security [26].
Figure 1: Models of functional dependence of weighting coefficient on the probability of compromise
As an optimality criterion of the problem solution of the network security providing based on the
Traffic Engineering Fast ReRoute with support of policing the following function has been selected:
J wk k wk k c min (14)
kK kK
under condition
wk wk w p w p с, (15)
k p
where the priority PR of the kth flow must be higher than the priority PR of the pth flow and
c 0.25 .
As priority values, 3 bits of IP precedence in the IP packet header can be used within the range from
0 to 7, as well as DSCP (Differentiated Services Code Point) values that vary from 0 to 63 [23].
Taking all into account, the optimality criterion (14) aimed at minimizing the conditional costs of
the consistent solution of the FRR, TE, and TP technological tasks. However, conditions (7)-(11) and
(13) are responsible for the load balancing the packet flows over the network links with minimum
probability of compromise.
84
� Also, should be noted that the first term in (14) determines the conditional cost of denials to maintain
flows being transmitted through the primary paths. The second term is the cost of denials of servicing
the flows being transmitted in the backup paths. While the third term is a weighted upper bound of the
network link utilization.
3. Numerical Research of the Mathematical Model of Secure TE-FRR-TP
The analysis of the proposed approach and corresponding mathematical model of Secure TE-FRR-
TP has been conducted on several network configurations for the multiple flows case with different
priorities. Therefore, the main features of the model are explained in the network example shown in
Fig. 2. The input data for numerical research such as link capacities and their probabilities of
compromise are presented in Table 1.
Let us provide a solution of the Secure TE-FRR-TP for the case of two flows transmission using the
scheme of link E11,12 protection. Assume the following flows characteristics:
R1 is the source node, R16 is the destination node, flow intensity is changing within the range
1 10 1100 1/s, PR1 4 is flow priority;
R5 – source node, R12 is the destination node, flow intensity is changing within the range
2 10 1100 1/s, PR 2 1 is flow priority.
For the presented example, suppose that the threshold of the upper bound of the network links
utilization is TH =0.65 and power function is vi , j 1 pi2, j , where n 2 .
R1 R2 R3 R13
1
1200 950 400
2
R4 R5 R6 R14
400 600 500
R7 R8 R9 R15
300 800
R10 R11 R12 R16
1
700 950 1000
2
Figure 2: Network structure for numerical research
As can be seen from the results of the research presented in Fig. 3, with the increase of the network
load, the upper bound of the network link utilization also gradually increased. The absence of sharp
fluctuations in the values (Fig. 3) has a positive effect on the whole network QoS. Under these
conditions, at low network load, when 1 750 1/s and 2 590 1/s, the fulfillment of condition
0 TH (10) did not cause a limitation of the intensity of the flow at the network edge and
1 1 2 2 0 (Figure 3).
Table 1
85
�Input data for investigation the network security approach based on Traffic Engineering Fast ReRoute
with support of Traffic Policing
Probability of Probability of
Network Link Capacity, 1/s Compromise, Network Link Capacity, 1/s Compromise,
pi,j pi,j
E1,2 1200 0.2 E7,10 500 0.4
E2,3 950 0.5 E8,11 400 0.2
E1,4 800 0.3 E9,12 800 0.5
E2,5 900 0.4 E10,11 700 0.3
E3,14 700 0.1 E11,12 950 0.2
E5,4 400 0.5 E3,13 400 0.1
E5,6 600 0.2 E13,14 500 0.3
E4,7 700 0.2 E6,14 500 0.4
E5,8 500 0.1 E14,15 900 0.2
E6,9 800 0.4 E9,15 800 0.5
E7,11 300 0.1 E15,16 1100 0.3
E8,9 300 0.3 E12,16 1000 0.2
Figure 3: Dependence the upper bound of the network links utilization from the transmitted flows
intensities
However, with excessive load on the network, condition (10) was met in a way when TH
(Fig. 3) by limiting the intensities of flows that transmitted over both the primary and backup multipath.
According to Figures 3-7, traffic limitation for transmitted flows were based on the following principles:
The limitation was applied to the flow that was the source of overload under condition (10);
If the overload was created by several flows, the limitation primarily concerned the flow with
lower priority in accordance with condition (15);
Load balancing was performed consistent with condition (7) so that communication links with
a lower probability of compromising were loaded more than less secure links.
Therefore, the study showed that with these initial data (Table 1), the first (high-priority) packet
flow during the use of the primary multipath was the least limited in its intensity. In support of the
86
�above principles, the first flow was limited in the event that it created an overload of links that were
part of both the primary and the backup multipath (Fig. 4 and Fig. 5).
Figure 4: The solution of the Secure TE-FRR-TP problem for the first flow of packets (primary path)
Figure 5: The solution of the Secure TE-FRR-TP problem for the first flow of packets (backup path)
However, earlier than all and with greater intensity, the second (low-priority) flow was limited when
using the backup multipath (Fig. 6). Somewhat later and with less intensity, the second flow was limited
when using the primary multipath (Fig. 7).
87
�Figure 6: The solution of the Secure TE-FRR-TP problem for the second flow of packets (backup path)
Figure 7: The solution of the Secure TE-FRR-TP problem for the second flow of packets (primary path)
4. Conclusion
In modern telecommunication networks, the operation of protocols is aimed at achieving a high level
of Quality of Service, resilience, and security. Therefore, an important scientific and applied task is the
adaptation of promising solutions for fault-tolerant routing (fast rerouting) with load balancing to the
requirements of network security. Thus, the relevant problem is formulated and solved in the work,
which is related to the development of a flow-based model of the network security providing based on
Traffic Engineering Fast ReRoute with support of Policing, namely Secure TE-FRR-TP. Within this
88
�model, the problem of secure fast rerouting was presented in the form of a linear programming problem
when the criterion was condition (14), and the constraints were expressions (1)–(11), (13), and (15).
The novelty of the proposed model is the modification of load balancing conditions and bandwidth
protection during fast rerouting (7), which in addition to the Quality of Service, also considers the
probability of compromising the link as an indicator of network security. The routing solutions obtained
within the proposed model are aimed at reducing the overload of communication links with a high
probability of compromising by redistributing traffic for transmission through more secure network
links.
However, it should be borne in mind that the proposed solution is a compromise in solving the tasks
of ensuring the Quality of Service, on the one hand, and improving fault-tolerance and network security,
on the other. Implementation of schemes for the protection of structural elements of the network and its
bandwidth requires the introduction of redundancy in the use (reservation) of network resources. Taking
into account the network security indicators within the model (1)–(15) also leads to underloading of the
most insecure communication links according to their probability of compromise. Because network
resources are always limited, these measures can lead to network overload, which is accompanied by a
limit on the load at its edge. The advantage of the proposed solution is that in the conditions of
congestion the load balancing is realized on the principles of TE and, if necessary, differentiated
limitation of the load entering the network, according to the values of IP-priority and packet flow
intensity. An additional advantage of the proposed optimization model Secure TE-FRR-TP is its
linearity, which focuses on the low computational complexity of its protocol implementation in practice.
5. References
[1] R. Bruzgiene, L. Narbutaite, T. Adomkus, P. Pocta, P. Brida, J. Machaj, E. Leitgeb, P. Pezzei, H.
Ivanov, N. Kunicina, A. Zabasta, Quality-Driven Schemes Enhancing Resilience of Wireless
Networks under Weather Disruptions, in: Rak J., Hutchison D. (Eds.), Guide to Disaster-Resilient
Communication Networks, Computer Communications and Networks, Springer, Cham, 2020,
pp. 299–326. doi: 10.1007/978-3-030-44685-7_12.
[2] A. Z. Dodd, The Essential Guide to Telecommunications (Essential Guide Series), Pearson, 2019.
[3] R. White, E. Banks, Computer Networking Problems and Solutions: An innovative approach to
building resilient, modern networks, 1st ed., Addison-Wesley Professional, 2018.
[4] S. Gupta, Security and QoS in Wireless Sensor Networks, 1st ed., eBooks2go Inc, 2018.
[5] D. Medhi, K. Ramasamy, Network routing: algorithms, protocols, and architectures, Morgan
Kaufmann, 2017.
[6] I. Strelkovskaya, I. Solovskaya, Using spline-extrapolation in the research of self-similar traffic
characteristics, J. Electr. Eng. 70(4) (2019) 310–316. doi: 10.2478/jee-2019–0061.
[7] I. Strelkovskaya, I. Solovskaya, A. Makoganiuk, Spline-extrapolation method in Traffic
forecasting in 5G networks, J. Telecommun. Inf. Technol. 3 (2019) 8–16. doi:
10.26636/jtit.2019.134719
[8] L. Globa, M. Skulysh, O. Romanov, M. Nesterenko, Quality Control for Mobile Communication
Management Services in Hybrid Environment, in: Ilchenko M., Uryvsky L., Globa L. (Eds.),
Advances in Information and Communication Technologies, volume 560 of Lecture Notes in
Electrical Engineering, Springer, Cham, 2019, pp. 76–100. doi: 10.1007/978-3-030-16770-7_4.
[9] A. A. Semenov, O. O. Semenova, O. M. Voznyak, O. M. Vasilevskyi, M. Y. Yakovlev, Routing
in telecommunication networks using fuzzy logic, in: 2016 17th International Conference of
Young Specialists on Micro/Nanotechnologies and Electron Devices (EDM), IEEE, 2016, pp.
173–177. doi: 10.1109/EDM.2016.7538719.
[10] J. Papan, P. Segec, P. Paluch, J. Uramova, M. Moravcik, The new Multicast Repair (M‐REP) IP
fast reroute mechanism, Concurr. Comput. Pract. Exp. 32(13) (2020). doi: 10.1002/cpe.5105.
[11] O. Lemeshko, O. Yeremenko, Enhanced method of fast re-routing with load balancing in software-
defined networks, J. Electr. Eng. 68(6) (2017) 444–454. doi: 10.1515/jee-2017-0079.
[12] O. Lemeshko, O. Yeremenko, N. Tariki, Solution for the default gateway protection within fault-
tolerant routing in an IP network, Int. J. Electr. Comput. Eng. Syst. 8(1) (2017) 19–26. doi:
10.32985/ijeces.8.1.3.
89
�[13] O. Yeremenko, O. Lemeshko, A. Persikov, Secure Routing in Reliable Networks: Proactive and
Reactive Approach, in: Shakhovska N., Stepashko V. (Eds.) Advances in Intelligent Systems and
Computing II. CSIT 2017, volume 689 of Advances in Intelligent Systems and Computing,
Springer, Cham, 2018, pp. 631–655. doi: 10.1007/978-3-319-70581-1_44.
[14] T. Gomes, L. Jorge, R. Girão-Silva, J. Yallouz, P. Babarczi, J. Rak, Fundamental Schemes to
Determine Disjoint Paths for Multiple Failure Scenarios, in: Rak J., Hutchison D. (Eds.), Guide to
Disaster-Resilient Communication Networks, Computer Communications and Networks,
Springer, Cham, 2020, pp. 429–453. doi: 10.1007/978-3-030-44685-7_17.
[15] J. Papán, P. Segeč, P. Palúch, Ľ. Mikuš, M. Moravčík, The survey of current IPFRR mechanisms,
in: Janech J., Kostolny J., Gratkowski T. (Eds.), Proceedings of the 2015 Federated Conference on
Software Development and Object Technologies. SDOT 2015., volume 511 of Advances in
Intelligent Systems and Computing, Springer, Cham, 2015, pp. 229–240. doi: 10.1007/978-3-319-
46535-7_18.
[16] R. Girão-Silva, T. Gomes, L. Martins, D. Tipper, A. Alashaikh, A centrality-based heuristic for
network design to support availability differentiation, in: Proceedings of the 16th International
Conference on the Design of Reliable Communication Networks DRCN 2020, IEEE, Milano,
Italy, 2020, pp. 1–7, doi: 10.1109/DRCN48652.2020.1570603040.
[17] J. Rak, D. Papadimitriou, H. Niedermayer, P. Romero, Information-driven network resilience:
Research challenges and perspectives, Opt. Switching Netw. 23(2) (2017) 156–178. doi:
10.1016/j.osn.2016.06.002.
[18] A. Mendiola, J. Astorga, E. Jacob, M. Higuero, A survey on the contributions of Software-Defined
Networking to Traffic Engineering, IEEE Commun. Surv. Tutor. 19(2) (2017) 918–953. doi:
10.1109/COMST.2016.2633579.
[19] U. Palani, G. Amuthavalli, V. Alamelumangai, Secure and load-balanced routing protocol in
wireless sensor network or disaster management, IET Inf. Secur. 14(5) (2020) 513–520. doi:
10.1049/iet-ifs.2018.5057.
[20] M. V. Patil, V. Jadhav, Secure, reliable and load balanced routing protocols for multihop wireless
networks, in: Proceedings of the 2017 International Conference on Intelligent Computing and
Control (I2C2) Proceedings, IEEE, 2017, pp. 1–6. doi: 10.1109/I2C2.2017.8321936.
[21] N. Kumar, Y. Singh, Trust and packet load balancing based secure opportunistic routing protocol
for WSN, in: Proceedings of the 2017 4th International Conference on Signal Processing,
Computing and Control (ISPCC) Proceedings, IEEE, 2017, pp. 463–467.
doi: 10.1109/ISPCC.2017.8269723.
[22] S. Li, S. Zhao, X. Wang, K. Zhang, L. Li, Adaptive and secure load-balancing routing protocol for
service-oriented wireless sensor networks, IEEE Syst. J. 8(3) (2013) 858–867. doi:
10.1109/JSYST.2013.2260626.
[23] O. Lemeshko, O. Yeremenko, A.M. Hailan, M. Yevdokymenko, A. Shapovalova, Policing based
traffic engineering fast ReRoute in SD-WAN architectures: approach development and
investigation, in: Al-Bakry A. et al. (Eds.), New Trends in Information and Communications
Technology Applications. NTICT 2020, volume 1183 of Communications in Computer and
Information Science, Springer, Cham, 2020, pp. 29–43, doi: 10.1007/978-3-030-55340-1_3.
[24] O. Lemeshko, O. Yeremenko, M. Yevdokymenko, A. Shapovalova, T. Radivilova, D. Ageyev,
Secure based traffic engineering model in softwarized networks, in: Proceedings of the IEEE
International Conference on Advanced Trends in Information Theory ATIT, IEEE, 2020, pp. 1–4.
[25] O. Lemeshko, O. Yeremenko, M. Yevdokymenko, A. Shapovalova, A.M. Hailan, A. Mersni,
Cyber resilience approach based on traffic engineering fast reroute with policing, in: Proceedings
of the 10th IEEE International Conference on Intelligent Data Acquisition and Advanced
Computing Systems: Technology and Applications, IEEE, 2019, pp. 117–122.
doi: 10.1109/IDAACS.2019.8924294.
[26] О. Lemeshko, A. Shapovalova, A. M. K. Al-Dulaimi, O. Yeremenko, M. Yevdokymenko, Flow-
based routing model with load balancing under network security parameters, Inf. Telecommun.
Sci. 2 (2020) 44–50. doi: 10.20535/2411-2976.22020.44-50.
90
�