Network Security Approach based on Traffic Engineering Fast ReRoute with support of Traffic Policing

Oleksandr Lemeshko, Oleksandra Yeremenko, Maryna Yevdokymenko, Anastasiia Shapovalova, and Valentyn Lemeshko
Kharkiv National University of Radio Electronics, 14 Nauky ave., Kharkiv, 61166, Ukraine

Abstract
The work is devoted to the development and investigation of an approach to providing network security based on Traffic Engineering Fast ReRoute with support of Traffic Policing. The corresponding flow-based mathematical model has been developed, in which the technological task of secure fast rerouting is formulated as a linear programming problem. The novelty of the proposed model is the modification of the load balancing and bandwidth protection conditions during fast rerouting, which, in addition to Quality of Service, also take into account the probability of link compromise as an indicator of network security. The routing solutions obtained within the proposed model are aimed at reducing the load on communication links with a high probability of compromise by redistributing traffic to more secure network links. The advantage of the proposed solution is that under congestion, load balancing is realized on the principles of Traffic Engineering and, if necessary, with differentiated limitation of the load entering the network. An additional advantage of the proposed optimization model is its linearity, which results in low computational complexity of the corresponding protocol implementation in practice. Numerical research of the Secure TE-FRR-TP model has confirmed the adequacy and efficiency of the routing solutions obtained on its basis, in terms of network security, resilience, and load balancing with priority-based traffic policing.

Keywords
Cyber resilience, redundancy, fast ReRoute, traffic engineering, traffic policing, security metric, probability of compromise.

Cybersecurity Providing in Information and Telecommunication Systems, January 28, 2021, Kyiv, Ukraine
EMAIL: oleksandr.lemeshko.ua@ieee.org (A.1); oleksandra.yeremenko.ua@ieee.org (A.2); maryna.yevdokymenko@ieee.org (A.3); anastasiia.shapovalova@nure.ua (A.4); valentyn.lemeshko@nure.ua (A.5)
ORCID: 0000-0002-0609-6520 (A.1); 0000-0003-3721-8188 (A.2); 0000-0002-7391-3068 (A.3); 0000-0003-0701-1282 (A.4); 0000-0003-1564-8873 (A.5)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org)

1. Introduction

In modern conditions of information society development, more and more attention is paid to the development of network (telecommunication) technologies for improving the Quality of Service (QoS), Quality of Reliability (QoR), and network security in terms of Quality of Protection (QoP) [1–3]. The same network tools, mechanisms and protocols are often involved in solving these tasks. Research shows that a promising trend in telecommunications is the improvement of routing protocols, which contribute to the creation of functionality and provide full-fledged means of ensuring service quality, resilience, and security [4–10]. The most effective way to improve routing protocols is to revise the mathematical models and computational methods (algorithms) on which they are based [11–13]. Owing to software modifications and settings, modern protocol solutions have long gone beyond the rather limited functionality of the combinatorial algorithms (Dijkstra and Bellman-Ford) for finding the shortest path on a graph [14]. As a result, modern protocols even support multipath and fault-tolerant routing with load balancing, mainly over paths with equal cost metrics [15]. However, many researchers [11–14, 16–18] see the future of routing protocols in the use of flow-based mathematical models and optimization methods for route calculation and load balancing. Within the framework of flow-based solutions, additional opportunities open up for providing QoS simultaneously on several indicators, for the full implementation of fault-tolerance functions with protection of the structural elements of the network and its bandwidth [11–17], and for secure routing [13, 19–22]. Therefore, the task of supporting these important functions within a single mathematical model, which would take into account Quality of Service based on load balancing, resilience, and network security, is gaining relevance.

2. Flow-based Model of the Network Security Providing based on Traffic Engineering Fast ReRoute with Support of Policing

In this work, the approach to providing network security based on Traffic Engineering Fast ReRoute with support of Traffic Policing (Secure TE-FRR-TP) is presented, which is a further development of the models proposed in [23–26].
The following parameters are introduced into the corresponding flow-based model:
- $G = (R, E)$: graph describing the network structure;
- $R = \{R_i;\ i = \overline{1, m}\}$: set of nodes (network routers);
- $E = \{E_{i,j};\ i, j = \overline{1, m};\ i \ne j\}$: set of edges (network links);
- $\bar{R}_i = \{R_j : E_{j,i} \in E;\ j = \overline{1, m};\ i \ne j\}$: subset of routers adjacent to router $R_i$;
- $\varphi_{i,j}$: capacity of link $E_{i,j}$;
- $K$: set of flows circulating in the network ($k \in K$);
- $x^k_{i,j}$: control variables that determine the fraction of the intensity of the $k$th flow in link $E_{i,j}$ of the primary path;
- $\bar{x}^k_{i,j}$: control variables that determine the fraction of the intensity of the $k$th flow in link $E_{i,j}$ of the backup path;
- $\beta^k$: proportion of the intensity of the $k$th flow that is denied service when the primary path is used;
- $\bar{\beta}^k$: proportion of the intensity of the $k$th flow that is denied service when the backup path is used;
- $s_k$: source node of the $k$th flow;
- $d_k$: destination node of the $k$th flow;
- $\lambda^k$: average intensity (packet rate) of the $k$th flow in packets per second (1/s);
- $u^k_{i,j}$: control variables representing the upper bound of the routing variables of the primary and backup paths;
- $\alpha$: control variable that numerically determines the upper bound of network link utilization;
- $\alpha^{TH}$: threshold of the upper bound of network link utilization;
- $p_{i,j}$: probability of compromise of link $E_{i,j}$;
- $v_{i,j}$: weighting coefficient related to the probability of compromise of link $E_{i,j}$;
- $w^k = PR^k + 1$: weighting coefficient based on the priority $PR^k$ of the $k$th flow transmitted over the primary path;
- $\bar{w}^k = PR^k + 0.5$: weighting coefficient based on the priority $PR^k$ of the $k$th flow transmitted over the backup path.

The result of solving the technical task of providing network security based on Traffic Engineering Fast ReRoute with support of policing is the calculation of the two types of routing variables, $x^k_{i,j}$ for the primary path and $\bar{x}^k_{i,j}$ for the backup path.
When the multipath routing strategy is used, the following constraints are imposed on routing variables of both types [24, 26]:

$$0 \le x^k_{i,j} \le 1 \quad \text{and} \quad 0 \le \bar{x}^k_{i,j} \le 1. \quad (1)$$

The flow conservation conditions, which ensure the connectivity of the calculated primary and backup multipaths, must also be met [23]:

$$\sum_{j:\,E_{i,j} \in E} x^k_{i,j} - \sum_{j:\,E_{j,i} \in E} x^k_{j,i} = \begin{cases} 0, & k \in K,\ R_i \ne s_k, d_k; \\ 1 - \beta^k, & k \in K,\ R_i = s_k; \\ \beta^k - 1, & k \in K,\ R_i = d_k; \end{cases} \quad (2)$$

$$\sum_{j:\,E_{i,j} \in E} \bar{x}^k_{i,j} - \sum_{j:\,E_{j,i} \in E} \bar{x}^k_{j,i} = \begin{cases} 0, & k \in K,\ R_i \ne s_k, d_k; \\ 1 - \bar{\beta}^k, & k \in K,\ R_i = s_k; \\ \bar{\beta}^k - 1, & k \in K,\ R_i = d_k. \end{cases} \quad (3)$$

When the link $E_{i,j} \in E$ is protected during fast rerouting under the multipath routing strategy, the following condition is imposed on the backup multipath [23, 25]:

$$0 \le \bar{x}^k_{i,j} \le \delta^k_{i,j}, \quad (4)$$

where

$$\delta^k_{i,j} = \begin{cases} 0, & \text{when protecting the link } E_{i,j}; \\ 1, & \text{otherwise.} \end{cases} \quad (5)$$

The linear conditions (4) and (5) guarantee that the protected link $E_{i,j} \in E$ is not included in the backup path. In the case of protecting the node $R_i \in R$, conditions (4) and (5) are applied to the links adjacent to this node [23], namely

$$0 \le \bar{x}^k_{i,j} \le \delta^k_{i,j} \quad \text{for } R_j \in \bar{R}_i,\ j = \overline{1, m}, \quad (6)$$

where $\delta^k_{i,j}$ are determined according to (5).

Within the presented approach to providing network security based on Traffic Engineering Fast ReRoute with support of Traffic Policing, the model introduces the following modified overload-prevention conditions, which provide both load balancing and network security through the link compromise probability parameter [26]:

$$\sum_{k \in K} \lambda^k u^k_{i,j} \le \alpha\, v_{i,j}\, \varphi_{i,j}, \quad E_{i,j} \in E, \quad (7)$$

where

$$x^k_{i,j} \le u^k_{i,j} \quad \text{and} \quad \bar{x}^k_{i,j} \le u^k_{i,j}, \quad (8)$$

$$0 \le u^k_{i,j} \le 1, \quad (9)$$

$$0 \le \alpha \le \alpha^{TH}. \quad (10)$$

It should be noted that $\alpha^{TH}$ is determined by the QoS requirements of the network. Moreover, the novelty of the approach is the introduction into conditions (7) of the coefficients $v_{i,j}$, whose boundary values are the following [24, 26]:

$$v_{i,j} = \begin{cases} 0, & \text{if } p_{i,j} = 1; \\ 1, & \text{if } p_{i,j} = 0. \end{cases} \quad (11)$$

As the probability of link compromise $p_{i,j}$ increases from 0 to 1, the weighting coefficient $v_{i,j}$ should decrease from 1 to 0. Different functional forms of the dependence $v = f(p)$ satisfying (11) are possible. The simplest case is a linear dependence [24, 26]:

$$v_{i,j} = 1 - p_{i,j}. \quad (12)$$

Using conditions (7) ensures that the admissible utilization of each link is governed by the probability of its compromise. In this work, as an example, the following power function is considered:

$$v_{i,j} = 1 - p^n_{i,j}, \quad (13)$$

where $n \ge 1$ [26]. As can be seen from Fig. 1, increasing the parameter $n$ in (13) reduces the sensitivity of the load balancing to the network security threat [26].

Figure 1: Models of functional dependence of the weighting coefficient on the probability of compromise

As the optimality criterion for solving the problem of providing network security based on Traffic Engineering Fast ReRoute with support of policing, the following function has been selected:

$$J = \sum_{k \in K} w^k \beta^k + \sum_{k \in K} \bar{w}^k \bar{\beta}^k + c\,\alpha \to \min \quad (14)$$

under the condition

$$w^k > \bar{w}^k > w^p > \bar{w}^p > c, \quad (15)$$

where the priority $PR^k$ of the $k$th flow is higher than the priority $PR^p$ of the $p$th flow and $c = 0.25$. With the weights defined above, $w^k = PR^k + 1$ and $\bar{w}^k = PR^k + 0.5$, condition (15) holds for any integer priorities with $PR^k > PR^p$, since then $PR^k + 0.5 > PR^p + 1$ and $PR^p + 0.5 \ge 0.5 > c$. As priority values, the 3 bits of IP Precedence in the IP packet header (values from 0 to 7) can be used, as well as DSCP (Differentiated Services Code Point) values, which range from 0 to 63 [23]. Taking all of the above into account, the optimality criterion (14) is aimed at minimizing the conditional cost of the consistent solution of the FRR, TE, and TP technological tasks.
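To make the model concrete, the following added example (not code from the paper or its authors) encodes constraints (1)–(11) and (13) and criterion (14) in Python as a feasibility checker and cost evaluator for a candidate routing solution. It uses the link capacities and compromise probabilities of Table 1 (Section 3) with $n = 2$ and $\alpha^{TH} = 0.65$; the two flows, their intensities, the candidate primary and backup paths and the policing value are constructed for the example and are not results of the paper. The full model optimizes $x$, $\bar{x}$, $\beta$ and $\alpha$ jointly with an LP solver, which is not included here; instead the checker computes the smallest $\alpha$ that (7) admits for fixed routing variables and shows how policing the low-priority flow (a nonzero $\beta^2$) restores feasibility under a tighter $\alpha$.

```python
"""Feasibility checker and cost evaluator for the Secure TE-FRR-TP model.

Added example, not the paper's code: encodes (1)-(11), (13) and criterion (14) so that a
candidate solution (from an LP solver or an SDN controller) can be validated. Link data
come from Table 1; the flows, rates, paths and policing values are constructed here.
"""
from collections import defaultdict

# Table 1: link E_{i,j} -> (capacity phi_{i,j} in 1/s, probability of compromise p_{i,j})
LINKS = {
    (1, 2): (1200, 0.2), (2, 3): (950, 0.5), (1, 4): (800, 0.3), (2, 5): (900, 0.4),
    (3, 14): (700, 0.1), (5, 4): (400, 0.5), (5, 6): (600, 0.2), (4, 7): (700, 0.2),
    (5, 8): (500, 0.1), (6, 9): (800, 0.4), (7, 11): (300, 0.1), (8, 9): (300, 0.3),
    (7, 10): (500, 0.4), (8, 11): (400, 0.2), (9, 12): (800, 0.5), (10, 11): (700, 0.3),
    (11, 12): (950, 0.2), (3, 13): (400, 0.1), (13, 14): (500, 0.3), (6, 14): (500, 0.4),
    (14, 15): (900, 0.2), (9, 15): (800, 0.5), (15, 16): (1100, 0.3), (12, 16): (1000, 0.2),
}
EPS = 1e-9


def v_coef(p, n=2):
    """Security weight (13): v = 1 - p^n, equal to 1 at p=0 and 0 at p=1 as required by (11)."""
    return 1.0 - p ** n


def path_vars(path, share):
    """Routing variables for one path carrying fraction `share` of a flow (single-path case)."""
    return {(a, b): share for a, b in zip(path, path[1:])}


def conservation_violations(x, beta, src, dst, tag):
    """Flow conservation (2)/(3): out - in is 0 at transit nodes, 1-beta at src, beta-1 at dst."""
    balance = defaultdict(float)
    for (i, j), val in x.items():
        balance[i] += val
        balance[j] -= val
    bad = []
    for node, net in balance.items():
        want = (1 - beta) if node == src else (beta - 1) if node == dst else 0.0
        if abs(net - want) > EPS:
            bad.append(f"{tag}: conservation at R{node} ({net:.3f} != {want:.3f})")
    return bad


def link_load(flows, sol):
    """Left side of (7): sum_k lambda^k u^k_{i,j} with u = max(x, x_bar), the tightest (8)-(9)."""
    load = defaultdict(float)
    for k, f in flows.items():
        s = sol[k]
        for link in set(s["x"]) | set(s["xbar"]):
            load[link] += f["rate"] * max(s["x"].get(link, 0.0), s["xbar"].get(link, 0.0))
    return load


def check_solution(flows, sol, alpha, alpha_th, protected, n=2):
    """Return the list of violated conditions (empty list = feasible); links must be in LINKS."""
    bad = []
    for k, f in flows.items():
        s = sol[k]
        for tag, x in (("primary", s["x"]), ("backup", s["xbar"])):
            for link, val in x.items():
                if not -EPS <= val <= 1 + EPS:                       # (1)
                    bad.append(f"flow {k} {tag}: x{link} outside [0, 1]")
        for link, val in s["xbar"].items():                          # (4)-(5): delta = 0 on protected link
            if link in protected and val > EPS:
                bad.append(f"flow {k} backup: uses protected link E{link}")
        bad += conservation_violations(s["x"], s["beta"], f["src"], f["dst"], f"flow {k} primary")
        bad += conservation_violations(s["xbar"], s["betabar"], f["src"], f["dst"], f"flow {k} backup")
    if not -EPS <= alpha <= alpha_th + EPS:                          # (10)
        bad.append(f"alpha {alpha:.3f} exceeds threshold {alpha_th}")
    for link, total in link_load(flows, sol).items():                # (7): secure capacity alpha*v*phi
        phi, p = LINKS[link]
        if total > alpha * v_coef(p, n) * phi + EPS:
            bad.append(f"link E{link}: load {total:.1f} > {alpha * v_coef(p, n) * phi:.1f}")
    return bad


def min_alpha(flows, sol, n=2):
    """Smallest alpha satisfying (7) for fixed routing variables; compare it with alpha_TH."""
    return max(total / (v_coef(LINKS[link][1], n) * LINKS[link][0])
               for link, total in link_load(flows, sol).items())


def cost(flows, sol, alpha, c=0.25):
    """Criterion (14) with w^k = PR^k + 1 (primary) and w_bar^k = PR^k + 0.5 (backup)."""
    return sum((f["PR"] + 1) * sol[k]["beta"] + (f["PR"] + 0.5) * sol[k]["betabar"]
               for k, f in flows.items()) + c * alpha


# Constructed scenario: flow 1 R1->R16 (PR=4), flow 2 R5->R12 (PR=1), link E11,12 protected.
PROTECTED = {(11, 12)}
FLOWS = {1: {"src": 1, "dst": 16, "rate": 200, "PR": 4},
         2: {"src": 5, "dst": 12, "rate": 150, "PR": 1}}
SOLUTION = {
    1: {"x": path_vars([1, 2, 3, 14, 15, 16], 1.0),
        "xbar": path_vars([1, 2, 5, 6, 9, 12, 16], 1.0), "beta": 0.0, "betabar": 0.0},
    2: {"x": path_vars([5, 6, 9, 12], 1.0),
        "xbar": path_vars([5, 8, 9, 12], 1.0), "beta": 0.0, "betabar": 0.0},
}
# Same routing, but the low-priority flow is policed at the edge: 20% denied on the primary path.
POLICED = {1: SOLUTION[1],
           2: {"x": path_vars([5, 6, 9, 12], 0.8), "xbar": SOLUTION[2]["xbar"], "beta": 0.2, "betabar": 0.0}}

if __name__ == "__main__":
    a = min_alpha(FLOWS, SOLUTION)
    print(f"unpoliced: min alpha = {a:.4f}, J = {cost(FLOWS, SOLUTION, a):.4f}")
    print("unpoliced at alpha = 0.6:", check_solution(FLOWS, SOLUTION, 0.6, 0.65, PROTECTED))
    print("policed at alpha = 0.6:", check_solution(FLOWS, POLICED, 0.6, 0.65, PROTECTED),
          f"J = {cost(FLOWS, POLICED, 0.6):.4f}")
```

Running the block shows that, without policing, the two single-path flows need $\alpha \approx 0.608$, set by link $E_{5,6}$, whose security-weighted capacity is $0.96 \cdot 600$ 1/s, and that denying 20 % of the low-priority flow on its primary path makes $\alpha = 0.6$ feasible at a cost $J = 0.55$. The same functions can be pointed at the output of an LP solver for the full model, or at the forwarding state installed by an SDN controller, to confirm that (4)–(5) keep the protected link out of the backup path and that no link exceeds $\alpha\, v_{i,j}\, \varphi_{i,j}$.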
However, conditions (7)–(11) and (13) are responsible for balancing the packet flows over the network links with the minimum probability of compromise. It should also be noted that the first term in (14) is the conditional cost of denials of service to the flows transmitted over the primary paths, the second term is the cost of denials of service to the flows transmitted over the backup paths, and the third term is the weighted upper bound of network link utilization.

3. Numerical Research of the Mathematical Model of Secure TE-FRR-TP

The analysis of the proposed approach and the corresponding Secure TE-FRR-TP mathematical model has been conducted on several network configurations for the case of multiple flows with different priorities. The main features of the model are explained using the network example shown in Fig. 2. The input data for the numerical research, namely the link capacities and their probabilities of compromise, are given in Table 1. Let us consider the Secure TE-FRR-TP solution for the case of two flows using the protection scheme of link $E_{11,12}$. Assume the following flow characteristics:
- $R_1$ is the source node, $R_{16}$ is the destination node, the flow intensity varies within the range $\lambda^1 = 10 \ldots 1100$ 1/s, and the flow priority is $PR^1 = 4$;
- $R_5$ is the source node, $R_{12}$ is the destination node, the flow intensity varies within the range $\lambda^2 = 10 \ldots 1100$ 1/s, and the flow priority is $PR^2 = 1$.
For this example, suppose that the threshold of the upper bound of network link utilization is $\alpha^{TH} = 0.65$ and the power function is $v_{i,j} = 1 - p^2_{i,j}$, i.e., $n = 2$.

Figure 2: Network structure for numerical research (16 routers $R_1$–$R_{16}$; the links with their capacities and probabilities of compromise are listed in Table 1)

As can be seen from the research results presented in Fig. 3, the upper bound of network link utilization $\alpha$ increased gradually with the increase of the network load.
The absence of sharp fluctuations in the values of $\alpha$ (Fig. 3) has a positive effect on the QoS of the whole network. Under these conditions, at low network load, when $\lambda^1 \le 750$ 1/s and $\lambda^2 \le 590$ 1/s, the fulfillment of condition $0 \le \alpha \le \alpha^{TH}$ (10) did not cause any limitation of the flow intensities at the network edge, and $\beta^1 = \bar{\beta}^1 = \beta^2 = \bar{\beta}^2 = 0$ (Figure 3).

Table 1
Input data for investigating the network security approach based on Traffic Engineering Fast ReRoute with support of Traffic Policing

Network link   Capacity, 1/s   Probability of compromise p_{i,j}
E1,2           1200            0.2
E2,3            950            0.5
E1,4            800            0.3
E2,5            900            0.4
E3,14           700            0.1
E5,4            400            0.5
E5,6            600            0.2
E4,7            700            0.2
E5,8            500            0.1
E6,9            800            0.4
E7,11           300            0.1
E8,9            300            0.3
E7,10           500            0.4
E8,11           400            0.2
E9,12           800            0.5
E10,11          700            0.3
E11,12          950            0.2
E3,13           400            0.1
E13,14          500            0.3
E6,14           500            0.4
E14,15          900            0.2
E9,15           800            0.5
E15,16         1100            0.3
E12,16         1000            0.2

Figure 3: Dependence of the upper bound of network link utilization on the intensities of the transmitted flows

However, with excessive load on the network, condition (10) was satisfied with $\alpha = \alpha^{TH}$ (Fig. 3) by limiting the intensities of the flows transmitted over both the primary and the backup multipaths. According to Figures 3–7, the limitation of the transmitted flows was based on the following principles:
- the limitation was applied to the flow that was the source of the overload under condition (10);
- if the overload was created by several flows, the limitation primarily concerned the flow with the lower priority, in accordance with condition (15);
- load balancing was performed in accordance with condition (7), so that communication links with a lower probability of compromise were loaded more heavily than less secure links.
Therefore, the study showed that with these initial data (Table 1), the first (high-priority) packet flow, when using the primary multipath, was the least limited in its intensity.
In accordance with the above principles, the first flow was limited only when it created an overload of links that belonged to both the primary and the backup multipath (Fig. 4 and Fig. 5).

Figure 4: The solution of the Secure TE-FRR-TP problem for the first flow of packets (primary path)

Figure 5: The solution of the Secure TE-FRR-TP problem for the first flow of packets (backup path)

In contrast, the second (low-priority) flow was limited earliest of all and to the greatest extent when using the backup multipath (Fig. 6). Somewhat later and to a lesser extent, the second flow was limited when using the primary multipath (Fig. 7).

Figure 6: The solution of the Secure TE-FRR-TP problem for the second flow of packets (backup path)

Figure 7: The solution of the Secure TE-FRR-TP problem for the second flow of packets (primary path)

4. Conclusion

In modern telecommunication networks, the operation of protocols is aimed at achieving a high level of Quality of Service, resilience, and security. Therefore, an important scientific and applied task is the adaptation of promising solutions for fault-tolerant routing (fast rerouting) with load balancing to the requirements of network security. Thus, the relevant problem formulated and solved in this work is the development of a flow-based model of network security provision based on Traffic Engineering Fast ReRoute with support of Policing, namely Secure TE-FRR-TP. Within this model, the problem of secure fast rerouting was formulated as a linear programming problem whose criterion is condition (14) and whose constraints are expressions (1)–(11), (13), and (15). The novelty of the proposed model is the modification of the load balancing and bandwidth protection conditions during fast rerouting (7), which, in addition to Quality of Service, also take into account the probability of link compromise as an indicator of network security.
The routing solutions obtained within the proposed model are aimed at reducing the load on communication links with a high probability of compromise by redistributing traffic to more secure network links. However, it should be borne in mind that the proposed solution is a compromise between ensuring Quality of Service on the one hand and improving fault tolerance and network security on the other. Implementation of schemes for protecting the structural elements of the network and its bandwidth requires the introduction of redundancy in the use (reservation) of network resources. Taking network security indicators into account within the model (1)–(15) also leads to underloading of the least secure communication links according to their probability of compromise. Because network resources are always limited, these measures can lead to network overload, which is accompanied by limiting the load at the network edge. The advantage of the proposed solution is that under congestion, load balancing is realized on the principles of TE and, if necessary, with differentiated limitation of the load entering the network according to IP priority values and packet flow intensities. An additional advantage of the proposed optimization model Secure TE-FRR-TP is its linearity, which results in low computational complexity of its protocol implementation in practice.

5. References

[1] R. Bruzgiene, L. Narbutaite, T. Adomkus, P. Pocta, P. Brida, J. Machaj, E. Leitgeb, P. Pezzei, H. Ivanov, N. Kunicina, A. Zabasta, Quality-Driven Schemes Enhancing Resilience of Wireless Networks under Weather Disruptions, in: Rak J., Hutchison D. (Eds.), Guide to Disaster-Resilient Communication Networks, Computer Communications and Networks, Springer, Cham, 2020, pp. 299–326. doi: 10.1007/978-3-030-44685-7_12.
[2] A. Z. Dodd, The Essential Guide to Telecommunications (Essential Guide Series), Pearson, 2019.
[3] R. White, E. Banks, Computer Networking Problems and Solutions: An Innovative Approach to Building Resilient, Modern Networks, 1st ed., Addison-Wesley Professional, 2018.
[4] S. Gupta, Security and QoS in Wireless Sensor Networks, 1st ed., eBooks2go Inc, 2018.
[5] D. Medhi, K. Ramasamy, Network Routing: Algorithms, Protocols, and Architectures, Morgan Kaufmann, 2017.
[6] I. Strelkovskaya, I. Solovskaya, Using spline-extrapolation in the research of self-similar traffic characteristics, J. Electr. Eng. 70(4) (2019) 310–316. doi: 10.2478/jee-2019-0061.
[7] I. Strelkovskaya, I. Solovskaya, A. Makoganiuk, Spline-extrapolation method in traffic forecasting in 5G networks, J. Telecommun. Inf. Technol. 3 (2019) 8–16. doi: 10.26636/jtit.2019.134719.
[8] L. Globa, M. Skulysh, O. Romanov, M. Nesterenko, Quality Control for Mobile Communication Management Services in Hybrid Environment, in: Ilchenko M., Uryvsky L., Globa L. (Eds.), Advances in Information and Communication Technologies, volume 560 of Lecture Notes in Electrical Engineering, Springer, Cham, 2019, pp. 76–100. doi: 10.1007/978-3-030-16770-7_4.
[9] A. A. Semenov, O. O. Semenova, O. M. Voznyak, O. M. Vasilevskyi, M. Y. Yakovlev, Routing in telecommunication networks using fuzzy logic, in: 2016 17th International Conference of Young Specialists on Micro/Nanotechnologies and Electron Devices (EDM), IEEE, 2016, pp. 173–177. doi: 10.1109/EDM.2016.7538719.
[10] J. Papan, P. Segec, P. Paluch, J. Uramova, M. Moravcik, The new Multicast Repair (M-REP) IP fast reroute mechanism, Concurr. Comput. Pract. Exp. 32(13) (2020). doi: 10.1002/cpe.5105.
[11] O. Lemeshko, O. Yeremenko, Enhanced method of fast re-routing with load balancing in software-defined networks, J. Electr. Eng. 68(6) (2017) 444–454. doi: 10.1515/jee-2017-0079.
[12] O. Lemeshko, O. Yeremenko, N. Tariki, Solution for the default gateway protection within fault-tolerant routing in an IP network, Int. J. Electr. Comput. Eng. Syst. 8(1) (2017) 19–26. doi: 10.32985/ijeces.8.1.3.
[13] O. Yeremenko, O. Lemeshko, A. Persikov, Secure Routing in Reliable Networks: Proactive and Reactive Approach, in: Shakhovska N., Stepashko V. (Eds.), Advances in Intelligent Systems and Computing II, CSIT 2017, volume 689 of Advances in Intelligent Systems and Computing, Springer, Cham, 2018, pp. 631–655. doi: 10.1007/978-3-319-70581-1_44.
[14] T. Gomes, L. Jorge, R. Girão-Silva, J. Yallouz, P. Babarczi, J. Rak, Fundamental Schemes to Determine Disjoint Paths for Multiple Failure Scenarios, in: Rak J., Hutchison D. (Eds.), Guide to Disaster-Resilient Communication Networks, Computer Communications and Networks, Springer, Cham, 2020, pp. 429–453. doi: 10.1007/978-3-030-44685-7_17.
[15] J. Papán, P. Segeč, P. Palúch, Ľ. Mikuš, M. Moravčík, The survey of current IPFRR mechanisms, in: Janech J., Kostolny J., Gratkowski T. (Eds.), Proceedings of the 2015 Federated Conference on Software Development and Object Technologies, SDOT 2015, volume 511 of Advances in Intelligent Systems and Computing, Springer, Cham, 2015, pp. 229–240. doi: 10.1007/978-3-319-46535-7_18.
[16] R. Girão-Silva, T. Gomes, L. Martins, D. Tipper, A. Alashaikh, A centrality-based heuristic for network design to support availability differentiation, in: Proceedings of the 16th International Conference on the Design of Reliable Communication Networks (DRCN 2020), IEEE, Milano, Italy, 2020, pp. 1–7. doi: 10.1109/DRCN48652.2020.1570603040.
[17] J. Rak, D. Papadimitriou, H. Niedermayer, P. Romero, Information-driven network resilience: Research challenges and perspectives, Opt. Switching Netw. 23(2) (2017) 156–178. doi: 10.1016/j.osn.2016.06.002.
[18] A. Mendiola, J. Astorga, E. Jacob, M. Higuero, A survey on the contributions of Software-Defined Networking to Traffic Engineering, IEEE Commun. Surv. Tutor. 19(2) (2017) 918–953. doi: 10.1109/COMST.2016.2633579.
[19] U. Palani, G. Amuthavalli, V. Alamelumangai, Secure and load-balanced routing protocol in wireless sensor network or disaster management, IET Inf. Secur. 14(5) (2020) 513–520. doi: 10.1049/iet-ifs.2018.5057.
[20] M. V. Patil, V. Jadhav, Secure, reliable and load balanced routing protocols for multihop wireless networks, in: Proceedings of the 2017 International Conference on Intelligent Computing and Control (I2C2), IEEE, 2017, pp. 1–6. doi: 10.1109/I2C2.2017.8321936.
[21] N. Kumar, Y. Singh, Trust and packet load balancing based secure opportunistic routing protocol for WSN, in: Proceedings of the 2017 4th International Conference on Signal Processing, Computing and Control (ISPCC), IEEE, 2017, pp. 463–467. doi: 10.1109/ISPCC.2017.8269723.
[22] S. Li, S. Zhao, X. Wang, K. Zhang, L. Li, Adaptive and secure load-balancing routing protocol for service-oriented wireless sensor networks, IEEE Syst. J. 8(3) (2013) 858–867. doi: 10.1109/JSYST.2013.2260626.
[23] O. Lemeshko, O. Yeremenko, A. M. Hailan, M. Yevdokymenko, A. Shapovalova, Policing based traffic engineering fast ReRoute in SD-WAN architectures: approach development and investigation, in: Al-Bakry A. et al. (Eds.), New Trends in Information and Communications Technology Applications, NTICT 2020, volume 1183 of Communications in Computer and Information Science, Springer, Cham, 2020, pp. 29–43. doi: 10.1007/978-3-030-55340-1_3.
[24] O. Lemeshko, O. Yeremenko, M. Yevdokymenko, A. Shapovalova, T. Radivilova, D. Ageyev, Secure based traffic engineering model in softwarized networks, in: Proceedings of the IEEE International Conference on Advanced Trends in Information Theory (ATIT), IEEE, 2020, pp. 1–4.
[25] O. Lemeshko, O. Yeremenko, M. Yevdokymenko, A. Shapovalova, A. M. Hailan, A. Mersni, Cyber resilience approach based on traffic engineering fast reroute with policing, in: Proceedings of the 10th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), IEEE, 2019, pp. 117–122. doi: 10.1109/IDAACS.2019.8924294.
[26] O. Lemeshko, A. Shapovalova, A. M. K. Al-Dulaimi, O. Yeremenko, M. Yevdokymenko, Flow-based routing model with load balancing under network security parameters, Inf. Telecommun. Sci. 2 (2020) 44–50. doi: 10.20535/2411-2976.22020.44-50.