Constant-Size Credential-Based Packet Forwarding Verification in SDN

The emerging software-defined networking (SDN) technology lacks tools to proactively ensure that policies will be followed or to inspect the behavior of the network. The network is vulnerable to sophisticated attacks against packets, such as alteration, injection, dropping, and hijacking attacks. Accurate and efficient packet forwarding verification is critical to ensuring the correctness of packet forwarding in the face of malicious attacks, yet most existing packet forwarding verification solutions insert linear-scale cryptographic tags that grow with path length, which introduces significant communication overhead. In this paper, we propose a constant-size credential based packet forwarding verification mechanism in SDN. In the scheme, the ingress switch of a flow embeds a constant-size tag credential that is independent of the packet forwarding path, each downstream switch verifies packets based on the constant-size credential, and the controller periodically acquires node forwarding statistics along the path and localizes anomalies. The header space communication overhead of the proposed scheme is less than that of existing linear-scale mechanisms. We further prototype and evaluate the proposed scheme. Experiments demonstrate that the scheme achieves efficient forwarding and effective anomaly localization with less than 11% of additional forwarding delays and no more than 10% of throughput degradation.


Introduction
As a new network paradigm, SDN [1] decouples the control plane and data plane and reshapes the ossified network architectures. The open network programming interface of SDN promotes network innovation, reduces the cost of network operation and maintenance, provides a new experimental way for the research of new network architectures, and also greatly promotes the development of the next generation of internet technology. However, the "three layers and two interfaces" (application plane, control plane, data plane, southbound interface, and northbound interface) of the network architecture enlarge the network attack surface available to malicious attackers. SDN faces both the typical security threats of traditional IP networking and those unique to its architecture. These typical or unique security issues, such as the legality and consistency of flow rules, vulnerabilities of the southbound interface protocol (e.g., the OpenFlow protocol), vulnerabilities of the data plane and controller, and the lack of a trust mechanism between controller and applications, are constraints on large-scale deployment of SDN [2].
Having network nodes or routers verify packets to ensure full-link security from source to destination is an important part of network security [3]. However, the current architecture of SDN does not guarantee that a packet of a flow does follow the rules or path specified by the controller. The SDN controller knows nothing about the real forwarding path and behavior of data plane switches. The main reason is that SDN lacks tools to proactively ensure that policies will be followed or to reactively inspect the behavior of the network. Malicious switch nodes controlled by an adversary in the network can inject, drop, and alter packets, or even redirect packets of a flow to deviate from the controller-authorized path and violate crucial network policies [4]. The general methodology of packet forwarding verification in traditional IP networking is to embed linear-scale cryptographic tags in packets to verify packets hop-by-hop. In SDN, most of the existing packet forwarding verification solutions reuse this methodology from traditional IP networking. However, embedding cryptographic tags that grow linearly as the forwarding path lengthens introduces significant header space communication overhead.
Embedding linear-scale cryptographic tags in the packets of a flow as the path lengthens is a fundamental efficiency barrier. The primary reason is as follows. As forwarding path length increases, the inserted validation tags take up more header space as well as network transmission bandwidth. What is more, longer validation tags take more time to produce and verify. Existing packet forwarding verification mechanisms enforce $O(n)$ size validation tags for an $n$-hop forwarding path, which introduces significant header space overhead and excessive computation overhead and degrades network transmission performance. Packet forwarding verification solutions should strive to provide verification ability with insignificant overhead and to locate the abnormal link.
Making use of the traits of centralized control and network programmability in SDN, we present a constant-size credential based packet forwarding verification. To summarize, the contributions of this paper are threefold.
(1) We design CSCPV, a constant-size credential based packet forwarding verification in SDN. CSCPV limits the header space overhead of the embedded cryptographic tags. It outperforms the existing linear-scale mechanisms even when the flow path length is very small. CSCPV can effectively detect malicious forwarding behavior and achieve efficient packet forwarding with negligible header space overhead.
(2) We design an efficient tag credential for packet forwarding verification. The size of the credential is independent of path length; it is constant-size and easy to implement. We also conduct a theoretical analysis of credential security.
(3) Leveraging P4 [5] (Programming Protocol-independent Packet Processors), we further prototype CSCPV. We also extensively evaluate our CSCPV prototype on Mininet simulations. The analyses and experiment results demonstrate that the proposed mechanism introduces limited computation and header space communication overhead. Concretely, CSCPV only introduces less than 10% of throughput degradation and no more than 11% of additional forwarding delays. And due to the constant-size credential, CSCPV significantly reduces the header space overhead compared with the SDN forwarding verification mechanisms OPT [6] and SDNsec [7].
The rest of the article is organized as follows. Section 2 introduces related works, and Section 3 briefly describes the problem and attack model. In Section 4, we present CSCPV, the constant-size credential based packet forwarding verification mechanism in SDN. In Section 5, we analyze the security of CSCPV, and in Section 6 we prototype CSCPV leveraging the P4 switch and present the performance evaluation results based on the CSCPV prototype with Mininet simulations. We conclude the paper in Section 7.

Related Works
Approaches that embed or insert linear-scale cryptographic tags have been widely used in packet forwarding verification in traditional IP networking as well as SDN. OPT [6] presents a lightweight source and path verification mechanism: the sender embeds all validation tags of nodes along the forwarding path in packets, and each intermediate router performs two message authentication code calculation operations to verify packets. OPT's cryptographic tags increase linearly as the path lengthens, and OPT is unable to tackle malicious node dropping or hijacking attacks. In [7], SDNsec, a network packet path validation mechanism, was proposed. The controller checks whether each packet of a flow has followed the correct path, which introduces a large bandwidth overhead on the control channel. Another disadvantage of SDNsec is that the inserted cryptographic tags increase linearly as the path lengthens. ICING [8] uses aggregated message authentication code technology to enable source and path authentication; however, ICING requires each intermediate router to store shared keys with other routers on the path and has a higher header space overhead. More precisely, ICING has a per-hop overhead of 42 bytes. PrivNPV [9] proposes path verification targeting path privacy and index privacy; similarly, the packet header space overhead increases linearly with the path length. The main goal of the data path credentials architecture [10] is to identify valid nodes and thus not to allow the transmission of attack traffic, but the system requires 4L (L is path length) handshake interactions in the credential initialization stage, which introduces significant network communication overhead, and the credential fails to protect packet integrity.
Inspired by the literature [10], in this paper, we propose CSCPV, a packet forwarding verification mechanism based on constant-size credential, which can effectively compress the packet header space overhead, introduce negligible computation and communication overhead, and forward packets efficiently.

Problem Statement
In SDN, the controller issues forwarding policies, and the data plane switches follow the issued policies to forward packets. However, malicious switches controlled by an adversary can commit attacks such as alteration, dropping, injection, and even hijacking of packets. The attacker aims to control switches on a path and interrupt the normal packet forwarding of a flow.
Packet alteration attack: a malicious attacker controls a switch on a path and tampers with any part of the data packet of a flow, such as packet header information and packet payload.
Packet injection attack: a malicious attacker controls a switch on a path and inserts forged packets of a flow and sends it towards a downstream switch.
Packet hijacking attack: a malicious attacker controls a switch on a path and redirects packets of a flow to another path that has not been authorized by the controller.
Packet dropping attack: a malicious attacker controls a switch on a path and drops packets of a particular flow.
In this paper, we focus on packet forwarding verification, detecting malicious attacks, and localizing network anomalies with limited computation and communication overhead. We assume that the controller in SDN is secure; also, SDN enables Transport Layer Security (TLS), so communications between the controller and the data plane switches are secured. We further assume that, along a forwarding path, the ingress and egress switches are benign nodes, because verifying packets is meaningless if packets do not even enter or leave the network.

Design of CSCPV
The challenge of designing CSCPV is to abandon the methodology of existing packet forwarding verification solutions, which embed cryptographic tags that grow linearly as the path lengthens. Instead, we perform packet verification by introducing a negligible constant-size tag credential which is independent of path length. In this section, we describe in detail how we solve this design challenge. Table 1 shows some of the relevant notations used in this paper. Section 4.1 outlines the CSCPV mechanism, and Sections 4.2-4.4, respectively, illustrate the initialization of the constant-size credential, packet forwarding verification, and anomaly localization in CSCPV.

Overview.
In the network, each switch node is associated with an identity (say, $N_i$), and there exists a trusted party, called the Key Generation Center (KGC). The KGC chooses a group $G$, where $G = \langle g \rangle$ is a multiplicative group of prime order $q$ and $g$ is a generator of the group $G$. KGC chooses two hash functions, where $\Omega$ is the output space of $H_2$, and $\Omega \in \{0, 1\}^{l}$. Then KGC picks a random element $x$ from $Z_q$ and sets $y = g^{x} \in G$. Finally, the KGC outputs the master secret key $MSK = x$ and the public parameters $MPK = (G, q, g, y, H_1, H_2)$. For each node with identity $N_i$, the KGC selects a random element $a_i \in Z_q$ and sets $b_i = g^{a_i}$; using the master secret key $MSK = x$, the KGC computes $c_i = a_i + H_1(N_i \| b_i)x$ and sends the partial secret key $(b_i, c_i)$ to the node $N_i$. Having obtained the partial secret key $(b_i, c_i)$ from the KGC, node $N_i$ picks a random element $x_i$ from $Z_q$ and sets $y_i = g^{x_i}$. Finally, node $N_i$ outputs the public key $PK_i = (b_i, y_i)$ and the secret key $SK_i = (c_i, x_i)$.
When a new flow enters the network, the controller calculates the path of the flow and issues the flow forwarding path PATH and the session identifier SID to the source ingress switch $N_0$ through a secure channel. Here, PATH is the authorized forwarding path. The secure channel can be implemented with OpenFlow on top of SSL/TLS. At the same time, the controller installs flow table entries for switches on the authorized forwarding path. $N_0$ generates a tag credential of constant size (say, CSC). As shown in Figure 1, the tag CSC is located between the IP and TCP/UDP headers. The fixed length of CSC is 32 bytes (the length of CSC is 160 bytes when a packet is the first packet of a flow), and the meaning of each field is as follows.
SID: session token, where SID is an integer that uniquely identifies a flow.
$N_{bit}$: the maximum number of bits set to 1 in field PVF; in the next section, we will discuss how to set the field $N_{bit}$.
L: flow path length.
F: the flag F is set to 1 when a packet is the first packet of a flow, and the total size of CSC is 160 bytes. In subsequent packets of the flow, the flag F is set to 0, and the total size of CSC is 32 bytes.
SeqNO: the ingress switch of a flow inserts a monotonically increasing count in every packet it forwards.
$\sigma$/NULL: when a packet is the first packet of a flow, the flag F is set to 1, the field $\sigma$ is the key negotiation parameter set by the source ingress switch, and the size of this field is 1024 bits. Otherwise, the flag F is 0, the field is NULL, and its size is 0 bits.
PktHash: digest of a packet's payload; 64 bits.
PVF: packet validation field enabling node $N_i$ to verify a packet; 128 bits.
[Table 1, notation entry: anonymous key shared between $N_0$ and $N_i$.]

Security and Communication Networks
For a flow, the source ingress switch $N_0$ uses the anonymous key-agreement protocol [22] to generate a temporary shared key $sk_i$ with each switch node $N_i$ on the path, computes the message authentication code MAC based on the key $sk_i$, and constructs the packet validation field PVF based on the Bloom Filter data structure [23]. Here, the core idea is that the field PVF can contain multiple MAC items at the same time. The $L$ (path length) MAC elements of switch nodes on the path are superimposed in the field PVF by $N_0$. $N_0$ forwards a packet to the next hop, and each downstream node $N_i$ along the path receives the packet and computes the message authentication code $MAC_i$ based on the temporary shared key $sk_i$. $N_i$ checks whether its own $MAC_i$ exists in the field PVF to verify the packet. The controller periodically obtains statistics of each switch node on the forwarding path and localizes network anomalies. The overall architecture of CSCPV is shown in Figure 2.
In the control layer, there are two modules.  Table Entries: the module stores flow rules installed by the controller, and the switch forwards packets based on the rules.

Path Computation and Flow
4.2. Credential Initialization.
As described above, when a new flow enters the network, the source ingress switch $N_0$ sends a request to the controller, and the controller calculates the packet forwarding path PATH of the flow. The controller sends the authorized path PATH and the session identifier (say SID) to the source ingress switch $N_0$. Leveraging the anonymous key-agreement protocol [22], $N_0$ generates a temporary shared key $sk_i$ with each switch node $N_i$ on the path, where the path is $PATH = \langle N_0, N_1, \ldots, N_L \rangle$. $N_0$ picks a random element $\omega \in Z_q$ and sets $\sigma = g^{\omega}$; here $\sigma$ is the shared key negotiation parameter. For each node $N_i$ on the path PATH, according to Section 4.1, its public key is $]^{\omega}$ and $z_{i,i} = y_i^{\omega}$, then the anonymous shared symmetric key between $N_0$ and $N_i$ is . $N_0$ only computes the shared symmetric key $sk_i$ with each node on the path when the first packet of a new flow enters the network; there is no need to repeat the computation for subsequent packets. $N_0$ generates a tag of constant size as shown in Figure 1. As described in Section 4.1, when a packet is the first packet of a flow, the flag F in CSC is set to 1, and the $\sigma$/NULL field is set to $\sigma$, the shared key negotiation parameter above. All the subsequent packets of the flow have the flag F set to 0 in the tag CSC, and the tag CSC no longer contains the field $\sigma$/NULL. For each switch node $N_i$ on the path $PATH = \langle N_0, N_1, \ldots, N_L \rangle$, $N_0$ calculates the message authentication code $MAC_i$ based on the shared symmetric session key $sk_i$ as follows: Here, PktHash is the digest of the IP packet's payload, $PktHash \leftarrow Hash(payload)$, $CSC_8$ is the first 8 bytes of the constant-size credential, and $TTL_i$ denotes the expected TTL at switch node $N_i$ during the IP packet transmission. $IP_{INVAR}$ is the portion of the original IP header that is invariant at each router during forwarding. $N_0$ constructs the packet validation field PVF based on the Bloom Filter [23].
As shown in Figure 3, $N_0$ computes the $MAC_i$ ($1 \le i \le L$) items and superimposes them in the field PVF. When a packet of a flow is transmitted, each downstream switch node $N_i$ can check whether its own $MAC_i$ exists in the field PVF based on the Bloom Filter and thus verify the packet. The Bloom Filter is a data structure containing an array of $m$ bits. An empty Bloom Filter (the field PVF) is initialized with all bits set to zero. Based on the Bloom Filter, $N_0$ constructs the field PVF. When inserting an element, e.g., $MAC_i$, the bit corresponding to the value of each single hash function for the element $MAC_i$ is set to 1. Concretely, for each message authentication code $MAC_i$ ($1 \le i \le L$), the Bloom Filter maps $MAC_i$ to $k$ positions in the field PVF (the corresponding bits are set to 1) with $k$ independent hash functions $h_1, h_2, \ldots, h_k$. Finally, the $L$ (path length) MAC elements of all switch nodes along the path are superimposed in the field PVF based on the Bloom Filter data structure.
Making use of the $k$ independent hash functions $h_1, h_2, \ldots, h_k$, a message authentication code $MAC_i$ is mapped to $k$ positions in the PVF (position collisions may of course occur). Let $v_i[j]$ ($1 \le j \le k$) be the set of indices of the bits to which a $MAC_i$ element is mapped in the PVF; then the following (2) must hold: When the tag CSC is constructed completely, as shown in Figure 1, the tag CSC is located between the IP and TCP/UDP headers. According to the installed flow table entry, the ingress switch $N_0$ sends the packet to the next hop node $N_1$.

Packet Verification.
For each switch node $N_i$ on the path $PATH = \langle N_0, N_1, \ldots, N_L \rangle$, $N_i$ receives a packet and parses the fields in the tag CSC. If the flag F is set to 1, this indicates that the packet is the first packet of a flow. Based on the shared key negotiation parameter field $\sigma = g^{\omega}$ in the tag CSC, $N_i$ computes the temporary shared symmetric key $sk_i$ with the source switch node $N_0$. According to Section 4.1, node $N_i$ possesses the private key $SK_i = (c_i, x_i)$; $N_i$ sets $z'_{i,0} = \sigma^{c_i}$ and $z'_{i,i} = \sigma^{x_i}$, and then the temporary shared symmetric key between $N_i$ and $N_0$ is $sk'_i = H_2(z'_{i,0} \| z'_{i,i})$. As follows in (3) and (4), we can deduce $sk'_i = sk_i$, which means the symmetric key $sk_i$ computed by $N_0$ and $sk'_i$ computed by $N_i$ are the same.
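The key agreement of Sections 4.1 to 4.3 run end to end, as an added example (not code from the paper or its P4 prototype). The toy group, the SHA-256 stand-ins for $H_1$ and $H_2$, and all function names are assumptions; the ingress-side value $z_{i,0}$ is derived here from $c_i = a_i + H_1(N_i \| b_i)x$ so that it equals the node-side $\sigma^{c_i}$.

```python
import hashlib
import secrets

# Constructed toy group (assumption, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of prime order q.
P_MOD, Q, G = 2039, 1019, 4


def h1(identity: str, b: int) -> int:
    """Stand-in for H1: hashes N_i || b_i into Z_q (SHA-256 is an assumption)."""
    digest = hashlib.sha256(f"H1|{identity}|{b}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def h2(z0: int, zi: int) -> bytes:
    """Stand-in for H2: hashes z_{i,0} || z_{i,i} to an l-bit key (l = 128 assumed)."""
    return hashlib.sha256(f"H2|{z0}|{zi}".encode()).digest()[:16]


def rand_zq() -> int:
    """Random non-zero exponent modulo q."""
    return secrets.randbelow(Q - 1) + 1


def kgc_setup():
    """KGC: master secret MSK = x and public y = g^x."""
    x = rand_zq()
    return x, pow(G, x, P_MOD)


def kgc_partial_key(msk: int, identity: str):
    """KGC: partial secret key (b_i, c_i) with c_i = a_i + H1(N_i || b_i) * x mod q."""
    a = rand_zq()
    b = pow(G, a, P_MOD)
    return b, (a + h1(identity, b) * msk) % Q


def node_keygen(partial_key):
    """Node N_i: PK_i = (b_i, y_i) and SK_i = (c_i, x_i) with y_i = g^{x_i}."""
    b, c = partial_key
    x_i = rand_zq()
    return (b, pow(G, x_i, P_MOD)), (c, x_i)


def ingress_negotiate(y: int, public_keys: dict):
    """N_0: pick omega, publish sigma = g^omega, derive sk_i from public keys only."""
    omega = rand_zq()
    sigma = pow(G, omega, P_MOD)
    keys = {}
    for identity, (b, y_i) in public_keys.items():
        # g^{c_i} = b_i * y^{H1(N_i || b_i)}, so raising it to omega gives sigma^{c_i}.
        base = b * pow(y, h1(identity, b), P_MOD) % P_MOD
        keys[identity] = h2(pow(base, omega, P_MOD), pow(y_i, omega, P_MOD))
    return sigma, keys


def node_derive(sigma: int, secret_key) -> bytes:
    """N_i: sk'_i = H2(sigma^{c_i} || sigma^{x_i}), computed from the first packet."""
    c, x_i = secret_key
    return h2(pow(sigma, c, P_MOD), pow(sigma, x_i, P_MOD))


def run_agreement(identities) -> bool:
    """Full exchange; True when every node derives the key N_0 computed for it."""
    msk, y = kgc_setup()
    pks, sks = {}, {}
    for n in identities:
        pks[n], sks[n] = node_keygen(kgc_partial_key(msk, n))
    sigma, ingress_keys = ingress_negotiate(y, pks)
    return all(node_derive(sigma, sks[n]) == ingress_keys[n] for n in identities)


if __name__ == "__main__":
    print(run_agreement(["N1", "N2", "N3", "N4"]))
```

Only $\sigma$ travels in the first packet; each node needs nothing beyond its own secret key to recover $sk_i$, which is why the first-packet CSC carries the extra 1024-bit field.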
Switch node $N_i$ saves the temporary shared symmetric key $sk_i$, and there is no need to repeat the calculation for subsequent packets. When a packet tagged with the constant-size credential is received by switch node $N_i$, firstly, $N_i$ checks whether the value of field $N_{bit}$ exceeds the preset threshold $L \cdot k$ ($L$ is the path length, and $k$ denotes the number of independent hash functions) and also verifies whether the real count of bits set to 1 in the field PVF of the tag CSC exceeds the preset threshold value. If validation fails, the packet will be dropped. Secondly, $N_i$ calculates the message authentication code $MAC'_i$ according to (1) and checks whether $MAC'_i$ exists in the field PVF based on the Bloom Filter, as shown in Figure 3.
If $\bigwedge_{j=1}^{k} PVF[v_i[j]] = 0$, packet verification has failed, and node $N_i$ will drop the packet. If $\bigwedge_{j=1}^{k} PVF[v_i[j]] = 1$, the packet is verified to be valid with high probability, and then $N_i$ forwards the packet to the next node $N_{i+1}$.
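The PVF construction and the two-step check at a downstream node, as an added example (not the paper's code). HMAC-SHA256 as the MAC, the order of the MAC inputs, the counter-prefixed SHA-256 index functions, and every sample key and header value are constructed assumptions.

```python
import hashlib
import hmac

M_BITS = 128  # PVF size given on the page


def node_mac(sk, pkt_hash, csc8, ttl, ip_invar):
    """MAC_i over the inputs the page names; their order and HMAC-SHA256 are assumptions."""
    msg = pkt_hash + csc8 + bytes([ttl]) + ip_invar
    return hmac.new(sk, msg, hashlib.sha256).digest()[:16]


def positions(mac, k):
    """Indices v_i[1..k]; h_1..h_k modelled as SHA-256 with a counter prefix (assumption)."""
    return [int.from_bytes(hashlib.sha256(bytes([j]) + mac).digest()[:4], "big") % M_BITS
            for j in range(1, k + 1)]


def build_pvf(macs, k):
    """Ingress side: superimpose all MAC_i into one m-bit field."""
    pvf = 0
    for mac in macs:
        for v in positions(mac, k):
            pvf |= 1 << v
    return pvf


def verify(pvf, n_bit, path_len, k, my_mac):
    """Downstream side: bound checks first, then Bloom-filter membership of MAC'_i."""
    if n_bit > path_len * k:           # forged N_bit above the L*k ceiling
        return False
    if bin(pvf).count("1") > n_bit:    # more bits set than the ingress declared
        return False
    return all((pvf >> v) & 1 for v in positions(my_mac, k))


# Constructed sample flow: 6 downstream nodes, k = 3 index functions.
K, PATH_LEN, TTL0 = 3, 6, 64
KEYS = [hashlib.sha256(b"constructed-sk-%d" % i).digest()[:16]
        for i in range(1, PATH_LEN + 1)]
CSC8 = bytes.fromhex("0000002a12060001")   # constructed first 8 bytes of the CSC
IP_INVAR = b"10.0.0.1>10.0.0.9/udp"         # constructed invariant header bytes


def pkt_hash(payload):
    """64-bit payload digest (truncated SHA-256, an assumption)."""
    return hashlib.sha256(payload).digest()[:8]


def tag_packet(payload):
    """What N_0 attaches: the PVF and N_bit = L*k."""
    macs = [node_mac(KEYS[i - 1], pkt_hash(payload), CSC8, TTL0 - i, IP_INVAR)
            for i in range(1, PATH_LEN + 1)]
    return build_pvf(macs, K), PATH_LEN * K


def first_rejecting_hop(pvf, n_bit, payload, start=1):
    """Walk the path from hop `start`; return the first hop that drops, else None."""
    for i in range(start, PATH_LEN + 1):
        mac = node_mac(KEYS[i - 1], pkt_hash(payload), CSC8, TTL0 - i, IP_INVAR)
        if not verify(pvf, n_bit, PATH_LEN, K, mac):
            return i
    return None


if __name__ == "__main__":
    pvf, n_bit = tag_packet(b"hello")
    print("untouched packet dropped at:", first_rejecting_hop(pvf, n_bit, b"hello"))
    print("payload altered after N3, dropped at:",
          first_rejecting_hop(pvf, n_bit, b"HELLO", start=4))
    print("all-ones PVF dropped at:",
          first_rejecting_hop((1 << M_BITS) - 1, n_bit, b"HELLO"))
```

The altered payload is caught because the receiving node recomputes PktHash and therefore a different $MAC'_i$; the all-ones PVF is caught by the bit count before any MAC is computed.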

Anomaly Localization.
When a packet of a flow arrives at the egress switch node $N_L$ and is the first packet of the flow, $N_L$ uses the temporary shared symmetric key $sk_L$, computed via the anonymous key negotiation protocol depicted in Section 4.3, to compute the message authentication code and verify the packet based on the field PVF. If verification succeeds, $N_L$ forwards the packet to the destination. The controller periodically collects forwarded-packet statistics (say, count[i]) of each switch $N_i$ on the authorized transmission path. If the difference between the counts of packets forwarded by adjacent switch nodes along the path exceeds a threshold, e.g., the natural packet loss rate $\theta$, there must be a malicious node dropping or tampering with packets. The controller will mark the link as an abnormal link. Anomaly localization algorithm is shown below.
For any two adjacent nodes $N_i$ and $N_{i+1}$ along the path $PATH = \langle N_0, N_1, \ldots, N_L \rangle$, the controller compares the counts of packets received and verified to be valid by the two nodes, e.g., count As shown in Figure 4, the controller periodically acquires the node forwarding statistics on the transmission path. The counts of valid packets forwarded by nodes $N_i$, $N_{i+1}$, and $N_{i+2}$ are 10000, 9000, and 8998, respectively. In Figure 4
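The controller-side comparison described in this section, as an added example (not the paper's algorithm listing). Using the relative loss between adjacent nodes as the test against $\theta$, the cumulative-counter snapshots, and all names are assumptions; the per-interval counts are the 10000, 9000, and 8998 quoted above.

```python
def interval_counts(prev, cur):
    """Valid-packet counts for one polling interval from two cumulative snapshots."""
    return {node: cur[node] - prev.get(node, 0) for node in cur}


def localize(path, counts, theta):
    """Return (upstream, downstream, loss_rate) for each link whose loss exceeds theta."""
    abnormal = []
    for up, down in zip(path, path[1:]):
        sent, received = counts[up], counts[down]
        if sent <= 0:
            break  # nothing verified at this hop, so later links carry no evidence
        loss = (sent - received) / sent
        if loss > theta:
            abnormal.append((up, down, loss))
    return abnormal


# Constructed cumulative counters from two consecutive polls of three adjacent nodes.
PATH = ["N_i", "N_i+1", "N_i+2"]
PREV = {"N_i": 52000, "N_i+1": 51990, "N_i+2": 51985}
CUR = {"N_i": 62000, "N_i+1": 60990, "N_i+2": 60983}
THETA = 0.001  # natural packet loss rate used in the page's experiment


def sample_report():
    """Abnormal links for the constructed interval above."""
    return localize(PATH, interval_counts(PREV, CUR), THETA)


if __name__ == "__main__":
    for up, down, loss in sample_report():
        print(f"abnormal link {up} -> {down}: loss {loss:.2%}")
```

The second link loses 2 of 9000 packets, which stays below $\theta$, so only the first link is reported.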

Analyses and Discussions
In CSCPV, each switch node holds the public key $PK_i = (b_i, y_i)$ and the private key $SK_i = (c_i, x_i)$. Based on the anonymous key negotiation protocol, the source ingress switch negotiates the shared session key $sk_i$ ($1 \le i \le L$) with the nodes along the forwarding path via the first packet of a flow. The source ingress node generates the constant-size tag CSC, which includes the packet validation field PVF based on the Bloom Filter. Using the shared symmetric key, each downstream switch node on the path calculates the message authentication code of the packet and checks whether its own MAC exists in the field PVF based on the Bloom Filter data structure to verify the packet. However, an attacker can simply modify or fabricate the field $N_{bit}$ of the tag CSC and set all bits in the field PVF to 1, with the result that any packet injected or tampered with by the attacker would be verified to be valid by all downstream nodes. In order to make the tag CSC immune to these attacks, we need to limit the size of field $N_{bit}$ and check whether the count of bits set to 1 in the field PVF exceeds a preset value. Here, we introduce two additional concepts to the field PVF. We introduce two definitions as follows. For a single MAC item, the probability that one bit in field PVF is set to 1 by a single function in $k$ independent hash functions is P.
On the contrary, the probability that a bit in field PVF is not set to 1 by a single hash function in $k$ independent hash functions is Ρ: And the probability that a bit in field PVF is not set to 1 by any of the $k$ independent hash functions is $Ρ^{k}$: Then, along the path of length $L$, in the field PVF of aggregated $L$ validation MAC items, the probability that a bit is not set to 1 by any of the $k$ independent hash functions is $(Ρ)^{k \cdot L}$.
So, on the path of length $L$, in the field PVF of aggregated $L$ validation items, the probability that a bit is set to 1 by the $k$ independent hash functions is $1 - (Ρ)^{k \cdot L}$.
Accordingly, the expectation value of bits set to 1 in field PVF based on a Bloom Filter of size $m$ with $k$ independent hash functions and $L$ (path length) inserted MAC items is Assuming there are no bit position collisions between and within the MACs in the field PVF of aggregated $L$ validation MAC items via the $k$ independent hash function mappings, the maximum value of function $\Gamma(pvf)$ is $\Gamma(pvf)_{max} = L \cdot k$, which means the maximum expectation value of $pvf(m, k, L)$ does not exceed $L \cdot k$. So, function $pvf(m, k, L)$ satisfies (12) as follows: In Figure 1, for a packet of a flow, the value of field $N_{bit}$ in the constant-size tag CSC can be preset to $\Gamma(pvf)_{max} = L \cdot k$. When a switch node receives the packet, firstly, it verifies whether the value of field $N_{bit}$ is greater than $\Gamma(pvf)_{max}$; secondly, it counts the real number of bits set to 1 in field PVF. If the real count is greater than $N_{bit}$, the switch node drops the packet, which indicates that a malicious node is attacking the constant-size tag CSC.
Consider the presence of a malicious node $N_{i-1}$ on the forwarding path that attacks by injecting or tampering with packets. Node $N_i$ receives a packet, calculates the message authentication code $MAC_i$ of the packet, and checks $MAC_i$ against the field PVF. False negatives are not possible (a $MAC_i$ that is an item of the field PVF is never reported as not being an item). However, the check is probabilistic in nature, and false positives are possible (a $MAC_i$ that is not an item of the field PVF may be reported as an item); according to [23], the false positive rate is shown as follows: Thus, a packet injected or tampered with by node $N_{i-1}$ will be verified to be invalid with probability $1 - (1 - e^{-kL/m})^{k}$ by the next hop node $N_i$ and will be dropped. A packet injected or tampered with by the malicious node $N_{i-1}$ that is verified to be valid by all the downstream nodes $N_i$ ($i \le L$) along the path indicates that the malicious node has successfully implemented an attack, and the probability is denoted as Even if an attacker has controlled a switch node completely, it is difficult to fabricate the field PVF based on the Bloom Filter, since the result of the cryptographic hash function $MAC_K(\cdot)$ cannot be guessed without another node's shared session key $K$. It is reasonable to assume that the function $MAC_K(\cdot)$ with shared key $K$ generates pseudorandom outputs. With the mapping via the $k$ independent hash functions $h_1, h_2, \ldots, h_k$, the adversary would need to determine which bits should be set to 1 or to 0 in the field PVF of CSC, so the attacker cannot exploit it.
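The quantities of this analysis evaluated for the 128-bit PVF and checked against a simulation, as an added example (not the paper's code). The per-bit miss probability $1 - 1/m$ is the standard Bloom-filter value and is assumed here, as is treating the per-hop checks as independent when a forged packet must pass several nodes.

```python
import math
import random


def expected_ones(m, k, path_len):
    """Expected bits set after inserting L MACs: m * (1 - (1 - 1/m)^(k*L))."""
    return m * (1 - (1 - 1 / m) ** (k * path_len))


def false_positive(m, k, path_len):
    """Per-hop chance that a forged packet passes: (1 - e^(-kL/m))^k."""
    return (1 - math.exp(-k * path_len / m)) ** k


def survive(m, k, path_len, hops):
    """Chance a forged packet passes `hops` consecutive nodes (independence assumed)."""
    return false_positive(m, k, path_len) ** hops


def simulate(m, k, path_len, trials, seed):
    """Monte Carlo with ideal hash functions: mean bits set and observed pass rate."""
    rng = random.Random(seed)
    ones_total, passed = 0, 0
    for _ in range(trials):
        bits = {rng.randrange(m) for _ in range(k * path_len)}  # honest PVF
        ones_total += len(bits)
        # A forged packet yields a MAC the ingress never inserted: k fresh positions.
        if all(rng.randrange(m) in bits for _ in range(k)):
            passed += 1
    return ones_total / trials, passed / trials


def summary(m=128):
    """Rows of (L, k, expected ones, L*k ceiling, per-hop pass rate)."""
    rows = []
    for path_len in (12, 13, 20):
        for k in (3, 4):
            rows.append((path_len, k, expected_ones(m, k, path_len),
                         path_len * k, false_positive(m, k, path_len)))
    return rows


if __name__ == "__main__":
    for path_len, k, ones, ceiling, fp in summary():
        print(f"L={path_len:2d} k={k}: E[ones]={ones:5.1f} (N_bit ceiling {ceiling}), "
              f"per-hop pass rate={fp:.4f}")
    print("simulated (L=12, k=3):", simulate(128, 3, 12, 20000, seed=1))
```

For $L = 13$ the expected counts come out near 34 and 43, matching the figures the page reports from Experiment 1.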

Experiment and Evaluation
In this section, we prototype CSCPV in a Mininet simulated network environment and evaluate the effectiveness of the proposed scheme using behavioral-model version 2 (BMV2) and the programmable P4 switch. The experiments cover the number of bits set to 1 in field PVF of tag CSC at different path lengths, the success rate of tampering attacks by a malicious node, anomaly localization accuracy, and the network performance of the proposed scheme.

Experiment Setup.
The simulation platform runs the 64-bit Ubuntu 16.04 operating system on an Intel (R) Core (TM) i7-8550 CPU at 1.8 GHz with 8 GB of memory. Our experiments are performed on Mininet, the programmable P4 software switch, and controller components based on the P4Runtime interface. In this paper, we extend the switch behavior model BMV2 using C++ to implement the anonymous key negotiation and packet forwarding verification of CSCPV. The processing pipeline of the CSCPV P4 switch is shown in Figure 5, which includes Input, Parse, Ingress, Egress, Output, etc. For more details about P4, please refer to [5]. The virtual network simulation prototype is composed of 30 virtual P4 switches and several virtual host terminals.

The Number of Bits Set to 1
Experiment 1. The experiment tests the number of bits set to 1 in PVF at different path lengths and different numbers $k$ of independent hash functions. According to the description and discussion in Section 4 and Section 5, the ingress switch of a flow embeds a constant-size tag CSC in packets, and the aggregated $L$ (path length) MAC items, based on the temporary shared keys with the nodes on the forwarding path, are superimposed in the field PVF based on the Bloom Filter data structure. Each downstream switch node verifies packets based on the field PVF. The value of field $N_{bit}$ in CSC is the maximum number of bits set to 1 in field PVF. In order to make the constant-size tag CSC immune to the attack in which the attacker sets all bits of field PVF to 1, which makes all injected or tampered packets verify as valid at all downstream switch nodes, we should limit the value of field $N_{bit}$ to restrain these attacks. Different path lengths and numbers of independent hash functions result in different numbers of bits set to 1 in PVF. The experiment results for the number of bits set to 1 in PVF under different path lengths are shown in Figure 6. We performed experiments for different path lengths ($L$ varying from 2 to 20) and different numbers of independent hash functions ($k = 3$ and $k = 4$). Figure 6 shows that when the path length $L$ is 20 hops and the number of hash functions is $k = 3$ and $k = 4$, respectively, the number of bits set to 1 in PVF based on the Bloom Filter is about 50 and 62, respectively, less than half of the size $m$ of the PVF (here $m$ is 128). When the path length is close to the average length of an internet transmission path, i.e., $L = 13$ hops [24], with $k = 3$ and $k = 4$, respectively, the number of bits set to 1 in PVF is about 34 and 43, respectively. So, the field PVF of size $m$ (128 bits) in tag CSC meets the requirement of network packet transmission paths.
And the experiment results are in line with (11).

Malicious Tampering Success Rate
Experiment 2. This experiment tests the success rate of packet tampering by malicious nodes. We selected a path whose length is 12 hops and picked switch node $N_5$ as an adversary node. Node $N_5$ tampers with network packets with probabilities $\lambda = 0.1$ and $\lambda = 0.2$, respectively. We performed the experiment using different numbers $k$ ($k = 3$, $k = 4$) of independent hash functions.
As shown in Figure 7, when $k = 3$ and node $N_5$ performs the tampering attack with probabilities $\lambda = 0.1$ and $\lambda = 0.2$, respectively, node $N_6$ receives and verifies packets, and the false positive rates (tampered packets verified to be valid) are about 1.7% and 1.68%, respectively. When $k = 4$, the false positive rates at node $N_6$ are about 1.42% and 1.38%, respectively. When the packets tampered with by $N_5$ are verified to be valid by $N_6$ and forwarded to node $N_7$, the false positive rates range from about 0.01% to 0.02% at node $N_7$ and are 0% at node $N_8$. According to (14), for a packet tampered with by the malicious node $N_5$, the probability that the packet is verified to be valid along the downstream nodes $N_7$ to $N_{12}$ trends toward 0.0%. So, there is hardly any possibility that a packet tampered with by a malicious node passes through the network to the destination.

Localization Accuracy
Experiment 3. We performed experiments to test the controller's anomaly localization accuracy for malicious node tampering or dropping attacks. According to the problem description in Section 3, tampering with a packet is equivalent to dropping an original packet and injecting a forged packet at the same time, while a hijacking attack is equivalent to dropping the forwarded packets on the authorized path. So, this experiment mainly considers two types of anomaly localization: malicious nodes tampering with packets and malicious nodes dropping packets. In Section 4.4, the controller localizes the anomalous link by comparing the statistics of valid packets received by adjacent nodes on the forwarding path. The natural packet loss rate of the link is about $\theta = 0.001$; we evaluate the anomaly localization accuracy as the probability with which misbehaving switch nodes tamper with or drop packets varies. The controller performs an anomaly detection every 300 ms.
Figure 8 depicts the experiment results. We further evaluate the localization accuracy for tampering and dropping, respectively, in terms of different values of the attacking rate. We pick node $N_5$ as an adversary, and $N_5$ continuously alters and drops packets, respectively, with probability varying from 0.03% to 0.3%. As Figure 8 shows, when the malicious node $N_5$ performs tampering or dropping attacks with a trivial probability varying from 0.03% to 0.09%, the anomaly localization accuracy ranges from 40% to 80%; when the attacking probability increases from 0.15% to 0.18%, the anomaly localization accuracy is about 90%, and localization becomes more accurate as the attacking rate increases. When the attack probability varies from 0.21% to 0.3%, localization accuracy is above 95%.

Performance Evaluation.
In this subsection, we evaluate the performance of the proposed mechanism, including the computation overhead during packet transmission, the packet transmission round-trip time (RTT), the network throughput, and the header space communication overhead.

Computation Overhead.
The computation overhead of packet transmission is the major factor that affects forwarding delay and network throughput. The computation overhead of existing typical schemes such as OPT [6] and SDNsec [7] is shown in Table 2.
From Table 2, we learn that the computation overhead of CSCPV is less than that of the existing typical linear-scale counterparts. OPT [6] presents a lightweight packet verification mechanism where the sender embeds all validation tags of intermediate nodes along the packet forwarding path, each intermediate router performs two message authentication code computation operations, the destination receivers need $L$, and the total computation overhead is $4L \cdot M$. SDNsec [7] verifies the path compliance and consistency of switches in SDN. However, to check whether each packet of a flow has really followed the authorized path, the egress switch needs to report each packet with cryptographic tags to the controller, and the total computation overhead is $2L(E + M)$. In CSCPV, the ingress switch node needs to perform $L$ message authentication code computation operations, and each downstream node computes only one, so the total overhead of CSCPV is $2L \cdot M$.

Experiment 4.
We performed experiments to test the round-trip time with the CSCPV protocol running and not running (Baseline) at different path lengths. Moreover, we test the round-trip time of SDNsec and OPT in the same network simulation environment; the experiment results are shown in Figure 9.
From Figure 9, we learn that the average round-trip time of the Baseline at 6 hops and 8 hops is about 14.5 ms and 20 ms, respectively, while that of CSCPV is approximately 15.5 ms and 22 ms; CSCPV introduces less than 11% of additional forwarding delay on average. SDNsec and OPT are slightly higher than CSCPV, introducing 13% to 14% of additional forwarding delay on average.

CSCPV protocol (Baseline) on the path of 8 hops. Packet payload size varies from 300 bytes to 1200 bytes. Moreover, we test the SDNsec and OPT network throughput in the same network simulation environment; the experiment results are shown in Figure 10. Note that our experiment platform is a virtual network rather than a real network environment, so the throughput differs greatly from that of a real network.
From Figure 10, we learn that, with the same payload size, SDNsec and OPT suffer about 13% throughput degradation, while CSCPV suffers no more than 10% throughput degradation.

Communication Overhead.
The header space communication overhead is the extra portion added to the normal IP packet (i.e., the SDNsec header, OPT header, and CSCPV header). From SDNsec and OPT, we know that the embedded tag lengths of SDNsec and OPT increase as the forwarding path lengthens, following the formulas $22 + 8L$ and $52 + 16L$, respectively. Table 3 shows the header space communication overhead of SDNsec, OPT, and CSCPV at different path lengths. When the path length varies from 4 to 16, SDNsec's header space overhead increases from 54 to 150 bytes, and OPT's increases from 116 to 372 bytes, while the overhead of the proposed CSCPV scheme is a constant 32 bytes. Here, we define the header space communication overhead ratio $\kappa$ as the ratio of the tagged header space to the entire packet payload size, e.g., for a packet payload size of 1024 bytes, $\kappa_{OPT} = (52 + 16L)/1024$, $\kappa_{SDNsec} = (22 + 8L)/1024$, and $\kappa_{CSCPV} = 32/1024$. Specifically, Table 4 shows that when the path length is 10 hops (the average internet transmission path length is 13 hops [24]) and the packet payload size varies from 128 to 1024 bytes, the header space communication overhead ratio $\kappa$ of SDNsec varies from 79.6% to 9.96%, and that of OPT varies from 100% to 20.7%, while that of CSCPV is only 25% and 3.13%. According to the analyses and experiment results, we can conclude that CSCPV outperforms the existing SDNsec and OPT.

Conclusion
The existing packet forwarding verification solutions in SDN enable packet verification by embedding cryptographic tags that grow linearly as the forwarding path lengthens, which introduces significant computation and communication overhead. We present CSCPV, a packet forwarding verification mechanism based on a constant-size credential in SDN. In CSCPV, the ingress switch embeds a constant-size credential tag that is independent of the length of the packet forwarding path. Each downstream node verifies packets based on the constant-size credential, and the controller periodically obtains the forwarding statistics of each node on the path to locate network anomalies. We further prototype and evaluate the proposed CSCPV. The analyses and experiment results show that the computation and communication overhead of CSCPV are less than those of similar linear-scale counterparts. With less than 11% additional forwarding delay and no more than 10% throughput degradation, CSCPV achieves efficient packet forwarding and can effectively detect and locate anomalies. Without doubt, the bigger the cryptographic data embedded, the higher the network communication overhead. In CSCPV, even when the path length is small, the inserted credential tags still have a fixed size of 32 bytes. In future work, we plan to focus on credential tags that change dynamically with the path length. Concretely, leveraging the Bloom filter, we will try to research a self-adaptive-size packet verification credential that follows the variation of path length, to further reduce the network communication overhead without loss of security.

Data Availability
The data used to support the findings of this study can be obtained from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest regarding the publication of this paper.