Abstract

The path computation element (PCE) architecture has been proposed to effectively enable multi-domain traffic engineering (TE) in generalized multiprotocol label switching (GMPLS) networks while providing an adequate level of confidentiality among domains. However, malicious use of the procedures defined within the PCE architecture might compromise the confidentiality of network domain information in a multi-domain, multi-carrier network scenario. This paper discusses the critical issues of the PCE architecture in terms of confidentiality. A two-step authorization scheme, named the behavior-based PCE authorization policy (BPAP), is proposed. The BPAP includes a novel add-on PCE component and a central authorization policy server to protect against confidentiality breaches. The scheme is based on analysis of the PCE protocol (PCEP) client's behavior and includes attack pattern detection procedures and, where required, partial filtering of the information carried in the reply message. The applicability of the BPAP scheme is validated in wavelength switched optical networks (WSONs) through simulations focusing on the exchange of a restricted set of available resources. Finally, a BPAP implementation is experimentally evaluated, showing the efficiency of the two-step scheme in terms of scalability, capability to limit the discovery of critical information, and reactivity to confidentiality attacks.

© 2011 OSA
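As an added illustration of the behavior-based idea, not the paper's BPAP implementation: a per-PCC disclosure tracker that lets the PCE answer normally while the internal links revealed to a client stay below a threshold, and switches to a filtered reply (ingress and egress only) once a new reply would push that client past it. The toy six-link domain, the BFS path computation, the ten-request window, and the reading of T = 0.8 (the value in Fig. 6) as a disclosed-link fraction are all assumptions made for this example.

```python
from collections import deque

# Constructed toy domain (not from the paper): each tuple is a TE link whose
# existence the domain treats as confidential. Endpoints are kept sorted.
DOMAIN_LINKS = {("A", "B"), ("B", "C"), ("C", "D"), ("A", "E"), ("D", "E"), ("B", "E")}
T = 0.8       # threshold; 0.8 is taken from Fig. 6, its use as a link fraction is assumed
WINDOW = 10   # requests per client kept by the behavior analysis (assumed)


def _adjacency():
    adj = {}
    for u, v in DOMAIN_LINKS:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def compute_path(src, dst):
    """Plain BFS shortest path; stands in for the PCE's real RWA engine."""
    adj, prev, queue = _adjacency(), {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            break
        for m in sorted(adj.get(n, ())):  # sorted for deterministic paths
            if m not in prev:
                prev[m] = n
                queue.append(m)
    if dst not in prev:
        return None
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]


def links_of(path):
    return {tuple(sorted(edge)) for edge in zip(path, path[1:])}


class BehaviorPolicy:
    """Tracks, per PCEP client, which domain links recent replies disclosed."""

    def __init__(self):
        self.history = {}  # client -> deque of link sets already returned

    def disclosure(self, client):
        seen = set().union(*self.history.get(client, []))
        return len(seen) / len(DOMAIN_LINKS)

    def handle_request(self, client, src, dst):
        path = compute_path(src, dst)
        if path is None:
            return {"client": client, "path": None, "filtered": False}
        hist = self.history.setdefault(client, deque(maxlen=WINDOW))
        projected = len(set().union(*hist) | links_of(path)) / len(DOMAIN_LINKS)
        if projected > T:
            # Filtering step: reply with only the domain ingress/egress so no
            # further internal link is revealed to a client sweeping the domain.
            return {"client": client, "path": [src, dst], "filtered": True}
        hist.append(links_of(path))  # only unfiltered replies disclose links
        return {"client": client, "path": path, "filtered": False}
```

A client issuing a couple of ordinary requests is served in full, while one that walks through every source/destination pair is cut off once its replies would reveal more than T of the domain's links.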





Figures (7)

Fig. 1. (Color online) Extended PCE architecture.

Fig. 2. (Color online) PCE–APS authorization procedure workflow.

Fig. 3. (Color online) Pan-European triple layered 6-domain topology.

Fig. 4. BPAP simulation results: blocking probability.

Fig. 5. Experimental results: APS response time.

Fig. 6. Experimental results: reactivity during Wm attack (T = 0.8).

Fig. 7. Experimental results: reactivity during Bm/Dm/Tm slow attacks.

Tables (2)

Table I. BPAP Schemes' Confidentiality Degree

Table II. BPAP Attack Classes Detection Features