Hummingbird: Dynamic Path Validation With Hidden Equal-Probability Sampling
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2023-01-13, DOI: 10.1109/tifs.2023.3236806
Anxiao He 1, Xiang Li 2, Jiandong Fu 1, Haoyu Hu 1, Kai Bu 1, Chenlu Miao 1, Kui Ren 1

Path validation has already been incrementally deployed in the Internet architecture. It secures packet forwarding by enabling end hosts to negotiate specific forwarding paths and enforcing on-path routers to prove their forwarding behaviors along these paths. Most existing path validation solutions target static paths, paying less attention to fully dynamic paths that support flexible routing. In this paper, we present Hummingbird as the first validation solution over fully dynamic paths. It features a hidden equal-probability sampling technique. Gaining efficiency via routers probabilistically sampling packets to validate, we craft the sampling probability such that each router validates a similar amount of packets given an unknown path length. We further hide the state of whether a packet has been sampled and validated using a lightweight, non-cryptographic scheme. This prevents attackers from differentiating and selectively mis-forwarding packets. We validate security and efficiency of Hummingbird through both theoretical proof and experimental evaluation.

Updated: 2023-01-13