Seraph: Towards secure and efficient multi-controller authentication with [formula omitted]-threshold signature in multi-domain SDWAN

Abstract

The multi-controller scheme is widely adopted in Software-Defined Wide Area Networks (SDWANs), where a WAN is segmented into multiple domains, each controlled by one controller. These controllers communicate with each other in-band, necessitating authentication before exchanging control messages. However, relying solely on identification of a single node for authentication exposes the network to spoofing attacks, jeopardizing its security. To address this issue, we present Seraph, an innovative (t,n)-threshold signature-based authentication scheme that verifies not only the node itself but also its “endorsement” nodes to establish its identity. We have investigated the best practice for defining the “endorsement” relationships concerning security and overheads, formulating the problem as an integer programming problem. We have demonstrated the polynomial-time hardness (NP-hardness) of the problem and proposed an efficient Seraph algorithm. Through our rigorous simulation analysis, we show that Seraph can provide comparative performance with Optimal and reduce time usage by over 90%.