eBPF-Based Ordered Proof of Transit for Trustworthy Service Function Chaining

Takanori Hara, Masahiro Sasabe

In IEEE Transactions on Network and Service Management, 2025

Abstract

Service function chaining (SFC) establishes a service path where a sequence of functions is executed according to service requirements. However, SFC lacks a mechanism to ensure proper traversal of relay nodes in the data plane. Misconfigurations and the presence of attackers can lead to forwarding anomalies and path deviation, potentially allowing packets to bypass security network functions in the service path. To mitigate potential security breaches, ordered proof of transit (OPoT) has been proposed as a mechanism to verify whether traffic adheres to the designated path. In this paper, we realize lightweight OPoT-based path verification based on extended Berkeley Packet Filter (eBPF) for trustworthy SFC. Furthermore, by integrating it with the existing SFC proxy, we extend the proposed approach to accommodate both SFC-aware and SFC-unaware virtual network functions (VNFs) in the segment routing over IPv6 data plane (SRv6) domain. Through experiments, we demonstrate the capability of the proposed approach to detect path deviations. Additionally, we reveal the performance limitations of the proposed approach.

Text Reference

Takanori Hara, Masahiro Sasabe, eBPF-Based Ordered Proof of Transit for Trustworthy Service Function Chaining, IEEE Transactions on Network and Service Management, pp.1-12, March 2025.

BibTeX Reference

@article{hara25EBPFBasedOrderedProof,
    author = "Hara, Takanori and Sasabe, Masahiro",
    title = "{{eBPF-Based Ordered Proof}} of {{Transit}} for {{Trustworthy Service Function Chaining}}",
    year = "2025",
    month = "March",
    journal = "IEEE Transactions on Network and Service Management",
    pages = "1--12",
    doi = "10.1109/TNSM.2025.3550333"
}