New Protocols for Connection Authentication

SURFnet

The project is a proof of concept (PoC) in which user traffic is authenticated on a per-packet basis and each packet is forwarded or dropped based on its authentication header. A client application (comparable to an OpenVPN client app) prepends an authentication encapsulation header, similar to the IPsec Authentication Header (AH), to every outgoing packet. The header carries a hash-based message authentication code (HMAC). When the packet arrives at a P4-capable PE device of the service provider, the authentication header is parsed and the HMAC is verified using a shared key that was negotiated at session start. Once the integrity and authenticity of the packet have been verified, the packet is forwarded to the associated service (L2 circuit, L3 VPN, etc.). When verification fails, the packet is dropped.
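As an added example that is not part of the SURFnet project or this abstract, the following Python models both ends of the exchange described above: the client prepends an authentication header with an HMAC, and the PE parses the header, recomputes the HMAC with the session's shared key and forwards or drops. The header layout (2-byte session ID, 4-byte sequence number, 16-byte truncated HMAC-SHA256 tag), the service table, the session key and the packets are all assumptions constructed for this illustration; the sequence-number replay check is an addition beyond what the abstract describes. The PE logic would live in a P4 program in the real PoC; here it is plain Python so that the verification path can be run and tested offline.

```python
import hmac
import hashlib
import struct

# Assumed header layout (the abstract does not specify one): 2-byte session ID,
# 4-byte sequence number, 16-byte HMAC-SHA256 tag truncated from 32 bytes.
HDR_FMT = "!HI16s"
HDR_LEN = struct.calcsize(HDR_FMT)   # 22 bytes
TAG_LEN = 16


def auth_tag(key: bytes, session_id: int, seq: int, payload: bytes) -> bytes:
    """HMAC over the header fields and the encapsulated packet, so that neither
    the sequence number nor the inner packet can be changed in transit."""
    msg = struct.pack("!HI", session_id, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Client:
    """Client side: prepends the authentication header to every outgoing packet."""

    def __init__(self, key: bytes, session_id: int):
        self.key = key                  # shared key negotiated at session start
        self.session_id = session_id
        self.seq = 0                    # per-packet counter, never reused

    def encapsulate(self, packet: bytes) -> bytes:
        self.seq += 1
        tag = auth_tag(self.key, self.session_id, self.seq, packet)
        return struct.pack(HDR_FMT, self.session_id, self.seq, tag) + packet


class ProviderEdge:
    """PE side: parse the header, verify the HMAC, then forward or drop."""

    def __init__(self):
        # session_id -> {"key": bytes, "last_seq": int, "service": str}
        self.sessions = {}

    def add_session(self, session_id: int, key: bytes, service: str) -> None:
        """Install the key agreed at session start and the service it maps to."""
        self.sessions[session_id] = {"key": key, "last_seq": 0, "service": service}

    def process(self, frame: bytes):
        """Return ("forward", service, inner_packet) or ("drop", reason, None)."""
        if len(frame) < HDR_LEN:
            return ("drop", "short frame", None)
        session_id, seq, tag = struct.unpack(HDR_FMT, frame[:HDR_LEN])
        payload = frame[HDR_LEN:]

        sess = self.sessions.get(session_id)
        if sess is None:
            return ("drop", "unknown session", None)

        # Recompute the tag with the session key and compare in constant time,
        # so a forger learns nothing from timing differences.
        expected = auth_tag(sess["key"], session_id, seq, payload)
        if not hmac.compare_digest(expected, tag):
            return ("drop", "bad hmac", None)

        # Replay check (assumed addition, not in the abstract): the counter is
        # covered by the tag, so a captured frame can be accepted only once.
        if seq <= sess["last_seq"]:
            return ("drop", "replay", None)
        sess["last_seq"] = seq

        return ("forward", sess["service"], payload)


def demo():
    """Constructed walk-through: a valid packet, a replay, a forgery, a wrong key."""
    key = b"constructed-session-key"
    pe = ProviderEdge()
    pe.add_session(7, key, "l2-circuit-42")
    client = Client(key, 7)

    frame = client.encapsulate(b"constructed inner packet")
    results = [pe.process(frame)[0]]                       # forward
    results.append(pe.process(frame)[0])                   # drop: replay
    forged = frame[:-1] + bytes([frame[-1] ^ 0x01])        # flip one payload bit
    results.append(pe.process(forged)[0])                  # drop: bad hmac
    results.append(pe.process(Client(b"wrong-key", 7).encapsulate(b"x"))[0])  # drop
    return results


if __name__ == "__main__":
    print(demo())   # ['forward', 'drop', 'drop', 'drop']
```

Two points a practitioner would check against a real implementation: the MAC must cover the inner packet as well as the header fields (otherwise the PE only authenticates the header, not the traffic it forwards), and the comparison must be constant-time. In a P4 data plane the HMAC computation itself is the hard part, since the standard hash externs are CRC-style checksums rather than keyed MACs, so the PoC needs a target-specific extern or an off-pipeline verifier for that step.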

Ronald van der Pol