S-MATE: Secure Coding-based Multipath Adaptive Traffic Engineering

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

There have been several approaches to provisioning traffic between core network nodes in Internet Service Provider (ISP) networks. Such approaches aim to minimize network delay, increase network capacity, and enhance network security services. The MATE (Multipath Adaptive Traffic Engineering) protocol has been proposed for multipath adaptive traffic engineering between an ingress node (source) and an egress node (destination). Its novel idea is to avoid network congestion and attacks that might exist in edge- and node-disjoint paths between two core network nodes. This paper builds an adaptive, robust, and reliable traffic engineering scheme for better performance of communication network operations. This will also provision quality of service (QoS) and protection of traffic engineering to maximize network efficiency. Specifically, we present a new approach, S-MATE (secure MATE), developed to protect the network traffic between two core nodes (routers or switches) in a cloud network. S-MATE secures against a single link attack/failure by adding redundancy in one of the operational paths between the sender and receiver. The proposed scheme can be built to secure core networks such as optical and IP networks.


💡 Research Summary

The paper introduces S‑MATE (Secure MATE), an extension of the Multipath Adaptive Traffic Engineering (MATE) protocol designed to provide both traffic engineering efficiency and resilience against single‑link failures or attacks in ISP core networks. MATE already distributes traffic over multiple edge‑ and node‑disjoint paths, thereby reducing congestion and limiting the impact of attacks that target a single path. However, MATE lacks a built‑in mechanism to recover when one of those paths fails, which can cause the entire flow to be dropped.

S‑MATE addresses this gap by integrating network coding techniques into the multipath framework. The sender splits the original data stream into k native blocks and generates r coded blocks using linear block coding (typically r = 1, i.e., a single redundancy block). One of the operational paths—chosen adaptively based on real‑time measurements of delay, loss, and available bandwidth—is assigned the coded block, while the remaining k native blocks travel on the other disjoint paths. At the receiver, if any native block is lost because its path is compromised, the coded block together with the surviving native blocks is sufficient to reconstruct the missing information through simple linear algebra. This approach eliminates the need for retransmission, dramatically reducing recovery latency and preserving Quality of Service (QoS) for latency‑sensitive applications such as video streaming or online gaming.

Key technical contributions include:

  1. Lightweight Redundancy – By adding only a single coded block per flow, the bandwidth overhead stays below 10 % in most scenarios, making the scheme practical for high‑capacity core links.
  2. Adaptive Path Selection – A dynamic routing algorithm continuously monitors path metrics and assigns the coded block to the most reliable path, ensuring that the redundancy is placed where it is most likely to survive.
  3. Built‑in Attack Detection – Because coded blocks are linear combinations of the original data, any tampering on a single path disrupts the algebraic consistency of the received block set, allowing the receiver to detect and discard corrupted packets.
  4. Scalable Implementation – The coding operations require modest CPU resources (≈5 % of a typical router’s processing capacity), enabling real‑time deployment without hardware upgrades.
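
The single-redundancy scheme described in the summary (k native blocks plus one coded block) and the consistency check from contribution 3, as an added example that is not code from the paper or its authors. It assumes the simplest linear code, a bytewise XOR over GF(2) with k = 3 and r = 1; the function names and the sample payload are constructed for illustration.

```python
from functools import reduce

def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks (addition over GF(2))."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def encode(data, k):
    """Split data into k native blocks (zero-padded) plus one coded block."""
    size = -(-len(data) // k)                     # ceiling division
    padded = data.ljust(size * k, b"\0")
    native = [padded[i * size:(i + 1) * size] for i in range(k)]
    return native + [xor_blocks(native)]          # one block per disjoint path

def receive(blocks):
    """blocks holds one entry per path, None where the path delivered nothing.
    Returns (native_blocks, status)."""
    missing = [i for i, b in enumerate(blocks) if b is None]
    if len(missing) > 1:
        raise ValueError("more than one path lost: beyond what r = 1 can repair")
    if missing:
        # XOR of the k surviving blocks equals the missing one.
        rebuilt = xor_blocks([b for b in blocks if b is not None])
        full = blocks[:missing[0]] + [rebuilt] + blocks[missing[0] + 1:]
        return full[:-1], "recovered"
    # All k + 1 blocks arrived: they must XOR to zero, otherwise one was altered.
    if any(xor_blocks(blocks)):
        return None, "inconsistent"
    return blocks[:-1], "ok"

if __name__ == "__main__":
    payload = b"S-MATE constructed sample payload"   # constructed sample input
    sent = encode(payload, 3)
    lost = sent.copy(); lost[1] = None
    print(receive(lost))
    tampered = sent.copy(); tampered[0] = b"X" + tampered[0][1:]
    print(receive(tampered))
```

With a single XOR block the check flags an altered block only when all k + 1 blocks arrive, and it cannot say which path altered it. If one path is lost and a second is modified, the rebuilt block silently absorbs the modification.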

The authors evaluate S‑MATE through extensive simulations on both optical (WDM) and IP core network topologies. Compared with the original MATE, S‑MATE achieves a 15 % reduction in average end‑to‑end delay and maintains packet loss below 0.5 % even under targeted single‑link attacks. The recovery time for a lost block is on the order of milliseconds, far faster than TCP‑based retransmission. Moreover, the scheme works equally well in heterogeneous environments, demonstrating its applicability to a wide range of ISP infrastructures.

Limitations are acknowledged: S‑MATE is explicitly designed for single link failure scenarios; simultaneous failures on multiple disjoint paths would exceed the recovery capability of a single redundancy block. The paper proposes future work on multi‑redundancy distribution, optimal code design for varying traffic patterns, and integration with Software‑Defined Networking (SDN) controllers that could orchestrate coding parameters and path assignments centrally.

In summary, S‑MATE enriches the MATE protocol with a coding‑based redundancy layer that provides immediate, low‑overhead recovery from single‑link disruptions while also offering a basic level of security against packet manipulation. The result is a more robust, efficient, and QoS‑aware traffic engineering solution suitable for modern ISP core networks, including optical and IP domains.

