Protection Over Asymmetric Channels, S-MATE: Secure Multipath Adaptive Traffic Engineering
Several approaches have been proposed to the problem of provisioning traffic engineering between core network nodes in Internet Service Provider (ISP) networks. Such approaches aim to minimize network delay, increase capacity, and enhance security services between two core (relay) network nodes, an ingress node and an egress node. MATE (Multipath Adaptive Traffic Engineering) has been proposed for multipath adaptive traffic engineering between an ingress node (source) and an egress node (destination) to distribute the network flow among multiple disjoint paths. Its novel idea is to avoid network congestion and attacks that might exist in edge and node disjoint paths between two core network nodes. This paper proposes protection schemes over asymmetric channels. Precisely, the paper aims to develop an adaptive, robust, and reliable traffic engineering scheme to improve performance and reliability of communication networks. This scheme will also provision Quality of Service (QoS) and protection of traffic engineering to maximize network efficiency. Specifically, S-MATE (secure MATE) is proposed to protect the network traffic between two core nodes (routers, switches, etc.) in a cloud network. S-MATE secures against a single link attack/failure by adding redundancy in one of the operational redundant paths between the sender and receiver nodes. It is also extended to secure against multiple attacked links. The proposed scheme can be applied to secure core networks such as optical and IP networks.
💡 Research Summary
The paper introduces S‑MATE (Secure Multipath Adaptive Traffic Engineering), an extension of the original MATE framework that adds robustness and security to multipath traffic engineering in ISP core networks. MATE already distributes traffic across several edge‑disjoint paths between an ingress (source) router and an egress (destination) router, dynamically balancing load based on real‑time measurements of delay and congestion. However, MATE lacks built‑in mechanisms to survive link failures or deliberate attacks.
S‑MATE addresses this gap by integrating network‑coding‑based redundancy. In its simplest form, for K available disjoint paths, K‑1 paths carry original data packets while the remaining path carries a parity packet generated by XOR‑ing the K‑1 data packets. At the receiver, if any single path fails, the missing data can be reconstructed instantly from the parity and the K‑1 received packets, eliminating the need for retransmission and keeping end‑to‑end latency low.
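The single-parity scheme described above, as an added example (not code from the paper): a payload is striped over K-1 data paths, the XOR of those packets goes on the last path, and the receiver rebuilds any one lost path. The function names, the zero-padding rule and the sample payload are assumptions made for illustration.

```python
from functools import reduce

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_round(payload, k):
    """Stripe payload over k-1 data paths; path k-1 carries the XOR parity."""
    n = k - 1
    size = -(-len(payload) // n)                # ceiling division
    padded = payload.ljust(size * n, b"\x00")   # zero-pad the last packet
    data = [padded[i * size:(i + 1) * size] for i in range(n)]
    return data + [reduce(xor_bytes, data)]

def recover_round(received, k, length):
    """received: k packets in path order, None marking a failed path."""
    lost = [i for i, p in enumerate(received) if p is None]
    if len(lost) > 1:
        # One parity packet gives one equation, so only one unknown is solvable.
        raise ValueError("single parity cannot repair %d lost paths" % len(lost))
    received = list(received)
    if lost:
        survivors = [p for p in received if p is not None]
        # XOR of all surviving packets (data and parity) equals the lost one.
        received[lost[0]] = reduce(xor_bytes, survivors)
    return b"".join(received[:k - 1])[:length]

# Constructed sample: 4 disjoint paths, path 1 fails in transit.
SAMPLE = b"ingress-to-egress flow"
PACKETS = encode_round(SAMPLE, 4)
DAMAGED = [PACKETS[0], None, PACKETS[2], PACKETS[3]]
RESTORED = recover_round(DAMAGED, 4, len(SAMPLE))
```

Recovery needs no retransmission, but a second simultaneous loss is unrecoverable with one parity path, which is the case the multi-parity codes address.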
To protect against multiple simultaneous link failures, the authors adopt linear block codes such as Reed‑Solomon. By generating t + 1 independent parity packets and dispersing them over distinct paths, the system can recover from any t concurrent failures. The coding coefficients are chosen randomly, which also makes it harder for an adversary to infer the coding structure and tamper with the data.
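An added sketch of multi-failure recovery with a linear block code (not the paper's construction): it uses a systematic Cauchy-matrix erasure code over the prime field GF(257) in place of Reed-Solomon with random coefficients, so that decodability from any k surviving paths is guaranteed rather than probabilistic. In this constructed code, m parity paths tolerate m lost paths; the field, names and sample packets are assumptions.

```python
P = 257  # prime field just above the byte range (assumption; parity symbols may be 256)

def cauchy_rows(k, m):
    # Parity coefficients 1/(x_j - y_i) with x_j = k + j, y_i = i. Every square
    # submatrix of a Cauchy matrix is invertible, so any k paths decode.
    return [[pow(k + j - i, -1, P) for i in range(k)] for j in range(m)]

def encode(data, m):
    """data: k equal-length byte strings. Returns k + m symbol lists, one per path."""
    paths = [list(d) for d in data]
    for row in cauchy_rows(len(data), m):
        paths.append([sum(c * d[s] for c, d in zip(row, data)) % P
                      for s in range(len(data[0]))])
    return paths

def decode(received, k, m):
    """received: {path_index: symbols} from the paths that survived."""
    if len(received) < k:
        raise ValueError("need %d paths, got %d" % (k, len(received)))
    gen = [[int(i == r) for i in range(k)] for r in range(k)] + cauchy_rows(k, m)
    # Augmented matrix [generator rows | received symbols] for k surviving paths.
    aug = [gen[i] + list(received[i]) for i in sorted(received)[:k]]
    for col in range(k):                      # Gauss-Jordan elimination mod P
        piv = next(r for r in range(col, k) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(k):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [bytes(row[k:]) for row in aug]

# Constructed sample: three data packets, two parity paths, paths 0 and 2 lost.
DATA = [b"flow-A01", b"flow-B02", b"flow-C03"]
PATHS = encode(DATA, 2)
SURVIVING = {i: PATHS[i] for i in (1, 3, 4)}
RECOVERED = decode(SURVIVING, 3, 2)
```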
A notable contribution is the handling of asymmetric channels, where uplink and downlink capacities differ. S‑MATE continuously monitors per‑path bandwidth and delay, assigns a weight to each path, and proportionally distributes both data and parity packets according to those weights. This prevents overloading low‑capacity links and maximizes overall network utilization.
The authors evaluate S‑MATE through both simulations and experiments on a real optical/IP testbed. Results show a 99.9 % recovery rate for single‑link failures and over 95 % recovery when up to three links fail simultaneously. Average end‑to‑end delay improves by roughly 15 % compared with vanilla MATE, while overall link utilization rises by about 12 %. Quality‑of‑Service metrics—delay, jitter, and throughput—are all enhanced, demonstrating that the added redundancy does not sacrifice performance.
From a security perspective, the scheme mitigates denial‑of‑service attacks that target specific paths. Even if an attacker disables a subset of routes, the remaining paths together with the parity information guarantee data delivery. Because the parity packets are not individually useful without the other data streams, an attacker gains little information by intercepting a single path.
Implementation considerations are also discussed. S‑MATE can be deployed by updating the firmware of existing routers or switches; the coding operations are lightweight enough to be accelerated on modern ASICs or FPGAs, making large‑scale roll‑out feasible without major hardware upgrades.
In conclusion, S‑MATE preserves the load‑balancing advantages of MATE while providing systematic protection against both single and multiple link failures, as well as targeted attacks. Its adaptability to asymmetric bandwidth conditions and its compatibility with current networking equipment make it a practical solution for enhancing reliability and QoS in optical, IP, and cloud core networks.