The multi-controller scheme is widely adopted in Software-Defined Wide Area Networks (SDWANs), where a WAN is segmented into multiple domains, each controlled by one controller. These controllers communicate with each other in-band, necessitating authentication before exchanging control messages. However, relying solely on identification of a single node for authentication exposes the network to spoofing attacks, jeopardizing its security. To address this issue, we present , an innovative -threshold signature-based authentication scheme that verifies not only the node itself but also its “endorsement” nodes to establish its identity. We have investigated the best practice for defining the “endorsement” relationships concerning security and overheads, formulating the problem as an integer programming problem. We have demonstrated the polynomial-time hardness (NP-hardness) of the problem and proposed an efficient algorithm. Through our rigorous simulation analysis, we show that can provide comparative performance with Optimal and reduce time usage by over 90%.

中文翻译：

---

Seraph：在多域 SDWAN 中使用[公式省略]阈值签名实现安全高效的多控制器身份验证


多控制器方案广泛应用于软件定义广域网 (SDWAN)，其中 WAN 被分割成多个域，每个域由一个控制器控制。这些控制器在带内相互通信，因此在交换控制消息之前需要进行身份验证。然而，仅仅依靠单个节点的识别来进行身份验证会使网络遭受欺骗攻击，从而危及其安全。为了解决这个问题，我们提出了一种创新的基于阈值签名的身份验证方案，该方案不仅验证节点本身，还验证其“背书”节点以建立其身份。我们研究了定义有关安全性和开销的“认可”关系的最佳实践，并将问题表述为整数规划问题。我们证明了问题的多项式时间硬度（NP 硬度）并提出了一种有效的算法。通过我们严格的模拟分析，我们表明可以提供与最佳性能相比的性能，并减少 90% 以上的时间使用。