```text
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type (8b)   |  Length (8b)  |     Reserved/Flags (16b)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Nonce (96b)                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Witness (64-256b)                       |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
This project demonstrates a mechanism for achieving Proof-of-Transit (PoT) in an SRv6 (Segment Routing over IPv6) network using eBPF (Extended Berkeley Packet Filter) programs attached to the Linux TC (Traffic Control) and XDP (eXpress Data Path) hooks.

The core idea is to carry a custom Type-Length-Value (TLV) object inside the Segment Routing Header (SRH) through every node on the path. The TLV holds metadata (a random nonce) and a keyed cryptographic hash, the witness, computed with one of the fast keyed-hash algorithms SipHash, Poly1305 or BLAKE3. Each node extends the witness with its own key, so downstream nodes can verify the path the packet actually took.
## Compiling the eBPF bytecode and the CLI tool

- Linux Kernel: a version supporting eBPF, TC BPF, XDP and SRv6.
- libbpf-dev: development headers for libbpf, matching the kernel version.
- iproute2: for managing TC filters and XDP programs.
- clang/llvm: for compiling the C sources to eBPF bytecode.
```bash
# Install Linux kernel headers and tools
apt install linux-image-$(uname -r) linux-headers-$(uname -r) linux-tools-$(uname -r)
# Install required libraries
apt install clang llvm libbpf-dev libelf-dev make
# Compile all algorithms
make blake3
make siphash
make halfsiphash
make hmac-sha1
make poly1305
# The artefacts are generated here
ls -l cmd/build/
```
## Usage options and key management

```text
Usage:
  seg6-pot-tlv --load <iface>
      Loads & attaches the eBPF XDP and TC programs to <iface> and pins the maps.
  seg6-pot-tlv --sid <sid> --key <key>
      Updates the pinned map with <sid> (IPv6) and its related <key> (max 32B).
  seg6-pot-tlv --keys
      Shows all the keys pinned in the key map with their related SID.

Examples:
  sudo ./seg6-pot-tlv --load ens5
  sudo ./seg6-pot-tlv --sid 2001:db8:ff:1::1 --key aa112233445566778899aabbccddeeff00112233445566778899aabbccddee11
  sudo ./seg6-pot-tlv --sid 2001:db8:ff:2::1 --key bb112233445566778899aabbccddeeff00112233445566778899aabbccddee22
  sudo ./seg6-pot-tlv --sid 2001:db8:ff:3::1 --key cc112233445566778899aabbccddeeff00112233445566778899aabbccddee33
  sudo ./seg6-pot-tlv --sid 2001:db8:ff:4::1 --key dd112233445566778899aabbccddeeff00112233445566778899aabbccddee44
```
## Debugging TLV logs and operations

```bash
# Monitor eBPF logs
bpftool prog trace
# Monitor SRv6 packets (IPv6 Next Header == 43, Routing Header)
tcpdump -pni any "ip6[6]==43" -vvv -x
tshark -i any -p -f "ip6[6]==43" -V -x
```
## Setting up the DEMO scenario for tests

## Running tests and evaluation

- Environment: x86_64 Xeon E5-2683 v4 @ 2.10GHz, 128G RAM, Ubuntu 24.04
- Tools: Clang 18.1.3, Kernel 6.11.0-19-generic, Realtek RTL8411 PCI Gigabit Ethernet
- SRv6 Domain: VRF 10 table local, IPv6 Network 2001:db8:ff::/48
- SRv6 Setup: R1 and R4 Action End.DT6; R2, R3 and R5 Action End
## Important

The following work and its results are the artefacts of a project presented for the Network Security class of a Master's in Computer Science at the State University of Londrina (UEL), in order to obtain a good grade on the subject.

This repository is created solely for educational purposes. The content provided here is intended to serve as examples and study material. There is no guarantee that the code or any other material is suitable or safe for production use.

If you choose to use any part of this project in a production environment, you do so at your own risk. It is strongly recommended to thoroughly review the code and implement proper testing before any production use.