In today’s hyper-connected world, the Computing Continuum demands a fundamental shift in
how we secure data as it travels across the network. While traditional networking focuses on
finding the fastest path, the CASTOR project introduces a new, non-negotiable metric:
quantifiable trust.
Moving Beyond Binary Trust
Traditional security models often treat trust as a binary “on/off” switch, and a router is either
verified during boot-up, or it isn’t. However, in a dynamic environment where network
devices are frequently updated, misconfigured, or targeted by emerging vulnerabilities, a
“trusted” device can quickly become a security liability. CASTOR solves this by moving away
from static, point-in-time evaluations toward a continuous, evidence-based and
quantifiable trust assessment process.
Defining Trust and Trustworthiness
To build a secure framework, CASTOR first establishes a clear distinction between two
foundational concepts. Trustworthiness is a property of the trustee (such as a router)
representing the likelihood that it will fulfill a trustor’s expectations (like keeping data
confidential) within a specific context. Conversely, trust represents the subjective decision
made by the trustor to rely on that device based on objective evidence.
The Dual Brain of Assessment
Elevating trust characterization into actionable insights at the orchestration layer requires an
abundance of trustworthiness evidence collected directly from the routing plane. One of
CASTOR’s primary innovations is its federated Trust Assessment Framework (TAF),
which introduces a highly modular approach to this process. Rather than strictly relying on
the continuous transmission of trustworthiness evidence from the forwarding plane to the
orchestration layer, CASTOR enables localized, in-device trust evaluations. Therefore,
CASTOR provides the mechanisms at the orchestration layer to dynamically specify which
trust calculations should be executed locally – allowing the network elements to share
lightweight trust opinions – and which evaluations need to be made directly at a global level.
Overall, the overarching CASTOR trust characterization process is divided into two
specialized functions. A Local TAF agent is instantiated on each participating router to
assess its own internal health, verifying properties like secure boot integrity and runtime
behavioral correctness. Simultaneously, a Global TAF operates as a centralized trust
orchestrator at the management layer. It maintains a dynamic “Trust Topology” by collecting
reports from local agents and – potentially along with network-wide telemetry – provides a
holistic view of the network’s security posture. This allows the Global TAF to yield important
trust insights that can be used at the orchestration layer to calculate and enforce traffic
engineering policies that satisfy both network- and trust-related requirements.
The TAF consists of several tightly integrated sub-components that manage the lifecycle of a
trust decision:x
- Trust Model Manager (TMM): Manages the internal representation of trust
relationships as directed graphs of entities and propositions. - Trust Source Manager (TSM): Acts as the backbone of the evidence-based theory,
as it transforms raw evidence (like boot logs or behavioral telemetry) from different
Trust Sources into structured trust opinions. - Trustworthiness Level Expression Engine (TLEE): The computational core that
uses Subjective Logic algebra to calculate the Actual Trust Level (ATL) for various
propositions. These propositions may range from low-level trustworthiness claims at
the device level to composite evaluations that encompass an entire network path or
even an entire domain. - Trust Decision Engine (TDE): Compares the computed ATL against the Required
Trust Level (RTL) thresholds to produce actionable results, such as granting or
denying trust for a specific path.
Quantifying Uncertainty with Subjective Logic
In the real world, security evidence is rarely perfect; it can be incomplete, delayed, or even
conflicting. CASTOR addresses this by using subjective logic as its mathematical
foundation. Unlike standard probability, subjective logic allows the system to explicitly reason
with degrees of belief, disbelief, and uncertainty. This methodology ensures that decision-
making processes remain aware of evidence quality gaps, allowing the Global TAF to
“discount” reports from agents that are themselves considered less reliable.
The Path Forward: Continuous Verification
By adhering to Zero-Trust principles, CASTOR assumes no inherent trustworthiness on the
routing plane. Instead, it uses continuous monitoring to detect when a router’s Actual Trust
Level (ATL) falls below the Required Trust Levels (RTL). This drop in trust is treated with
the same urgency as a physical link failure, triggering immediate recalculations and the
enforcement of new, compliant traffic engineering policies.
By establishing this rigorous, evidence-based foundation, CASTOR transforms trust: from an
abstract concept into a dynamic, manageable network metric. This shift ensures that as the
Computing Continuum continues to expand, our most sensitive communications (from
emergency responder alerts to autonomous drone swarms) remain protected by an
infrastructure that never stops verifying. This enables a new approach for network integrity,
where secure data transmission is not just a best-effort goal, but a provable guarantee
across every hop of the path.
