Frederik Hauser,Mark Schmidt,Michael Menth,Marco Haberle

DOI: https://doi.org/10.1109/access.2020.3012738

IF: 3.9

2020-01-01

IEEE Access

Abstract:In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub [1]. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sukhveer Kaur,Krishan Kumar,Naveen Aggarwal

DOI: https://doi.org/10.1016/j.comcom.2021.01.027

IF: 5.047

2021-03-01

Computer Communications

Abstract:<p>Software Defined Networking (SDN) is a promising technology that provides flexibility, programmability, and network automation by shifting the network intelligence to the logically centralized controller. In SDN architecture, the controller maintains the global view of network topology; therefore the network management is efficient as compared to the traditional networks. Moreover, the cost of SDN devices is less due to the use of open source network operating system instead of proprietary and vendor-specific software. In spite of the flexibility offered by the SDN, OpenFlow enabled switches have a fixed behavior as specified in the datasheet of switch ASIC. They recognize fixed set of header fields according to the support of OpenFlow version. In addition, SDN is suffering from scalability and performance issues because SDN switches heavily dependent on the control plane to forward the packets which increases the data-control communication overhead. To resolve these issues, P4-Programmable data plane switches can be used. The analysis of review articles about SDN suggests insufficient focus on the data plane programmability. Therefore, this paper provides the comprehensive overview of domain-specific language (P4) for the programmability of the data plane. We have discussed the problems in the traditional SDN architecture and then, how these problems can be managed by the data plane programmability. Further, this study critically analyse the research articles based on the P4 programming language for network traffic monitoring, DDoS attack detection, load balancing, and packet aggregation and disaggregation. Finally, we have identified the research gaps and highlighted the open research challenges in the field of data plane programmability for the future directions.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhuge Bin,Wang Baoxia,Wang Yining,Wu Chunming,Yao Minhui

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015207

2015-01-01

Abstract:Firstly，the concept of SDN applications was proposed from the perspective of users payment for allocating network resources.Secondly，with the comparison between traditional desktop application programming and network programming，the advantage of SDN programming was described.Thirdly，the concept of software defined price （SDP）was introduced.Based on the characteristics of SDN applications，the framework of SDP-based SDN application so as to apply to the OpenDaylight open source project was designed.Finally，an implementation of creating a virtual tenant network based on SDP was showed.The results of experiment present that the users can choose their desired virtual tenant according to the mechanism of SDP.

Dong Zhang,Xiang Chen,Qun Huang,Xiaoyan Hong,Chunming Wu,Haifeng Zhou,Yi Yang,Hongyan Liu,Yuxin Chen

DOI: https://doi.org/10.1109/access.2019.2950446

IF: 3.9

2019-01-01

IEEE Access

Abstract:Network function virtualization allows network functions to be implemented and managed flexibly as a service function chain (SFC) in the data plane to process flows. However, software-based SFCs lead to poor performance compared to proprietary middleboxes. Moreover, existing solutions tackling performance issues suffer from the development complexity incurred by hardware details. To address these problems, we leverage both the high performance of P4-capable devices and the high flexibility of P4 language. In this paper, we present a P4 Service Chaining framework (P4SC), which tackles multiple challenges for P4 to support the SFC implementation. P4SC provides a suite of primitives allowing efficient SFC expression, and a converter and a generator converting input SFC requests to the corresponding P4 program. Here, an algorithm based on longest common subsequence (LCS) is used to allow simultaneously implementing multiple SFCs. Moreover, P4SC offers a runtime manager for flexible SFC management at runtime. It also provides an automatic integration mechanism to integrate P4-based NFs into P4SC. We implement a P4SC prototype, which supports three types of P4-capable devices. The experimental results show that P4SC outperforms state of the arts with orders-of-magnitude SFC performance improvement while maintains high flexibility.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Shan Jing,Chuan Zhao,Wenxiu Zhang

DOI: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys60770.2023.00055

2023-12-17

Abstract:As Software Defined Networking (SDN) becomes increasingly prevalent, the risk of Distributed Denial of Service (DDoS) attacks targeting SDN also grows. Specifically, the SDN data plane, consisting of simple forwarding devices, is more susceptible to DDoS attacks launched by malicious actors. These attacks can impose tremendous load on the SDN, potentially leading to its complete collapse in severe cases. The traditional SDN architecture based on the OpenFlow Protocol falls short in meeting the requirements for programming the data plane. To address this challenge and improve the flexibility of SDN architectures, the Programming Protocol-Independent Packet Processors (P4) has emerged. However, existing solutions, primarily based on Statistical Learning, Machine Learning, and Deep Learning, require further enhancement in terms of accuracy, complexity, and latency. In this study, we utilize the P4 language to implement a programmable data plane and propose the P4-CACNN model for detecting and defending against DDoS attacks on the data plane. Firstly, we employ an appropriate attention mechanism to enhance the processing of incoming traffic. Subsequently, the data is fed into a discriminator consisting of a Convolutional Neural Network (CNN) to classify whether it constitutes attack traffic. Experimental results demonstrate that our proposed model achieves a remarkable 98.99% accuracy in detecting DDoS attacks on the SDN data plane, while maintaining low latency.

Computer Science,Engineering

Ya Gao,Zhenling Wang

DOI: https://doi.org/10.1155/2021/1257046

2021-11-23

Mobile Information Systems

Abstract:Network attacks show a trend of increased attack intensity, enhanced diversity, and more concealed attack methods, which put forward higher requirements for the performance of network security equipment. Unlike the SDN (software defined network) switch with a fixed-function data plane, switches with programmable data planes can help users realize more network protocols. Programming Protocol-independent Packet Processors (P4) is proposed to define the operations of the data plane and to implement user’s applications, e.g., data center networks, security, or 5G. This paper provides a review of research papers on solving network security problems with P4-based programmable data plane. The work can be organized into two parts. In the first part, the programming language P4, P4 program, architectures, P4 compilers, P4 Runtime, and P4 target are introduced according to the workflow model. The advantages of P4-based programmable switching in solving network security are analyzed. In the second part, the existing network security research papers are divided into four parts according to the perspectives of passive defense, active defense, and combination of multiple technologies. The schemes in each category are compared, and the core ideas and limitations are clarified. In addition, a detailed comparison is made for the research on the performance of P4 targets. Finally, trends and challenges related to the P4-based programmable data plane are discussed.

computer science, information systems,telecommunications

Bhargavi Goswami,Manasa Kulkarni,Joy Paulose

DOI: https://doi.org/10.1109/access.2023.3275756

IF: 3.9

2023-01-01

IEEE Access

Abstract:Software Defined Networking (SDN) has been a prominent technology in the last decade that increases networking programmability. The SDN philosophy decouples the application, control, and data plane to increase the network programmability. The data plane is an essential but unsolved component that receives less attention than control and application planes. Traditionally, the data plane uses fixed functions that forward packets using a limited number of protocols. The P4 (Programming Protocol-independent Packet Processors) language makes it possible to program SDN data plane, which push the SDN to the next level. In the research community and industry, programming the data plane has garnered significant attention. Surprisingly, there has been no comprehensive reviews of programmable data-plane switches, which have many advantages in today’s networks. The authors reviewed the evolution of networks from legacy to programmable data planes, explained the fundamentals of programmable switches, and summarized the network generation from traditional to programmable networks. In this paper, SDN is described from a P4-centric standpoint and discusses over 75 related research papers. Several taxonomies for the field are provided, outline potential research areas, and provide greater details regarding the patterns that have led to the development of this technology.

computer science, information systems,telecommunications,engineering, electrical & electronic

Athanasios Liatifis,Panagiotis Sarigiannidis,Vasileios Argyriou,Thomas Lagkas

DOI: https://doi.org/10.1145/3556973

IF: 16.6

2023-01-18

ACM Computing Surveys

Abstract:Software-defined Networking (SDN) marked the beginning of a new era in the field of networking by decoupling the control and forwarding processes through the OpenFlow protocol. The Next Generation SDN is defined by Open Interfaces and full programmability of the data plane. P4 is a domain-specific language that fulfills these requirements and has known wide adoption over recent years from Academia and Industry. This work is an extensive survey of the P4 language covering domains of application, a detailed overview of the language, and future directions.

computer science, theory & methods

Yazhe Tang,Zixin Xu,Jie Han

DOI: https://doi.org/10.1109/iccis59958.2023.10453777

2023-01-01

Abstract:Encrypting sensitive information such as IP address and port number of data stream can improve the detection resistance of data during network transmission and reduce security threats. The challenge is that the process of achieving sensitive information obfuscation is complex in traditional network environments with limited network node capabilities. Existing work is mostly based on the principles of traditional cryptography to attain secure end-to-end encrypted authentication and transmission. However, it suffers from high time and space costs, complex and inefficient terminal systems, and the inability to encrypt the aforementioned sensitive information. In this paper, we propose to use the P4(Programming Protocol-independent Packet Processors Procedure, one domain-specific language for data plane) to empower network nodes with encryption and decryption of sensitive identification information in a programmable network environment, combined with a control plane to embed traffic security efforts inside the network and ensure the process is transparent to the end system. Experimental results demonstrate that the P4-based encryption and obfuscation mechanism can ensure data transmission in a hybrid network environment of traditional and programmable networks, obfuscating sensitive information without causing performance burden in terms of transmission delay and throughput.

Francesco Paolucci,Filippo Cugini,Piero Castoldi,Tomasz Osinski

DOI: https://doi.org/10.1109/mnet.021.1900599

IF: 10.294

2021-05-01

IEEE Network

Abstract:The 5G network revolution will be enabled by deep integration of Software Defined Networking (SDN) and Network Function Virtualization (NFV) to support multi-tenancy, per-user and per-application quality of service and experience. However, full softwarization and current SDN platforms may not be able to sustain the complexity and the heterogeneity of different requirements, for example, strict latency, jitter, high precision traffic and advanced monitoring. For such services, SDN/NFV needs to be boosted not only considering orchestration and control plane, but also data plane programmability. In this article, the potential of the P4 language is illustrated with the aim to show its disruptive novel functionalities at the data plane level currently not available in a SDN/NFV network, opening the way to new orchestration frameworks and enabling a novel autonomic and flexible network at the edge. Use cases, assessments and softwarized performance results are proposed and discussed in the edge and IoT scenario, targeting advanced traffic engineering, cyber security, multi-tenancy, 5G offloading, and telemetry, to demonstrate the feasibility of such an approach.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Wojciech Kozlowski,Fernando Kuipers,Stephanie Wehner

DOI: https://doi.org/10.1145/3426744.3431321

2020-10-22

Abstract:The quantum technology revolution brings with it the promise of a quantum internet. A new -- quantum -- network stack will be needed to account for the fundamentally new properties of quantum entanglement. The first realisations of quantum networks are imminent and research interest in quantum network protocols has started growing. In the non-quantum world, programmable data planes have broken the pattern of ossification of the protocol stack and enabled a new -- software-defined -- network software architecture. Similarly, a programmable quantum data plane could pave the way for a software-defined quantum network architecture. In this paper, we demonstrate how we use P4$_{16}$ to explore abstractions and device architectures for quantum networks.

Networking and Internet Architecture,Quantum Physics

Frederik Hauser,Mark Schmidt,Marco Häberle,Michael Menth

DOI: https://doi.org/10.48550/arXiv.1904.07088

2019-04-15

Networking and Internet Architecture

Abstract:We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on Github.

Kairo Tavares,Tiago Ferreto

DOI: https://doi.org/10.5753/sbrc.2021.16738

2021-08-16

Abstract:Network Intrusion Detection Systems (NIDS) are one of the key defense mechanisms employed to detect and mitigate network-based threats. Several works explored the ability to offload NIDS pre-filtering capabilities to hardware platforms in order to reduce resource usage saturation and improve detection accuracy. Among them, network data plane solutions in SDN aim to leverage the hardware speed and the recent flexibility of programmable switches. However, those solutions are designed without considering a constrained data plane with limited table sizes and memory space, thus reducing accuracy detection and vulnerability buffer saturation attacks. This paper proposes P4- ONIDS, a solution that improves the parsing and compilation of NIDS rules for the data plane alongside sketch-based solutions for suspicious flow pre-filtering while maintaining a low usage of resources and leveraging the hardware speed of the data plane. We evaluate the compiler and our pre-filtering data plane capabilities in an emulated environment using Mininet with Snort NIDS. Results have shown more than 400x reduction on generated P4 rules. Some experiments reach an accuracy of approximately 90% with 40% of packets filtering.

Frederik Hauser,Marco Häberle,Daniel Merling,Steffen Lindner,Vladimir Gurevich,Florian Zeiger,Reinhard Frank,Michael Menth

DOI: https://doi.org/10.1016/j.jnca.2022.103561

IF: 7.574

2023-03-01

Journal of Network and Computer Applications

Abstract:Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane application programming interfaces (APIs) which may be leveraged by user-defined software-defined networking (SDN) control. This offers great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community, and it is supported by various software and hardware platforms. In the first part of this paper we give a tutorial of data plane programming models, the P4 programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we categorize a large body of literature of P4-based applied research into different research domains, summarize the contributions of these papers, and extract prototypes, target platforms, and source code availability. For each research domain, we analyze how the reviewed works benefit from P4’s core features. Finally, we discuss potential next steps based on our findings.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Arash Shaghaghi,Mohamed Ali Kaafar,Rajkumar Buyya,Sanjay Jha

DOI: https://doi.org/10.48550/arXiv.1804.00262

2018-04-01

Abstract:Software-Defined Network (SDN) radically changes the network architecture by decoupling the network logic from the underlying forwarding devices. This architectural change rejuvenates the network-layer granting centralized management and re-programmability of the networks. From a security perspective, SDN separates security concerns into control and data plane, and this architectural recomposition brings up exciting opportunities and challenges. The overall perception is that SDN capabilities will ultimately result in improved security. However, in its raw form, SDN could potentially make networks more vulnerable to attacks and harder to protect. In this paper, we focus on identifying challenges faced in securing the data plane of SDN - one of the least explored but most critical components of this technology. We formalize this problem space, identify potential attack scenarios while highlighting possible vulnerabilities and establish a set of requirements and challenges to protect the data plane of SDNs. Moreover, we undertake a survey of existing solutions with respect to the identified threats, identifying their limitations and offer future research directions.

Cryptography and Security

Ermin Sakic,Nemanja Deric,Endri Goshi,Wolfgang Kellerer

DOI: https://doi.org/10.48550/arXiv.1905.04064

2019-08-14

Abstract:Byzantine Fault Tolerance (BFT) enables correct operation of distributed, i.e., replicated applications in the face of malicious take-over and faulty/buggy individual instances. Recently, BFT designs have gained traction in the context of Software Defined Networking (SDN). In SDN, controller replicas are distributed and their state replicated for high availability purposes. Malicious controller replicas, however, may destabilize the control plane and manipulate the data plane, thus motivating the BFT requirement. Nonetheless, deploying BFT in practice comes at a disadvantage of increased traffic load stemming from replicated controllers, as well as a requirement for proprietary switch functionalities, thus putting strain on switches' control plane where particular BFT actions must be executed in software. P4BFT leverages an optimal strategy to decrease the total amount of messages transmitted to switches that are the configuration targets of SDN controllers. It does so by means of message comparison and deduction of correct messages in the determined optimal locations in the data plane. In terms of the incurred control plane load, our P4-based data plane extensions outperform the existing solutions by ~33.2% and ~40.2% on average, in random 128-switch and Fat-Tree/Internet2 topologies, respectively. To validate the correctness and performance gains of P4BFT, we deploy bmv2 and Netronome Agilio SmartNIC-based topologies. The advantages of P4BFT can thus be reproduced both with software switches and "commodity" P4-enabled hardware. A hardware-accelerated controller packet comparison procedure results in an average 96.4% decrease in processing delay per request compared to existing software approaches.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Chen Sun,Jun Bi,Haoxian Chen,Hongxin Hu,Zhilong Zheng,Shuyong Zhu,Chenghui Wu

DOI: https://doi.org/10.1109/tnet.2017.2726550

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:As the prevailing technique of software-defined networking (SDN), open flow introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, open flow only provides a simple "match-action" paradigm and lacks the functionality of stateful forwarding for the SDN data plane, which limits its ability to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel stateful data plane architecture (SDPA) for the SDN data plane. A co-processing unit, forwarding processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended open flow protocol to support the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, domain name system (DNS) reflection defense, and heavy hitter detection applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

D. Siracusa,R. D. Corin,Marco Savi,Luca Mendozzi,Luis Augusto Dias Knob

DOI: https://doi.org/10.48550/arXiv.2307.05936

2023-07-12

Abstract:Programmable data planes offer precise control over the low-level processing steps applied to network packets, serving as a valuable tool for analysing malicious flows in the field of intrusion detection. Albeit with limitations on physical resources and capabilities, they allow for the efficient extraction of detailed traffic information, which can then be utilised by Machine Learning (ML) algorithms responsible for identifying security threats. In addressing resource constraints, existing solutions in the literature rely on compressing network data through the collection of statistical traffic features in the data plane. While this compression saves memory resources in switches and minimises the burden on the control channel between the data and the control plane, it also results in a loss of information available to the Network Intrusion Detection System (NIDS), limiting access to packet payload, categorical features, and the semantic understanding of network communications, such as the behaviour of packets within traffic flows. This paper proposes P4DDLe, a framework that exploits the flexibility of P4-based programmable data planes for packet-level feature extraction and pre-processing. P4DDLe leverages the programmable data plane to extract raw packet features from the network traffic, categorical features included, and to organise them in a way that the semantics of traffic flows are preserved. To minimise memory and control channel overheads, P4DDLe selectively processes and filters packet-level data, so that only the features required by the NIDS are collected. The experimental evaluation with recent Distributed Denial of Service (DDoS) attack data demonstrates that the proposed approach is very efficient in collecting compact and high-quality representations of network flows, ensuring precise detection of DDoS attacks.

Computer Science,Engineering