http://dx.doi.org/10.33778/kcsa.2020.20.5.003

Policy-based In-Network Security Management using P4 Network DataPlane Programmability  

Cho, Buseung (Korea Institute of Science and Technology Information / Science and Technology Research Network Center)
Abstract
The Internet and the networks built on it are now regarded as essential infrastructure for society, and the security threats against them keep increasing. However, the network switches that actually forward packets can counter these threats only through firewalls or network access control based on fixed rules, so the defence that the network itself can mount is very limited and does not respond actively. In this paper we propose an in-network security framework that uses the high-level data plane programming language P4 (Programming Protocol-independent Packet Processors) to handle DDoS attacks and IP spoofing attacks at the network level: all flows in the network are monitored in real time, and packets belonging to specific attacks are processed directly on the P4 switch. In addition, because the P4 switch applies the policy of the network user or administrator delivered through an SDN (Software-Defined Networking) controller, the framework can reflect the varied security requirements of different network application environments.
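The following P4_16 program is an added illustration of the three data-plane elements the abstract describes (per-flow monitoring, IP-spoofing rejection, DDoS rate policing, with policy tables filled by an SDN controller). It is not the paper's own code: it targets the bmv2 v1model architecture, the table, action and metadata names are assumed, and it presumes a controller that installs the per-port source prefixes, per-destination meter indices and policy entries over P4Runtime.

```p4
// Added example (not the paper's code): minimal in-network security pipeline
// for the bmv2 v1model target. Table names and the controller that populates
// them (assumed to use P4Runtime) are assumptions of this illustration.
#include <core.p4>
#include <v1model.p4>

typedef bit<9>  port_t;
typedef bit<32> ip4_t;
const bit<16> ETHERTYPE_IPV4 = 0x0800;
const bit<32> FLOW_SLOTS  = 4096;   // hashed per-flow counters the controller polls
const bit<32> METER_SLOTS = 1024;   // one packet meter per protected destination
const bit<32> COLOR_RED   = 2;      // v1model meter colours: 0 green, 1 yellow, 2 red

header ethernet_t { bit<48> dst; bit<48> src; bit<16> etherType; }
header ipv4_t {
    bit<4> version; bit<4> ihl; bit<8> dscp; bit<16> totalLen; bit<16> id;
    bit<3> flags; bit<13> fragOffset; bit<8> ttl; bit<8> protocol;
    bit<16> hdrChecksum; ip4_t srcAddr; ip4_t dstAddr;
}
struct metadata { bit<32> flow_idx; bit<32> color; }
struct headers  { ethernet_t ethernet; ipv4_t ipv4; }

parser MyParser(packet_in pkt, out headers hdr, inout metadata meta,
                inout standard_metadata_t std) {
    state start {
        pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) {
            ETHERTYPE_IPV4: parse_ipv4;
            default: accept;
        }
    }
    state parse_ipv4 { pkt.extract(hdr.ipv4); transition accept; }
}

control MyVerifyChecksum(inout headers hdr, inout metadata meta) { apply { } }

control MyIngress(inout headers hdr, inout metadata meta,
                  inout standard_metadata_t std) {
    counter(FLOW_SLOTS, CounterType.packets_and_bytes) flow_stats;
    meter(METER_SLOTS, MeterType.packets) dst_meter;

    action drop()   { mark_to_drop(std); }
    action permit() { }
    action forward(port_t port) { std.egress_spec = port; hdr.ipv4.ttl = hdr.ipv4.ttl - 1; }
    action police(bit<32> idx) { dst_meter.execute_meter(idx, meta.color); }

    // IP spoofing: a source prefix is accepted only on the ingress port it was
    // provisioned for (BCP38-style ingress filtering); everything else is dropped.
    table src_validate {
        key = { std.ingress_port: exact; hdr.ipv4.srcAddr: lpm; }
        actions = { permit; drop; }
        default_action = drop();
    }
    // Volumetric DDoS: per-destination packet meter whose rate the controller
    // configures; packets coloured RED are discarded in the switch, not at the victim.
    table dst_police {
        key = { hdr.ipv4.dstAddr: exact; }
        actions = { police; NoAction; }
        default_action = NoAction();
    }
    // User / administrator policy installed by the SDN controller.
    table policy {
        key = { hdr.ipv4.srcAddr: ternary; hdr.ipv4.dstAddr: ternary;
                hdr.ipv4.protocol: ternary; }
        actions = { forward; drop; }
        default_action = drop();
    }

    apply {
        meta.color = 0;
        if (!hdr.ipv4.isValid()) { drop(); return; }
        // Real-time flow monitoring: every packet is counted in a slot chosen by a
        // hash of its flow key; the controller reads flow_stats to spot anomalies.
        hash(meta.flow_idx, HashAlgorithm.crc32, 32w0,
             { hdr.ipv4.srcAddr, hdr.ipv4.dstAddr, hdr.ipv4.protocol }, FLOW_SLOTS);
        flow_stats.count(meta.flow_idx);
        switch (src_validate.apply().action_run) {
            drop: { return; }           // spoofed source, already marked to drop
        }
        dst_police.apply();
        if (meta.color == COLOR_RED) { drop(); return; }
        policy.apply();
    }
}

control MyEgress(inout headers hdr, inout metadata meta,
                 inout standard_metadata_t std) { apply { } }

control MyComputeChecksum(inout headers hdr, inout metadata meta) {
    apply {
        update_checksum(hdr.ipv4.isValid(),
            { hdr.ipv4.version, hdr.ipv4.ihl, hdr.ipv4.dscp, hdr.ipv4.totalLen,
              hdr.ipv4.id, hdr.ipv4.flags, hdr.ipv4.fragOffset, hdr.ipv4.ttl,
              hdr.ipv4.protocol, hdr.ipv4.srcAddr, hdr.ipv4.dstAddr },
            hdr.ipv4.hdrChecksum, HashAlgorithm.csum16);
    }
}

control MyDeparser(packet_out pkt, in headers hdr) {
    apply { pkt.emit(hdr.ethernet); pkt.emit(hdr.ipv4); }
}

V1Switch(MyParser(), MyVerifyChecksum(), MyIngress(), MyEgress(),
         MyComputeChecksum(), MyDeparser()) main;
```

Two operational caveats follow from this structure. Because src_validate defaults to drop, every legitimate (ingress port, source prefix) pair must be present in the table before traffic arrives; a controller that loses its entries blackholes the port rather than failing open. And the hashed flow_stats slots collide, so a hot slot is only a candidate that the controller must confirm with finer-grained keys before it installs a drop or a tighter meter rate.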
Keywords
In-network security; Data Plane Programmability; Software-Defined Network; P4;