Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Programmable data planes for network security
Roland Meier
nsg.ee.ethz.ch
HotSec 2019
2
if (packet_is_evil):
packet.ipv4.evil_bit = 1
else:
packet.ipv4.evil_bit = 0
Version Type of service Total length
Identifier Flags Fragment offset
Time to live Protocol Header checksum
Source address
Destination address
…
Header length
Evil DF MF
3
if (packet_is_evil):
packet.ipv4.evil_bit = 1
else:
packet.ipv4.evil_bit = 0
60 milliseconds
hours
50 GB
There has always been hardware to process packets.
What has changed?
4
This hardware is programmable
It is now possible to write programs for the control plane and the data plane of a network
5
vendor-specific software
slow but versatile
Control plane
fixed-function hardware
fast but restricted
Data plane
It is now possible to write programs for the control plane and the data plane of a network
6
vendor-specific software
slow but versatile
Control plane
fixed-function hardware
fast but restricted
Data plane
programmable custom
Programmable data planes are heavily used in the networking community
7
Programmable data planes are heavily used in the networking community
8
Programmable data planes are heavily used in the networking community
9
NSDI
SIGCOMM
23 papers
20
Programmable data planes are barely used in the security community
10
NSDI
SIGCOMM
S&P
USENIX Sec
CCS
NDSS
23 papers
20
1
1
0
3
Programmable data planes are barely used in the security community
11
NSDI
SIGCOMM
S&P
CCS
NDSS
23 papers
20
1
0
3
NetHide: Secure and Practical Network Topology Obfuscation
Roland Meier(1), Petar Tsankov(1), Vincent Lenders(2), Laurent Vanbever(1), Martin Vechev(1)
nethide.ethz.ch
USENIX Security 2018
(2)(1)
USENIX Sec 1
Programmable data planes are barely used in the security community
12
NSDI
SIGCOMM
CCS
NDSS
23 papers
20
0
3
USENIX Sec 1
S&P 1
Programmable data planes are barely used in the security community
13
NSDI
SIGCOMM
CCS
23 papers
20
0
USENIX Sec 1
S&P 1
NDSS 3
Why?
Programmable data planes are barely used in the security community
15
no sampling no impact on performance
Programmable data planes allow processing all packets at line rate
P4 is a domain-specific programming language
16[Andy Fingerhut: P4 in 500 words]
C
loops
recursive callspointersmallocfree
parserstablesarchitectures
Possibilities and limitations of programmable data planes
17
simple operations on all packets
extract information from packets
custom headers and protocols
complex operations
maintain (large) state
modify the payload
Let’s discuss these 2 topics (and more)
18
Roland [email protected]
Which network security applications can benefit from programmable data planes and how?
Which dangers does this new technology impose?e.g. related to attacks against data-plane programs