
Security Middleware Programming Using P4

  • Péter Vörös
  • Attila Kiss
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9750)

Abstract

Today’s Internet requires easily manageable and simply extensible network control systems, which cannot be said of current networks. Software-Defined Networking (SDN) [1] is an emerging architecture that aims to create a system for these upcoming needs by offering operators a directly programmable, agile, centrally managed, and programmatically configured way to control their network [2]. SDN decouples the network control and forwarding functions, which makes it easier to create new abstractions in networking, simplifying management and making network advancement easier.

SDN devices are programmable through a dedicated interface with a specific protocol, of which the best known is OpenFlow [3]. The biggest problem with OpenFlow is that it does not support new header definitions, which network operators need in order to apply new packet encapsulations. To overcome this limitation of OpenFlow, a new high-level language has been created: Programming Protocol-independent Packet Processors (P4) [4]. This language supports a fully programmable parser, which lets us define new headers without difficulty.

Although P4 offers many opportunities, we focused on the network security field. In this paper we introduce the first security middleware programmed and configured in P4. Our software works as a layer 3 firewall with protocol and port filtering, flood attack detection, and the ability to make decisions based on Ethernet, IPv4, IPv6, TCP, and UDP header fields.
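To make the abstract's claim concrete, here is an added illustration, not code from the paper, of the two P4 building blocks such a middleware relies on: a programmable parser for the Ethernet/IPv4/TCP headers and a single match-action table that drops packets by address, protocol and port. It is written in P4_14 syntax (the P4 version current in 2016) and assumes a P4_14 target such as the bmv2 reference software switch; the header, table and action names are our own, and the flood-detection part of the authors' design is not shown.

```p4
// Added illustration (not the paper's code): P4_14 parser for Ethernet/IPv4/TCP
// plus one match-action table that drops by address, protocol and port.
header_type ethernet_t { fields { dstAddr : 48; srcAddr : 48; etherType : 16; } }
header_type ipv4_t {
    fields {
        version : 4; ihl : 4; diffserv : 8; totalLen : 16;
        identification : 16; flags : 3; fragOffset : 13;
        ttl : 8; protocol : 8; hdrChecksum : 16;
        srcAddr : 32; dstAddr : 32;
    }
}
// Only the two port fields are declared: nothing after them is parsed or matched here.
header_type tcp_t { fields { srcPort : 16; dstPort : 16; } }

header ethernet_t ethernet;
header ipv4_t     ipv4;
header tcp_t      tcp;

// The parser is a state machine: each state extracts one header and selects
// the next state from a field value (this is what OpenFlow cannot express).
parser start { return parse_ethernet; }
parser parse_ethernet {
    extract(ethernet);
    return select(latest.etherType) {
        0x0800  : parse_ipv4;   // IPv4; anything else reaches ingress with ipv4/tcp invalid
        default : ingress;
    }
}
parser parse_ipv4 {
    extract(ipv4);
    return select(latest.protocol) {
        6       : parse_tcp;    // TCP
        default : ingress;
    }
}
parser parse_tcp { extract(tcp); return ingress; }

action _drop() { drop(); }
action _nop()  { }

// Rules are installed at run time by the control plane. Ternary keys allow
// wildcards, so one entry can block a whole protocol or one port on a subnet.
table l3_acl {
    reads {
        ipv4.dstAddr  : ternary;
        ipv4.protocol : ternary;
        tcp.dstPort   : ternary;
    }
    actions { _drop; _nop; }
    size : 1024;
}

control ingress { apply(l3_acl); }
control egress  { }
```

A table entry such as protocol 6 with dstPort 23 and action `_drop` blocks inbound Telnet; the same table with a wildcard on `tcp.dstPort` blocks an entire protocol.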

Keywords

Software-defined networking; OpenFlow; P4; Packet Processors; Security; Network virtualization; Programmable networks

Notes

Acknowledgment

The authors thank Ericsson Ltd. for support via the ELTE CNL collaboration.

References

  1. McKeown, N.: Software-defined networking. INFOCOM Keynote Talk 17(2), 30–32 (2009)
  2. Kreutz, D., Ramos, F.M., Esteves, P., Verissimo, C., Rothenberg, E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)
  3. openflow.org: OpenFlow definition (2015). http://archive.openflow.org/wp/learnmore/
  4. Bosshart, P., Daly, D., Gibb, G., Izzard, M., McKeown, N., Rexford, J., Schlesinger, C., Talayco, D., Vahdat, A., Varghese, G., et al.: P4: programming protocol-independent packet processors. ACM SIGCOMM Comput. Commun. Rev. 44(3), 87–95 (2014)
  5. opennetworking.org: SDN definition (2015). https://www.opennetworking.org/sdn-resources/sdn-definition
  6. Lopes, N.P., Bjørner, N., Godefroid, P., Jayaraman, K., Varghese, G.: Checking beliefs in dynamic networks. In: Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation, NSDI, vol. 15 (2015)
  7. P4.org: P4 latest specification (2016). http://p4.org/wp-content/uploads/2015/04/p4-latest.pdf
  8. P4 language evolution (2016). http://p4.org/p4/p4-language-evolution/
  9. Kozanitis, C., Huber, J., Singh, S., Varghese, G.: Leaping multiple headers in a single bound: wire-speed parsing using the kangaroo system. In: 2010 Proceedings IEEE INFOCOM, pp. 1–9. IEEE (2010)
  10. Yadav, N., Cohn, D.: OpenFlow primitive set (2011)
  11. Yu, M., Wundsam, A., Raju, M.: NOSIX: a lightweight portability layer for the SDN OS. ACM SIGCOMM Comput. Commun. Rev. 44(2), 28–35 (2014)
  12. Jeyakumar, V., Alizadeh, M., Kim, C., Mazières, D.: Tiny packet programs for low-latency network control and monitoring. In: Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks, p. 8. ACM (2013)
  13. Sivaraman, A., Winstein, K., Subramanian, S., Balakrishnan, H.: No silver bullet: extending SDN to the data plane. In: Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks, p. 19. ACM (2013)
  14. Kohler, E., Morris, R., Chen, B., Jannotti, J., Kaashoek, M.F.: The Click modular router. ACM Trans. Comput. Syst. (TOCS) 18(3), 263–297 (2000)
  15. mininet.org: Mininet - an instant virtual network on your laptop (2016). http://mininet.org

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Department of Information Systems, Faculty of Informatics, Eötvös Loránd University, Budapest, Hungary
  2. Department of Mathematics and Informatics, Faculty of Economics, J. Selye University, Komárno, Slovakia
