Security Middleware Programming Using P4
Today's Internet requires easily manageable and easily extensible network control systems, which cannot be said of current networks. Software-Defined Networking (SDN) is an emerging architecture that aims to meet these upcoming needs by offering operators a directly programmable, agile, centrally managed, and programmatically configured way to control their network. SDN decouples the network control and forwarding functions, which makes it easier to create new abstractions in networking, simplifying management and easing network evolution.
SDN devices are programmable through a dedicated interface with a specific protocol, of which the best known is OpenFlow. The biggest limitation of OpenFlow is that it does not support new header definitions, which network operators need in order to apply new packet encapsulations. To overcome this limitation, a new high-level language has been created: Programming Protocol-independent Packet Processors (P4). This language supports a fully programmable parser, which allows new headers to be defined without difficulty.
Although P4 opens up many opportunities, we focused on the network security field. In this paper we introduce the first security middleware programmed and configured in P4. Our software works as a layer 3 firewall with protocol and port filtering, flood attack detection, and the ability to make decisions based on Ethernet, IPv4, IPv6, TCP, and UDP header fields.
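To make the abstract's design concrete, the following P4_16 program for the v1model architecture is an added illustration written for this page; it is not the paper's middleware or any code released by its authors. It shows the two pieces the abstract names: a programmable parser that extracts Ethernet, IPv4, IPv6, TCP and UDP headers, and an ingress pipeline that filters on addresses, IP protocol and destination port through ternary match tables and applies a crude per-destination-port packet counter as a flood check. The table and control names, the threshold value, the register size and the assumption that the control plane resets the counters every time window are all choices made for this example, not details taken from the paper.

```p4
// Added example (not the paper's code): a minimal layer-3/4 filter in P4_16 on v1model.
// Table names, FLOOD_THRESHOLD, register size and the reset policy are assumptions.
#include <core.p4>
#include <v1model.p4>

const bit<16> ETH_IPV4 = 0x0800;
const bit<16> ETH_IPV6 = 0x86DD;
const bit<8>  PROTO_TCP = 6;
const bit<8>  PROTO_UDP = 17;
const bit<32> FLOOD_THRESHOLD = 1000; // assumed packets per port per window; control plane clears the register

header ethernet_t { bit<48> dstAddr; bit<48> srcAddr; bit<16> etherType; }
header ipv4_t {
    bit<4> version; bit<4> ihl; bit<8> diffserv; bit<16> totalLen;
    bit<16> identification; bit<3> flags; bit<13> fragOffset;
    bit<8> ttl; bit<8> protocol; bit<16> hdrChecksum; bit<32> srcAddr; bit<32> dstAddr;
}
header ipv6_t {
    bit<4> version; bit<8> trafficClass; bit<20> flowLabel; bit<16> payloadLen;
    bit<8> nextHdr; bit<8> hopLimit; bit<128> srcAddr; bit<128> dstAddr;
}
header tcp_t {
    bit<16> srcPort; bit<16> dstPort; bit<32> seqNo; bit<32> ackNo; bit<4> dataOffset;
    bit<4> res; bit<8> flags; bit<16> window; bit<16> checksum; bit<16> urgentPtr;
}
header udp_t { bit<16> srcPort; bit<16> dstPort; bit<16> length; bit<16> checksum; }

struct metadata_t { bit<8> l4proto; bit<16> dstPort; }   // filled by the parser, matched by the tables
struct headers_t { ethernet_t ethernet; ipv4_t ipv4; ipv6_t ipv6; tcp_t tcp; udp_t udp; }

// Programmable parser: the part OpenFlow cannot express. Adding a new encapsulation
// means adding a header type and a state here, not waiting for a new protocol version.
parser FwParser(packet_in pkt, out headers_t hdr, inout metadata_t meta, inout standard_metadata_t std) {
    state start {
        meta.l4proto = 0; meta.dstPort = 0;
        pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) { ETH_IPV4: parse_ipv4; ETH_IPV6: parse_ipv6; default: accept; }
    }
    state parse_ipv4 {
        pkt.extract(hdr.ipv4); meta.l4proto = hdr.ipv4.protocol;
        transition select(hdr.ipv4.protocol) { PROTO_TCP: parse_tcp; PROTO_UDP: parse_udp; default: accept; }
    }
    state parse_ipv6 {
        pkt.extract(hdr.ipv6); meta.l4proto = hdr.ipv6.nextHdr;
        transition select(hdr.ipv6.nextHdr) { PROTO_TCP: parse_tcp; PROTO_UDP: parse_udp; default: accept; }
    }
    state parse_tcp { pkt.extract(hdr.tcp); meta.dstPort = hdr.tcp.dstPort; transition accept; }
    state parse_udp { pkt.extract(hdr.udp); meta.dstPort = hdr.udp.dstPort; transition accept; }
}

control FwVerify(inout headers_t hdr, inout metadata_t meta) { apply { } }

control FwIngress(inout headers_t hdr, inout metadata_t meta, inout standard_metadata_t std) {
    register<bit<32>>(65536) port_hits;   // one packet counter per destination port (assumed size)

    action drop() { mark_to_drop(std); }
    action forward(bit<9> port) { std.egress_spec = port; }

    // Ternary keys allow wildcard rules such as "any source, dst 10.0.0.5, UDP, port 53".
    table acl_v4 {
        key = { hdr.ipv4.srcAddr: ternary; hdr.ipv4.dstAddr: ternary; meta.l4proto: ternary; meta.dstPort: ternary; }
        actions = { drop; forward; NoAction; }
        size = 1024; default_action = NoAction();
    }
    table acl_v6 {
        key = { hdr.ipv6.srcAddr: ternary; hdr.ipv6.dstAddr: ternary; meta.l4proto: ternary; meta.dstPort: ternary; }
        actions = { drop; forward; NoAction; }
        size = 1024; default_action = NoAction();
    }

    apply {
        if (hdr.ipv4.isValid())      { acl_v4.apply(); }
        else if (hdr.ipv6.isValid()) { acl_v6.apply(); }
        else                         { drop(); }      // layer-3 firewall: non-IP traffic is discarded

        // Crude flood check: count packets per destination port and drop above the threshold.
        // The counter never decays in the data plane; the control plane is assumed to reset it per window.
        if (hdr.tcp.isValid() || hdr.udp.isValid()) {
            bit<32> hits;
            port_hits.read(hits, (bit<32>)meta.dstPort);
            hits = hits + 1;
            port_hits.write((bit<32>)meta.dstPort, hits);
            if (hits > FLOOD_THRESHOLD) { drop(); }
        }
    }
}

control FwEgress(inout headers_t hdr, inout metadata_t meta, inout standard_metadata_t std) { apply { } }
control FwCompute(inout headers_t hdr, inout metadata_t meta) { apply { } }   // headers are not modified, so no checksum update

control FwDeparser(packet_out pkt, in headers_t hdr) {
    apply { pkt.emit(hdr.ethernet); pkt.emit(hdr.ipv4); pkt.emit(hdr.ipv6); pkt.emit(hdr.tcp); pkt.emit(hdr.udp); }
}

V1Switch(FwParser(), FwVerify(), FwIngress(), FwEgress(), FwCompute(), FwDeparser()) main;
```

The filtering rules themselves live in the control plane: each `acl_v4`/`acl_v6` entry carries a match (with masks, since the keys are ternary) and a priority, and is installed at run time, so the data-plane program does not change when the policy does. Two caveats a practitioner should keep in mind: the per-port register here is a packet counter, not a rate, so without periodic clearing by the controller a busy but legitimate service will eventually cross the threshold; and because the parser stops at the first TCP/UDP header, IPv6 extension headers and IPv4 fragments after the first are not inspected, which is exactly the kind of gap that should be closed by extending the parser rather than by bolting on a second device.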
Keywords: Software-defined networking, OpenFlow, P4, Packet Processors, Security, Network virtualization, Programmable networks
Authors thank Ericsson Ltd. for support via the ELTE CNL collaboration.