ABSTRACT
Path-aware networking has introduced new possibilities for monitoring and controlling network access and has solved a multitude of modern-day Internet security issues. Being able to authorize usage of specific paths enables network operators to offer high-quality services to customers requiring highly reliable network access.
Today, securing a network path or an end host is only possible with high-level solutions such as VPNs. EPIC-HP (Every Packet Is Checked - Hidden Path) has shown that this functionality can be moved down into the network itself. EPIC-HP extends the path-aware Internet architecture SCION with per-packet checksums that authenticate network traffic. This is used to combat DoS attacks on end hosts and to give high-priority access to specific end users. In this paper, we show that it is possible to implement the functionality of EPIC-HP along with SCION on the Intel Tofino 2 ASIC. EPIC-HP requires AES-based MAC verification with per-path keys in the data plane. Using the multi-pipeline structure of the Tofino, we implemented the required AES and AES-CMAC cryptography across three of the switch's four independent pipes.
The throughput we achieve is an order of magnitude above the data rates previously achieved for EPIC-HP and is a significant step towards a more secure Internet.
Poster: High-Speed Per-Packet Checksums on the Intel Tofino