[Slide 1]
Programmable data planes for network security
Roland Meier
nsg.ee.ethz.ch
HotSec 2019
[Slide 2]
```
if (packet_is_evil):
    packet.ipv4.evil_bit = 1
else:
    packet.ipv4.evil_bit = 0
```
IPv4 header:
Version | Header length | Type of service | Total length
Identifier | Flags (Evil, DF, MF) | Fragment offset
Time to live | Protocol | Header checksum
Source address
Destination address
…
[Slide 3]
60 milliseconds
hours
50 GB
[Slide 4]
There has always been hardware to process packets. What has changed?
This hardware is programmable.
[Slide 6]
It is now possible to write programs for the control plane and the data plane of a network
Control plane: vendor-specific software, slow but versatile → programmable
Data plane: fixed-function hardware, fast but restricted → custom
[Slide 9]
Programmable data planes are heavily used in the networking community
NSDI: 23 papers
SIGCOMM: 20
[Slide 10]
Programmable data planes are barely used in the security community
NSDI: 23 papers
SIGCOMM: 20
S&P: 1
USENIX Sec: 1
CCS: 0
NDSS: 3
[Slide 11]
Programmable data planes are barely used in the security community
NetHide: Secure and Practical Network Topology Obfuscation
Roland Meier(1), Petar Tsankov(1), Vincent Lenders(2), Laurent Vanbever(1), Martin Vechev(1)
nethide.ethz.ch
USENIX Security 2018
[Slide 14]
Programmable data planes are barely used in the security community. Why?
[Slide 15]
Programmable data planes allow processing all packets at line rate
no sampling, no impact on performance
[Slide 16]
P4 is a domain-specific programming language [Andy Fingerhut: P4 in 500 words]
C: loops, recursive calls, pointers, malloc, free
P4: parsers, tables, architectures
[Slide 17]
Possibilities and limitations of programmable data planes
Possibilities: simple operations on all packets; extract information from packets; custom headers and protocols
Limitations: complex operations; maintain (large) state; modify the payload
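As an added example (not code from the talk or from the NetHide project), this P4_16 program for the v1model architecture ties the slides together: the IPv4 header from slide 2 with the evil bit as a named field, P4's parser and match-action table in place of loops and pointers, and a simple per-packet check that runs on every packet rather than on a sample. The table entries (which destination prefixes are forwarded to which port, and that packets with evil == 1 are dropped) are assumed to be installed by the control plane at runtime.

```p4
#include <core.p4>
#include <v1model.p4>

// Ethernet and IPv4 headers; the 3-bit IPv4 flags field is split so the
// RFC 3514 "evil bit" (the reserved high-order flag) is a named field.
header ethernet_t { bit<48> dst; bit<48> src; bit<16> etherType; }
header ipv4_t {
    bit<4>  version;  bit<4>  ihl;      bit<8>  tos;      bit<16> totalLen;
    bit<16> id;       bit<1>  evil;     bit<1>  df;       bit<1>  mf;
    bit<13> fragOff;  bit<8>  ttl;      bit<8>  protocol; bit<16> hdrChecksum;
    bit<32> srcAddr;  bit<32> dstAddr;
}
struct metadata {}
struct headers { ethernet_t ethernet; ipv4_t ipv4; }

// Parser: a state machine that extracts headers; no loops, no pointers.
parser EvilParser(packet_in pkt, out headers hdr, inout metadata meta,
                  inout standard_metadata_t std) {
    state start {
        pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) { 0x0800: parse_ipv4; default: accept; }
    }
    state parse_ipv4 { pkt.extract(hdr.ipv4); transition accept; }
}

control EvilVerify(inout headers hdr, inout metadata meta) { apply {} }

// Ingress: one match-action table keyed on the evil bit and the destination.
// The entries (drop for evil == 1, forward(port) per prefix otherwise) are
// assumed to be installed by the control plane; the data plane only matches.
control EvilIngress(inout headers hdr, inout metadata meta,
                    inout standard_metadata_t std) {
    action drop() { mark_to_drop(std); }
    action forward(bit<9> port) { std.egress_spec = port; }
    table evil_filter {
        key = { hdr.ipv4.evil : exact; hdr.ipv4.dstAddr : lpm; }
        actions = { drop; forward; NoAction; }
        size = 1024;
        default_action = NoAction();
    }
    apply { if (hdr.ipv4.isValid()) { evil_filter.apply(); } }
}

control EvilEgress(inout headers hdr, inout metadata meta, inout standard_metadata_t std) { apply {} }
control EvilCompute(inout headers hdr, inout metadata meta) { apply {} }
control EvilDeparser(packet_out pkt, in headers hdr) { apply { pkt.emit(hdr.ethernet); pkt.emit(hdr.ipv4); } }

V1Switch(EvilParser(), EvilVerify(), EvilIngress(), EvilEgress(), EvilCompute(), EvilDeparser()) main;
```

Every packet passes through the parser and the table, which is what makes this a line-rate check with no sampling; the limits from slide 17 show up as well, since the program keeps no per-flow state and never touches the payload.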
[Slide 18]
Let’s discuss these 2 topics (and more)
Roland [email protected]
Which network security applications can benefit from programmable data planes, and how?
Which dangers does this new technology pose? e.g. related to attacks against data-plane programs