Overview of publications of the bwNET2020+ project

1. Secure Service Function Chaining in the Context of Zero Trust Security

Leonard Bradatsch, Marco Häberle, Benjamin Steinert, Frank Kargl, Michael Menth | 2022 | 2022 IEEE 47th Conference on Local Computer Networks (LCN)

Service Function Chaining (SFC) enables dynamic steering of traffic through a set of service functions based on classification of packets, allowing network operators fine-grained and flexible control of packet flows. New paradigms like Zero Trust (ZT) pose additional requirements to the security of network architectures. This includes client authentication, confidentiality, and integrity throughout the whole network, while also being able to perform operations on the unencrypted payload of packets. However, these requirements are only partially addressed in existing SFC literature. Therefore, we first present a comprehensive analysis of the security requirements for SFC architectures. Based on this analysis, we propose a concept towards the fulfillment of the requirements while maintaining the flexibility of SFC. In addition, we provide and evaluate a proof of concept implementation, and discuss the implications of the design choices.

2. A Caching SFC Proxy Based on eBPF

Häberle Marco, Steinert Benjamin, Weiss Michael, Menth Michael | 2022 | IEEE International Conference on Network Softwarization (NetSoft 2022)

Service Functions (SFs) are intermediate processing nodes on the path of IP packets. With SF chaining (SFC), packets can be steered to multiple physical or virtual SFs in a specific order. SFC-unaware SFs can be used flexibly but they do not support SFC-specific encapsulation of packets. Therefore, an SFC proxy needs to remove the encapsulation of a packet before processing by an SFC-unaware SF, and to add it again afterwards. Such an SFC proxy typically runs on a server hosting virtual network functions (VNFs) that serve as SFs. While simple SFC proxies adapt a flow-specific static header stack, the caching SFC proxy presented in this work caches packet-specific headers while packets are processed by a VNF. We present concept, use cases, and an eBPF-based implementation of the caching SFC proxy. In addition, we evaluate the performance of a prototype.

3. Recognition of Similar NetFlow Data in Decentralised Monitoring Environments

Eisenhart Georg, Volpert Simon, Braitinger Jan, Domaschka Jörg | 2022 | 3. KuVS Fachgespräch "Network Softwarization" (7.4. - 8.4.2022)

One of the main challenges in the analysis of NetFlow data in decentralised monitoring environments comes from merging datasets from different independent sites. One problem is to identify similar data points which can impact derived metrics from such data directly. This article provides a proof of concept how similarity measurements based on distance metrics can be used to identify similar or related flows from different datasets. For this, several domains are outlined which can benefit from this approach to support validation of research scenarios and data analysis.

4. Firewall-as-a-Service for Campus Networks Based on P4-SFC

Häberle Marco, Steinert Benjamin, Menth Michael | 2021 | Conference on Networked Systems 2021 (NetSys 2021)

Taking care of security is a crucial task for every operator of a cam-pus network. One of the most fundamental security-related network functions thatcan be found in most networks for this purpose are stateful firewalls. However, de-ploying firewalls in large campus networks, e.g., at a university, can be challenging.Hardware appliances that can cope with today’s high data rates at the border of acampus network are not cost-effective enough for most deployments. Shifting theresponsibility to run firewalls to single departments at a university is not feasiblebecause the expertise to manage these devices is not available there. For this reason,we propose a cloud-like infrastructure based on service function chaining (SFC) andnetwork function virtualization (NFV) that allows users to deploy network functionslike firewalls at a central place while hiding most technical details from the users.

5. Zero Trust Service Function Chaining

Bradatsch Leonard, Kargl Frank, Miroshkin Oleksandr | 2021 | Conference on Networked Systems 2021 (NetSys 2021)

In this paper, we address the inefficient handling of traditional security functions in Zero Trust networks. For this reason, we propose a novel network security concept that combines the ideas of Zero Trust and Service Function Chaining. This allows us to efficiently decide which security functions to apply to which packets and when.

6. P4-IPsec: Site-to-Site and Host-to-Site VPN With IPsec in P4-Based SDN

Frederik Hauser, Marco Häberle, Mark Schmidt, Michael Menth | 2020 | IEEE Access

In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

7. Service Function Chaining Based on SegmentRouting Using P4 and SR-IOV (P4-SFC)

Andreas Stockmayer, Stephan Hinselmann, Marco Häberle, Michael Menth | 2020 | 15th Workshop on Virtualization in High-Performance Cloud Computing (VHPC'20)

In this paper we describe P4-SFC to support service function chaining (SFC) based on a single P4-capable switch and off-the-shelfcomponents. It utilizes MPLS-based segment routing for traffic forwarding in the network and SR-IOV for efficient packet handling on hosts. We describe the P4-SFC architecture and demonstrate its feasibility by a prototype using the Tofino Edgecore Wedge 100BF-32X as P4 switch. Performance tests show that L2 throughput for VNFs on a host is significantly larger when connected via SR-IOV with the host’s networkinterface card instead of over a software switch.

8. P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

Frederik Hauser, Mark Schmidt, Marco Häberle, Michael Menth | 2020 | IEEE Access

We propose P4-MACsec to protect network links between P4-based SDN switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. MACsec is supported by switches and routers from many manufacturers. On these devices, it has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec suggests a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 targets. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 targets interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and a two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channels, generates keying material, and configures the P4 targets for each detected link between two P4 targets. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software target, validate the prototype through experiments, and evaluate its performance through experiments considering TCP goodput and round-trip time. We publish the prototype and experiment setup under the Apache v2 license on GitHub.


Overview of dissertations within the bwNET2020+ project

1. Security in high-bandwidth networks

Lukaseder Thomas | 2020 | Ph.D. Thesis | Institute of Distributed Systems, Ulm University

Ever-increasing bandwidth in networks presents a challenge to security mechanisms as the amount of traffic following Gilder's law) increases faster than the computational power (following Moore's law). This continuous increase in the amount of data not only impedes the effort to analyze the data in firewalls or Intrusion Detection Systems, but it can also be exploited by attackers to achieve ever stronger attacks. Moreover, testing network security mechanisms in high-bandwidth networks presents a challenge in itself as common testing tools are neither designed to produce nor to analyze such a vast amount of traffic. In this thesis, firstly, we look into testing of network applications, devices, and algorithms in high-bandwidth networks as a challenge in and of itself. We analyze traffic, build a network testing framework, and provide test data sets as groundwork for the other parts of this thesis. Following these insights, we work on improving security mechanisms to tackle the challenges of high-bandwidth networks. Hereby, we focus on two commonly used security mechanisms found in today's networks: Intrusion Detection Systems (IDS) and Mitigation Systems for Distributed Denial-of-Service (DDoS) attacks and investigate the impact of rising network traffic on their performance. We look into ways to raise IDS throughput through hardware-supported parallelization of regular expression matching. Matching regular expressions is a key component of the payload analysis in IDS and presents a major bottleneck for their throughput. Moreover, we present a framework able to detect DDoS attacks, identify attacking clients, and defend successfully against attacks. The system entails improvements in these areas with a particular focus on identifying slow DDoS attackers and defense against reflective attacks. The software developed, the data sets produced, and the insights gained in this work can help researchers, network administrators, and developers improve network security mechanisms and defend their networks more reliably against attacks.

MSc and BSc Theses

Overview of Master and Bachelor theses within the bwNET2020+ project

1. Implementation of a Web-Based Visualizer for Service Function Chaining Infrastructure

Rupp Charlotte | 2022 | B.Sc. Thesis | Supervisors: Häberle Marco, Steinert Benjamin | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

This thesis makes recent technological advancements in Cloud Computing accessible by designing and implementing a visualization system for Service Function Chaining (SFC) infrastructure. The visualized network architecture builds on technologies like Software Defined Networking (SDN), Virtual Network Function (VNF) and SFC. The project is supposed to become part of an application to simplify a SFC orchestrator to a point where it can be used without detailed knowledge about the underlying technical frameworks and processes. The web application and the visualization system are designed to be scalable and modular to ensure future reuse of the work. A flexible and interactive visualizer was implemented using Typescript and the D3.js package and integrated into a full-stack web application. It provides an overview of the network structure by creating a clear, interactive and multilayered network graph visualization from network infrastructure data. The application consists of an Angular frontend with a responsive user interface layout and a Django backend connected via a REST API. This bachelor thesis also offers necessary information on how the implemented visualizer can be used for arbitrary SFC architectures and possible ways to get the infrastructure data. The SFC Infrastructure Visualizer can be used for validating and debugging SFC infrastructure.

2. Design and Implementation of an Extensible eBFP-based Proxy for SFC-unaware VNFs

Weiss Michael | 2021 | M.Sc. Thesis | Supervisors: Häberle Marco, Steinert Benjamin | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

Service Function Chaining (SFC) is a technology that allows composing complex network services out of basic network functions, like firewalls and load balancers, by chaining them together. With the widespread and still rising use of cloud computing and virtualization, SFC is gaining much attention. Network services are becoming increasingly virtualized to build a highly dynamic, scalable, and cost-effective infrastructure. This is known as network function virtualization (NFV). SFC allows combining such virtualized network functions into an end-to-end network service, even if they are instantiated across multiple clouds. This enables service providers to benefit significantly from virtualized software-defined networking (SDN) infrastructure. SFC requires special encapsulation headers to forward packets through Service Function Chains (SFCs) and optionally transport per-packet metadata. These additional headers are a problem for legacy service functions (SFs) that are SFC-unaware. Large service providers have many such legacy SFs which is a challenge for transitioning to SFC. To support legacy SFs, a so-called SFC proxy can be used. SFC proxies are logical elements that remove and insert SFC encapsulation headers on behalf of SFC-unaware SFs. They allow SFC-aware and -unaware SFs to coexist in an SFC-enabled domain. Various designs for SFC proxies exist. Static SFC proxies require manual configuration and are pretty limited. Dynamic SFC proxies can automatically learn their configuration based on flows through their SFs. None of the existing designs are capable of caching the SFC encapsulation headers on a per-packet basis, but this is required for transporting metadata in the SFC headers. This work presents a design for a fully dynamic SFC proxy that can cache SFC encapsulation headers on a per-packet basis without any manual configuration. A high-performance prototype based on eBPF is implemented for the Linux kernel. This new SFC proxy is integrated into the P4-SFC framework and evaluated against the currently used static SFC proxy.

3. Optimization of mobile network access through the parallel use of multiple paths

Brummer Philipp | 2021 | M.Sc. Thesis | Supervisor: Prof. Dr. Oliver Waldhorst | Faculty of Computer Science and Business Information Systems, Karlsruhe University of Applied Science

Mobile devices, such as phones and laptops, provide access to digital content to enhance the teaching experience at universities. They provide students with a platform supporting the use of audiovisual teaching materials, such as slides, videos, questionnaires, Virtual Reality environments and other types of interactive media. These devices can establish multiple wireless network links, such as WiFi and cellular, to download or stream data from the respective services. However, in most conventional scenarios, only one of these physical connections is used at any one time. With the Transmission Control Protocol (TCP) not allowing for the concurrent use of multiple paths by a single TCP connection, Multipath TCP (MPTCP) was designed to facilitate the sending of packets belonging to the same TCP connection over multiple physical connections. With Multipath TCP finding its way into the mainline Linux kernel and Android’s Project Mainline aiming to provide a current kernel version for mobile devices, the number of devices supporting Multipath TCP can be assumed to grow significantly. This work evaluates various options to leverage the technology on its own, and in combination with Software Defined Networking, to improve quality of service for both bandwidth-intensive content delivery services and latency-sensitive services and compares their viability in a university classroom environment. The findings presented show, that Multipath TCP can lead to improved quality of service compared to single-path TCP, especially for bandwidth-intensive services. Additionally, this work proposes solutions to achieve improved quality of service for latencysensitive services as well, without sacrificing the additional bandwidth available through the combination of multiple network paths.

4. A Demonstrator for P4-SFC-Based Firewall-as-a-Service with Self-Service Portal Control

Steinert Benjamin | 2020 | M.Sc. Thesis | Supervisor: Häberle Marco | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

This thesis combines recent technology advancements in the areas of Software-Defined Networking (SDN), Network Function Virtualization (NFV), and Service Function Chaining (SFC) to implement the concept of Firewall-as-a-Service (FWaaS). By leveraging the P4-SFC architecture, a cloud-like system is established that allows end-to-end network service provisioning on-demand. The presented demonstrator features a web-based self-service portal, an SFC-orchestrator, and a P4-based SDN-controller together with a P4 data plane implementation suitable for service function chaining. Thereby the management of network services can be done via the self-service portal and is highly automated via the orchestrator. The presented solution supports not only firewalls but arbitrary virtual network functions.