Overview of publications of the bwNET2020+ project

1. A Caching SFC Proxy Based on eBPF

Häberle Marco, Steinert Benjamin, Weiss Michael, Menth Michael | 2022 | IEEE International Conference on Network Softwarization (NetSoft 2022)

Service Functions (SFs) are intermediate processing nodes on the path of IP packets. With SF chaining (SFC), packets can be steered to multiple physical or virtual SFs in a specific order. SFC-unaware SFs can be used flexibly but they do not support SFC-specific encapsulation of packets. Therefore, an SFC proxy needs to remove the encapsulation of a packet before processing by an SFC-unaware SF, and to add it again afterwards. Such an SFC proxy typically runs on a server hosting virtual network functions (VNFs) that serve as SFs. While simple SFC proxies adapt a flow-specific static header stack, the caching SFC proxy presented in this work caches packet-specific headers while packets are processed by a VNF. We present concept, use cases, and an eBPF-based implementation of the caching SFC proxy. In addition, we evaluate the performance of a prototype.

2. Recognition of Similar NetFlow Data in Decentralised Monitoring Environments

Eisenhart Georg, Volpert Simon, Braitinger Jan, Domaschka Jörg | 2022 | 3. KuVS Fachgespräch "Network Softwarization" (7.4. - 8.4.2022)

One of the main challenges in the analysis of NetFlow data in decentralised monitoring environments comes from merging datasets from different independent sites. One problem is to identify similar data points, which can directly impact metrics derived from such data. This article provides a proof of concept of how similarity measurements based on distance metrics can be used to identify similar or related flows from different datasets. For this, several domains are outlined which can benefit from this approach to support validation of research scenarios and data analysis.

3. Firewall-as-a-Service for Campus Networks Based on P4-SFC

Häberle Marco, Steinert Benjamin, Menth Michael | 2021 | Conference on Networked Systems 2021 (NetSys 2021)

Taking care of security is a crucial task for every operator of a campus network. One of the most fundamental security-related network functions that can be found in most networks for this purpose are stateful firewalls. However, deploying firewalls in large campus networks, e.g., at a university, can be challenging. Hardware appliances that can cope with today's high data rates at the border of a campus network are not cost-effective enough for most deployments. Shifting the responsibility to run firewalls to single departments at a university is not feasible because the expertise to manage these devices is not available there. For this reason, we propose a cloud-like infrastructure based on service function chaining (SFC) and network function virtualization (NFV) that allows users to deploy network functions like firewalls at a central place while hiding most technical details from the users.

4. Zero Trust Service Function Chaining

Bradatsch Leonard, Kargl Frank, Miroshkin Oleksandr | 2021 | Conference on Networked Systems 2021 (NetSys 2021)

In this paper, we address the inefficient handling of traditional security functions in Zero Trust networks. For this reason, we propose a novel network security concept that combines the ideas of Zero Trust and Service Function Chaining. This allows us to efficiently decide which security functions to apply to which packets and when.

5. P4-IPsec: Site-to-Site and Host-to-Site VPN With IPsec in P4-Based SDN

Frederik Hauser, Marco Häberle, Mark Schmidt, Michael Menth | 2020 | IEEE Access

In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

6. Service Function Chaining Based on Segment Routing Using P4 and SR-IOV (P4-SFC)

Andreas Stockmayer, Stephan Hinselmann, Marco Häberle, Michael Menth | 2020 | 15th Workshop on Virtualization in High-Performance Cloud Computing (VHPC'20)

In this paper we describe P4-SFC to support service function chaining (SFC) based on a single P4-capable switch and off-the-shelf components. It utilizes MPLS-based segment routing for traffic forwarding in the network and SR-IOV for efficient packet handling on hosts. We describe the P4-SFC architecture and demonstrate its feasibility by a prototype using the Tofino Edgecore Wedge 100BF-32X as P4 switch. Performance tests show that L2 throughput for VNFs on a host is significantly larger when connected via SR-IOV with the host's network interface card instead of over a software switch.

7. P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

Frederik Hauser, Mark Schmidt, Marco Häberle, Michael Menth | 2020 | IEEE Access

We propose P4-MACsec to protect network links between P4-based SDN switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. MACsec is supported by switches and routers from many manufacturers. On these devices, it has only minor performance limitations compared to VPN technologies such as IPsec. P4-MACsec suggests a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 targets. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 targets interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and a two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channels, generates keying material, and configures the P4 targets for each detected link between two P4 targets. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software target, validate the prototype through experiments, and evaluate its performance through experiments considering TCP goodput and round-trip time. We publish the prototype and experiment setup under the Apache v2 license on GitHub.