Programmable In-Network Obfuscation of Traffic

Recent advances in programmable switch hardware offer a fresh opportunity to protect user privacy. This paper presents PINOT, a lightweight in-network anonymity solution that runs at line rate within the memory and processing constraints of hardware switches. PINOT encrypts a client's IPv4 address with an efficient encryption scheme to hide the address from downstream ASes and the destination server. PINOT is readily deployable, requiring no end-user software or cooperation from networks other than the trusted network where it runs. We implement a PINOT prototype on the Barefoot Tofino switch, deploy PINOT in a campus network, and present results on protecting user identity against public DNS, NTP, and WireGuard VPN services.
