P4Knocking: Offloading host-based firewall functionalities to the network

The introduction of Software-Defined Networks (SDN) and the evolution towards programmable data planes bring the opportunity to offload several functions to the data plane. In this context, the P4 programming language opens the door to the customization of data planes: it can provide packet processing functionality that can be applied to improve network security, among other areas. This paper presents P4Knocking, a P4-based port knocking implementation that can open, on external request, ports that otherwise appear to be closed. The goal of bringing port knocking capabilities to the network is to seamlessly deploy firewall functions in the data plane, relieving hosts from dealing with unintended traffic. Our work presents a total of four implementations that involve the data and control planes to different degrees. P4Knocking can provide a more transparent and efficient way to deploy the port knocking service than a host-based port knocking implementation. In fact, it requires no special-purpose externs apart from registers, hence its higher portability and flexibility with local or remote control planes.
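To make the data-plane variant described in the abstract concrete, the following is an added example (not code from the paper or from the P4Knocking authors) that models, in Python, the register-only logic a P4 pipeline would run per packet: a knock-stage register indexed by a hash of the source address, a knock sequence checked in order, knock ports that always look closed, and a protected port that is forwarded only once the sequence is complete. The knock sequence (7000, 8000, 9000), the protected port 22, the 1024-cell register size and the 10-second knock window are constructed assumptions for illustration; the paper does not specify them.

```python
import zlib
import ipaddress
from dataclasses import dataclass

# Constructed parameters (assumptions for this example, not values from the paper)
KNOCK_SEQUENCE = (7000, 8000, 9000)   # knock ports, must be hit in this order
PROTECTED_PORT = 22                   # service that appears closed until the knock completes
REGISTER_SIZE = 1024                  # like a P4 register<bit<8>>(1024) per-source state array
KNOCK_WINDOW = 10.0                   # seconds allowed between consecutive knocks


@dataclass
class Packet:
    """Minimal view of the header fields the knocking logic needs."""
    src_ip: str
    dst_port: int
    ts: float   # arrival timestamp in seconds (a P4 target would read ingress_global_timestamp)


class KnockingSwitch:
    """Data-plane port-knocking state machine kept entirely in registers.

    No control-plane interaction is needed per packet: every decision is a
    register read, compare and write, which is what makes it portable across
    P4 targets that only offer the standard register extern.
    """

    def __init__(self):
        self.stage = [0] * REGISTER_SIZE        # how many knocks this source has completed
        self.last_seen = [0.0] * REGISTER_SIZE  # timestamp of the last accepted knock

    @staticmethod
    def index(src_ip):
        # Emulates a P4 hash extern (crc32) folding the source address into a register index.
        return zlib.crc32(ipaddress.ip_address(src_ip).packed) % REGISTER_SIZE

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet, updating register state."""
        idx = self.index(pkt.src_ip)
        stage = self.stage[idx]

        # An unfinished sequence that went stale is reset, so old partial knocks cannot be resumed.
        if 0 < stage < len(KNOCK_SEQUENCE) and pkt.ts - self.last_seen[idx] > KNOCK_WINDOW:
            stage = self.stage[idx] = 0

        if pkt.dst_port == PROTECTED_PORT:
            # The protected port is only reachable after the full sequence.
            return "forward" if stage == len(KNOCK_SEQUENCE) else "drop"

        if pkt.dst_port not in KNOCK_SEQUENCE:
            # Unrelated traffic is untouched by the knocking logic.
            return "forward"

        if stage < len(KNOCK_SEQUENCE):
            if pkt.dst_port == KNOCK_SEQUENCE[stage]:
                stage += 1                       # correct next knock
            else:
                # Wrong knock: restart. A wrong knock that is the first port counts as a fresh start.
                stage = 1 if pkt.dst_port == KNOCK_SEQUENCE[0] else 0
            self.stage[idx] = stage
            self.last_seen[idx] = pkt.ts

        # Knock ports always look closed to the sender, whatever the outcome.
        return "drop"


def run_scenario(packets):
    """Feed a packet list through a fresh switch and return the verdict list."""
    sw = KnockingSwitch()
    return [sw.process(p) for p in packets]


if __name__ == "__main__":
    host = "10.0.0.5"
    trace = [Packet(host, 22, 0.0)] + \
            [Packet(host, p, float(i + 1)) for i, p in enumerate(KNOCK_SEQUENCE)] + \
            [Packet(host, 22, 5.0)]
    print(run_scenario(trace))
```

Two properties of this register-based design are worth noting for a deployment. First, the per-source state lives in a fixed-size array indexed by a hash, so two sources can collide on the same cell and share a knock state; a larger register, a second hash, or storing a verifying key alongside the stage reduces that. Second, once the sequence is complete the cell stays open until overwritten, so a real deployment would add an expiry for the open state just as this example expires a stale partial sequence.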
