Light at the middle of the tunnel: middleboxes for selective disclosure of network monitoring to distrusted parties

Network monitoring is vital to the administration and operation of networks, but it requires privileged access that only highly trusted parties are granted. This severely limits the opportunity for external parties, such as service or equipment providers, auditors, or even clients, to measure the health or operation of a network in which they are stakeholders but whose internal structure they cannot access. In this position paper we propose the use of middleboxes to open up network monitoring to external parties using privacy-preserving technology. This will allow distrusted parties to make more inferences about the network state than is currently possible, without learning any precise information about the network or the data that crosses it. Thus the state of the network will be more transparent to external stakeholders, who will be empowered to verify claims made by network operators. Network operators will be able to provide more information about their network without compromising security or privacy.
