Cryptographic Hashing in P4 Data Planes

P4 introduces a standardized, target-independent way of programming the data plane. Secure and resilient communication typically involves processing payload data and applying specialized cryptographic hash functions. We observe that current P4 targets lack support for both. Therefore, applications and protocols that require message authentication codes, or hashing structures that are resilient against attacks such as denial of service, cannot be implemented. To enable authentication and resilience, we make the case for extending P4 targets with cryptographic hash functions. We propose an extension of the P4 Portable Switch Architecture for cryptographic hashes and discuss our prototype implementations for three different P4 target platforms: CPU, NPU, and FPGA. To assess practical applicability, we conduct a performance evaluation and analyze resource consumption. Our prototype implementations show that cryptographic hashing can be integrated efficiently. We cannot identify a single hash function that delivers satisfactory performance on all investigated platforms. Therefore, we recommend a set of hash functions to optimize target-specific performance.
