SICS: Secure In-Cloud Service Function Chaining

There is an increasing trend of enterprises outsourcing their network functions to the cloud for lower cost and ease of management. However, network function outsourcing threatens the privacy of enterprises, since the cloud is able to access both the traffic and the rules of in-cloud network functions. Current tools for secure network function outsourcing either incur a large performance overhead or do not support real-time updates. In this paper, we present SICS, a secure service function chain outsourcing framework. SICS encrypts each packet header and uses a label for in-cloud rule matching, which enables the cloud to perform its functionalities correctly with minimal header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead at both the enterprise and cloud sides, compared to existing solutions.
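The label-based split described above, as an added illustration that is not SICS's own code: the enterprise gateway matches the plaintext header against its rules, tags the packet with an opaque label, and hides the header; the cloud selects the service chain from the label alone. The rule set, the label-to-chain table, the 11-byte header layout and the HMAC-based stand-in cipher are all constructed assumptions for this sketch, not the paper's design.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed policy for the illustration. Enterprise side: ordered rules
# over the plaintext header; first match wins and yields an opaque label.
RULES = [
    (lambda h: h["proto"] == 6 and h["dport"] == 80, 1),   # web traffic
    (lambda h: h["proto"] == 6 and h["dport"] == 22, 2),   # ssh traffic
    (lambda h: True, 0),                                   # default
]
# Cloud side: the only state the cloud needs is label -> service chain.
CHAINS = {0: ["firewall"], 1: ["firewall", "ids", "web-cache"], 2: ["firewall", "ids"]}

HDR_FMT = "!4s4sBH"  # src ip, dst ip, proto, dst port (11 bytes, constructed layout)

def classify(hdr):
    """Enterprise gateway: match the plaintext header against local rules."""
    for pred, label in RULES:
        if pred(hdr):
            return label
    raise AssertionError("unreachable: the default rule always matches")

def pack_header(hdr):
    return struct.pack(HDR_FMT, socket.inet_aton(hdr["src"]),
                       socket.inet_aton(hdr["dst"]), hdr["proto"], hdr["dport"])

def xor_keystream(key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 keystream) used only to keep this
    sketch dependency-free; a deployment would use an authenticated cipher.
    The same call encrypts and decrypts."""
    ks = hmac.new(key, nonce, hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, ks))

def enterprise_egress(key, hdr):
    """Label the packet and hide its header before it leaves the enterprise."""
    nonce = os.urandom(16)
    return classify(hdr), nonce, xor_keystream(key, nonce, pack_header(hdr))

def cloud_process(label, blob):
    """Cloud: pick the chain from the label alone; the header blob stays opaque."""
    return CHAINS[label]

def enterprise_ingress(key, nonce, blob):
    """Back at the enterprise, recover the original header."""
    src, dst, proto, dport = struct.unpack(HDR_FMT, xor_keystream(key, nonce, blob))
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "dport": dport}
```

A rule change touches only RULES and CHAINS, which is the update path the abstract contrasts with schemes that re-encrypt rules in the cloud.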
