Dependently-typed data plane programming

Programming languages like P4 enable specifying the behavior of network data planes in software. However, with increasingly powerful and complex applications running in the network, the risk of faults also increases. Hence, there is growing recognition of the need for methods and tools to statically verify the correctness of P4 code, especially as the language lacks basic safety guarantees. Type systems are a lightweight and compositional way to establish program properties, but there is a significant gap between the kinds of properties that can be proved using simple type systems (e.g., SafeP4) and those that can be obtained using full-blown verification tools (e.g., p4v). In this paper, we close this gap by developing Π4, a dependently-typed version of P4 based on decidable refinements. We motivate the design of Π4, prove the soundness of its type system, develop an SMT-based implementation, and present case studies that illustrate its applicability to a variety of data plane programs.

MSSA: Constant Time State Search through Multi-Scope State Area

In the stateful data plane, the switch can record the state and forward packets based on the local state. This approach makes it possible to integrate complex network applications into the data plane, thus reducing the amount of communication required between the switch and the controller. However, due to the time it takes to look up the state for packets, packet-forwarding latency has increased. With increased network traffic, a large number of states may be recorded in the switch, and the problem of increased packet-forwarding latency caused by the lookup state becomes more serious. In this paper, we propose the multi-scope state area (MSSA) for recording state inside the switch, which can achieve a fixed-time state lookup in a large-scale state. MSSA divides the state sharing scope by associating with the switch’s multiple match–action tables, and the shared scope is used to determine the state area for recording state. When processing a packet, the state required will only be in a limited number of states that are recorded in a few state areas. We implemented a prototype pipeline that supports MSSA based on Intel’s DPDK framework and investigated the effect of state type, number, location, and comparison method on state search/insertion time. The results show that the cost of MSSA search state is constant, regardless of the number of states, and MSSA has a high space utilization rate.

ZbSR: A Data Plane Security Model of SR-BE/TE based on Zero-Trust Architecture

Facing the untrusted threats of network elements and PKI/CA faced by SR-BE/TE(Segment Routing-BE/TE) data plane in the zero-trust network environment, firstly, this paper refines it into eight specific security issues. Secondly, an SR-BE/TE data plane security model ZbSR(ZTA-based SR) based on zero-trust architecture is proposed, which reconstructs the original SR control plane into a "trust-agent" two-layer plane based on 4 components of the controller, agent, cryptographic center and information base. On one hand, we distinguish between the two segment list generation modes and proposes corresponding data exchange security algorithms, by introducing north-south security verification based on identity authentication, trust evaluation, and key agreement before the terminal device establishes an east-west access connection, so reliable data exchange between terminal devices can be realized. On the other hand, for the network audit lacking SR-BE/TE, a network audit security algorithm based on solid authentication is proposed. By auditing the fields, behaviors, loops, labels, paths, and SIDs of messages, threats such as stream path tampering, SID tampering, DoS attacks, and loop attacks can be effectively detected. Finally, through the simulation test, the proposed model can provide security protection for the SR data plane with a 19.3% average incremental delay overhead for various threat scenarios.

An In-Network Cooperative Storage Schema Based on Neighbor Offloading in a Programmable Data Plane

In scientific domains such as high-energy particle physics and genomics, the quantity of high-speed data traffic generated may far exceed the storage throughput and be unable to be in time stored in the current node. Cooperating and utilizing multiple storage nodes on the forwarding path provides an opportunity for high-speed data storage. This paper proposes the use of flow entries to dynamically split traffic among selected neighbor nodes to sequentially amortize excess traffic. We propose a neighbor selection mechanism based on the Local Name Mapping and Resolution System, in which the node weights are computed by combing the link bandwidth and node storage capability, and determining whether to split traffic by comparing normalized weight values with thresholds. To dynamically offload traffic among multiple targets, the cooperative storage strategy implemented in a programmable data plane is presented using the relative weights and ID suffix matching. Evaluation shows that our proposed schema is more efficient compared with end-to-end transmission and ECMP in terms of bandwidth usage and transfer time, and is beneficial in big science.

A Strategy for Detection and Mitigation of DoS Attacks on Software-Defined Networks

Computer networks support applications in virtually every area of application and knowledge, and as such, they have widely distributed structures and are susceptible to security attacks in general.Software-Defined Networks (SDN), in turn, are a technological solution that has several advantages by separating the control plane from the data plane in the structuring of computer networks. Given this technological difference, software-defined networks are a network implementation paradigm used to mitigate network security attacks. In summary, the use of SDN to mitigate network attacks provides greater flexibility in implementing the attack strategy. However, the separation of control and data planes creates new points of vulnerability for the security of the network operation.The denial of service attack (DoS) of the type Syn-Flooding is one of the most common possible attacks. It can cause, concerning the network, the commitment to perform services and, concerning the operation of the SDN, the commitment in the bandwidth of the communication channel between the control planes and the data plane, the saturation of the ow table in the switch, and the increasing of the processing load in the controller.In general, the investigation about new strategies aimed at safety with SDN becomes necessary to improve security strategies for network attacks and maximize the reliability of SDN operation, allowing use in different application scenarios. This work presents a defense strategy against attacks of DoS Syn-Flooding using the SDN facilities of an integrated controller with an intrusion detection system (IDS).The proposed strategy aims to mitigate Syn-Flooding DoS attacks and the vulnerability arising from the use of SDN to mitigate attacks.

Intrusion Detection System in Software-Defined Networks Using Machine Learning and Deep Learning Techniques –A Comprehensive Survey

<div>At present, the Internet is facing numerous attacks of different kinds that put its data at risk. The safety of information within the network is, therefore, a significant concern. In order to prevent the loss of incredibly valuable information, the Intrusion Detection System (IDS) was developed to recognize the outbreak of a stream of attacks and notify the network system administrator providing network security. IDS is an extrapolative model used to detect network traffic as routine or attack. Software-Defined Networks (SDN) is a revolutionary paradigm that isolates the control plane from the data plane, transforming the concept of a software-driven network. Through this data and control plane separation, SDN provides us the opportunity to create a manageable and programmable network, allowing applications in the top plane to access physical devices via the controller. The controller functioning inside the control plane executes network modules and establishes flow rules to forward packets in the switches residing in the data plane. Cyber attackers target the SDN controller to subdue the control plane, which is considered the brain of the SDN, providing a plethora of functionalities such as regulating flow control to switches or routers in the data plane below via southbound Application Programming Interfaces (APIs) and business and application logic in the application plane above via northbound APIs to implement sophisticated networks. However, the control plane becomes a tempting prospect for security attacks from adversaries because of its centralization feature. This paper includes an in-depth overview of the notable published articles from 2015 to 2021 that used Machine Learning (ML) and Deep Learning (DL) techniques to construct an IDS solution to provide security for SDN. We also present two detailed taxonomic studies regarding IDS, and ML-DL techniques based on their learning categories, exploring various IDS solutions to secure the SDN paradigm. We have also conducted brief research on a few benchmark datasets used to construct IDS in the SDN paradigm. To conclude the survey, we provide a discussion that sheds light on continuous challenges and IDS issues for SDN security.</div>