Secure State Migration in the Data Plane Overview


A data plane synchronization protocol for secure state migration has to work over untrusted networks while meeting three goals: completeness, low overhead, and an integrity guarantee. P4Sync runs in the data plane with minimal local control plane involvement. It achieves completeness and low overhead, and it provides integrity through per-packet MACs and periodic RSA signatures.


Uploaded on Jul 16, 2024 | 2 Views



Presentation Transcript


  1. Secure State Migration in the Data Plane
     - Jiarong Xing, Ang Chen, T.S. Eugene Ng
     - Rice University

  2. The network is becoming programmable
     - [Figure labels: switch control plane, PCIe bus, stages, match/action tables, ALU, memory]
     - Programmable data planes (PDPs)
     - Can be programmed in high-level languages (e.g., P4)
     - Support customized protocols and match/actions, persistent state
     - Run at linespeed (Tbps)

  3. Distributed PDP systems
     - Load balancers: Hula (SOSR '16)
     - Performance-aware routing: Contra (NSDI '20)
     - Link-flooding defenses: FastFlex (HotNets '19)
     - Distributed systems require state synchronization
     - Hula: Link utilization → Least utilized paths
     - Contra: Policy defined metrics → Best routes
     - FastFlex: Suspicious IPs → Drop or reroute traffic

  4. Problem: Secure state synchronization
     - [Figure labels: Source, Destination, untrusted]
     - Copy data from the source to the destination periodically
     - Data can be in different shapes
     - The network is untrusted

  5. Three key goals
     - Completeness: Copying data from the source to the destination completely.
     - Low overhead: Do not utilize too much switch memory and link bandwidth.
     - Integrity guarantee: The data cannot be modified or spoofed by attackers.

  6. State of the art: Swing State (SOSR '17)
     - [Figure labels: Normal traffic, Register array, Clone, Normal destination, Migration destination]
     - Completeness: Depends on normal traffic pattern.
     - Overhead: Has high traffic overhead.
     - Integrity: No integrity guarantee.

  7. Can we design a data plane synchronization protocol that satisfies all three goals?
     - P4Sync

  8. P4Sync overview
     - Data plane protocol: Runs in the data plane with minimal local control plane involvement
     - Completeness: Scans and copies the register array end to end
     - Low overhead: Caches and aggregates dirty data in a delta array
     - Integrity guarantee: Per-packet MAC and periodic RSA signatures

  9. Outline
     - Motivation: Data plane state synchronization
     - State of the art: Cannot satisfy all three goals
     - Approach: P4Sync
     - P4Sync design
     - Challenge #1: Achieving completeness with low overhead
     - Challenge #2: Data integrity guarantee
     - Evaluation
     - Conclusion

  10. Challenge #1: Achieving completeness with low overhead
     - Challenges: Scanning register arrays; Caching new updates
     - Solution: Scanning register arrays end to end
     - Solution: Caching and aggregating new updates in a delta array

  11. Scanning register arrays end to end
     - [Figure labels: Register array (entries 0 to 100), Scanning direction, Rate control, Traffic generator, Migration destination]
     - Using the traffic generator in programmable switches
     - Controlling the synchronization to a reasonable rate
     - Maintaining a progress index

  12. Caching and aggregating dirty data in a delta array
     - [Figure labels: Normal traffic, Register array (entries 0 to 100), Delta array (entries 0 to 100), Rate control, Traffic generator, Migration destination]
     - Caching and aggregating dirty data in a delta array
     - Scanning through the delta array at the end

  13. Challenge #2: Data integrity guarantee
     - [Figure labels: Limited arithmetic operations, Software speed]
     - Naïve solution: Signing every packet with RSA.
     - In the data plane: Only support limited arithmetic operations.
     - In the control plane: Cannot handle Tbps traffic.
     - Our solution: Amortizing overhead over a set of packets
     - Inspired by stream authentication: EMSS (S&P '00)

  14. Amortizing overhead over a set of packets
     - [Figure: packets 111 to 117 labeled MAC, with two RSA labels]
     - hash(i) = hash(PH, hash(i − 1)), where PH is the packet header fields, hash(i − 1) is the hash of the last packet, and hash(i) is the hash of this packet
     - Building a hash chain in the data plane.
     - Signing packets in batch in the control plane.
     - How to handle packet loss and reordering?

  15. Outline
     - Motivation: Data plane state synchronization
     - State of the art: Cannot satisfy all three goals
     - Approach: P4Sync
     - P4Sync design
     - Challenge #1: Achieving completeness with low overhead
     - Challenge #2: Data integrity guarantee
     - Evaluation
     - Conclusion

  16. Experimental setup
     - Proof-of-concept prototype: Runs in Mininet + P4 bmv2.
     - Measured RSA speed in a Wedge 100BF-32X Tofino switch.
     - Scenario: A source switch transmits a hash array to a destination switch. The attacker in the middle tries to modify the data.
     - Baseline: Swing State (SOSR '17)

  17. How much traffic overhead does P4Sync incur?
     - Swing State achieves 100% completeness when overhead is 8.
     - P4Sync achieves 100% completeness when overhead is 2.
     - P4Sync can transmit data completely with low traffic overhead.

  18. How well can P4Sync defend against integrity attacks?
     - [Figure labels: Source (trusted), Destination (trusted)]
     - P4Sync can always detect the packet modification.
     - RSA-2048: 2.15ms for signature; 0.07ms for verification.
     - P4Sync can defend against integrity attacks effectively and efficiently!

  19. Outline
     - Motivation: Data plane state synchronization
     - State of the art: Cannot satisfy all three goals
     - Approach: P4Sync
     - P4Sync design
     - Challenge #1: Achieving completeness with low overhead
     - Challenge #2: Data integrity guarantee
     - Evaluation
     - Conclusion

  20. P4Sync overview
     - Data plane protocol: Runs in the data plane with minimal local control plane involvement
     - Completeness: Scans and copies the register array end to end
     - Low overhead: Caches and aggregates dirty data in a delta array
     - Integrity guarantee: Per-packet MAC and periodic RSA signatures

  21. Conclusion
     - Motivation: Data plane state synchronization
     - Three key goals: Completeness; Low overhead; Integrity guarantee
     - Our approach: P4Sync
     - Scans and copies the register array end to end
     - Caches and aggregates dirty data in a delta array
     - Per-packet MAC and periodic RSA signatures
     - Source code: https://github.com/jiarong0907/P4Sync
     - Looking for internship in 2021 summer!
     - Questions?
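The scan-plus-delta-array idea from slides 11 and 12, as a small simulation added here (not code from the P4Sync repository). Assumptions: a write to an entry the scan has already passed is cached in the delta array, normal traffic is quiesced during the final delta pass, and the function name, array size and random traffic are constructed for illustration.

```python
import random

def migrate(registers, use_delta=True, seed=7):
    """Scan `registers` end to end while constructed traffic keeps writing.

    Returns (destination_copy, sync_packets_sent).
    """
    rng = random.Random(seed)
    n = len(registers)
    dest = [None] * n
    delta = {}   # index -> latest value; repeated writes aggregate into one slot
    sent = 0
    for progress in range(n):                  # progress index of the scan
        dest[progress] = registers[progress]   # one sync packet per entry
        sent += 1
        i = rng.randrange(n)                   # one normal-traffic write per step
        registers[i] += 1
        # Assumption: only writes behind the scan need caching; writes ahead
        # of the progress index are picked up when the scan reaches them.
        if use_delta and i <= progress:
            delta[i] = registers[i]
    for i, value in sorted(delta.items()):     # final pass over the delta array
        dest[i] = value
        sent += 1
    return dest, sent

if __name__ == "__main__":
    regs = [0] * 64
    dest, sent = migrate(regs)
    print("complete:", dest == regs, "packets:", sent)
    regs = [0] * 64
    dest, sent = migrate(regs, use_delta=False)
    print("complete without delta array:", dest == regs, "packets:", sent)
```

Because repeated writes to one entry collapse into a single delta slot, the total never exceeds two packets per register entry in this model.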
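A sketch of the amortized integrity check from slide 14, added here as an example and not taken from the P4Sync source. It covers only the hash chain and the periodic signature over the chain head; SHA-256, the batch size of 4, in-order lossless delivery, the packet contents, and the HMAC that stands in for the control plane's RSA signature are all assumptions.

```python
import hashlib
import hmac

BATCH = 4                                   # packets per checkpoint (assumed)
SIG_KEY = b"constructed-control-plane-key"  # stand-in for an RSA key pair
GENESIS = b"\x00" * 32                      # initial chain value (assumed)

def chain(prev, header):
    # hash(i) = hash(PH, hash(i-1)) from slide 14, instantiated with SHA-256
    return hashlib.sha256(header + prev).digest()

def sign(head):
    # Stand-in for the RSA signature, chosen to stay stdlib-only. Unlike RSA,
    # the verifier here must hold the same secret key as the signer.
    return hmac.new(SIG_KEY, head, hashlib.sha256).digest()

def send(headers):
    """Source: chain every packet, sign the chain head once per batch."""
    head, out = GENESIS, []
    for n, ph in enumerate(headers, 1):
        head = chain(head, ph)
        out.append((ph, sign(head) if n % BATCH == 0 else None))
    return out

def receive(packets):
    """Destination: recompute the chain, return indices of failed batches."""
    head, bad = GENESIS, []
    for n, (ph, sig) in enumerate(packets, 1):
        head = chain(head, ph)
        if sig is not None and not hmac.compare_digest(sig, sign(head)):
            bad.append(n // BATCH - 1)
    return bad

if __name__ == "__main__":
    # Constructed packet header fields: register index and value
    hdrs = [b"idx=%d val=%d" % (i, i * 3) for i in range(12)]
    pkts = send(hdrs)
    print("clean:", receive(pkts))
    pkts[5] = (b"idx=5 val=999", pkts[5][1])   # in-path modification
    print("tampered:", receive(pkts))
```

Each hash folds in the previous one, so a single modified header fails its own checkpoint and every later one, while only one signature per batch is computed.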
