Security Applications with P4 Programmable Data Plane Switches
Monday, September 18, 1:00 PM - 4:30 PM
Minneapolis, MN
- University of South Carolina
- Energy Sciences Network (ESnet)
- The Engagement and Performance Operations Center (EPOC)
Overview
The emergence of the IoT, cloud systems, data centers, and 5G networks is increasing the demand for rapid development of new applications and protocols at all levels of the protocol stack. Traditional fixed-function data planes, however, can only be changed through a lengthy and costly development process in the hands of chip manufacturers. Data plane programmability has recently attracted significant attention because it lets network engineers run customized packet processing functions written in the P4 language. Security is one of the key areas that benefits from the capabilities of programmable switches: applications can be reconfigured in the field without hardware upgrades, which facilitates the deployment of new defenses against unforeseen attacks and vulnerabilities.

This tutorial provides Information Technology (IT) professionals and practitioners (network engineers, students, instructors) with an introduction to P4 programmable switches, followed by security applications that rely on the unique visibility these devices provide. The tutorial first covers the fundamentals of programmable switches: understanding P4 building blocks, implementing a customized packet parser, and programming match-action tables. It then continues with security applications: implementing stateful packet filters, detecting and mitigating SYN flood attacks, detecting and mitigating DNS amplification attacks, extracting features at line rate for machine learning models, and implementing a simple URL filter in the data plane.

Attendees will have access to a virtual platform and detailed manuals that accompany the laboratory experiments running on that platform. The platform is accessible from the Internet using a regular web browser (no SSH, Telnet, or other client software is required). Access to the training platform will be granted for six months.
Audience
IT educators, practitioners, and professionals in general (network engineers, system administrators, etc.) with basic background in networking.
Required Equipment
No specialized equipment is required. All material will be accessible via web browsing. Presentations will be conducted via Zoom. For hands-on sessions, attendees will access a virtual platform deployed for the workshop.
Outcomes
By the end of this workshop, attendees will:
- Describe the elements of the Protocol Independent Switch Architecture (PISA)
- Define protocol headers and header fields in P4
- Write simple parsers using P4
- Define match-action tables
- Populate and manage match-action tables at runtime
- Leverage stateful elements (registers) to store arbitrary data in the data plane
- Develop in-network defenses to mitigate common cyberattacks
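The outcomes above map onto a single small program. The following P4_16 program for the BMv2 v1model is an added example written for this page, not the tutorial's own lab code: it defines Ethernet, IPv4 and TCP headers, parses them, uses two runtime-populated match-action tables (`port_role` to classify ingress ports as inside or outside, `ipv4_lpm` to pick an egress port), and keeps per-connection state in a register so that inbound TCP is only admitted when an inside host opened the connection with a SYN. All names (`port_role`, `known_flows`, `idx_outbound`, `FLOW_SLOTS`) and the register size are assumptions chosen for the example.

```p4
// Added example (not the tutorial's lab code): a minimal stateful TCP filter for
// BMv2's v1model. Table, register and action names and the slot count are assumptions.
#include <core.p4>
#include <v1model.p4>

const bit<16> TYPE_IPV4  = 0x0800;
const bit<8>  PROTO_TCP  = 6;
const bit<32> FLOW_SLOTS = 65536;   // assumed size of the connection-tracking register

// --- Headers and fields (Ethernet, IPv4, TCP) ---
header ethernet_t { bit<48> dstAddr; bit<48> srcAddr; bit<16> etherType; }
header ipv4_t {
    bit<4> version; bit<4> ihl; bit<8> diffserv; bit<16> totalLen;
    bit<16> identification; bit<3> flags; bit<13> fragOffset;
    bit<8> ttl; bit<8> protocol; bit<16> hdrChecksum;
    bit<32> srcAddr; bit<32> dstAddr;
}
header tcp_t {
    bit<16> srcPort; bit<16> dstPort; bit<32> seqNo; bit<32> ackNo;
    bit<4> dataOffset; bit<3> res; bit<3> ecn;
    bit<6> ctrl;                    // URG ACK PSH RST SYN FIN
    bit<16> window; bit<16> checksum; bit<16> urgentPtr;
}
struct headers { ethernet_t ethernet; ipv4_t ipv4; tcp_t tcp; }
struct metadata {
    bit<1>  from_inside;   // 1 if the packet arrived on a protected-side port
    bit<32> flow_idx;      // register slot for this connection
    bit<1>  flow_known;    // 1 if the connection was opened from the inside
}

// --- Parser: Ethernet -> IPv4 -> TCP ---
parser MyParser(packet_in pkt, out headers hdr, inout metadata meta,
                inout standard_metadata_t std) {
    state start { pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) { TYPE_IPV4: parse_ipv4; default: accept; } }
    state parse_ipv4 { pkt.extract(hdr.ipv4);
        transition select(hdr.ipv4.protocol) { PROTO_TCP: parse_tcp; default: accept; } }
    state parse_tcp { pkt.extract(hdr.tcp); transition accept; }
}
control MyVerifyChecksum(inout headers hdr, inout metadata meta) { apply { } }

// --- Ingress: match-action tables plus a register holding per-flow state ---
control MyIngress(inout headers hdr, inout metadata meta, inout standard_metadata_t std) {
    // One bit per slot: 1 = a SYN for this connection was seen leaving the protected side.
    register<bit<1>>(FLOW_SLOTS) known_flows;

    action drop()        { mark_to_drop(std); }
    action set_inside()  { meta.from_inside = 1; }
    action set_outside() { meta.from_inside = 0; }
    table port_role {                 // filled at runtime: which ports face the inside
        key = { std.ingress_port: exact; }
        actions = { set_inside; set_outside; }
        default_action = set_outside();
    }
    action forward(bit<9> port) { std.egress_spec = port; }
    table ipv4_lpm {                  // filled at runtime: destination prefix -> port
        key = { hdr.ipv4.dstAddr: lpm; }
        actions = { forward; drop; }
        default_action = drop();
    }
    // Both directions must hit the same slot, so the inside endpoint is hashed first.
    action idx_outbound() {
        hash(meta.flow_idx, HashAlgorithm.crc32, (bit<32>)0,
             { hdr.ipv4.srcAddr, hdr.ipv4.dstAddr, hdr.tcp.srcPort, hdr.tcp.dstPort }, FLOW_SLOTS);
    }
    action idx_inbound() {
        hash(meta.flow_idx, HashAlgorithm.crc32, (bit<32>)0,
             { hdr.ipv4.dstAddr, hdr.ipv4.srcAddr, hdr.tcp.dstPort, hdr.tcp.srcPort }, FLOW_SLOTS);
    }

    apply {
        if (!hdr.ipv4.isValid()) { drop(); return; }
        port_role.apply();
        if (hdr.tcp.isValid()) {
            if (meta.from_inside == 1) {
                idx_outbound();
                // SYN (without ACK) from inside opens the slot; RST from inside closes it.
                if ((hdr.tcp.ctrl & 0x12) == 0x02)   { known_flows.write(meta.flow_idx, 1); }
                else if ((hdr.tcp.ctrl & 0x04) != 0) { known_flows.write(meta.flow_idx, 0); }
            } else {
                idx_inbound();
                known_flows.read(meta.flow_known, meta.flow_idx);
                // Inbound TCP that no inside host asked for (including external SYNs) is dropped.
                if (meta.flow_known == 0) { drop(); return; }
            }
        }
        ipv4_lpm.apply();   // non-TCP IPv4 is forwarded statelessly
    }
}

control MyEgress(inout headers hdr, inout metadata meta, inout standard_metadata_t std) { apply { } }
control MyComputeChecksum(inout headers hdr, inout metadata meta) { apply { } }  // no fields rewritten
control MyDeparser(packet_out pkt, in headers hdr) {
    apply { pkt.emit(hdr.ethernet); pkt.emit(hdr.ipv4); pkt.emit(hdr.tcp); }
}

V1Switch(MyParser(), MyVerifyChecksum(), MyIngress(), MyEgress(),
         MyComputeChecksum(), MyDeparser()) main;
```

Compile with `p4c-bm2-ss` and load into `simple_switch`; the tables are then populated from `simple_switch_CLI`, for example `table_add port_role set_inside 1 =>` to mark port 1 as the protected side and `table_add ipv4_lpm forward 10.0.0.0/8 => 1` to route that prefix out of port 1 (the port numbers and prefix are illustrative). Two caveats a practitioner would check before relying on this: the register is indexed by a hash, so a colliding external flow inherits another connection's "known" bit, and slots are only cleared by an inside RST, so state never ages out. A production filter would add a timestamp per slot, validate sequence numbers, and protect the register against the SYN floods that a later hands-on session addresses.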
Agenda
Monday, September 18
Time | Topic | Presenter |
---|---|---|
1:00-1:30 | Motivation for data plane programmability and in-network defenses [PDF, PPT] | Elie Kfoury [Bio] |
1:30-2:05 | Hands-on session 1: implementing a stateful packet filter for the TCP protocol [PDF, PPT] | Ali AlSabeh [Bio] |
2:05-2:15 | Break | |
2:15-3:00 | Hands-on session 2: mitigating DNS amplification attacks in P4 [PDF, PPT] | Ali AlSabeh |
3:00-3:05 | Break | |
3:05-4:00 | Hands-on session 3: detecting and mitigating SYN flood attacks in P4 [PDF, PPT] | Ali AlSabeh |
4:00-4:30 | Discussions, applications with P4 switches, Tofino pods [PDF, PPT, Video] | Jose Gomez [Bio], Ali AlSabeh |
[Survey]
Award Information
This activity is supported by NSF award 2118311. Link to official webpage: NSF-2118311
Resources
Item | Note |
---|---|
VM for P4 Labs: Link | VM containing lab exercises |
Cybertraining Material: Link | List of virtual labs on P4, SDN, network tools and protocols, ... |
P4 Campus: Link | P4 applications for campus networks |
FABRIC: Link | A programmable research infrastructure |
Behavioral Model version 2 (BMv2): Link | Reference P4 software switch used as a tool for developing, testing and debugging P4 data planes |
Software-Defined Networks: A Systems Approach: Link | A book that explores the key principles of Software-Defined Networking (SDN) |
Mininet: Link | Virtual testbed enabling the development and testing of network tools and protocols |
Containernet: Link | Mininet fork that allows Docker containers to be used as hosts in emulated networks |
Mininet Installation: Link | A guide that describes the steps to install Mininet on Linux |
Wireshark: Link | Packet analyzer used for network troubleshooting, analysis, protocol development, and education |