Abstract

In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported, which are the basis of virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we present two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background on P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. To our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

Highlights

  • Virtual Private Networks (VPNs) extend private networks across public networks by adding authentication and encryption to network traffic

  • The authors mainly criticize the redundancy of functionality caused by AH, ESP, and the two operation modes, the complex key exchange with Internet Key Exchange (IKE), and the complex configuration caused by the Security Policy Database (SPD) and Security Association Database (SAD)

  • As legacy Internet Protocol Security (IPsec) devices already feature an IKE daemon, they can be extended with an interface to benefit from software-defined networking (SDN)-assisted operation of IPsec

Summary

INTRODUCTION

Virtual Private Networks (VPNs) extend private networks across public networks by adding authentication and encryption to network traffic. Several works investigate how to leverage the centralized control plane of software-defined networking (SDN) to simplify IPsec operation. The control plane functions for IPsec operation are part of a central SDN controller that maintains IPsec tunnels without the help of distributed key exchange protocols such as IKE. As these components are steered by a centralized control plane through an authenticated and encrypted control connection, complex IKE-based key exchange protocols are substituted by controller-based tunnel setup and renewal procedures. The appendices include a list of the acronyms used in the paper.

TECHNICAL BACKGROUND
PROTOTYPICAL IMPLEMENTATION
VIII. CONCLUSION