Abstract

The inspection of packet contents, Deep Packet Inspection (DPI), is an important component in network security. However, DPI is provided by complex black-box firewalls which the network administrator has no choice but to trust. This raises the question: can network administrators build their own DPI-capable filter using a standard programmable switch? The commonly accepted answer is that standard switches are not powerful enough; the standard they support (the P4 language) does allow users to specify how to parse packet headers, but not packet payload fields (e.g. a URL), as required by DPI. Even though software-defined networks are quite capable of handling various tasks, ranging from firewalling to flow analysis, these are all based on intelligent use of packet headers. DPI tasks, like URL filtering, still require dedicated middleboxes – or, if we insist on SDN solutions, middleboxes in addition to SDN. If we insist on developing a solution on the switch itself, we need either custom switch hardware, or heavy support from the SDN controller or an external firewall. This dissertation challenges this common consensus. For our first contribution, we demonstrate that clients send packets with a predictable structure, so a P4 switch can perform some DPI (enough for URL filtering). We then develop and demonstrate a URL-filtering firewall, DiP, completely in the data plane, taking no external help from the SDN controller, firewalls, etc. DiP is a proof-of-concept, but is quite robust, handles multiple protocols (HTTP(S), DNS), and outperforms the standard netfilter firewall by orders of magnitude. However, DiP is not truly a general firewall: it is very specifically a URL filter, and it depends on the strong constraint of a predictable URL location in a packet, which may not hold in future. Thus, for our final contribution, we present a novel approach that allows general Deep Packet Inspection (DPI) – i.e. inspection of the packet payload – in the data plane, using P4 alone.
We make use of the fact that in P4, a switch can clone and recirculate packets. One copy (the clone) is recirculated, slicing off one byte in each round and using a finite-state machine to check whether a target string has been seen so far. If the target string is found, the other copy (the original packet) is discarded; if not, it is passed through. Our approach allows us to build DeeP4R, the first general-purpose application-layer firewall (URL filter) in the data plane, and to achieve essentially line-rate performance while filtering thousands of URLs on a commodity programmable switch. We can therefore argue with assurance that any platform that supports P4 is powerful enough for Deep Packet Inspection, and in future it may be possible to use programmable switches for this task, rather than dedicated firewalls.
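The clone-and-recirculate loop described above, simulated in Python as an added example (this is not code from the dissertation or from DeeP4R): an Aho-Corasick automaton advances one byte per round, and the only value that has to survive between rounds is a single integer state, which is what a switch would carry in recirculation metadata. The blocklist and the HTTP request are constructed sample inputs.

```python
from collections import deque

def build_matcher(patterns):
    """Build an Aho-Corasick automaton over byte strings: goto[s][b] is the
    transition on byte b, fail[s] the failure link, out[s] the patterns that
    end at s. One integer (the state) is all that is carried between rounds."""
    goto, out = [{}], [set()]
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())  # depth-1 states fail to the root
    while queue:
        s = queue.popleft()
        for b, t in goto[s].items():
            queue.append(t)
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] |= out[fail[t]]  # patterns ending as a suffix here
    return goto, fail, out

def recirculation_round(dfa, state, byte):
    """One round: the clone loses one more byte; advance the DFA on it."""
    goto, fail, _ = dfa
    while state and byte not in goto[state]:
        state = fail[state]
    return goto[state].get(byte, 0)

def inspect_payload(dfa, payload):
    """Simulate the recirculation loop. Returns (matched pattern or None,
    rounds used); a match means the original packet is dropped."""
    state = 0
    for rounds, byte in enumerate(payload, 1):
        state = recirculation_round(dfa, state, byte)
        if dfa[2][state]:
            return min(dfa[2][state]), rounds
    return None, len(payload)

# Constructed sample: a small blocklist and an HTTP request that hits it
BLOCKLIST = [b"evil.example", b"bad.test"]
REQUEST = b"GET / HTTP/1.1\r\nHost: www.evil.example\r\n"
print(inspect_payload(build_matcher(BLOCKLIST), REQUEST))  # (b'evil.example', 38)
```

The rounds value is the number of recirculations the clone needed before the decision was reached, which is the quantity that bounds per-packet latency in this design.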

Library of Congress Subject Headings

Computer networks--Security measures; Packet switching (Data transmission)--Standards; Packet switching (Data transmission)--Technological innovations; Firewalls (Computer security)

Publication Date

5-2023

Document Type

Dissertation

Student Type

Graduate

Degree Name

Computing and Information Sciences (Ph.D.)

Department, Program, or Center

Computer Science (GCCIS)

Advisor

Hrishikesh B. Acharya

Advisor/Committee Member

Yin Pan

Advisor/Committee Member

Minseok Kwon

Campus

RIT – Main Campus

Plan Codes

COMPIS-PHD