High-speed programmable switches enable efficient in-network defences against cyberattacks. Unfortunately, many existing switch-based security applications are themselves vulnerable to attack, due to the compromises necessary to work within the constraints of today’s packet-processing hardware. Further advances are needed before we have efficient switch-based services that can withstand sophisticated adversaries.
Network operators need robust and efficient ways to protect their networks from cyberattacks. Dedicated hardware middleboxes such as firewalls and Intrusion Detection Systems (IDS) are the conventional choice, but they lack scalability and flexibility. Plus, managing a number of middleboxes also involves high operational and capital costs. Emerging programmable hardware switches offer an appealing alternative.
Unlike traditional fixed-function switches, programmable switches enable operators to develop and deploy customized, high-throughput in-network applications (for example, up to 12.8Tbs on the Intel Tofino2 switch) using high-level programming languages like P4. A single programmable hardware switch can serve multiple security and non-security applications like routing, greatly reducing hardware costs.
Researchers have leveraged P4 and programmable switches to support a diverse set of security tasks (such as firewalls, IDSes, and DDoS mitigation). In particular, researchers have demonstrated the feasibility of porting conventional end-host-based security solutions, such as host-based spoofing detection, to programmable switches. Running at the border of a network, programmable switches have the potential to provide the same security benefits as those end-host-based security solutions, to all hosts in the network at high speed, without modifications to the end-hosts and without deploying dedicated middleboxes.
Programmable switches seem to be a promising building block for developing performant and flexible security applications. However, before embracing this technology, we must understand the limitations.
The design space of programmable switch-based applications is quite different from that of traditional software systems, due to the switch’s limited memory and processing resources and its restricted programming model. For example, a programmable switch should only process each packet once through its processing pipeline to guarantee line-rate performance. This limits the number of allowed operations, therefore some common operations (loop, multiplication, and so on) and cryptographic functions, which serve as the foundation for security applications, are not available.
To cope with these constraints, switch-based applications tend to make certain compromises to maintain high performance. For instance, since the switch does not offer a secure hash function and implementing such functions in the switch can be expensive, an application may use a weak, easy-to-implement hash function instead. The security implications of these commonly made compromises in switch-based applications are, unfortunately, understudied. This leads to the question: Are switch-based security applications secure enough to be used in real-world networks?
Let’s look at an example.
Switch-based SYN Proxy
SYN proxy is a defence against TCP SYN flood attacks. In Figure 1, the SYN proxy responds to a SYN with a SYN-ACK, in which the initial TCP sequence number is a challenge — SYN cookies — generated by a secure hash function. If the ACK (for SYN-ACK) sent from the client contains the correct challenge, the proxy allowlists the corresponding five-tuple and forwards packets back and forth between the client and server. Compared to software-based SYN proxies, a SYN proxy implemented on the modern programmable hardware switch can easily keep up with the attack traffic of terabytes per second.
A secure SYN proxy should make sure the generated SYN cookies cannot be easily forged by the adversary. In Linux, SYN cookies are computed using two rounds of SipHash, a lightweight secure hash function. Unfortunately, implementing secure hash functions on the current generation of programmable switches is challenging and may require sacrificing performance.
A quick workaround is to replace hash functions with CRC functions, which are the built-in primitives in programmable switches. Two known switch-based SYN proxies (as seen here and here) have been implemented in this way. Furthermore, in both SYN proxies, cookies are computed as a function of source and destination IPs, ports, and a constant N, where N is reused across all flows for a given time epoch — the justification is that the switch avoids maintaining per-flow state in this way and achieves better performance.
Consequently, the adversary, who can craft arbitrary packets and observe the corresponding cookies generated by the proxy, can easily recover the exact CRC function and the constant N a switch-based SYN proxy is using, and thus compute the correct cookie for any given spoofed five-tuple to evade the proxies.
We do not want to undermine the security benefits provided by the two SYN proxies. The two SYN proxies indeed mitigate TCP SYN flood attacks launched by a ‘naïve’ attacker who has little insight into the proxy design. However, an ‘adaptive’ attacker that understands how the proxies work, can exploit the issues discussed above to evade the proxies. The attacker can recover the cookie-generation function and send extra packets to allowlist every spoofed IP.
Beyond SYN proxies, we examined five more switch-based security applications and all of them are vulnerable to either evasion (evading attack detection by the application) or disruption (exploiting the system to disrupt other users’ traffic) attacks under their original threat models.
Despite providing certain security and performance benefits, these security applications are not deployment-ready, considering the adversarial context in which they would need to operate. Please see our paper for more details.
Improving the status quo requires multifaceted efforts:
- Developers should perform more rigorous security analysis when developing applications.
- The networking research community should develop more security testing tools (for example, fuzz testing), and reusable, open-source reference implementations of common security building blocks.
- Equipment vendors should offer essential cryptographic primitives in their next-generation programmable switches.
As people begin to pay more attention to the importance of security and programmable switches become increasingly powerful, we believe more practical and deployable switch-based security applications will be developed in the foreseeable future.
Liang Wang is an Associate Research Scholar at Princeton University. His research interests include Internet security and privacy, with recent topics including PKI and BGP security, and security applications of emerging technologies.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.