Conference Paper

# Hardware-Accelerated Firewall for 5G Mobile Networks


## Abstract

The evolution from the current Fourth-Generation (4G) networks to the emerging Fifth-Generation (5G) technologies implies significant changes in the architecture and poses demanding requirements on network infrastructures. One of the Key Performance Indicators (KPIs) in 5G is to ensure a secure network with zero downtime. In this paper, we focus on the provisioning of protection capabilities for 5G infrastructures. Our objective is to implement a new 5G firewall that allows the detection, differentiation and selective blocking of 5G network traffic in the edge-to-core network segment of a 5G infrastructure, using a hardware-accelerated framework based on Field Programmable Gate Arrays (FPGA), developed using the P4 language. The proposed 5G firewall has been prototyped, and the new capabilities it provides have been empirically validated.


... Essentially, P4 programmable switches have removed the entry barrier to network design, previously reserved to chip manufacturers. Enabling users to program the switch ASIC has resulted in unforeseen applications: replacing hundreds of load balancer servers with one programmable switch [14], developing Fifth-Generation (5G) firewalls with General Packet Radio Service (GPRS) tunneling capability [15], devising in-network memory cache that can process over 2 billion queries per second [16], and others. ...
... [Taxonomy table of P4 security applications, listing the works cited under each category: Spoofing Attacks, DDoS Attacks, Network Verification, Privacy and Anonymity, Cryptography and Security Protocols, Firewalls (including [15]), Generic Defenses] ...
... However, efforts in P4 are not exclusive to such infrastructures, but rather they extend to support mobile networks. Accordingly, Ricart et al. [15] propose a firewall for 5G network infrastructure located between the edge and the core networks. In a follow-up work [92], the authors extended their work to support multi-tenant 5G infrastructures. ...
Article
Full-text available
The emergence of the IoT, cloud systems, data centers, and 5G networks is increasing the demand for a rapid development of new applications and protocols at all levels of the protocol stack. However, traditional fixed-function data planes have been characterized by a lengthy and costly development process at the hand of few chip manufacturers. Recently, data plane programmability has attracted significant attention, permitting network owners to run customized packet processing functions using P4, the de facto data plane programming language. Network security is one of the key research areas exploiting the capabilities of programmable switches. Examples include new encapsulations and secure tunnels implemented in short times, mitigation techniques for DDoS attacks that occur at terabit rates, customized firewalls that track hundreds of thousands of connections per second, and traffic anonymization systems that operate at line rate. Moreover, applications can be reconfigured in the field without additional hardware upgrades, facilitating the deployment of new defenses against unforeseen attacks and vulnerabilities. Furthermore, these security applications are designed by network owners who can meet their specific requirements, rather than by chip manufacturers. Despite the impressive advantages of programmable data plane switches, the literature has been missing a comprehensive survey on security applications. To this end, this paper provides a concise background on programmable switches and their main features that are relevant to security. It then presents a taxonomy that surveys, classifies, and analyzes articles related to security applications developed with P4. Additionally, the paper employs a STRIDE analysis to examine vulnerabilities related to general P4 applications (e.g., congestion control, load balancing, in-network cache) and proposes plausible remediation approaches. Furthermore, challenges associated with programmable data planes, the impact of these challenges on security implementations, and schemes to eliminate or mitigate them are discussed. Finally, the paper discusses future endeavors and open research problems. Keywords: P4 language, programmable data plane, P4 security applications and implications, STRIDE model, challenges and solutions in P4.
... • Reconfigurability: the parser and the processing logic can be redefined in the field. [Taxonomy table of P4 applications by category; this paper is cited under Telecom Services.] • Protocol independence: the switch is protocol-agnostic. The programmer defines the protocols, the parser, and the operations to process the headers. ...
... Ricart-Sanchez et al. [137] proposed a system that uses a programmable data plane to enhance the performance of the data path from the edge to the core network, also known as the backhaul, in a 5G multi-tenant network. The same authors [138] proposed a 5G firewall that detects, differentiates and selectively blocks 5G network traffic in the backhaul network. ...
... For instance, the experiments conducted in [137] show that the attained QoS metrics meet the latency requirements of 5G. Similarly, the results reported in [138] demonstrate that the system meets the reliability KPI of 5G, which states that the network should be secured with zero downtime. Furthermore, the results reported in [142] show that there are 18% and 25% reductions in handover time with respect to legacy approaches, for two- and three-handover sequences, respectively. ...
Article
Full-text available
Traditionally, the data plane has been designed with fixed functions to forward packets using a small set of protocols. This closed-design paradigm has limited the capability of the switches to proprietary implementations which are hard-coded by vendors, inducing a lengthy, costly, and inflexible process. Recently, data plane programmability has attracted significant attention from both the research community and the industry, permitting operators and programmers in general to run customized packet processing functions. This open-design paradigm is paving the way for an unprecedented wave of innovation and experimentation by reducing the time of designing, testing, and adopting new protocols; enabling a customized, top-down approach to develop network applications; providing granular visibility of packet events defined by the programmer; reducing complexity and enhancing resource utilization of the programmable switches; and drastically improving the performance of applications that are offloaded to the data plane. Despite the impressive advantages of programmable data plane switches and their importance in modern networks, the literature has been missing a comprehensive survey. To this end, this paper provides a background encompassing an overview of the evolution of networks from legacy to programmable, describing the essentials of programmable switches, and summarizing their advantages over Software-defined Networking (SDN) and legacy devices. The paper then presents a unique, comprehensive taxonomy of applications developed with P4 language; surveying, classifying, and analyzing more than 200 articles; discussing challenges and considerations; and presenting future perspectives and open research issues.
... [Taxonomy table of P4 applications by category; this paper is cited under Telecom Services.] • Protocol independence: the switch is protocol-agnostic. The programmer defines the protocols, the parser, and the operations to process the headers. ...
... Ricart-Sanchez et al. [137] proposed a system that uses a programmable data plane to enhance the performance of the data path from the edge to the core network, also known as the backhaul, in a 5G multi-tenant network. The same authors [138] proposed a 5G firewall that detects, differentiates and selectively blocks 5G network traffic in the backhaul network. ...
... For instance, the experiments conducted in [137] show that the attained QoS metrics meet the latency requirements of 5G. Similarly, the results reported in [138] demonstrate that the system meets the reliability KPI of 5G, which states that the network should be secured with zero downtime. Furthermore, the results reported in [142] show that there are 18% and 25% reductions in handover time with respect to legacy approaches, for two- and three-handover sequences, respectively. ...
Preprint
Full-text available
Traditionally, the data plane has been designed with fixed functions to forward packets using a small set of protocols. This closed-design paradigm has limited the capability of the switches to proprietary implementations which are hardcoded by vendors, inducing a lengthy, costly, and inflexible process. Recently, data plane programmability has attracted significant attention from both the research community and the industry, permitting operators and programmers in general to run customized packet processing functions. This open-design paradigm is paving the way for an unprecedented wave of innovation and experimentation by reducing the time of designing, testing, and adopting new protocols; enabling a customized, top-down approach to develop network applications; providing granular visibility of packet events defined by the programmer; reducing complexity and enhancing resource utilization of the programmable switches; and drastically improving the performance of applications that are offloaded to the data plane. Despite the impressive advantages of programmable data plane switches and their importance in modern networks, the literature has been missing a comprehensive survey. To this end, this paper provides a background encompassing an overview of the evolution of networks from legacy to programmable, describing the essentials of programmable switches, and summarizing their advantages over Software-defined Networking (SDN) and legacy devices. The paper then presents a unique, comprehensive taxonomy of applications developed with P4 language; surveying, classifying, and analyzing more than 150 articles; discussing challenges and considerations; and presenting future perspectives and open research issues.
... The authors in [27] present a prototype for packet processing based on hardware using the programmable platform NetFPGA with the programmable data plane in the P4 language. The work consists of developing a firewall located between the core and the edge of 5G networks. ...
Article
Full-text available
Flexibility is considered a key feature of 5G softwarization to deliver a timely response to changes in network requirements that may be caused by traffic variation, user mobility, dynamic network function chains, slice lifecycle management operations, among others. In this article, we evolve the upf-bpf open-source project by proposing a new design to improve its flexibility by reducing the run-time adaptation time. The project proposes an in-kernel solution based on BPF and eXpress Data Path (XDP) for 5G User Plane Function (UPF) implementations. The Just-In-Time (JIT) compilation may have a huge impact on the adaptation time due to the in-kernel verification of the BPF programs at run-time. Our results show latency improvements of around 95% to inject the BPF program into the Linux kernel. Furthermore, the solution keeps the same functionalities and delivers a packet processing performance of around 10–11 Mpps using 6 cores with almost 70% of the CPU utilization in downlink/uplink directions.
... The authors in [23] present a prototype for packet processing based on hardware using the programmable platform NetFPGA with the programmable data plane in the P4 language. The work consists of developing a firewall located between the core and the edge of 5G networks. ...
Conference Paper
Full-text available
The edge computing infrastructure can scale from datacenters to a single device. The well-known technology for fast packet processing is DPDK, which has outstanding performance regarding throughput and latency. However, there are some drawbacks when it is used at the edge: (i) the polling mechanism for packet processing keeps the CPU exclusively occupied even if there is no traffic, leading to wasted resources; and (ii) the DPDK interface becomes unavailable to the applications inside the host, so the integration between a non-DPDK application and a DPDK application becomes a hard task. In this paper, we propose an open-source in-kernel 5G UPF solution based on 3GPP Release 16 to be deployed in a restrictive environment like MEC, where the MEC host and the UPF are collocated with the Base Station, sharing the same computational and network resources. The solution leverages eBPF/XDP, a novel Linux kernel technology for fast packet processing. We show it can scale and achieve 10 Mpps using only 60% of the CPU with 6 cores.
... Ricart-Sanchez et al. [428] present a 5G firewall that analyzes GTP data transmitted between edge and core networks. P4 allows an implementation of parsing and matching GTP header fields such as 5G user source IP, 5G user destination IP, and identification number of the GTP tunnel. ...
Preprint
With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.
... Its authors focus on simplified update processes by deploying recompiled versions of the P4 program. Ricart-Sanchez et al. [23] implement a P4-based firewall for 5G networks. It includes parser definitions for filtering GPRS tunneling protocol data. ...
Article
In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub [1]. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.
... [9][10][11], and network security e.g. [12][13][14][15][16]. However, conventional FPGAs do not have built-in ternary content addressable memory (TCAM). ...
... A network slice is defined by the following 6-tuple: 5G user source and destination IPs, 5G user source and destination ports, Differentiated Services Code Point (DSCP) and GTP Tunnel ID. The foundations of this parser stage are based on our previous publication, just in case the reader is interested [4]. ...
... The DPX firewall prototype has been implemented using the NetFPGA-SUME platform. Especially interesting is the use of FPGA technology in accelerating the execution of security functionalities in SDN-based 5G mobile networks, which are subject to strict delay and bandwidth requirements. Thus, [23] introduced the implementation of a 5G firewall, which enables detection, differentiation and selective blocking of DoS traffic in the edge-to-core segment of the 5G network infrastructure. The prototype of the proposed 5G firewall has been implemented using the P4 language [24] and the NetFPGA-SUME platform. ...
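The citing snippets above describe the firewall as two stages: a parser that reaches through the GTP-U tunnel to the 5G user's inner headers, and a match stage keyed on a 6-tuple (5G user source and destination IPs, source and destination ports, DSCP, and GTP Tunnel ID) held in TCAM-style rules with wildcard fields. The following Python is an added illustration of those two stages and is not the paper's own code (the prototype is P4 on NetFPGA-SUME). The names `SliceKey`, `Rule`, `extract_slice_key` and `firewall_action`, the GTP-U layout handling (3GPP TS 29.281 header, optional fields and extension headers), the drop-on-malformed policy and the constructed test packets are all assumptions of this example.

```python
import ipaddress
import struct
from dataclasses import astuple, dataclass
from typing import List, Optional

GTPU_PORT = 2152   # UDP port carrying GTP-U user-plane tunnels
ANY = None         # wildcard rule field, the equivalent of a TCAM "don't care"

class MalformedGTP(ValueError):
    """UDP/2152 traffic that does not parse as a GTPv1-U G-PDU."""

@dataclass(frozen=True)
class SliceKey:                   # the 6-tuple the firewall matches on (constructed naming)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dscp: int
    teid: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    src_ip: Optional[str] = ANY
    dst_ip: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY
    dscp: Optional[int] = ANY
    teid: Optional[int] = ANY

    def matches(self, key: SliceKey) -> bool:
        # astuple(self)[1:] skips `action`; the remaining fields line up with SliceKey
        return all(p is ANY or p == k for p, k in zip(astuple(self)[1:], astuple(key)))

def parse_ipv4(buf: bytes, off: int):
    """Return (src, dst, proto, dscp, header_end) or None if not a sane IPv4 header."""
    if len(buf) < off + 20 or buf[off] >> 4 != 4:
        return None
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or len(buf) < off + ihl:
        return None
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    return src, dst, buf[off + 9], buf[off + 1] >> 2, off + ihl

def extract_slice_key(pkt: bytes) -> Optional[SliceKey]:
    """Parser stage: outer IPv4/UDP -> GTP-U -> inner IPv4 -> L4 ports. None = not GTP-U."""
    outer = parse_ipv4(pkt, 0)
    if outer is None or outer[2] != 17 or len(pkt) < outer[4] + 8:
        return None
    off = outer[4] + 8                                          # skip the UDP header
    if pkt[off - 6:off - 4] != GTPU_PORT.to_bytes(2, "big"):    # UDP destination port
        return None
    if len(pkt) < off + 8:
        raise MalformedGTP("truncated GTP-U header")
    flags, msg_type, _, teid = struct.unpack("!BBHI", pkt[off:off + 8])
    if flags >> 5 != 1 or msg_type != 0xFF:                     # GTPv1, G-PDU (0xFF) only
        raise MalformedGTP("not a GTPv1 G-PDU")
    off += 8
    if flags & 0x07:          # E/S/PN flags: 4 optional bytes, then any extension headers
        if len(pkt) < off + 4:
            raise MalformedGTP("truncated optional fields")
        next_ext = pkt[off + 3] if flags & 0x04 else 0
        off += 4
        while next_ext != 0:  # each extension: length/4, content, next-extension type
            ext_len = pkt[off] * 4 if len(pkt) > off else 0
            if ext_len == 0 or len(pkt) < off + ext_len:
                raise MalformedGTP("bad extension header")
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    inner = parse_ipv4(pkt, off)
    if inner is None or inner[2] not in (6, 17) or len(pkt) < inner[4] + 4:
        raise MalformedGTP("inner packet is not IPv4 TCP/UDP")
    sport, dport = struct.unpack("!HH", pkt[inner[4]:inner[4] + 4])
    return SliceKey(inner[0], inner[1], sport, dport, inner[3], teid)

def firewall_action(pkt: bytes, rules: List[Rule], default: str = "allow") -> str:
    # Match stage: first matching rule wins, as in a priority-ordered TCAM.
    try:
        key = extract_slice_key(pkt)
    except MalformedGTP:
        return "drop"         # malformed tunnel traffic never reaches the core
    if key is None:
        return "forward"      # not 5G user plane: outside this firewall's scope
    for rule in rules:
        if rule.matches(key):
            return rule.action
    return default

# Constructed test traffic (not captured data).
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_gtpu(teid, inner_src, inner_dst, sport, dport, dscp=0, seq=None) -> bytes:
    # Edge->core GTP-U G-PDU carrying an inner IPv4/UDP datagram
    inner = build_ipv4(inner_src, inner_dst, 17, struct.pack("!HHHH", sport, dport, 8, 0), dscp)
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""  # seq, N-PDU, next-ext
    flags = 0x30 | (0x02 if seq is not None else 0)                   # v1, PT=1, S flag
    gtp = struct.pack("!BBHI", flags, 0xFF, len(opt) + len(inner), teid) + opt
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp) + len(inner), 0)
    return build_ipv4("10.0.1.1", "10.0.2.1", 17, udp + gtp + inner)
```

A rule such as `Rule("block", teid=0x1234, dst_port=443)` blocks only one tunnel's traffic to one service while leaving every other 5G user untouched, which is the selective blocking the abstract describes; traffic that is not GTP-U at all is forwarded unfiltered, and GTP-U that fails to parse is dropped rather than passed through to the core.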
Conference Paper
Full-text available
The application of the concept of software-defined networks (SDN) has, on the one hand, led to the simplification of switches and a reduction in their price, and on the other hand, has created a significant number of problems related to the security of the SDN network. Several studies have noted that these problems are related to the lack of flexibility and programmability of the data plane, which is likely the first to suffer potential denial-of-service (DoS) attacks. One possible way to overcome this problem is to increase the flexibility of the data plane by increasing the depth of programmability of the packet-switching nodes below the level of flow table management. Therefore, this paper investigates the opportunity of using the architecture of deeply programmable packet-switching nodes (DPPSN) in the implementation of a firewall. Then, an architectural model of the firewall based on a hybrid FPGA/CPU data plane architecture has been proposed and implemented. The realized firewall supports three models of DoS attack mitigation: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to a honeypot. Experimental evaluation of the implemented firewall has shown that DoS traffic filtering at the input interface is the best strategy for DoS attack mitigation, which justifies the application of the concept of deep network programmability.
... In the work of Ricart-Sanchez et al. [36], a NetFPGA-based data path for multitenant 5G traffic is proposed; this presents an exhaustive analysis in terms of performance, scalability, and reliability of the data path developed. In the work of Ricart-Sanchez et al. [37], a 5G NetFPGA-based firewall for the network segment delimited by edge and core is presented, which owns an internal 5G data path to ensure the correct network traffic matching, processing, and control because of internal rule-based storage. However, no slicing is implemented in this contribution. ...
Article
Full-text available
The diverging requirements from various vertical industries have driven the paradigm shift in the next‐generation (5G) mobile networks, where network slicing has emerged as a major paradigm for this purpose by sharing and isolating resources over the same 5G physical infrastructure. To truly fulfill the different quality‐of‐service (QoS) requirements imposed by different network slices for different vertical applications, it is essential to introduce a programmable data plane that is aware of QoS and is configurable to enforce the QoS commitments. In this paper, we focus on designing, prototyping, and evaluating a novel QoS‐aware data‐plane network slicing framework for the edge and core network segments of a 5G network. The proposed framework is capable of dealing with differentiated services through hardware‐based traffic classification, priority configuration, and traffic scheduling. By leveraging the latest open‐source field‐programmable gate array platform, we prototype the proposed framework and empirically evaluate the performance of the prototyped system. Experiment results demonstrate the capabilities of the proposed framework in terms of achieving QoS‐aware network slicing at the data plane.
• 5G hardware‐based network slicing for mobile edge computing architectures
• Novel queuing architecture to implement 5G network slicing
• Empirical demonstration implemented in hardware
... The authors provide an exhaustive analysis in terms of performance, scalability and reliability of the data path developed; however, they do not present any security solution for 5G multi-tenant scenarios, which has been the main motivation of this research work. In [19], the authors provide a firewall for 5G Edge-to-Core scenarios, but they do not provide multi-tenancy support and do not present experimental data about the proposed solution. ...
... In fact, not only OpenFlow-based switches, but also 5G mobile networks are highly dependent on TCAM update efficiency. It is reported that some new 5G firewall designs use TCAM to increase their detection, differentiation and selective blocking efficiency [19]. ...
Article
Full-text available
With an increasing demand for flexible management in software-defined networks (SDNs), it becomes critical to minimize the network policy update time. Although major SDN controllers are now optimized for rapid network update at the control plane, there is still room for data plane optimization in terms of update time, when using TCAM-based physical SDN commodity-off-the-shelf switches. A slow update directly affects network performance and creates bottlenecks. To minimize the flow entry update time, a dependency graph, a kind of directed acyclic graph (DAG), can be used for the access management of flow entries at the switch. Thanks to the DAG, unnecessary entry movements, which are the main factor slowing down flow entry updates, can be avoided. However, existing algorithms show limitations when updates become very frequent. We propose a new flow entry update algorithm, called FastRule, that exploits a greedy strategy with an efficient data structure to accelerate flow entry update with a DAG approach. Moreover, we also adjust our algorithm for other flow table layouts to make it scalable. We elaborate on the correctness of FastRule and test our algorithm using a hardware switch. Compared with existing algorithms, the evaluation shows that our algorithm is about $100 \times$ faster than state-of-the-art solutions with a flow table of $1k$ size.
Article
This article has been withdrawn at the request of the author(s) and/or editor. The Publisher apologizes for any inconvenience this may cause. The full Elsevier Policy on Article Withdrawal can be found at http://www.elsevier.com/locate/withdrawalpolicy. Subsequent to acceptance of this special issue paper by the responsible Guest Editor Sundhararajan Mahalingam, the integrity and rigor of the peer-review process was investigated and confirmed to fall beneath the high standards expected by Microprocessors & Microsystems. There are also indications that much of the Special Issue includes unoriginal and heavily paraphrased content. Due to a configuration error in the editorial system, unfortunately the Editor in Chief did not receive these papers for approval as per the journal’s standard workflow.
Article
Full-text available
The demand-led growth of datacenter networks has meant that many constituent technologies are beyond the research community's budget. NetFPGA SUME is an FPGA-based PCI Express board with I/O capabilities for 100 Gbps operation as a network interface card, multiport switch, firewall, or test and measurement environment. NetFPGA SUME provides an accessible development environment that both reuses existing codebases and enables new designs.
Article
Full-text available
OpenFlow is a vendor-agnostic API for controlling hardware and software switches. In its current form, OpenFlow is specific to particular protocols, making it hard to add new protocol headers. It is also tied to a specific processing paradigm. In this paper we make a strawman proposal for how OpenFlow should evolve in the future, starting with the definition of an abstract forwarding model for switches. We have three goals: (1) Protocol independence: Switches should not be tied to any specific network protocols. (2) Target independence: Programmers should describe how switches are to process packets in a way that can be compiled down to any target switch that fits our abstract forwarding model. (3) Reconfigurability in the field: Programmers should be able to change the way switches process packets once they are deployed in a network. We describe how to write programs using our abstract forwarding model and our P4 programming language in order to configure switches and populate their forwarding tables.
Conference Paper
Full-text available
The NetFPGA platform enables students and researchers to build high-performance networking systems in hardware. A new version of the NetFPGA platform has been developed and is available for use by the academic community. The NetFPGA 2.1 platform now has interfaces that can be parameterized, therefore enabling development of modular hardware designs with varied word sizes. It also includes more logic and faster memory than the previous platform. Field Programmable Gate Array (FPGA) logic is used to implement the core data processing functions while software running on embedded cores within the FPGA and/or programs running on an attached host computer implement only control functions. Reference designs and component libraries have been developed for the CS344 course at Stanford University. Open-source Verilog code is available for download from the project website.