Conference Paper

Hardware-Accelerated Firewall for 5G Mobile Networks


Abstract

The evolution from the current Fourth-Generation (4G) networks to the emerging Fifth-Generation (5G) technologies implies significant changes in the architecture and poses demanding requirements on network infrastructures. One of the Key Performance Indicators (KPIs) in 5G is to ensure a secure network with zero downtime. In this paper, we focus on the provisioning of protection capabilities for 5G infrastructures. Our objective is to implement a new 5G firewall that allows the detection, differentiation and selective blocking of 5G network traffic in the edge-to-core network segment of a 5G infrastructure, using a hardware-accelerated framework based on Field Programmable Gate Arrays (FPGA), developed using the P4 language. The proposed 5G firewall has been prototyped and its new capabilities have been empirically validated.


... Essentially, P4 programmable switches have removed the entry barrier to network design, previously reserved to chip manufacturers. Enabling users to program the switch ASIC has resulted in unforeseen applications: replacing hundreds of load balancer servers with one programmable switch [14], developing Fifth-Generation (5G) firewalls with General Packet Radio Service (GPRS) tunneling capability [15], devising in-network memory cache that can process over 2 billion queries per second [16], and others. ...
... However, efforts in P4 are not exclusive to such infrastructures, but rather they extend to support mobile networks. Accordingly, Ricart et al. [15] propose a firewall for 5G network infrastructure located between the edge and the core networks. In a follow up work [92], the authors extended their work to support multi-tenant 5G infrastructures. ...
Article
Full-text available
The emergence of the IoT, cloud systems, data centers, and 5G networks is increasing the demand for a rapid development of new applications and protocols at all levels of the protocol stack. However, traditional fixed-function data planes have been characterized by a lengthy and costly development process at the hand of few chip manufacturers. Recently, data plane programmability has attracted significant attention, permitting network owners to run customized packet processing functions using P4, the de facto data plane programming language. Network security is one of the key research areas exploiting the capabilities of programmable switches. Examples include new encapsulations and secure tunnels implemented in short times, mitigation techniques for DDoS attacks that occur at terabit rates, customized firewalls that track hundreds of thousands of connections per second, and traffic anonymization systems that operate at line rate. Moreover, applications can be reconfigured in the field without additional hardware upgrades, facilitating the deployment of new defenses against unforeseen attacks and vulnerabilities. Furthermore, these security applications are designed by network owners who can meet their specific requirements, rather than by chip manufacturers. Despite the impressive advantages of programmable data plane switches, the literature has been missing a comprehensive survey on security applications. To this end, this paper provides a concise background on programmable switches and their main features that are relevant to security. It then presents a taxonomy that surveys, classifies, and analyzes articles related to security applications developed with P4. Additionally, the paper employs a STRIDE analysis to examine vulnerabilities related to general P4 applications (e.g., congestion control, load balancing, in-network cache) and proposes plausible remediation approaches. Furthermore, challenges associated with programmable data planes, the impact of these challenges on security implementations, and schemes to eliminate or mitigate them are discussed. Finally, the paper discusses future endeavors and open research problems.

Keywords: P4 language, programmable data plane, P4 security applications and implications, STRIDE model, challenges and solutions in P4.
... • Reconfigurability: the parser and the processing logic can be redefined in the field. • Protocol independence: the switch is protocol-agnostic. The programmer defines the protocols, the parser, and the operations to process the headers. ...
... Ricart-Sanchez et al. [137] proposed a system that uses programmable data plane to enhance the performance of the data path from the edge to the core network, also known as the backhaul, in a 5G multi-tenant network. The same authors [138] proposed a 5G firewall that detects, differentiates and selectively blocks 5G network traffic in the backhaul network. ...
... For instance, the experiments conducted in [137] show that the attained QoS metrics meet the latency requirements of 5G. Similarly, the results reported in [138] demonstrate that the system meets the reliability KPI of 5G, which states that the network should be secured with zero downtime. Furthermore, the results reported in [142] show that there are 18% and 25% reductions in handover time with respect to legacy approaches, for two- and three-handover sequences, respectively. ...
Article
Full-text available
Traditionally, the data plane has been designed with fixed functions to forward packets using a small set of protocols. This closed-design paradigm has limited the capability of the switches to proprietary implementations which are hard-coded by vendors, inducing a lengthy, costly, and inflexible process. Recently, data plane programmability has attracted significant attention from both the research community and the industry, permitting operators and programmers in general to run customized packet processing functions. This open-design paradigm is paving the way for an unprecedented wave of innovation and experimentation by reducing the time of designing, testing, and adopting new protocols; enabling a customized, top-down approach to develop network applications; providing granular visibility of packet events defined by the programmer; reducing complexity and enhancing resource utilization of the programmable switches; and drastically improving the performance of applications that are offloaded to the data plane. Despite the impressive advantages of programmable data plane switches and their importance in modern networks, the literature has been missing a comprehensive survey. To this end, this paper provides a background encompassing an overview of the evolution of networks from legacy to programmable, describing the essentials of programmable switches, and summarizing their advantages over Software-defined Networking (SDN) and legacy devices. The paper then presents a unique, comprehensive taxonomy of applications developed with P4 language; surveying, classifying, and analyzing more than 200 articles; discussing challenges and considerations; and presenting future perspectives and open research issues.
... • Protocol independence: the switch is protocol-agnostic. The programmer defines the protocols, the parser, and the operations to process the headers. ...
... Ricart-Sanchez et al. [137] proposed a system that uses programmable data plane to enhance the performance of the data path from the edge to the core network, also known as the backhaul, in a 5G multi-tenant network. The same authors [138] proposed a 5G firewall that detects, differentiates and selectively blocks 5G network traffic in the backhaul network. ...
... For instance, the experiments conducted in [137] show that the attained QoS metrics meet the latency requirements of 5G. Similarly, the results reported in [138] demonstrate that the system meets the reliability KPI of 5G, which states that the network should be secured with zero downtime. Furthermore, the results reported in [142] show that there are 18% and 25% reductions in handover time with respect to legacy approaches, for two- and three-handover sequences, respectively. ...
Preprint
Full-text available
Traditionally, the data plane has been designed with fixed functions to forward packets using a small set of protocols. This closed-design paradigm has limited the capability of the switches to proprietary implementations which are hard-coded by vendors, inducing a lengthy, costly, and inflexible process. Recently, data plane programmability has attracted significant attention from both the research community and the industry, permitting operators and programmers in general to run customized packet processing functions. This open-design paradigm is paving the way for an unprecedented wave of innovation and experimentation by reducing the time of designing, testing, and adopting new protocols; enabling a customized, top-down approach to develop network applications; providing granular visibility of packet events defined by the programmer; reducing complexity and enhancing resource utilization of the programmable switches; and drastically improving the performance of applications that are offloaded to the data plane. Despite the impressive advantages of programmable data plane switches and their importance in modern networks, the literature has been missing a comprehensive survey. To this end, this paper provides a background encompassing an overview of the evolution of networks from legacy to programmable, describing the essentials of programmable switches, and summarizing their advantages over Software-defined Networking (SDN) and legacy devices. The paper then presents a unique, comprehensive taxonomy of applications developed with P4 language; surveying, classifying, and analyzing more than 150 articles; discussing challenges and considerations; and presenting future perspectives and open research issues.
... The proposed solution leverages P4 FPGA boards to handle encapsulation protocols such as VXLAN, GTP, and GTP over VXLAN, enabling efficient traffic routing and forwarding. In their subsequent works [88,89], the authors introduce a firewall system for 5G multi-tenant scenarios that supports traffic detection, differentiation, and selective blocking in the backhaul network. The firewall rules are stored in the TCAM (ternary-content-addressable memory) table of the P4 FPGA boards. ...
... In [88,89], the authors describe a firewall implementation that effectively blocks malicious traffic and can manage up to 1,024 flows with minimal added delay. Another study on firewalls, presented in [66], reports that security rules are updated within 10 ms with a confidence interval of 95%. ...
Article
Full-text available
Applications in 5G and Beyond Architectures: A Systematic Review. Sensors 2023, 23, 6955. https://

Abstract: The rapid evolution of 5G and beyond technologies has sparked an unprecedented surge in the need for networking infrastructure that can deliver high speed, minimal latency, and remarkable flexibility. The programmable data plane, which enables the dynamic reconfiguration of network functions and protocols, is becoming increasingly important in meeting these requirements. This paper provides an overview of the current state of the art in programmable data planes implemented in 5G and beyond architectures. It proposes a classification of the reviewed studies based on system architecture and specific use cases. Furthermore, the article surveys the primary applications of programmable devices in emerging telecommunication networks, such as tunneling and forwarding, network slicing, cybersecurity, and in-band telemetry. Finally, this publication summarizes the open research challenges and future directions. In addition to offering a comprehensive review of programmable data plane applications in telecommunication networks, this article aims to guide further research in this promising field for network operators and researchers alike.
... Ricart et al. [158] propose a hardware-accelerated layer 4 firewall for 5G mobile networks. The proposed firewall operates between the edge and the core network in order to provide protection for 5G users, as well as the infrastructure. ...
... They have leveraged network elements to perform some control plane procedures, or offloadable mobile packet core network functions like Serving Gateway and User Plane Function. The studies in [154], [155], [156], [157], [158] have leveraged in-network computing for faster processing in other areas of 4G/5G/6G including 5G network slicing, 6G applications, LTE serving IoT application, and monitoring/securing 5G networks. ...
Article
Full-text available
In comparison with cloud computing, edge computing offers processing at locations closer to end devices and reduces the user-experienced latency. The new recent paradigm of in-network computing employs programmable network elements to compute on the path and prior to traffic reaching the edge or cloud servers. It advances common edge/cloud server-based computing by proposing line-rate processing capabilities at locations closer to the end devices. This paper discusses use cases, enabler technologies and protocols for in-network computing. According to our study, considering the programmable data plane as an enabler technology, potential in-network computing applications are in-network analytics, in-network caching, in-network security, and in-network coordination. There are also technology-specific applications of in-network computing in the scopes of cloud computing, edge computing, 5G/6G, and NFV. In this survey, the state of the art, in the framework of the proposed categorization, is reviewed. Furthermore, comparisons are provided in terms of a set of proposed criteria which assess the methods from the aspects of methodology, main results, as well as application-specific criteria. Finally, we discuss lessons learned and highlight some potential research directions.
... • 5GFirewall (5GF) [177] implements a preliminary firewall design to enhance the security of the edge-to-core network in 5G networks. This firewall matches several keys in 5G packets, including IP addresses, layer-4 ports, the transport protocol, and the tunnel identification number. ...
Article
With the growth of network applications such as 5G and artificial intelligence, network security techniques, i.e., the techniques that detect various attacks (e.g., well-known distributed denial-of-service (DDoS) attacks) and prevent production networks (e.g., data center networks) from being attacked, become increasingly essential for network management and have gained great popularity in the networking community. Generally, these techniques are built on proprietary hardware appliances, i.e., middleboxes, or the paradigm that combines both software-defined networking (SDN) and network function virtualization (NFV) to implement security functions. However, the techniques built on middleboxes are proven to be hard to manage, costly, and inflexible, thereby making them an out-of-date choice in network security. The techniques built on SDN and NFV virtualize and softwarize security functions on commodity servers, leading to non-trivial performance degradation. Fortunately, the recent emergence of programmable switches brings new opportunities of empowering network security techniques with the characteristics of easy management, low cost, high flexibility, and Tbps-level performance. In this survey, we focus on this promising trend in network security. More precisely, this survey first presents the preliminaries of programmable switches, which are the primary driver of next-generation network security techniques. Next, we comprehensively review existing techniques built on programmable switches, classify these techniques, and discuss their background, motivation, design, implementation, and limitations case by case. Finally, we summarize open issues and future research directions in this promising research topic of network security.
... In References [140,141] the authors propose a 5G hardware firewall able to meet the KPIs of 5G networks. The proposed firewall is implemented using the Xilinx NetFPGA board and programmed using P4. ...
Article
Full-text available
Software Defined Networking (SDN) marked the beginning of a new era in the field of networking by decoupling the control and forwarding processes through the OpenFlow protocol. The Next Generation SDN is defined by Open Interfaces and full programmability of the data plane. P4 is a domain specific language that fulfills these requirements and has known wide adoption over the last years from Academia and Industry. This work is an extensive survey of the P4 language covering domains of application, a detailed overview of the language and future directions.
... Moreover, since data plane programming provides line-rate processing capability, it becomes easier to develop firewalls that support new technologies. In particular, solutions that meet the needs of new technologies such as 5G can be developed with data plane programming. In two firewall applications developed for 5G mobile networks with the NetFPGA board and the P4 programming language [21], [22], the desired headers of the packets in the network traffic are parsed so that it can be quickly decided whether or not a packet is to be dropped. In the first of these applications, the Ethernet, IP, TCP/UDP and GTP protocol headers in the packet are parsed. ...
Chapter
Full-text available
This chapter summarizes SDN (software defined networks) and NFV (network function virtualization) technologies that make up network softwarization, a comparison of the programming features supported by the P4 data plane programming language and the OpenFlow protocol, and the capabilities of P4 to enable enhanced network-level cyber security. Moreover, P4-based cyber security solutions in the literature are reviewed, and challenges and potential research questions are discussed. In this chapter, the software-defined networks and network function virtualization technologies that make up the network softwarization approach, the features offered by the OpenFlow protocol for programming, the capabilities of the P4 programming language used to program the data plane, and the contributions of P4 language features to cyber security are summarized. Afterwards, the cyber security solutions that can be developed with data plane programming are explained and the work that can be done in this area is evaluated.
... The authors in [27] present a prototype for hardware-based packet processing using the programmable NetFPGA platform with the data plane programmed in the P4 language. The work consists of developing a firewall located between the core and the edge of 5G networks. ...
Article
Full-text available
Flexibility is considered a key feature of 5G softwarization to deliver a timely response to changes in network requirements that may be caused by traffic variation, user mobility, dynamic network function chains, slice lifecycle management operations, among others. In this article, we evolve the upf-bpf open-source project by proposing a new design to improve its flexibility by reducing the run-time adaptation time. The project proposes an in-kernel solution based on BPF and eXpress Data Path (XDP) for 5G User Plane Function (UPF) implementations. The Just-In-Time (JIT) compilation may have a huge impact on the adaptation time due to the in-kernel verification of the BPF programs at run-time. Our results show latency improvements of around 95% to inject the BPF program into the Linux kernel. Furthermore, the solution keeps the same functionalities and delivers a packet processing performance of around 10–11 Mpps using 6 cores with almost 70% of the CPU utilization in downlink/uplink directions.
... The authors in [23] present a prototype for hardware-based packet processing using the programmable NetFPGA platform with the data plane programmed in the P4 language. The work consists of developing a firewall located between the core and the edge of 5G networks. ...
Conference Paper
Full-text available
The edge computing infrastructure can scale from datacenters to a single device. The well-known technology for fast packet processing is DPDK, which has outstanding performance regarding throughput and latency. However, there are some drawbacks when it is used at the edge: (i) the polling mechanism for packet processing keeps the CPU exclusively occupied even if there is no traffic, leading to wasted resources; and (ii) the DPDK interface becomes unavailable for the applications inside the host, so the integration between a non-DPDK application and a DPDK application becomes a hard task. In this paper, we propose an open-source in-kernel 5G UPF solution based on 3GPP Release 16 to be deployed in a restrictive environment like MEC, where the MEC host and the UPF are collocated with the Base Station, sharing the same computational and network resources. The solution leverages eBPF/XDP, a novel Linux kernel technology for fast packet processing. We show it can scale and achieve 10 Mpps using only 60% of the CPU with 6 cores.
... Ricart-Sanchez et al. [428] present a 5G firewall that analyzes GTP data transmitted between edge and core networks. P4 allows an implementation of parsing and matching GTP header fields such as the 5G user source IP, the 5G user destination IP, and the identification number of the GTP tunnel. ...
Preprint
With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.
... Its authors focus on simplified update processes by deploying recompiled versions of the P4 program. Ricart-Sanchez et al. [23] implement a P4-based firewall for 5G networks. It includes parser definitions for filtering GPRS tunneling protocol data. ...
Article
Full-text available
In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub [1]. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.
... [9][10][11], and network security e.g. [12][13][14][15][16]. However, conventional FPGAs do not have built-in ternary content addressable memory (TCAM). ...
... A network slice is defined by the following 6-tuple: 5G user source and destination IPs, 5G user source and destination ports, Differentiated Services Code Point (DSCP) and GTP Tunnel ID. The foundations of this parser stage are based on our previous publication, just in case the reader is interested [4]. ...
... The DPX firewall prototype has been implemented using the NetFPGA-SUME platform. Especially interesting is the use of FPGA technology in accelerating the execution of security functionalities in SDN-based 5G mobile networks, which are subject to strict delay and bandwidth requirements. Thus, [23] introduced the implementation of a 5G firewall, which enables detection, differentiation and selective blocking of DoS traffic in the edge-to-core segment of the 5G network infrastructure. The prototype of the proposed 5G firewall has been implemented using the P4 language [24] and the NetFPGA-SUME platform. ...
Conference Paper
Full-text available
The application of the concept of software-defined networks (SDN) has, on the one hand, led to the simplification of switches and the reduction of their price, and on the other hand, has created a significant number of problems related to the security of the SDN network. Several studies have noted that these problems are related to the lack of flexibility and programmability of the data plane, which is likely the first to suffer potential denial-of-service (DoS) attacks. One possible way to overcome this problem is to increase the flexibility of the data plane by increasing the depth of programmability of the packet-switching nodes below the level of flow table management. Therefore, this paper investigates the opportunity of using the architecture of deeply programmable packet-switching nodes (DPPSN) in the implementation of a firewall. Then, an architectural model of the firewall based on a hybrid FPGA/CPU data plane architecture has been proposed and implemented. The realized firewall supports three models of DoS attack mitigation: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to a honeypot. Experimental evaluation of the implemented firewall has shown that DoS traffic filtering at the input interface is the best strategy for DoS attack mitigation, which justified the application of the concept of deep network programmability.
... In the work of Ricart-Sanchez et al. [36], a NetFPGA-based data path for multi-tenant 5G traffic is proposed; this presents an exhaustive analysis in terms of performance, scalability, and reliability of the data path developed. In the work of Ricart-Sanchez et al. [37], a 5G NetFPGA-based firewall for the network segment delimited by edge and core is presented, which owns an internal 5G data path to ensure correct network traffic matching, processing, and control thanks to internal rule-based storage. However, no slicing is implemented in this contribution. ...
Article
Full-text available
The diverging requirements from various vertical industries have driven the paradigm shift in the next-generation (5G) mobile networks, where network slicing has emerged as a major paradigm for this purpose by sharing and isolating resources over the same 5G physical infrastructure. To truly fulfill the different quality-of-service (QoS) requirements imposed by different network slices for different vertical applications, it is essential to introduce a programmable data plane that is aware of QoS and is configurable to enforce the QoS commitments. In this paper, we focus on designing, prototyping, and evaluating a novel QoS-aware data-plane network slicing framework for the edge and core network segments of a 5G network. The proposed framework is capable of dealing with differentiated services through hardware-based traffic classification, priority configuration, and traffic scheduling. By leveraging the latest open-source field-programmable gate array platform, we prototype the proposed framework and empirically evaluate the performance of the prototyped system. Experimental results demonstrate the capabilities of the proposed framework in terms of achieving QoS-aware network slicing at the data plane.

• 5G hardware-based network slicing for mobile edge computing architectures
• Novel queuing architecture to implement 5G network slicing
• Empirical demonstration implemented in hardware
... The authors provide an exhaustive analysis of the performance, scalability and reliability of the developed data path; however, they do not present any security solution for 5G multi-tenant scenarios, which has been the main motivation of this research work. In [19] the authors provide a firewall for 5G edge-to-core scenarios, but they do not provide multi-tenancy support and do not present experimental data about the proposed solution. ...
... In fact, not only OpenFlow-based switches but also 5G mobile networks are highly dependent on TCAM update efficiency. It is reported that some new 5G firewall designs use TCAM to increase their detection, differentiation and selective blocking efficiency [19]. ...
Article
With an increasing demand for flexible management in software-defined networks (SDNs), it becomes critical to minimize the network policy update time. Although major SDN controllers are now optimized for rapid network update at the control plane, there is still room for data plane optimization in terms of update time when using TCAM-based physical SDN commodity-off-the-shelf switches. A slow update directly affects network performance and creates bottlenecks. To minimize the flow entry update time, a dependency graph, a kind of directed acyclic graph (DAG), can be used for the access management of flow entries at the switch. Thanks to the DAG, unnecessary entry movements, which are the main factor slowing down flow entry updates, can be avoided. However, existing algorithms show limitations when updates become very frequent. We propose a new flow entry update algorithm, called FastRule, that exploits a greedy strategy with an efficient data structure to accelerate flow entry update with a DAG approach. Moreover, we also adjust our algorithm for other flow table layouts to make it scalable. We elaborate on the correctness of FastRule and test our algorithm using a hardware switch. Compared with existing algorithms, the evaluation shows that our algorithm is about 100× faster than state-of-the-art solutions with a flow table of size 1k.
Article
Most user systems on 5G networks will no longer be consumer phones or computers, but IoT devices. By 2021, there might be about 30 billion such devices. The number of attacks on the IoT is growing. Device security is poor and malware distribution is easily scalable. Security has become the primary concern in many telecommunications industries today, as risks may have severe consequences. In particular, because the core and enabling technologies will be connected to the 5G network, confidential information will pass through all layers in future wireless systems. Even with current 4G networks, not every operator succeeds in securely configuring the core network and protecting it from all angles. As SDN and NFV are applied for network slicing in 5G, administration will become even more difficult. Flexibility in 5G networks comes at the cost of increased complexity and high-bandwidth communication settings to monitor. 5G will offer broadband access everywhere, support higher user mobility, and permit connectivity of a large number of devices in an ultra-reliable and affordable manner. Furthermore, we present security solutions to these challenges and future directions for secure 5G systems.
Chapter
This paper is written as a continuation of works devoted to solving the task of increasing the firewall performance in conditions of high heterogeneity and variability of the parameters of the filtered network traffic. The paper shows a simulation model that is intended for the evaluation of the major performance indicators of a firewall when ranging a filtration rule set. We’ve evaluated the effectiveness of the method for ranging a filtration rule set (it was developed earlier by the authors) for various parameters of the simulation model and different scenarios of network traffic behavior.
Article
This article has been withdrawn at the request of the author(s) and/or editor. The Publisher apologizes for any inconvenience this may cause. The full Elsevier Policy on Article Withdrawal can be found at http://www.elsevier.com/locate/withdrawalpolicy. Subsequent to acceptance of this special issue paper by the responsible Guest Editor Sundhararajan Mahalingam, the integrity and rigor of the peer-review process was investigated and confirmed to fall beneath the high standards expected by Microprocessors & Microsystems. There are also indications that much of the Special Issue includes unoriginal and heavily paraphrased content. Due to a configuration error in the editorial system, unfortunately the Editor in Chief did not receive these papers for approval as per the journal’s standard workflow.
Article
The demand-led growth of datacenter networks has meant that many constituent technologies are beyond the research community's budget. NetFPGA SUME is an FPGA-based PCI Express board with I/O capabilities for 100 Gbps operation as a network interface card, multiport switch, firewall, or test and measurement environment. NetFPGA SUME provides an accessible development environment that both reuses existing codebases and enables new designs.
Article
OpenFlow is a vendor-agnostic API for controlling hardware and software switches. In its current form, OpenFlow is specific to particular protocols, making it hard to add new protocol headers. It is also tied to a specific processing paradigm. In this paper we make a strawman proposal for how OpenFlow should evolve in the future, starting with the definition of an abstract forwarding model for switches. We have three goals: (1) Protocol independence: Switches should not be tied to any specific network protocols. (2) Target independence: Programmers should describe how switches are to process packets in a way that can be compiled down to any target switch that fits our abstract forwarding model. (3) Reconfigurability in the field: Programmers should be able to change the way switches process packets once they are deployed in a network. We describe how to write programs using our abstract forwarding model and our P4 programming language in order to configure switches and populate their forwarding tables.
Conference Paper
The NetFPGA platform enables students and researchers to build high-performance networking systems in hardware. A new version of the NetFPGA platform has been developed and is available for use by the academic community. The NetFPGA 2.1 platform now has interfaces that can be parameterized, therefore enabling development of modular hardware designs with varied word sizes. It also includes more logic and faster memory than the previous platform. Field Programmable Gate Array (FPGA) logic is used to implement the core data processing functions while software running on embedded cores within the FPGA and/or programs running on an attached host computer implement only control functions. Reference designs and component libraries have been developed for the CS344 course at Stanford University. Open-source Verilog code is available for download from the project website.