Conference Paper

NetFPGA-Based Firewall Solution for 5G Multi-Tenant Architectures


... Spoofing Attacks [45]–[49]; DDoS Attacks [6, 43, 46, 50–67]; Network Verification [68]–[75]; Privacy and Anonymity [76]–[79]; Cryptography and Security Protocols [36, 80–85]; Firewalls [15, 86–92]; Generic Defenses [93]–[100] ...
... Accordingly, Ricart et al. [15] propose a firewall for 5G network infrastructure located between the edge and the core networks. In a follow-up work [92], the authors extended their work to support multi-tenant 5G infrastructures. Table 11 compares the aforementioned firewall schemes. ...
... In the communication process, a tunnel is created between two GPRS support nodes and the original IP packets are encapsulated within a GTP header [153]. As a result, the authors of [15] and [92] customized the parser to inspect deeper into the header fields than conventional firewalls. The firewall implements a TCAM table that stores firewall rules and performs packet filtering based on several keys (e.g., VXLAN, GTP, inner and outer IP and TCP/UDP headers). ...
Article
Full-text available
The emergence of the IoT, cloud systems, data centers, and 5G networks is increasing the demand for a rapid development of new applications and protocols at all levels of the protocol stack. However, traditional fixed-function data planes have been characterized by a lengthy and costly development process at the hand of few chip manufacturers. Recently, data plane programmability has attracted significant attention, permitting network owners to run customized packet processing functions using P4, the de facto data plane programming language. Network security is one of the key research areas exploiting the capabilities of programmable switches. Examples include new encapsulations and secure tunnels implemented in short times, mitigation techniques for DDoS attacks that occur at terabit rates, customized firewalls that track hundreds of thousands of connections per second, and traffic anonymization systems that operate at line rate. Moreover, applications can be reconfigured in the field without additional hardware upgrades, facilitating the deployment of new defenses against unforeseen attacks and vulnerabilities. Furthermore, these security applications are designed by network owners who can meet their specific requirements, rather than by chip manufacturers. Despite the impressive advantages of programmable data plane switches, the literature has been missing a comprehensive survey on security applications. To this end, this paper provides a concise background on programmable switches and their main features that are relevant to security. It then presents a taxonomy that surveys, classifies, and analyzes articles related to security applications developed with P4. Additionally, the paper employs a STRIDE analysis to examine vulnerabilities related to general P4 applications (e.g., congestion control, load balancing, in-network cache) and proposes plausible remediation approaches. Furthermore, challenges associated with programmable data planes, the impact of these challenges on security implementations, and schemes to eliminate or mitigate them are discussed. Finally, the paper discusses future endeavors and open research problems. Keywords: P4 language, programmable data plane, P4 security applications and implications, STRIDE model, challenges and solutions in P4.
... Ricart-Sanchez et al. [40] propose a full-featured 5G multitenant firewall based on FPGA to handle the GTP (GPRS tunneling protocol) data transmitted between the edge and the core network. Using the P4 programmable data plane to parse and match the GTP header fields, the TCAM table adds two parameters to the traditional quintuple, providing the firewall with the possibility of identifying different tenants and end users. ...
Article
Full-text available
Network attacks show a trend of increased attack intensity, enhanced diversity, and more concealed attack methods, which put forward higher requirements for the performance of network security equipment. Unlike the SDN (software defined network) switch with a fixed-function data plane, switches with programmable data planes can help users realize more network protocols. Programming Protocol-independent Packet Processors (P4) is proposed to define the operations of the data plane and to implement user’s applications, e.g., data center networks, security, or 5G. This paper provides a review of research papers on solving network security problems with P4-based programmable data plane. The work can be organized into two parts. In the first part, the programming language P4, P4 program, architectures, P4 compilers, P4 Runtime, and P4 target are introduced according to the workflow model. The advantages of P4-based programmable switching in solving network security are analyzed. In the second part, the existing network security research papers are divided into four parts according to the perspectives of passive defense, active defense, and combination of multiple technologies. The schemes in each category are compared, and the core ideas and limitations are clarified. In addition, a detailed comparison is made for the research on the performance of P4 targets. Finally, trends and challenges related to the P4-based programmable data plane are discussed.
... The P4 pipeline implements an allow-by-default policy; DROP actions for specific sets of keys can be installed via a data plane API. In a follow-up work [429], the authors extend the 5G firewall with support for multi-tenancy with VXLAN. ...
Preprint
With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.
... Keni and Mande [35] used the highly parallelized structure of FPGA to form a rule set for allowing incoming and outgoing IP addresses to filter the IPv4 protocol. Ricart-Sanchez et al. [36] proposed a fully functional, FPGA-based 5G firewall that is capable of effectively detecting cyberattacks in 5G multitenant scenarios with user mobility support. ...
Article
Full-text available
With the rapid development of the Internet, the security of network multimedia data has attracted increasingly more attention. The moving target defense (MTD) and cyber mimic defense (CMD) approaches provide a new way to solve this problem. To enhance the security of network multimedia data, this paper proposes a mimic encryption box for network multimedia data security. The mimic encryption box can directly access the network where the multimedia device is located, automatically complete the negotiation, provide safe and convenient encryption services, and effectively prevent network attacks. According to the principles of dynamization, diversification, and randomization, the mimic encryption box uses a reconfigurable encryption algorithm to encrypt network data and uses IP address hopping, port number hopping, protocol camouflage, and network channel change to increase the attack threshold. Second, the mimic encryption box has a built-in pseudorandom number generator and key management system, which can generate an initial random key and update the key with the hash value of the data packet to achieve "one packet, one key."Finally, through the cooperation of the ARM and the FPGA, an access control list can be used to filter illegal data and monitor the working status of the system in real time. If an abnormality is found, the feedback reconstruction mechanism is used to "clean"the FPGA to make it work normally again. The experimental results and analysis show that the mimic encryption box designed in this paper has high network encryption performance and can effectively prevent data leakage. At the same time, it provides a mimic security defense mechanism at multiple levels, which can effectively resist a variety of network attacks and has high security.
... There is a significant absence of solutions to address the lack of support of firewall policies over the GTP protocol, used in LTE, LTE-Advanced (LTE-A) and 5G and in their respective adaptations for cellular IoT networks, LTE-M and NB-IoT. On the hardware side, Ricart et al. [2] provided a hardware appliance with these novel capabilities able to work up to 3.67 Gbps and up to 1024 wildcard-enabled firewall rules against 512 flows (305 kilo packets per second, kPPS). On the software side, Salva et al. [3] indicated that the maximum rule support for Linux iptables, with an extended version to support GTP traffic, in the most ideal conditions, is 512 rules when traffic is transferred at 1 Gbps against 512 flows (666 kPPS). ...
... Regarding security applications based on P4, the published research has covered topics such as policy-based P4 firewalls or security middleware. P4Guard [2] and [9] are two examples of P4-based firewalls. The former is a software firewall with an easily reconfigurable data plane and the latter is a hardware-accelerated firewall for 5G architectures. ...
Article
Full-text available
Over the years, the cellular mobile network has evolved from a wireless plain telephone system to a very complex system providing telephone service, Internet connectivity and many interworking capabilities with other networks. Its air interface performance has increased drastically over time, leading to high throughput and low latency. Changes to the core network, however, have been slow and incremental, with increased complexity worsened by the necessity of backwards-compatibility with older-generation systems such as the Global System for Mobile communication (GSM). In this paper, a new virtualized Peer-to-Peer (P2P) core network architecture is presented. The key idea of our approach is that each user is assigned a private virtualized copy of the whole core network. This enables a higher degree of security and novel services that are not possible in today’s architecture. We describe the new architecture, focusing on its main elements, IP addressing, message flows, mobility management, and scalability. Furthermore, we will show some significant advantages this new architecture introduces. Finally, we investigate the performance of our architecture by analyzing voice-call traffic available in a database of a large U.S. cellular network provider.
Article
Full-text available
The on-going development of Fifth Generation (5G) mobile communication technology will be the cornerstone for applying Information and Communication Technology (ICT) to various fields, e.g., smart city, smart home, connected car, etc. The 3rd Generation Partnership Project (3GPP), which has developed the most successful standard technologies in the mobile communication market such as Universal Mobile Telecommunication System (UMTS) and Long Term Evolution (LTE), is currently carrying out the standardization of both 5G access network system and 5G core network system at the same time. Within 3GPP, Service and System Aspects Working Group 2 (SA2) is responsible for identifying the main functions and entities of the network. In December 2016, the 3GPP SA2 group finalized the first phase of study for the architecture and main functions of 5G mobile communication system under the study item of Next Generation system (NextGen). Currently, normative standardization is on-going based on the agreements made in the NextGen Phase 1 study. In this paper, we present the architecture and functions of 5G mobile communication system agreed in the NextGen study.
Article
Full-text available
The demand-led growth of datacenter networks has meant that many constituent technologies are beyond the research community's budget. NetFPGA SUME is an FPGA-based PCI Express board with I/O capabilities for 100 Gbps operation as a network interface card, multiport switch, firewall, or test and measurement environment. NetFPGA SUME provides an accessible development environment that both reuses existing codebases and enables new designs.
Article
Full-text available
OpenFlow is a vendor-agnostic API for controlling hardware and software switches. In its current form, OpenFlow is specific to particular protocols, making it hard to add new protocol headers. It is also tied to a specific processing paradigm. In this paper we make a strawman proposal for how OpenFlow should evolve in the future, starting with the definition of an abstract forwarding model for switches. We have three goals: (1) Protocol independence: Switches should not be tied to any specific network protocols. (2) Target independence: Programmers should describe how switches are to process packets in a way that can be compiled down to any target switch that fits our abstract forwarding model. (3) Reconfigurability in the field: Programmers should be able to change the way switches process packets once they are deployed in a network. We describe how to write programs using our abstract forwarding model and our P4 programming language in order to configure switches and populate their forwarding tables.
Conference Paper
Full-text available
The NetFPGA platform enables students and researchers to build high-performance networking systems in hardware. A new version of the NetFPGA platform has been developed and is available for use by the academic community. The NetFPGA 2.1 platform now has interfaces that can be parameterized, therefore enabling development of modular hardware designs with varied word sizes. It also includes more logic and faster memory than the previous platform. Field Programmable Gate Array (FPGA) logic is used to implement the core data processing functions while software running on embedded cores within the FPGA and/or programs running on an attached host computer implement only control functions. Reference designs and component libraries have been developed for the CS344 course at Stanford University. Open-source Verilog code is available for download from the project website.
Article
Full-text available
The early successes of computer networks in the mid-1970's made it apparent that to utilize the full potential of computer networks, international standards would be required. In 1977, the International Standards Organization (ISO) initiated work on Open Systems Interconnection (OSI) to address these requirements. This paper briefly describes the OSI Reference Model. The OSI Reference Model is the highest level of abstraction in the OSI scheme. The paper first describes the basic building blocks used to construct the network model. Then the particular seven-layer model used by OSI is briefly described, followed by a discussion of outstanding issues and future extensions for the model.
Conference Paper
The evolution from the current Fourth-Generation (4G) networks to the emerging Fifth-Generation (5G) technologies implies significant changes in the architecture and poses demanding requirements on network infrastructures. One of the Key Performance Indicators (KPIs) in 5G is to ensure a secure network with zero downtime. In this paper, we focus on the provisioning of protection capabilities for 5G infrastructures. Our objective is to implement a new 5G firewall that allows the detection, differentiation and selective blocking of 5G network traffic in the edge-to-core network segment of a 5G infrastructure, using a hardware-accelerated framework based on Field Programmable Gate Arrays (FPGA), developed using the P4 language. The proposed 5G firewall has been prototyped, and the new capabilities proposed have been empirically validated.
Article
The Fifth-Generation (5G) networks, as the emerging next generation mobile networks, are adopting softwarization and virtualization technologies as the cornerstones for the network operators to gain significant competitive advantages by reducing both capital and operational expenditure, enabling agile and flexible service creation and deployment, among others. Meanwhile, a virtualized and softwarized 5G network would suffer from downgraded system performance due to this unprecedented paradigm shift towards software-based networking. Addressing one of the top challenges in this context, this paper focuses on improving the performance of the data plane from the edge to the core network segment (backhaul) in a 5G multi-tenant network by leveraging and exploring the programmability introduced by software-based networking. A fully functional prototype has been designed and implemented utilizing a Field Programmable Gate Arrays (FPGAs) acceleration-based platform, and the prototyped system has been empirically tested and evaluated to demonstrate the superior performance enhancements. The proposed solution can effectively support 5G networks in delivering mission-critical or time-sensitive applications such as ultra-high definition video use cases as experimentally validated and shown in this paper, by fulfilling the strict Quality of Service (QoS) requirements imposed to the data plane.
Article
Currently, there is no effective security solution which can detect cyber-attacks against 5G networks, where multitenancy and user mobility are some unique characteristics that impose significant challenges on such security solutions. This paper focuses on addressing a transversal detection system able to protect, at the same time, infrastructures, tenants and 5G users in both edge and core network segments of 5G multi-tenant infrastructures. A novel approach which significantly extends the capabilities of a commonly used IDS, to accurately identify attacking nodes in a 5G network regardless of multiple network traffic encapsulations, has been proposed in this paper. The proposed approach is suitable to be deployed in almost all 5G network segments, including the Mobile Edge Computing. Both architectural design and data models are described in this contribution. Empirical experiments have been carried out on a realistic 5G multi-tenant infrastructure to intensively validate the design of the proposed approach regarding scalability and flexibility.
Conference Paper
Traffic classification is a process which sorts computer network traffic into predefined traffic classes by utilizing packet header information or network packet statistics. Real-time traffic classification is mainly used in network management tasks comprising traffic shaping and flow prioritization, as well as in network security applications for intrusion detection. Machine Learning (ML) based traffic classification, which exploits statistical characteristics of traffic, has come into prominence recently due to its ability to cope with encrypted traffic and newly emerging network applications utilizing non-standard ports to circumvent firewalls. To meet high data rates and achieve online classification with ML-based techniques, Field Programmable Gate Arrays (FPGAs), providing abundant parallelism and high operating frequency, are the most appropriate platform. In this paper, we propose to use the Simple Classification and Regression Trees (Simple CART) machine learning algorithm for traffic classification. However, the variations in node sizes of the Simple CART decision tree caused by the discretization pre-process incur memory and resource inefficiency problems when the tree is directly mapped onto the hardware. To resolve these problems, we propose to represent the Simple CART decision tree by a two-stage hybrid data structure (Extended-Simple CART) that comprises multiple range trees in Stage 1 and a Simple CART decision tree enriched with bitmaps at its nodes in Stage 2. Our design is implemented on parallel and pipelined architectures using Field Programmable Gate Arrays (FPGAs) to acquire high throughput. The Extended-Simple CART architecture can sustain 557 Gbps or 1741 million classifications per second (MCPS) (for the minimum packet size of 40 Bytes) on a state-of-the-art FPGA and achieve an accuracy of 96.8% while classifying an internet traffic trace including eight application classes.
Article
Firewalls, key components for secured network infrastructures, are faced with two different kinds of challenges: first, they must be fast enough to classify network packets at line speed; second, their packet processing capabilities should be versatile in order to support complex filtering policies. Unfortunately, most existing classification systems do not qualify equally well for both requirements: systems built on special-purpose hardware are fast, but limited in their filtering functionality. In contrast, software filters provide powerful matching semantics, but struggle to meet line speed. This motivates the combination of parallel, yet complexity-limited specialized circuitry with a slower, but versatile software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. We therefore discuss approaches for partitioning and transforming rule sets for hybrid packet processing. As a result we propose HyPaFilter+, a hybrid classification system consisting of an FPGA-based hardware matcher and a Linux netfilter firewall, which provides a simple, yet effective hardware/software packet shunting algorithm. Our evaluation shows up to 30-fold throughput gains over software packet processing.
Article
Ultra-High-Definition (UHD) video applications such as streaming are envisioned as a main driver for the emerging Fifth Generation (5G) mobile networks being developed worldwide. This paper focuses on addressing a major technical challenge in meeting UHD users' growing expectation for continuous high-quality video delivery in 5G hotspots where congestion is commonplace to occur. A novel 5G-UHD framework is proposed towards achieving adaptive video streaming in this demanding scenario to pave the way for self-optimisation oriented 5G UHD streaming. The architectural design and the video stream optimisation mechanism are described, and the system is prototyped based on a realistic virtualised 5G testbed. Empirical experiments validate the design of the framework and yield a set of insightful performance evaluation results.
Article
Service differentiation has been a subject of research for the past few years in the IETF, and in the current Internet, IP flows are mostly treated in a best-effort approach. However, for next generation networks it is expected that users would like to obtain service differentiation based on their preferences or profiles as well as the different types of multimedia they opt to receive or send. In addition, current Quality of Service (QoS) provisioning architectures have been designed mostly for fixed networks without taking into consideration the special requirements of wireless or radio links, such as low bandwidth availability, error-prone communications, etc. In this paper we propose a QoS provisioning architecture for next generation networks that uses a hybrid approach to deal with both the wireless and wired (fixed) parts of the network. For administering the scarce resource of the radio environment, we have developed a resource allocation algorithm based on micro-economic principles that uses associated piecewise linear utility functions which describe the benefit a user receives from the allocation of various amounts of resource. For the wired part of the network we have also developed a Core-Stateless Utility based Rate allocation Framework (SURF) for performing traffic policing where the flow's requirements are expressed using utility functions. The core routers maintain no per-flow state and implement a simple packet-level admission control algorithm that is based on a threshold utility value that is computed dynamically. To tie in these two mechanisms, we developed a signaling mechanism that collects network statistics when a user starts a call, and a QoS administrator entity (or Broker) performs the computations for allocating resources based on the information of available resources in the fixed and the wireless sections of the network. A comparison between the hybrid approach and the SURF approach to show the performance of the proposed architecture is presented later in the paper.
Article
Toward the fifth generation (5G) of wireless/mobile broadband, numerous devices and networks will be interconnected and traffic demand will constantly rise. Heterogeneity will also be a feature that is expected to characterize the emerging wireless world, as mixed usage of cells of diverse sizes and access points with different characteristics and technologies in an operating environment is necessary. Wireless networks pose specific requirements that need to be fulfilled. In this respect, approaches for introducing intelligence will be investigated by the research community. Intelligence shall provide energy- and cost-efficient solutions at which a certain application/service/quality provision is achieved. Particularly, the introduction of intelligence in heterogeneous network deployments and the cloud radio-access network (RAN) is investigated. Finally, elaboration on emerging enabling technologies for applying intelligence will focus on the recent concepts of software-defined networking (SDN) and network function virtualization (NFV). This article provides an overview for delivering intelligence toward the 5G of wireless/mobile broadband by taking into account the complex context of operation and essential requirements such as QoE, energy efficiency, cost efficiency, and resource efficiency.
Article
Computer security is a hard problem. Security on networked computers is much harder. Firewalls (barriers between two networks), when used properly, can provide a significant increase in computer security. The authors classify firewalls into three main categories: packet filtering, circuit gateways, and application gateways. Commonly, more than one of these is used at the same time. Their examples and discussion relate to UNIX systems and programs. The majority of multiuser machines on the Internet run some version of the UNIX operating system. Most application-level gateways are implemented in UNIX. This is not to say that other operating systems are more secure; however, there are fewer of them on the Internet, and they are less popular as targets for that reason. But the principles and philosophy apply to network gateways built on other operating systems as well. Their focus is on the TCP/IP protocol suite, especially as used on the Internet.