VCP4: Virtualization of the Programmable Data Plane for Security Protocol
-
Abstract: With the development of network security technology, new network security protocols keep appearing, and network forwarding devices must support them. Because it is protocol-independent, the programmable data plane enables rapid deployment of security protocols. However, the current programmable data plane has three problems: packet headers are parsed multiple times, a single program monopolizes the data plane, and cryptographic algorithms are difficult to implement. To address these problems, this paper proposes VCP4 (Virtualization Cryptogram P4), a virtualized programmable data plane for security protocols. VCP4 introduces a description header that reduces the number of header parses and improves parsing efficiency. A control-flow queue generator and a dynamic mapping table virtualize the programmable data plane, isolating the data planes of different tenants and removing the exclusive-data-plane problem. Cryptographic algorithm primitives are added to the VCP4 language compiler so that cryptographic algorithms can be reused. Finally, the resource utilization, virtualization performance and security protocol performance of VCP4 are evaluated. The results show that VCP4 provides this functionality with a small performance loss and reduces the amount of code by 50%.
-
Table 1  List of cryptographic algorithm primitives

Function                     Annotation     Description
Euclidean algorithm          @VCP4_gcd      Compute the greatest common divisor
Montgomery algorithm         @VCP4_power    Modular exponentiation of the indexed variable
Loop                         @VCP4_for      Iterate over the indexed variable
MD5                          @VCP4_hash     MD5 digest of the indexed variable
Maximum/minimum              @VCP4_minmax   Select the maximum or minimum from the input list to decide which action executes
Circular shift               @VCP4_ROL      Rotate the indexed variable
Conditional test             @VCP4_cmp      Conditional test on the indexed variable
Bit permutation              @VCP4_byte     Permute the indexed variable to provide diffusion
S-box operation              @VCP4_S        S-box substitution on a binary value
Finite-field multiplication  @VCP4_GF       Multiply the indexed variable in a finite field
Synchronized multicast       @VCP4_sync     Share state among multiple programmable planes
Synchronized unicast         @VCP4_echo     Share state with a target programmable plane
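The following Python gives reference semantics for four of the Table 1 primitives (@VCP4_gcd, @VCP4_ROL, @VCP4_power, @VCP4_GF) so that their behaviour can be checked against a software model; it is an added example, not the paper's compiler code. The 32-bit width of the indexed variable, the choice of GF(2^8) with the AES reduction polynomial, and the Montgomery-ladder form of the exponentiation are assumptions not stated on the page.

```python
"""Reference semantics for four VCP4 Table 1 primitives (example code,
not the paper's own implementation). The 32-bit width, GF(2^8) and the
AES polynomial are assumptions; the paper does not fix these parameters."""

WIDTH = 32                      # assumed width of the "indexed variable"
MASK = (1 << WIDTH) - 1


def vcp4_gcd(a: int, b: int) -> int:
    """@VCP4_gcd: Euclidean algorithm, greatest common divisor."""
    while b:
        a, b = b, a % b
    return a


def vcp4_rol(x: int, n: int) -> int:
    """@VCP4_ROL: rotate a WIDTH-bit value left by n bits (wraps around)."""
    n %= WIDTH
    return ((x << n) | (x >> (WIDTH - n))) & MASK


def vcp4_power(base: int, exp: int, mod: int) -> int:
    """@VCP4_power: modular exponentiation as a Montgomery ladder.
    Every exponent bit costs exactly one multiply and one square, so the
    operation sequence does not reveal the exponent's bit pattern."""
    r0, r1 = 1, base % mod
    for i in range(exp.bit_length() - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
    return r0


def vcp4_gf(a: int, b: int, poly: int = 0x11B) -> int:
    """@VCP4_GF: multiply two bytes in GF(2^8) modulo `poly`.
    Default polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) is the AES one
    (assumed here); the loop is the classic shift-and-xor 'xtime' method."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= poly & 0xFF      # reduce the overflow bit modulo poly
        b >>= 1
    return result
```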