DOI: 10.1145/3426744.3431320
research-article

Comparative Evaluation of IP Address Anti-Spoofing Mechanisms using a P4/NetFPGA-based Switch

Published: 01 December 2020

Abstract

IP source addresses can be easily spoofed and are often deployed for launching network attacks. Several anti-spoofing mechanisms (ASMs) have been implemented in commercial routers. However, the problem still remains fully unaddressed. This paper explores the use of programmable data plane (PDP) concepts for building better ASMs. The objective of this paper is to implement some common ASMs in P4 (a PDP language), in order to understand the feasibility of P4-based routers/switches for realizing anti-spoofing functions. This paper also presents results from the P4 implementation, realized using the NetFPGA SUME hardware platform. Experimental results describe FPGA resource utilization, throughput and latency characteristics.

Supplementary Material

MP4 File (3426744.3431320.mp4)
Presentation Video



Published In

EuroP4'20: Proceedings of the 3rd P4 Workshop in Europe
December 2020
71 pages
ISBN: 9781450381819
DOI: 10.1145/3426744
Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CoNEXT '20
Article Metrics

  • Downloads (Last 12 months): 27
  • Downloads (Last 6 weeks): 1
Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) Enabling Programmable Data Planes with C++ and High-Level Synthesis for Custom Packet Forwarding. 2024 37th SBC/SBMicro/IEEE Symposium on Integrated Circuits and Systems Design (SBCCI), 1-5. DOI: 10.1109/SBCCI62366.2024.10704008. Online publication date: 2-Sep-2024
  • (2024) P4 Cybersecurity Solutions: Taxonomy and Open Challenges. IEEE Access 12, 6376-6399. DOI: 10.1109/ACCESS.2023.3347332. Online publication date: 2024
  • (2024) Security applications in P4: Implementation and lessons learned. Computer Networks, 111011. DOI: 10.1016/j.comnet.2024.111011. Online publication date: Dec-2024
  • (2023) Enhancing Mitigation of Volumetric DDoS Attacks: A Hybrid FPGA/Software Filtering Datapath. Sensors 23:17, 7636. DOI: 10.3390/s23177636. Online publication date: 3-Sep-2023
  • (2023) Poster: P4DME: DNS Threat Mitigation with P4 In-Network Machine Learning Offload. Proceedings of the 6th on European P4 Workshop, 53-56. DOI: 10.1145/3630047.3630251. Online publication date: 8-Dec-2023
  • (2023) In-Network Security Applications with P4RROT. Proceedings of the Twenty-fourth International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing, 346-351. DOI: 10.1145/3565287.3617612. Online publication date: 23-Oct-2023
  • (2023) Empowering Network Security With Programmable Switches: A Comprehensive Survey. IEEE Communications Surveys & Tutorials 25:3, 1653-1704. DOI: 10.1109/COMST.2023.3265984. Online publication date: Nov-2024
  • (2023) A Survey on In-Network Computing: Programmable Data Plane and Technology Specific Applications. IEEE Communications Surveys & Tutorials 25:1, 701-761. DOI: 10.1109/COMST.2022.3213237. Online publication date: Sep-2024
  • (2023) A survey on data plane programming with P4: Fundamentals, advances, and applied research. Journal of Network and Computer Applications 212, 103561. DOI: 10.1016/j.jnca.2022.103561. Online publication date: Mar-2023
  • (2022) A survey on security applications of P4 programmable switches and a STRIDE-based vulnerability assessment. Computer Networks 207, 108800. DOI: 10.1016/j.comnet.2022.108800. Online publication date: Apr-2022
