Proceedings ArticleDOI

Scaling IoT MUD Enforcement using Programmable Data Planes

TLDR
In this paper, the authors propose a scalable data plane primitive and a system built on top of it, which together enforce the MUD profiles of thousands of IoT devices in a P4 programmable switch data plane.
Abstract
IoT-based intrusions and network attacks are becoming ever more concerning. As a mitigating measure, the IETF standardized the Manufacturer Usage Description (MUD), which allows IoT device vendors to specify the legitimate communication patterns of an IoT device as a MUD profile. A MUD profile allows the actual communication pattern of an IoT device to be validated against its intended behavior at runtime. However, as the number of IoT devices increases, validation at runtime faces scalability challenges in terms of the switch resources (e.g., TCAM) required to hold the MUD profiles. In this work, we propose a scalable data plane primitive and a system on top of the primitive, which together enforce the MUD profiles of thousands of IoT devices in a P4 programmable switch data plane. Our main idea is to avoid the inefficiencies caused by the repetition of header values when MUD profiles are represented as ACL rules. Further, we exploit the characteristics of header values in the ACL rules of real IoT devices and carefully partition the rules across multiple hash-based exact match-action tables in the switch data plane. Since hash-based data structures can be implemented in SRAM, which is cheap and abundantly available (on the order of MBs) in commodity programmable switches, our approach scales well to a large IoT network.
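The abstract's idea of replacing repeated per-device ACL entries with hash-based exact-match tables can be sketched in a small simulation. This is an added, illustrative example and not the paper's design or code: the three-table split (device to class id, endpoint to endpoint id, class/endpoint pair to allow), the sample MUD profiles and the 10.0.x.y addresses are all constructed assumptions.

```python
# Constructed sample MUD profiles: device class -> allowed outbound endpoints
# (proto, dst_host, dst_port). Note that NTP is shared by every class and the
# camera cloud endpoint is shared by two classes: repeated header values.
PROFILES = {
    "camera":     {("udp", "pool.ntp.org", 123), ("tcp", "cloud.cam.example", 443)},
    "thermostat": {("udp", "pool.ntp.org", 123), ("tcp", "api.thermo.example", 443)},
    "bulb":       {("udp", "pool.ntp.org", 123), ("tcp", "cloud.cam.example", 443)},
}

def build_devices(per_class):
    """Constructed inventory: per_class devices of each class, made-up 10.0.<class>.<i> addresses."""
    devices = {}
    for c, cls in enumerate(PROFILES):
        for i in range(per_class):
            devices[f"10.0.{c}.{i}"] = cls
    return devices

def flat_rules(devices):
    """Naive encoding: one (src_ip, proto, dst, port) rule per device and endpoint,
    as a TCAM-backed ACL would hold them. Header values repeat for every device."""
    return {(ip,) + ep for ip, cls in devices.items() for ep in PROFILES[cls]}

def build_tables(devices):
    """Assumed decomposition into three exact-match (SRAM-friendly) tables:
    device_tbl: src_ip -> class id; endpoint_ids: endpoint -> small id;
    allow_tbl: (class id, endpoint id) pairs that the profile permits."""
    class_ids = {cls: i for i, cls in enumerate(PROFILES)}
    endpoint_ids = {}
    for eps in PROFILES.values():
        for ep in sorted(eps):
            endpoint_ids.setdefault(ep, len(endpoint_ids))  # dedupe shared endpoints
    device_tbl = {ip: class_ids[cls] for ip, cls in devices.items()}
    allow_tbl = {(class_ids[cls], endpoint_ids[ep]) for cls, eps in PROFILES.items() for ep in eps}
    return device_tbl, endpoint_ids, allow_tbl

def permitted(tables, src_ip, proto, dst, port):
    """Pipeline lookup: a miss in any table means the flow is outside the device's MUD profile."""
    device_tbl, endpoint_ids, allow_tbl = tables
    cid = device_tbl.get(src_ip)
    eid = endpoint_ids.get((proto, dst, port))
    return cid is not None and eid is not None and (cid, eid) in allow_tbl

def entry_counts(devices):
    """Return (naive rule count, total exact-match entries) for the same policy."""
    d, e, a = build_tables(devices)
    return len(flat_rules(devices)), len(d) + len(e) + len(a)

if __name__ == "__main__":
    print(entry_counts(build_devices(100)))  # (600, 309)
```

With 300 devices the naive ACL needs 600 entries while the decomposed tables need 309, and the gap widens as more devices share the same profiles.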


