Fast privacy-preserving network function outsourcing

Bibliographic Details
Published in: Computer networks (Amsterdam, Netherlands : 1999), 2019-11, Vol.163, p.106893, Article 106893
Main Authors: Asghar, Hassan Jameel, De Cristofaro, Emiliano, Jourjon, Guillaume, Kaafar, Mohammed Ali, Mathy, Laurent, Melis, Luca, Russell, Craig, Yu, Mang
Format: Article
Language: English
Description
Summary: In this paper, we present the design and implementation of SplitBox, a system for privacy-preserving processing of network functions outsourced to cloud middleboxes—i.e., without revealing the policies governing these functions. SplitBox is built to provide privacy for a generic network function that abstracts the functionality of a variety of network functions and associated policies, including firewalls, virtual LANs, network address translators (NATs), deep packet inspection, and load balancers. We present a scalable design aiming to provide high throughput and low latency, by distributing functionalities to a few virtual machines (VMs), while providing provably secure guarantees. We implement SplitBox inside FastClick, an extension of the Click modular router, using Intel’s DPDK to handle packet I/O. We evaluate our prototype experimentally to find its bottlenecks and stress-test its different components, vis-à-vis two widely used network functions, i.e., firewall and VLAN tagging. Our evaluation shows that, on commodity hardware, SplitBox can process packets close to line rate (i.e., 8.9Gbps) with up to 50 traversed policies.
ISSN: 1389-1286, 1872-7069
DOI: 10.1016/j.comnet.2019.106893