P4Runtime Security and Man-in-the-Middle Attacks
A. Katsikis (TU Delft - Electrical Engineering, Mathematics and Computer Science)
F. Kuipers – Mentor (TU Delft - Embedded Systems)
C. Ji – Mentor (TU Delft - Embedded Systems)
M.L. Molenaar – Graduation committee member (TU Delft - Computer Graphics and Visualisation)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
In software-defined networking, a controller decides where the data plane routes packets. Programmable data planes make networks even more flexible, because the algorithms running on the data plane can themselves be updated. The P4 programming language can be used to program data planes, and the P4Runtime data-plane API can be used for communication between the controller and the data plane. This work investigated the possibility of man-in-the-middle attacks when using P4Runtime. Such attacks are possible either between the controller and the data plane, or between two hosts on the network. A virtual network in Mininet was used to try to demonstrate the difference between secure and insecure channels in these two scenarios. When the P4Runtime channel is insecure, a malicious controller can take control of a switch and use it for man-in-the-middle attacks; when the channel is secure, it cannot. The man-in-the-middle attack between the controller and the switch was not achieved, because the switches in Mininet run only on localhost, so the controller could not be run in-band. It was concluded that it is indeed recommended to use only secure P4Runtime channels. Possible extensions of this research are to attempt the same experiment with a different setup, or to study the effects that a successful man-in-the-middle attack can have.