Firewall-as-a-Service for Campus Networks Based on P4-SFC
Taking care of security is a crucial task for every operator of a campus network. One of the most fundamental security-related network functions found in most networks for this purpose is the stateful firewall. However, deploying firewalls in large campus networks, e.g., at a university, can be challenging. Hardware appliances that can cope with today's high data rates at the border of a campus network are not cost-effective enough for most deployments. Shifting the responsibility to run firewalls to single departments at a university is not feasible because the expertise to manage these devices is not available there. For this reason, we propose a cloud-like infrastructure based on service function chaining (SFC) and network function virtualization (NFV) that allows users to deploy network functions like firewalls at a central place while hiding most technical details from the users.
Implementation and Evaluation of Activity-Based Congestion Management Using P4 (P4-ABC)
Activity-Based Congestion management (ABC) is a novel domain-based QoS mechanism providing more fairness among customers on bottleneck links. It avoids per-flow or per-customer states in the core network and is suitable for application in future 5G networks. However, ABC cannot be configured on standard devices. P4 is a novel programmable data plane specification which allows defining new headers and forwarding behavior. In this work, we implement an ABC prototype using P4 and point out challenges experienced during implementation. Experimental validation of ABC using the P4-based prototype reveals the desired fairness results.
A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research
With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.
Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2
Genome-wide association study identifies 32 novel breast cancer susceptibility loci from overall and subtype-specific analyses.
Breast cancer susceptibility variants frequently show heterogeneity in associations by tumor subtype^1-3. To identify novel loci, we performed a genome-wide association study including 133,384 breast cancer cases and 113,789 controls, plus 18,908 BRCA1 mutation carriers (9,414 with breast cancer) of European ancestry, using both standard and novel methodologies that account for underlying tumor heterogeneity by estrogen receptor, progesterone receptor and human epidermal growth factor receptor 2 status and tumor grade. We identified 32 novel susceptibility loci (P < 5.0 × 10^-8), 15 of which showed evidence for associations with at least one tumor feature (false discovery rate < 0.05). Five loci showed associations (P < 0.05) in opposite directions between luminal and non-luminal subtypes. In silico analyses showed that these five loci contained cell-specific enhancers that differed between normal luminal and basal mammary cells. The genetic correlations between five intrinsic-like subtypes ranged from 0.35 to 0.80. The proportion of genome-wide chip heritability explained by all known susceptibility loci was 54.2% for luminal A-like disease and 37.6% for triple-negative disease. The odds ratios of polygenic risk scores, which included 330 variants, for the highest 1% of quantiles compared with middle quantiles were 5.63 and 3.02 for luminal A-like and triple-negative disease, respectively. These findings provide an improved understanding of genetic predisposition to breast cancer subtypes and will inform the development of subtype-specific polygenic risk scores.
P4-Protect: 1+1 Path Protection for P4
1+1 protection is a method to secure traffic between two nodes against failures in between. The sending node duplicates the traffic and forwards it over two disjoint paths. The receiving node assures that only a single copy of the traffic is further forwarded to its destination. In contrast to other protection schemes, this method prevents almost any packet loss in case of failures. 1+1 protection is usually applied on the optical layer, on Ethernet, or on MPLS.
In this work we propose the application of 1+1 protection for P4-based IP networks. We define a 1+1 protection header for that purpose. We describe the behavior of sending and receiving nodes and provide a P4-based implementation for the BMv2 software switch and the hardware switch Tofino Edgecore Wedge 100BF-32X. We illustrate how to secure traffic, e.g., individual TCP flows, on the Internet with this approach. Finally, we present performance results showing that the P4-based implementation works efficiently on the Tofino Edgecore Wedge 100BF-32X.
Comment: 5 pages, 4 figures
P4-IPsec: Site-to-Site and Host-to-Site VPN With IPsec in P4-Based SDN
In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported, which form the basis of virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we present two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background on P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. To our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.