TARN: A SDN-based Traffic Analysis Resistant Network Architecture

TL;DR

This paper proposes a novel SDN-based network architecture called TARN that enhances privacy and security by disassociating IP addresses from destination networks, enabling dynamic, pseudo-random IP addresses to resist traffic analysis and attacks.

Contribution

It introduces a scalable SDN-based approach to fundamentally change Internet addressing, creating a traffic analysis resistant network with prototypes on existing testbeds.

Findings

Demonstrated feasibility with SDN strategies on IPv4 and IPv6.

Implemented prototypes using OpenvSwitches on BGP testbed.

Showed potential for large-scale, secure, and customizable network services.

Abstract

Destination IP prefix-based routing protocols are core to Internet routing today. Internet autonomous systems (AS) possess fixed IP prefixes, while packets carry the intended destination AS's prefix in their headers, in clear text. As a result, network communications can be easily identified using IP addresses and become targets of a wide variety of attacks, such as DNS/IP filtering, distributed Denial-of-Service (DDoS) attacks, man-in-the-middle (MITM) attacks, etc. In this work, we explore an alternative network architecture that fundamentally removes such vulnerabilities by disassociating the relationship between IP prefixes and destination networks, and by allowing any end-to-end communication session to have dynamic, short-lived, and pseudo-random IP addresses drawn from a range of IP prefixes rather than one. The concept is seemingly impossible to realize in todays Internet. We demonstrate how this is doable today with three different strategies using software defined networking (SDN), and how this can be done at scale to transform the Internet addressing and routing paradigms with the novel concept of a distributed software defined Internet exchange (SDX). The solution works with both IPv4 and IPv6, whereas the latter provides higher degrees of IP addressing freedom. Prototypes based on OpenvSwitches (OVS) have been implemented for experimentation across the PEERING BGP testbed. The SDX solution not only provides a technically sustainable pathway towards large-scale traffic analysis resistant network (TARN) support, it also unveils a new business model for customer driven, customizable and trustable end-to-end network services.