# P4-IPsec: Site-to-Site and Host-to-Site VPN with IPsec in P4-Based SDN

**Authors:** Frederik Hauser, Marco Häberle, Mark Schmidt, Michael Menth

arXiv: 1907.03593 · 2023-01-25

## TL;DR

This paper introduces P4-IPsec, the first implementation of IPsec in P4-based SDN, enabling VPNs with programmable data planes, and evaluates its performance on different hardware switches.

## Contribution

It presents the first P4-based IPsec implementation, including prototypes for software and hardware switches, and provides a comprehensive review of related security applications.

## Key findings

- A prototype on the BMv2 P4 software switch (ESP in tunnel mode, several cipher suites, SA setup driven by the SDN controller instead of IKE) demonstrates feasibility; the source code is published on GitHub.
- The BMv2 prototype is evaluated for performance; the throughput and latency figures are in the full paper.
- Hardware targets are harder: no useful implementation could be built on the NetFPGA SUME board, and the Tofino-based Edgecore Wedge 100BF-32X needed two prototype designs to work around its missing crypto unit.

## Abstract

In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported, which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we present two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. To our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.03593/full.md

## Figures

25 figures with captions in the complete paper: https://tomesphere.com/paper/1907.03593/full.md

## References

85 references — full list in the complete paper: https://tomesphere.com/paper/1907.03593/full.md

---
Source: https://tomesphere.com/paper/1907.03593