Programmable Data Planes for Network Security

TL;DR

Programmable data planes, especially P4 switches, enable advanced, high-speed network security functions like attack detection, mitigation, and in-network cryptography, overcoming hardware constraints through innovative techniques.

Contribution

This paper systematizes recent advances in security applications on programmable switches, emphasizing design techniques and architectural workarounds for complex in-network security functions.

Findings

Programmable switches support DDoS detection and mitigation.

Techniques like recirculate-and-truncate enable complex security functions.

Remaining challenges include hardware limitations and emerging research directions.

Abstract

The emergence of programmable data planes, and particularly switches supporting the P4 language, has transformed network security by enabling customized, line-rate packet processing. These switches, originally intended for flexible forwarding, now play a broader role: detecting and mitigating attacks such as DDoS and spoofing, enforcing next-generation firewall policies, and even supporting in-network cryptography and machine learning. These capabilities are made possible by techniques such as recirculate-and-truncate and lookup-table precomputation, which work around architectural constraints like limited memory and restricted instruction sets. In this paper, we systematize recent advances in security applications built on programmable switches, with an emphasis on the capabilities, challenges, and architectural workarounds. We highlight the non-obvious design techniques that make complex in-network security functions feasible despite the constraints of the hardware platform, and also comment on remaining issues and emerging research directions.