The Case for Transport-Level Encryption in Datacenter Networks

Read original: arXiv:2406.15686 - Published 6/26/2024 by Tianyi Gao, Xinshu Ma, Suhas Narreddy, Eugenio Luo, Steven W. D. Chien, Michio Honda

Related Papers


The Case for Transport-Level Encryption in Datacenter Networks

Tianyi Gao, Xinshu Ma, Suhas Narreddy, Eugenio Luo, Steven W. D. Chien, Michio Honda

Cloud applications need network data encryption to isolate from other tenants and protect their data from potential eavesdroppers in the network infrastructure. This paper presents SDP, a protocol design for emerging datacenter transport protocols, such as pHost, NDP, and Homa, to integrate data encryption with the use of existing NIC offloading of cryptographic operations designed for TLS over TCP. Therefore, SDP could enable a deployment path of new transport protocols in datacenters without giving up hardware offloading support, which would otherwise make encryption on those protocols even slower than TLS over TCP. SDP is based on Homa, and outperforms TLS over TCP by up to 29 % in throughput. SDP currently supports two real-world applications, Redis, improving throughput by up to 24 %, and in-kernel NVMe-oF, cutting P99 latency by up to 21 %.

6/26/2024

Security Evaluation in Software-Defined Networks

Igor Ivkić, Dominik Thiede, Nicholas Race, Matthew Broadbent, Antonios Gouglidis

Cloud computing has grown in importance in recent years which has led to a significant increase in Data Centre (DC) network requirements. A major driver of this change is virtualisation, which allows computing resources to be deployed on a large scale. However, traditional DCs, with their network topology and proliferation of network endpoints, are struggling to meet the flexible, centrally managed requirements of cloud computing applications. Software-Defined Networks (SDN) promise to offer a solution to these growing networking requirements by separating control functions from data routing. This shift adds more flexibility to networks but also introduces new security issues. This article presents a framework for evaluating security of SDN architectures. In addition, through an experimental study, we demonstrate how this framework can identify the threats and vulnerabilities, calculate their risks and severity, and provide the necessary measures to mitigate them. The proposed framework helps administrators to evaluate SDN security, address identified threats and meet network security requirements.

8/22/2024

D3: An Adaptive Reconfigurable Datacenter Network

Johannes Zerwas, Chen Griner, Stefan Schmid, Chen Avin

The explosively growing communication traffic in datacenters imposes increasingly stringent performance requirements on the underlying networks. Over the last years, researchers have developed innovative optical switching technologies that enable reconfigurable datacenter networks (RDCNs) which support very fast topology reconfigurations. This paper presents D3, a novel and feasible RDCN architecture that improves throughput and flow completion time. D3 quickly and jointly adapts its links and packet scheduling toward the evolving demand, combining both demand-oblivious and demand-aware behaviors when needed. D3 relies on a decentralized network control plane supporting greedy, integrated-multihop, IP-based routing, allowing to react, quickly and locally, to topological changes without overheads. A rack-local synchronization and transport layer further support fast network adjustments. Moreover, we argue that D3 can be implemented using the recently proposed Sirius architecture (SIGCOMM 2020). We report on an extensive empirical evaluation using packet-level simulations. We find that D3 improves throughput by up to 15% and preserves competitive flow completion times compared to the state of the art. We further provide an analytical explanation of the superiority of D3, introducing an extension of the well-known Birkhoff-von Neumann decomposition, which may be of independent interest.

6/21/2024

A Flexible Cryptographic Infrastructure for High-security SDR-based Systems

Peter Hillmann, Bjorn Stelte

Military software defined radio (SDR) systems are a major factor in future network-centric operations due to their flexibility and support for more capable radio communications systems. The inherent nature of software-based systems requires a more complex auxiliary infrastructure and multiple independent levels of security compared with typical systems: Secure booting of the SDR device, cryptographically signed software, real time operating platform software as well as radio applications. This technology raises new challenges with respect to the management. The largest impact on SDR deployments is due to the auxiliary cryptographic infrastructure for the security of the software life cycle and the cyclic update of the keys. Compared to conventional radio devices, the SDR system with the cryptographic infrastructure described in this paper reaches a higher security level and is more flexible. The advantage is the possibility to deploy trunked radio system and further waveforms, such as coalition wideband, which will be standardized in the future. Also it is possible to update cryptographic mechanisms. In this work, we analyze the requirements for a highly secure SDR deployment and model the life cycle of the components of a deployed SDR node based on the Joint Program Executive Office (JPEO) Software Communication Architecture (SCA).

6/26/2024