Title
Enabling Privacy-Preserving Header Matching for Outsourced Middleboxes
Abstract
Over the past few years, enterprises have started adopting software middlebox services from cloud or NFV service providers. Although this new service model is recognized to be cost-effective and scalable for traffic processing, privacy concerns arise because traffic is redirected to outsourced middleboxes. To ease these concerns, recent efforts have been made to design secure middlebox services that can function directly over encrypted traffic and encrypted middlebox rules. But prior designs only work for a portion of the frequently used network functions. To push this area forward, in this work we investigate header-matching-based functions such as firewall filtering and packet classification. To enable privacy-preserving processing of encrypted packets, we start from the latest primitive for encrypted range search, "order-revealing encryption (ORE)". In particular, we devise a new practical ORE construction tailored for network functions. Its advantages include: 1) guaranteed protection of packet headers and the ranges specified in rules; 2) reduced information accessible during comparisons; 3) rule-aware size reduction for ORE ciphertexts. We implement a fully functional system prototype and deploy it on Microsoft Azure Cloud. Evaluation results show that our system achieves a per-packet matching latency of 0.53 to 15.87 milliseconds over 1.6K firewall rules.
Year: 2018
DOI: 10.1109/IWQoS.2018.8624187
Venue: 2018 IEEE/ACM 26th International Symposium on Quality of Service (IWQoS)
Keywords: traffic encryption, privacy-preserving header matching, header matching based functions, firewall filtering, packet classification, ORE ciphertexts, packets encryption, Microsoft Azure Cloud, fully functional system prototype, rule-aware size reduction, packet headers, practical ORE construction, order-revealing encryption, frequently-used network functions, secure middlebox services, traffic redirection, software middlebox services, outsourced middleboxes
Field: Middlebox, Firewall (construction), Computer science, Network packet, Computer network, Encryption, Service provider, Header, Scalability, Cloud computing
DocType: Conference
ISSN: 1548-615X
ISBN: 978-1-5386-2543-9
Citations: 1
PageRank: 0.35
References: 0
Authors: 4
Name             Order  Citations  PageRank
Yu Guo           1      15         3.26
Cong Wang        2      4463       204.50
Xingliang Yuan   3      171        25.91
Xiaohua Jia      4      4609       303.30