Security applications in P4: Implementation and lessons learned
Ali Mazloum, Ali AlSabeh, Elie Kfoury, Jorge Crichigno
Computer Networks, volume 257, Article 111011, published 2025-02-01. DOI: 10.1016/j.comnet.2024.111011
URL: https://www.sciencedirect.com/science/article/pii/S1389128624008430
Citation count: 0
Abstract
The data plane, which used to provide a limited and fixed set of operations in legacy networking devices, is now programmable. The de facto language for programming the data plane is Programming Protocol-independent Packet Processors (P4). After a P4 program is compiled, the resulting binary is loaded into the Application Specific Integrated Circuit (ASIC), which then processes packets according to the logic defined by the P4 program. The flexibility and granularity offered by programmable data plane devices have allowed many security applications to be offloaded to the data plane. P4 and programmable devices thus allow security applications to run in hardware while retaining the flexibility of software, which improves their performance. However, developing a P4 program is not straightforward.
The complexity of developing P4 applications has often been an obstacle for researchers, who mainly follow a trial-and-error approach to compile their program and fit it into the ASIC. This paper tackles the issue by providing a comprehensive guide to the process of designing P4 security applications. It goes beyond theory and delves into practical implementation by showcasing the creation of several security applications on P4 programmable switches and sharing the P4 source code of these applications. The authors discuss the lessons they learned from implementing multiple security applications on programmable switches using P4, providing the reader with guidelines and insightful considerations.
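As an added illustration of what a data-plane security application expressed in P4 looks like (this is editorial example code, not code from the paper or from the source the authors released), the following minimal P4_16 program for the v1model architecture parses Ethernet/IPv4, drops any packet whose source address matches an entry in a control-plane-managed blocklist table, and forwards everything else by longest-prefix match. Header, table and action names are assumptions chosen for the example.

```p4
// Editorial example: a stateless IPv4 source-address blocklist in P4_16 (v1model).
// Not taken from the paper; names are illustrative.
#include <core.p4>
#include <v1model.p4>

const bit<16> ETHERTYPE_IPV4 = 0x0800;

header ethernet_t {
    bit<48> dstAddr;
    bit<48> srcAddr;
    bit<16> etherType;
}

header ipv4_t {
    bit<4>  version;
    bit<4>  ihl;
    bit<8>  diffserv;
    bit<16> totalLen;
    bit<16> identification;
    bit<3>  flags;
    bit<13> fragOffset;
    bit<8>  ttl;
    bit<8>  protocol;
    bit<16> hdrChecksum;
    bit<32> srcAddr;
    bit<32> dstAddr;
}

struct metadata_t {}

struct headers_t {
    ethernet_t ethernet;
    ipv4_t     ipv4;
}

parser MyParser(packet_in pkt, out headers_t hdr, inout metadata_t meta,
                inout standard_metadata_t std_meta) {
    state start {
        pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) {
            ETHERTYPE_IPV4: parse_ipv4;
            default:        accept;      // non-IPv4 frames reach ingress with ipv4 invalid
        }
    }
    state parse_ipv4 {
        pkt.extract(hdr.ipv4);
        transition accept;
    }
}

control MyVerifyChecksum(inout headers_t hdr, inout metadata_t meta) { apply {} }

control MyIngress(inout headers_t hdr, inout metadata_t meta,
                  inout standard_metadata_t std_meta) {
    action drop() { mark_to_drop(std_meta); }
    action forward(bit<9> port) { std_meta.egress_spec = port; }

    // Blocklist keyed on the IPv4 source address. Entries are installed by the
    // control plane (e.g. over P4Runtime); a hit marks the packet for drop.
    table blocklist {
        key     = { hdr.ipv4.srcAddr : exact; }
        actions = { drop; NoAction; }
        size    = 1024;
        default_action = NoAction();
    }

    // Plain LPM forwarding for packets that survive the blocklist.
    table ipv4_forward {
        key     = { hdr.ipv4.dstAddr : lpm; }
        actions = { forward; drop; }
        size    = 1024;
        default_action = drop();
    }

    apply {
        if (hdr.ipv4.isValid()) {
            // Only consult the forwarding table when the blocklist did not hit.
            if (!blocklist.apply().hit) {
                ipv4_forward.apply();
            }
        } else {
            drop();                     // fail closed for anything we did not parse
        }
    }
}

control MyEgress(inout headers_t hdr, inout metadata_t meta,
                 inout standard_metadata_t std_meta) { apply {} }

control MyComputeChecksum(inout headers_t hdr, inout metadata_t meta) { apply {} }

control MyDeparser(packet_out pkt, in headers_t hdr) {
    apply {
        pkt.emit(hdr.ethernet);
        pkt.emit(hdr.ipv4);             // emitted only if valid
    }
}

V1Switch(MyParser(), MyVerifyChecksum(), MyIngress(), MyEgress(),
         MyComputeChecksum(), MyDeparser()) main;
```

Two points a practitioner should keep in mind. First, the switch itself holds no policy: the blocklist is empty until the control plane writes entries into it, so the program is only as good as the path that populates the table. Second, this example is stateless; detection logic that must remember state across packets (counters, sketches, connection tracking) uses registers and hashing, and it is exactly those stateful constructs whose placement across pipeline stages and memory limits drives the compile-and-fit iteration the abstract describes.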
Journal description:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.