DocumentCode :
3084687
Title :
A clean-slate security vision for future networks: Simultaneously ensuring information security and establishing smart in-network services using the example of blind packet forwarding
Author :
Simsek, Irfan ; Becke, Martin ; Jerschow, Yves Igor ; Rathgeb, Erwin P.
Author_Institution :
Comput. Networking Technol. Group, Univ. of Duisburg-Essen, Essen, Germany
fYear :
2013
fDate :
23-25 Oct. 2013
Firstpage :
1
Lastpage :
5
Abstract :
To solve many of the challenges identified in Future Network debates, there are approaches which suggest that a network should be service-oriented, flexibly and dynamically orchestrated from atomic smart in-network services. In these approaches, in-network services require access to various control data signalled in different ways to utilise the complete functionality of the orchestrated network. The diversity and amount of required control data rise progressively so that the communication endpoints have to allow more and more access to information about themselves. To ensure information confidentiality and integrity for two communicating endpoints, the de facto method applied so far is end-to-end encryption of information transferred between the two endpoints. However, in-network services then no longer have access to the encrypted control data and they cannot accomplish their tasks anymore. Thus, we can either ensure information security or establish smart in-network services. Our paper focuses on this dilemma and introduces an approach where we redesign the smart in-network services to blind but still smart ones that can still correctly process masked control data by using a new kind of cryptographic algorithm. The feasibility of our approach is demonstrated by redesigning the packet forwarding service to a blind one. Additionally, we present our prototype implementation of the blind packet forwarding and evaluate it.
Keywords :
cryptography; telecommunication security; telecommunication services; blind packet forwarding; clean slate security vision; cryptographic algorithms; de facto method; encrypted control data; end to end encryption; future networks; information security; packet forwarding service; smart in network services; DH-HEMTs; Encryption; Logic gates; Ports (Computers); Public key; Routing; Future Network security; PEKS; blind in-network service; blind packet forwarding; masked control data;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Network of the Future (NOF), 2013 Fourth International Conference on the
Conference_Location :
Pohang
Type :
conf
DOI :
10.1109/NOF.2013.6724501
Filename :
6724501