Abstract
The accuracy provided by traditional sampling-based
monitoring approaches, such as NetFlow, is increasingly
being considered insufficient to meet the requirements of today’s
networks. By summarizing all traffic for specific statistics of
interest, sketch-based alternatives have been shown to achieve
higher levels of accuracy for the same cost. Existing switches,
however, lack the necessary capability to perform the sort
of processing required by this approach. The emergence of
programmable switches, and the processing they enable in the
data plane, has recently made sketch-based solutions possible
in switching hardware.
One limitation of existing solutions is that they lack security. At
the scale of the datacenter networks that power cloud computing,
this limitation becomes a serious concern. For instance, there is
evidence of security incidents perpetrated by malicious insiders
inside cloud infrastructures. By compromising the monitoring
algorithm, such an attacker can render the monitoring process
useless, leading to undesirable actions (such as routing sensitive
traffic to disallowed locations). In this paper we propose, for
the first time, a secure sketch-based monitoring solution that
can run in programmable switches. Our algorithm – a secure
version of the well-known count-min sketch – was implemented
in P4, a programming language for switches. The evaluation of
our solution demonstrates the performance penalty introduced
by security to be negligible.
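To make the threat concrete, the following is an added Python example; it is not the paper's P4 implementation, and the keyed-hash countermeasure it shows is one illustrative hardening rather than a description of the paper's algorithm, which the abstract does not detail. It builds a plain count-min sketch with publicly computable hash functions (in a switch these are typically fixed CRCs with no secret), shows how an attacker who knows the hash functions can search offline for flow identifiers that collide with a victim flow in every row and thereby inflate the victim's count, and then repeats the attack against a sketch whose indices are derived with a secret key, so the precomputed collisions no longer line up. The victim flow label, the attacker flow labels, the key and the sketch dimensions are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import List, Optional

# Added example, not code from the paper: a count-min sketch (CMS) in Python,
# with either public (unkeyed) or secret-keyed index computation.


class CountMinSketch:
    """d rows of w counters; each item is hashed to one counter per row and the
    estimate is the minimum over the rows (CMS never underestimates)."""

    def __init__(self, width: int, depth: int, key: Optional[bytes] = None):
        self.width = width
        self.depth = depth
        self.key = key  # None -> public hash (attacker can compute it); bytes -> keyed
        self.table = [[0] * width for _ in range(depth)]

    def bucket(self, row: int, item: bytes) -> int:
        msg = row.to_bytes(2, "big") + item  # domain-separate the rows
        if self.key is None:
            digest = hashlib.sha256(msg).digest()
        else:
            digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def update(self, item: bytes, count: int = 1) -> None:
        for row in range(self.depth):
            self.table[row][self.bucket(row, item)] += count

    def estimate(self, item: bytes) -> int:
        return min(self.table[row][self.bucket(row, item)] for row in range(self.depth))


def find_colliders(victim: bytes, width: int, depth: int, n: int,
                   max_tries: int = 200_000) -> List[bytes]:
    """Attacker side: with the hash functions public, brute-force flow labels that
    land in the victim's counter in every row. Expected cost is about w^d tries
    per collider (1024 here), which is trivial offline."""
    probe = CountMinSketch(width, depth)  # same public hashes as the monitor
    target = [probe.bucket(r, victim) for r in range(depth)]
    found: List[bytes] = []
    for i in range(max_tries):
        cand = b"attacker-flow-%d" % i  # constructed attacker flow labels
        if cand != victim and all(probe.bucket(r, cand) == t for r, t in enumerate(target)):
            found.append(cand)
            if len(found) == n:
                break
    return found


def run_attack(key: Optional[bytes], width: int = 32, depth: int = 2,
               victim: bytes = b"10.0.0.5->10.0.1.9:443", true_count: int = 10,
               n_colliders: int = 4, attack_pkts: int = 100) -> int:
    """Monitor side: count the victim's real traffic, then let the attacker send
    attack_pkts packets on each precomputed colliding flow. Returns the monitor's
    estimate for the victim flow."""
    monitor = CountMinSketch(width, depth, key)
    monitor.update(victim, true_count)
    # The attacker does not know the key (if any), so the colliders are always
    # computed against the public hash functions.
    for flow in find_colliders(victim, width, depth, n_colliders):
        monitor.update(flow, attack_pkts)
    return monitor.estimate(victim)


if __name__ == "__main__":
    # Public hashes: all 4 colliders hit the victim's counter in both rows,
    # so the estimate is exactly 10 + 4 * 100 = 410 instead of 10.
    print("unkeyed estimate:", run_attack(None))
    # Keyed hashes: the attacker's collisions were found against the wrong
    # functions, so they scatter and the victim's estimate stays near 10.
    print("keyed estimate:  ", run_attack(b"monitor-secret-key"))
```

The toy width and depth keep the brute force fast; real sketches are far wider, but with public hash functions the search cost only grows as w^d and is paid once, offline, against a monitor that must keep serving packets at line rate. The keyed variant here uses HMAC, which is not what a switch data plane can compute; it stands in for any index derivation that depends on a secret the attacker cannot learn, and the overhead of realising that in hardware is exactly the cost the paper's evaluation measures.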