dh-aes-p4: On-premise encryption and in-band key-exchange in P4 fully programmable data planes

Isaac Oliveira, Emidio P. Neto, Roger Immich, Ramon Fontes, Augusto Nelo, Fabricio Rodriguez, Christian Esteve Rothenberg

2021 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN) (2021)

Abstract
Software-Defined Networking (SDN) fostered unprecedented advances over legacy networks by employing a central-logic control plane to coordinate data-plane nodes in a net-programmable manner. From the security view, control applications that run atop the SDN controller are in charge of establishing secure data-plane connections between pairs of data-plane forwarding nodes. Diffie–Hellman (DH) is a widely used solution for cryptographic key exchange between endpoints. However, traditional DH implementations impose high computational costs and key management hazards, leading to issues in the SDN central-logic control plane. This paper introduces dh-aes-p4, which tackles the penalties of legacy SDN security solutions by turning the data plane into fully programmable P4 nodes. The proposed solution allows P4-enabled data-plane nodes to establish secure channels between each other. In doing so, it is possible to harness in-band DH key exchange with AES encryption, enclosing on-site features to generate keys dynamically and enforce them autonomously and with high agility, without intervention from the SDN controller's central logic. A prototype was designed to validate the feasibility and estimate the performance impact of dh-aes-p4 with respect to regular SDN central logic.