Predictable Internet Clients and In-Switch Deep Packet Inspection.

ICCCN(2023)

Abstract
Deep packet inspection (DPI) is important for network security and is currently provided by complex black-box firewalls. This raises the question: can network administrators build their own DPI-capable filter using a standard programmable switch? The common answer is that standard switches support P4, which allows users to specify how to parse packet headers but not packet payload fields (e.g., URL); thus DPI tasks, like URL filtering, require dedicated middleboxes. In this paper, we challenge this common answer. First, we demonstrate that clients send packets with a predictable structure, so a P4 switch can perform some DPI (enough for URL filtering). Second, we demonstrate a URL-filtering firewall completely in the data plane, with no external help from the SDN controller, firewalls, etc., and no custom logic. Our proof-of-concept, P4Wall, handles multiple protocols (HTTP, HTTPS, DNS) with high performance: orders of magnitude faster than a standard Linux (netfilter) firewall.
Keywords
P4 language, programmable switch, firewall