Network Function Virtualisation (NFV) advances the adoption of composable software middleboxes. Accordingly, cloud data centres are becoming major NFV vendors for enterprise traffic processing. Because redirecting traffic to the cloud raises privacy concerns, secure middlebox systems (e.g., BlindBox) have drawn much attention; they can process encrypted packets against encrypted rules directly. However, most existing systems that support pattern-matching-based network functions require the enterprise gateway to tokenise packet payloads via sliding windows. Such tokenisation induces a considerable communication overhead, which can exceed 100$\times$ the packet size. To overcome this bottleneck, in this paper we propose the first bandwidth-efficient encrypted pattern matching protocol for secure middleboxes. We resort to a primitive called symmetric hidden vector encryption (SHVE) and propose a variant of it, called SHVE+, to achieve a constant and moderate communication cost. To speed up matching, we devise encrypted filters that substantially reduce the number of accesses to SHVE+. We formalise the security of our proposed protocol and conduct comprehensive evaluations over real-world rulesets and traffic dumps. The results show that our design can inspect a packet against over 20k rules within 100 $\mu$s. Compared to prior work, it saves $94\%$ in bandwidth consumption.