Mitigation Of Security Attacks In The Sdn Data Plane Using P4-Enabled Switches

This paper presents a study and demonstration of some of the commonly seen internal security attacks and related countermeasures using P4, a dataplane programming language. The idea is that the vulnerabilities arising in programmable data planes are sufficiently mitigated with this P4 implementation. This also provides users with the flexibility to add or drop security features in the deployed switches, better visibility into the defense system owing to its open source nature and the portability of these P4 programs across many different vendors and devices. We evaluate our P4 code on software and hardware switches to detect IP-address spoofing attacks. The results show that attack packets are always detected and dropped, while the throughput remains unaffected and nearly constant across varying fractions of malicious packets injected in the network.