Abstract
In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).
Original language | English |
---|---|
Title of host publication | CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | Association for Computing Machinery |
Pages | 1679-1693 |
Number of pages | 15 |
ISBN (Electronic) | 9781450394505 |
DOIs | |
State | Published - 7 Nov 2022 |
Event | 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States Duration: 7 Nov 2022 → 11 Nov 2022 |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
ISSN (Print) | 1543-7221 |
Conference
Conference | 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 |
---|---|
Country/Territory | United States |
City | Los Angeles |
Period | 7/11/22 → 11/11/22 |
Bibliographical note
Publisher Copyright:© 2022 ACM.
Keywords
- dynamic management
- in-network acl
- low-latency defense
- scalable port (range) matching