TY - GEN
T1 - A Scalable and Dynamic ACL System for In-Network Defense
AU - Jung, Changhun
AU - Kim, Sian
AU - Jang, Rhongho
AU - Mohaisen, David
AU - Nyang, Dae Hun
N1 - Funding Information:
This research was supported by the Global Research Laboratory (GRL) Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT (NRF-2016K1A1A2 912757) and by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2020R1A2C2 009372). DaeHun Nyang and Rhongho Jang are the corresponding authors. The authors would like to thank the anonymous reviewers of CCS’22 for the thorough feedback that helped improve this paper.
Publisher Copyright:
© 2022 ACM.
PY - 2022/11/7
Y1 - 2022/11/7
N2 - In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).
AB - In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).
KW - dynamic management
KW - in-network acl
KW - low-latency defense
KW - scalable port (range) matching
UR - http://www.scopus.com/inward/record.url?scp=85143049653&partnerID=8YFLogxK
U2 - 10.1145/3548606.3560606
DO - 10.1145/3548606.3560606
M3 - Conference contribution
AN - SCOPUS:85143049653
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1679
EP - 1693
BT - CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 7 November 2022 through 11 November 2022
ER -