iTAP is a partially deployable network-level system that enables anonymous communication within the premises of a network. The key insight behind iTAP is to leverage the programmability offered by Software-Defined Networking (SDN) to dynamically rewrite packet headers at the edge of the network to varying randomized identifiers. iTAP is useful with as few as two SDN devices, and from there on its anonymity guarantees grow linearly with the number of SDN devices.
With iTAP in place, in-network eavesdroppers only see randomized IDs (which carry no information) as headers and cannot single out hosts unless they eavesdrop on all links of a path, which is unlikely in practice. As an illustration, the Figure on the left shows the distribution of source and destination IP addresses observed by a link-level eavesdropper with and without iTAP. Without iTAP, it is evident that 18 clients and six servers are communicating with each other. With iTAP, the observed IP addresses are spread over the whole address range and neither the real addresses nor the number of communicating hosts is recognizable.
Example of information leakage. Observed source and destination IP addresses without (left) and with iTAP (right).
An iTAP-enabled network consists of SDN-enabled switches along with traditional L2 switches, all controlled by an iTAP controller. The main functionality provided by iTAP is flow obfuscation at scale. To do so, iTAP leverages an adaptive hybrid obfuscation scheme in which the obfuscation is adapted before any attacker can learn enough information to break it. In addition to traffic obfuscation, iTAP can detect the attacker's position by monitoring unexpected entry points for obfuscated traffic (e.g., an attacker trying to probe an obfuscated header). iTAP supports partial deployment and does not require a network consisting solely of OpenFlow switches to be useful.
iTAP overview. The network consists of SDN-enabled switches and traditional MAC-learning switches. The headers of flows are rewritten between the ingress and the egress switch.
Roland Meier, David Gugelmann, Laurent Vanbever
ACM SOSR 2017. Santa Clara, CA, USA (April 2017).
Advances in layer 2 networking technologies have fostered the deployment of large, geographically distributed LANs. Due to their large diameter, such LANs provide many vantage points for wiretapping. As an example, Google's internal network was reportedly tapped by governmental agencies, forcing the Web giant to encrypt its internal traffic. While using encryption certainly helps, eavesdroppers can still access traffic metadata which often reveals sensitive information, such as who communicates with whom and which are the critical hubs in the infrastructure.
This paper presents iTAP, a system for providing strong anonymity guarantees within a network. iTAP is network-based and can be partially deployed. Akin to onion routing, iTAP rewrites packet headers at the network edges by leveraging SDN devices. As large LANs can see millions of flows, the key challenge is to rewrite headers in a way that guarantees strong anonymity while, at the same time, scaling the control-plane (number of events) and the data-plane (number of flow rules). iTAP addresses these challenges by adopting a hybrid rewriting scheme. Specifically, iTAP scales by reusing rewriting rules across distinct flows and by distributing them on multiple switches. As reusing headers leaks information, iTAP monitors this leakage and adapts the rewriting rules before any eavesdropper could provably de-anonymize any host.
We implemented iTAP and evaluated it using real network traffic traces. We show that iTAP works in practice, on existing hardware, and that deploying a few SDN switches is enough to protect a large share of the network traffic.
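A constructed toy model of the hybrid rewriting scheme described above, added here as an illustration and not code from the iTAP prototype: an ingress edge hands each host a randomized ID that is reused across flows (fewer rules), a per-ID counter monitors the resulting leakage, and the ID is rotated once the assumed budget `REUSE_LIMIT` is reached, while the egress restores the real headers. The address ranges, the budget of four flows per ID, and the 18-client/6-server traffic mix are assumptions; distributing rules over several switches is not modelled.

```python
import secrets
from collections import Counter
from ipaddress import ip_network

# Constructed toy model of iTAP's edge rewriting, not the prototype. Hosts: 192.168.0.0/16; IDs: 10.0.0.0/8.
OBFUSCATED_RANGE = ip_network("10.0.0.0/8")
REUSE_LIMIT = 4  # assumed leakage budget: flows an ID may serve before it is rotated

class ItapEdge:
    """Ingress rewrites real (src, dst) pairs to randomized IDs; egress restores them."""
    def __init__(self):
        self.current = {}      # real address -> ID currently handed to new flows
        self.uses = Counter()  # ID -> flows that reused it (the leakage monitor)
        self.reverse = {}      # (obf_src, obf_dst) -> (real_src, real_dst), egress table

    def _id_for(self, real):
        # Hybrid scheme: reuse a host's current ID across flows (fewer rules), but
        # rotate it before the reuse count lets an eavesdropper correlate the flows.
        cur = self.current.get(real)
        if cur is None or self.uses[cur] >= REUSE_LIMIT:
            while cur is None or cur in self.uses:  # fresh ID never handed out before
                cur = str(OBFUSCATED_RANGE[1 + secrets.randbelow(OBFUSCATED_RANGE.num_addresses - 2)])
            self.current[real] = cur
        self.uses[cur] += 1
        return cur

    def ingress(self, real_src, real_dst):  # new flow enters; returns the on-wire header
        obf = (self._id_for(real_src), self._id_for(real_dst))
        self.reverse[obf] = (real_src, real_dst)
        return obf

    def egress(self, obf_src, obf_dst):  # egress switch restores the real header
        return self.reverse[(obf_src, obf_dst)]

def eavesdropper_view(edge):
    """Addresses a link-level eavesdropper observed: exactly the keys of the egress table."""
    return {s for s, _ in edge.reverse}, {d for _, d in edge.reverse}

def simulate(n_clients=18, n_servers=6, flows_per_client=10):
    """18 clients talk to 6 servers, as in the figure above; every flow must round-trip."""
    edge = ItapEdge()
    clients = [f"192.168.1.{i}" for i in range(1, n_clients + 1)]
    servers = [f"192.168.2.{i}" for i in range(1, n_servers + 1)]
    for i, c in enumerate(clients):
        for k in range(flows_per_client):
            s = servers[(i + k) % n_servers]
            assert edge.egress(*edge.ingress(c, s)) == (c, s)
    return edge
```

Running `simulate()` and then `eavesdropper_view()` shows 54 source and 48 destination IDs from 10.0.0.0/8 instead of the 18 clients and 6 servers, with no ID serving more than four flows.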
Roland Meier
ACM SOSR 2017. Santa Clara, CA, USA (April 2017).
We implemented a prototype of iTAP on top of Floodlight, a Java-based OpenFlow controller. Overall, our implementation consists of approximately 2,000 lines of Java code.
The source code of the iTAP prototype implementation is publicly available on GitHub.