EuroP4 2023 took place December 8th in conjunction with ACM CoNEXT 2023 in Paris (France). This event brought together networking researchers and practitioners to discuss cutting-edge, P4-enabled research and P4-based technology. The workshop provided a venue for presenting and discussing research and projects related to P4, as well as for more broadly discussing the needs of this research community. The workshop aimed to forge new connections between researchers who already work with P4, introduce more networking researchers to the P4 community, and seed future top-tier publications, innovation and contributions to this community.
View proceedings from the 2023 EuroP4 Workshop
Session 1: P4 Networking
LANTERN: Layered Adaptive Network Telemetry Collection for Programmable Data Planes
Kaiyu Hou (Alibaba Cloud), Dhiraj Saharia (Georgetown University), Vinod Yegneswaran (SRI International), Phil Porras (SRI International)
Abstract:
Managing next-generation enterprise networks requires collecting and analyzing enormous volumes (tens of Tbps) of network traffic data in real time to detect potential anomalies, classify attacks, identify root causes, and rapidly deploy effective mitigations. Conducting robust and scalable analysis on such traffic volumes is a daunting "haystack" problem that demands intelligent strategies to winnow traffic to extract and pinpoint "needles" of interest. Recent advances in software-defined networking and programmable data planes, which enable dynamic reconfiguration of switching hardware to adapt to changing traffic conditions, provide a foundational building block. However, they lack the resources and programming primitives for complex computational models.
Toward that end, we present LANTERN, a layered and adaptive network telemetry system that facilitates joint collection and analysis of network traffic at multiple resolutions in coordination with the controller. Our design offloads complex machine-learning analysis to the controller, while still enabling proactive telemetry refinement and reactive mitigation triggers at the data-plane level. We evaluate our layered approach by replaying a labeled CIC-IDS attack dataset through both software and hardware P4 switches. LANTERN is able to detect most anomalies, accurately classify them, and introduces negligible switching overhead (1% latency).
Per Priority Data Rate Measurement in Data Plane
Habib Mostafaei (Eindhoven University of Technology), Georgios Smaragdakis (Delft University of Technology)
Abstract:
Many applications, such as video streaming, congestion control, and server selection, can benefit when the data rate of different priority groups between two endpoints is accurately estimated over the end-to-end path. With the introduction of programmable networks, e.g., P4, it is now possible to offload the measurements to the data plane of intermediate devices. Recently, tools have been developed to react to changes in available bandwidth, but a tool to accurately estimate end-to-end per-priority data rates needs to be added. This motivates us to design and implement a new end-to-end and per-priority data rate estimation tool, PrioMeter. PrioMeter can accurately report the data rate per priority group of flows in programmable networks using high-precision timestamps for arbitrary traffic scales. PrioMeter leverages two primitives: quantization and truncation, to achieve its goals. We implement PrioMeter in P4 and test it on BMv2 switches, and our preliminary results using NS3 simulations show that it can accurately estimate the data rate of different priority flows with minimal overhead.
Cryptographic Path Validation for SCION in P4
Lars-Christian Schulz (OVGU Magdeburg), Robin Wehner (OVGU Magdeburg), David Hausheer (OVGU Magdeburg)
Abstract:
SCION has been proposed as a new Internet architecture addressing security and scalability shortcomings in the current Internet. Multiple real-world deployments of SCION already exist; nevertheless, few hardware implementations of SCION routers are available.
In this paper, we implement a SCION border router on a programmable 12.8 Tbit/s Intel Tofino 2 switch. Our router utilizes the multiple separately programmable packet pipelines of Tofino 2 in order to compute SCION’s AES-CMAC-based hop authenticators in general-purpose P4 without assistance from specialized hardware.
Using three out of four available pipelines, we achieve 394.7 Gbit/s throughput per port on 8 ports for a total of 3.16 Tbit/s capacity. Using only two pipelines we still achieve line rate throughput on 4 ports for a total of 1.58 Tbit/s capacity. To our knowledge there is no other SCION router including the AES-CMAC validation that offers a comparable performance.
Session 2: P4 Control & Targets
Introducing P4TC: A P4 Implementation on Linux Kernel using Traffic Control
Jamal Hadi Salim (Mojatatu Networks), Deb Chatterjee (Intel Corporation), Victor Nogueira (Mojatatu Networks), Pedro Tammela (Mojatatu Networks), Tomasz Osinski (Intel Corporation), Evangelos Haleplidis (
Abstract:
The networking industry is at an inflection point, with ever-increasing network link capacities coupled with the presence of programmable hardware ASICs. This set of circumstances calls for a robust approach to hardware and software co-existence for network programmability.
P4TC is a P4 Linux kernel-native implementation on top of the Linux Traffic Control (TC) infrastructure that provides a vendor-neutral, kernel-independent and architecture-independent interface for Match-Action packet processing compatible with the P4 specification. P4TC facilitates both a hardware datapath and a functionally equivalent kernel eBPF-assisted software datapath making it ideal to deal with both high speed links and programmable hardware.
In this paper, we describe the goals and motivation of P4TC and its design and architecture, and illustrate the different concepts of the P4TC infrastructure via an example of a simple L2 switch.
NAP: Programming data planes with Approximate Data Structures
Mengying Pan (Princeton University), Hyojoon Kim (University of Virginia), Jennifer Rexford (Princeton University), David Walker (Princeton University)
Abstract:
Many applications that run on programmable data planes rely on approximate data structures, due to insufficient in-network memory. However, programming with approximate data structures is challenging because it requires (1) expertise in streaming algorithms to select the data structures that best match an application’s requirements, (2) meticulous configuration to minimize approximation error while fitting within the hardware constraints, and (3) proficiency in the low-level P4 language. To address these issues, we propose NAP, a high-level network programming language. The core of NAP is the versatile approximate dictionary abstraction that captures a wide range of compact data structures, while allowing programmers to simply specify the kinds of error an application can tolerate. We demonstrate the language’s expressiveness, conciseness, and efficiency through a variety of network applications, each compiling to P4 for the Intel Tofino in less than a second and featuring 25X–50X fewer lines of code compared to the P4 output. We evaluate an approximate stateful firewall written in NAP with real campus traffic, achieving performance consistent with the predicted accuracy.
P4EAD: Securing the In-band Control Channels on Commodity Programmable Switches
Archit Bhatnagar (Birla Institute of Technology & Science, Pilani), Xin Zhe Khooi (National University of Singapore), Cha Hwan Song (National University of Singapore), Mun Choon Chan (National University of Singapore)
Abstract:
Conventionally, the control channel on network switches has always been out-of-band. With the emergence of high-performance systems built upon programmable switches, the out-of-band control channel has become the bottleneck. Thus, there is an emerging trend of implementing the control channel in the data path (i.e., in-band) on programmable switches to achieve high throughput and low-latency control actions. However, the use of in-band control channels comes with the risk of security vulnerabilities that have not been explored in prior literature. In this paper, we present P4EAD, a cryptographic primitive to secure the in-band control channels on programmable switches entirely in the data plane. This ensures the integrity, authenticity, and confidentiality of in-band control messages. We conduct micro-benchmarks on P4EAD and demonstrate its integration with an existing high-performance in-band control framework, showcasing minimal performance impact when securing the control channel.
Posters and Demos Session
Poster: High-Speed Per-Packet Checksums on the Intel Tofino
David Grölle (OVGU Magdeburg), Lars-Christian Schulz (OVGU Magdeburg), Robin Wehner (OVGU Magdeburg), David Hausheer (OVGU Magdeburg)
Abstract:
Path-aware networking has introduced new possibilities to monitor and control network access and solved a multitude of modern-day Internet security issues. Being able to authorize usage of specific paths enables network operators to offer high-quality services to customers requiring highly reliable network access.
Currently, securing a network path or an end host is only possible by using high-level solutions like VPNs. With EPIC-HP (Every Packet Is Checked - Hidden Path), it has been shown that it is possible to move this functionality down into the network itself. EPIC-HP extends the path-aware Internet architecture SCION by offering per-packet checksums, adding authentication to network traffic. This is used to combat DoS attacks on the network's end hosts and give high-priority access to specific end users. In this paper, we show that it is possible to implement the functionality of EPIC-HP along with SCION on the Intel Tofino 2 ASIC. EPIC-HP requires AES-based MAC verification with per-path keys in the data plane. By using the multi-pipeline structure of the Tofino, we implemented the required AES and AES-CMAC cryptography using three pipes of the switch's total four independent pipes.
The throughput we achieve is an order of magnitude above the data rates previously achieved for EPIC-HP and is a significant step towards a more secure Internet.
Poster: P4DME: DNS Threat Mitigation with P4 In-Network Machine Learning Offload
Juan Vanerio (University of Vienna), Csaba Györgyi (University of Vienna), Stefan Schmid (TU Berlin, Fraunhofer SIT)
Abstract:
The ever-evolving cybersecurity landscape demands innovative solutions to safeguard critical network infrastructure such as the Domain Name System (DNS). This paper presents P4DME, a novel approach that harnesses the potential of Machine Learning (ML) in conjunction with P4 programmable switches to tackle DNS threats efficiently. P4DME’s primary benefit lies in offloading filtering from resource-intensive ML processing tasks on dedicated servers. This offloading boosts the overall traffic throughput that can be inspected or achieves the same throughput with reduced resource consumption while preserving the servers’ capabilities for high-performance threat identification. This work uses P4-based in-network elements to handle crucial DNS threats, dynamic white- and blacklisting, and an online popularity-based anomaly detection heuristic. The latter serves as a trigger for dedicated ML-based inspection. Furthermore, we introduce in-network mitigation filters updated through the control plane to provide adaptable and responsive threat mitigation. Preliminary simulation results show more than 99.9% offload ratio at 5% increased False Negative Ratio.
Poster: Maintaining Sets With Deletions in the Data Plane
Jonathan Diamant (The Open University of Israel), Shir Landau Feibish (The Open University of Israel)
Abstract:
Sets are one of the most fundamental data types in Computer Science, and data structures used to maintain sets are used in many algorithms. These structures normally support three basic operations: insertion, look-up (i.e., set-membership query), and deletion. The most common set-membership data structure used in the data plane is the Bloom Filter (BF). While BFs are relatively easy to adapt to the data plane, they offer limited set-membership functionality as they do not support deletions. If deletions are required, a Counting Bloom Filter (CBF) (which maintains counters instead of bits) may be used. Yet, if a key was inserted multiple times, multiple deletions would be needed to completely remove the key from the structure. We present MEM-D, a fast and lightweight set-membership data structure for the data plane, which supports all three operations: look-up, insertion, and deletion. MEM-D supports the uniqueness property, meaning that a key is removed with a single deletion operation even if it was inserted multiple times. MEM-D provides a false positive (FP) error rate similar to the rate of the standard BF and additionally may incur a small false negative (FN) error. We have implemented MEM-D on a hardware Tofino target using P4. To the best of our knowledge, MEM-D is the first data structure for set-membership in the data plane that supports deletion.
Poster: Adaptive In-Network Inference using Early-Exits
Heewon Kim (Korea University), Seongyeon Yoon (Korea University), Sangheon Pack (Korea University)
Abstract:
In-network (or on-path) inference over programmable data planes allows fast and low-overhead inference in deep neural networks. In this work, we propose an adaptive approach to strike the balance between accuracy and processing cost. To be specific, the confidence score is evaluated at the end of each layer, and an early exit is triggered if the confidence score is sufficiently high. We implement this early-exit scheme over BMv2 software switches and the results demonstrate that the proposed scheme successfully controls the trade-off by making use of the confidence score.
Demo: Enabling DNN-Based Inference in the Network Data Plane
Siddhartha (AMD), Justin Tan (AMD & NUS), Rajesh Bansal (AMD), Chee Chung Chan (AMD), Yuta Tokusashi (AMD), Yew Kwan Chong (AMD), Haris Javaid (AMD), Mario Baldi (AMD)
Abstract:
Advancements in programmable packet processing technologies have fostered innovation across a range of networking applications. Integration of deep neural networks (DNN) in the network data plane, however, has remained largely unaddressed due to the high compute requirements of the underlying algebraic kernels. In this paper, we show how P4 packet processing pipelines can be augmented with DNN inference engines on devices readily available in the market today. We share a network security case study, where we train a DNN-based anomaly detector that classifies active traffic flows as either malicious or benign using per-packet inference. Our implementation runs on an AMD Alveo(TM) U250 FPGA accelerator card, and is capable of servicing network traffic of up to approximately 98 Mpps on 100 GbE links.
Workshop General Chairs
Fernando Ramos, University of Lisbon
Muhammad Shahbaz, Purdue University
Program Chairs
Vladimir Gurevich, P4ica
Salvatore Signorello, Telefonica Research, Spain
Publicity Chairs
Denise Barton, ONF
Sandor Laki, Eötvös Loránd University
Program Committee
Alan Lo, NVIDIA
Alan Zaoxing Liu, University of Maryland
Andy Fingerhut, Intel
Anirudh Sivaraman, New York University
Christian Esteve Rothenberg, University of Campinas
Daehyeok Kim, University of Texas at Austin
Davide Sanvito, NEC Labs
Ennan Zhai, Alibaba Cloud
Gianni Antichi, Politecnico di Milano & Queen Mary University of London
Jiarong Xing, Rice University
Mario Baldi, AMD & Politecnico di Torino
Nate Foster, Cornell University
Nik Sultana, Illinois Institute of Technology
Robert Soulé, Yale University
Shir Landau Feibish, The Open University of Israel