P4EAD: Securing the In-band Control Channels on Commodity Programmable Switches

Conventionally, the control channel on network switches has always been out-of-band. With the emergence of high-performance systems built upon programmable switches, the out-of-band control channel has become the bottleneck. Thus, there is an emerging trend of implementing the control channel in the data path (i.e., in-band) on programmable switches to achieve high throughput and low-latency control actions. However, the use of in-band control channels comes with the risk of security vulnerabilities that have not been explored in prior literature. In this paper, we present P4EAD, a cryptographic primitive to secure the in-band control channels on programmable switches entirely in the data plane. This ensures the integrity, authenticity, and confidentiality of in-band control messages. We conduct micro-benchmarks on P4EAD and demonstrate its integration with an existing high-performance inband control framework, showcasing minimal performance impact when securing the control channel.