Hello,
I am implementing an IPsec VPN using P4, with bmv2 and mininet for my bachelors thesis. I’m not sure if this is the correct place to ask, but I am looking for someone who could provide private tutoring to help me understand the concepts needed for the implementation. If someone knows where I might be able to find this, that would be extremely useful.
The steps I need help with implementing are:
Setting up a site to site topology
Creating a Python script to send packets for testing
Implementing externs to the bmv2 which deal with encryption and decryption (this is the main part I am struggling with)
EDIT: Before saying anything else, you can get help here without needing a private tutor (particularly, if that implies any cost). Many people in the forum are happy to help you further if you need help. Not sure if private tutoring, but as long as they have free time and are willing to spend time solving anyone’s doubts, then they will answer you. I always recommend on asking your questions here so other people benefit from it.
I think you can have two or three other people who can give a more precise answer, particularly, in terms of extern implementation and the exact steps you have to take. I can give you my perspective, but a few other people in the P4 community might extend my answer, and I encourage them to do so.
I would like to say that the project you describe here, for a bachelor thesis, is probably complex, but not impossible. If you are not familiar with network protocols, P4, C++ and Python (to name a few of the concepts), this is likely a complex task to achieve in (a few?) months. If you feel comfortable in one or more of the aforementioned topics, then that’s fantastic. However, one or more of the topics you mentioned can already be found in papers or repositories, so let’s see if this answer helps you.
When I first read IPsec and P4, two papers came to mind from the same author. One is “P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection with MACsec in P4-SDN” (paper, repository). But most importantly, “P4-IPsec: Site-to-Site and Host-to-Site VPN with IPsec in P4-Based SDN” (paper, repository).
Ok let’s see…
If you need help establishing a topology in Mininet you can check the P4 tutorial and I would suggest to practice, first, with all the exercises. I recommend you complete the tutorial yourself, without looking into the solutions. It will give you a good intro to P4 and Mininet. The topologies in the tutorial are created with a helper file, but Mininet has some examples here too. Consider that the script for P4 switch used in the tutorial does not OVS, but the bmv2 Simple Switch.
I would like to believe this was done, already, by Hauser et al. at the previous repository and paper. However, it is a long time since I last read it, so you should confirm this. If you want to go your own way (which I do not recommend unless you have plenty of time or really need to), then you probably need to modify bmv2 framework and/or the Simple Switch target. This implies a certain level of expertise in C++ and being extremely familiar with how all pieces are tied in regard to bmv2 and the ss target. You can do it yourself, but it will take quite some time if you are not familiar with all the different components when it comes to implementing custom externs (see this fantastic introductory reply at Github issues tab).
You will be able to do this after you complete the tutorial, there is a simple exercise about tunneling too. However, I am pretty sure that Hauser has already looked at it. Also, when I was reading more about IPsec, I found this article by Steve Friedl, which I believe is well explained and provides a fairly deep look into it compared to other websites.
I am not completely aware about the internals of P4-IPsec by Hauser et al. but from the public version of the linked paper, it seems that IKE was replaced by moving it to the controller and there could be a good reason for that (as per the opinion of the authors). If this method is not viable for you, then you will have to design a way to include IKE into the implementation done to Hauser’s prototype, or your own, of course. There is a rather detailed discussion about IKE and the different options in the first third block of the paper. In any way, I am guessing that handling IKE should be done by an “agent” in the switch that handles peering and channel encryption (maybe using a config file) partially independent to the P4 program (you could choose to encrypt any switch-to-switch communication channel). However, I wonder if adding target-specific metadata to a packet could let a programmer decide between an encrypted default channel, a new encrypted channel (perhaps for a flow?) or an unencrypted channel. That would be interesting to analyze.
If you can create encrypted channel either switch-to-switch, ingress-to-egress or end-to-end (and all these scenarios need different development efforts), then you can use some available tools like iperf to achieve your goal. I do not think you will have many issues to build a consistent set of tests, and you can always base yourself in the paper I mentioned before (e.g., Section VI of P4-IPsec).
Thank you for your fast and thorough reply. I have ultimately decided to change my project as the scope was too large for the time and my level of knowledge.
I have seen the paper by Hauser et al. on IPsec implementation in P4 and was attempting to recreate their work.
The part of (re)implementing the externs is where I really struggled, the introductory Github issues tab was helpful to understand what the process would entail, but a step by step guide may be quite useful for others in the future.
if adding target-specific metadata to a packet could let a programmer decide between an encrypted default channel, a new encrypted channel (perhaps for a flow?) or an unencrypted channel. That would be interesting to analyze.