CR, NI
May 12, 2016

SplitBox: Toward Efficient Private Network Function Virtualization

arXiv:1605.03772v1
41 citations
Originality: Incremental advance
AI Analysis

This work addresses privacy concerns for network operators outsourcing functions to cloud providers, though it is incremental, as it builds on existing models and systems.

The paper tackles the problem of privately processing outsourced network functions in the cloud without revealing network policies, and achieves a throughput of over 2 Gbps with 1 kB-sized packets handling up to 60 firewall rules in a proof-of-concept implementation.

This paper presents SplitBox, a scalable system for privately processing network functions that are outsourced as software processes to the cloud. Specifically, providers processing the network functions do not learn the network policies instructing how the functions are to be processed. We first propose an abstract model of a generic network function based on match-action pairs, assuming that this is processed in a distributed manner by multiple honest-but-curious providers. Then, we introduce our SplitBox system for private network function virtualization and present a proof-of-concept implementation on FastClick -- an extension of the Click modular router -- using a firewall as a use case. Our experimental results show that SplitBox achieves a throughput of over 2 Gbps with 1 kB-sized packets on average, traversing up to 60 firewall rules.
