Programmable In-Network Obfuscation of Traffic
PINOT addresses user privacy in networks with a readily deployable solution that requires no end-user modifications; the approach is incremental in that it builds on existing programmable switch hardware.
The paper tackles the problem of user privacy by introducing PINOT, a lightweight in-network anonymity solution that encrypts IPv4 addresses at line rate on programmable switches, and demonstrates its deployment in a campus network to protect user identity against services like DNS, NTP, and WireGuard VPN.
Recent advances in programmable switch hardware offer a fresh opportunity to protect user privacy. This paper presents PINOT, a lightweight in-network anonymity solution that runs at line rate within the memory and processing constraints of hardware switches. PINOT encrypts a client's IPv4 address with an efficient encryption scheme to hide the address from downstream ASes and the destination server. PINOT is readily deployable, requiring no end-user software or cooperation from networks other than the trusted network where it runs. We implement a PINOT prototype on the Barefoot Tofino switch, deploy PINOT in a campus network, and present results on protecting user identity against public DNS, NTP, and WireGuard VPN services.
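To make the mechanism concrete, here is an added toy model of what the abstract describes: a trusted edge switch rewrites a client's source IPv4 address to a keyed pseudonym on the way out and maps the pseudonymous destination of the reply back to the real client on the way in. This is illustration code written for this page, not PINOT's code, and the cipher is not the paper's scheme (the page does not give it). The assumptions are marked in the code: a constructed trusted prefix 10.20.0.0/16, a keyed Feistel permutation over only the 16-bit host part so that obfuscated addresses stay inside the prefix and replies still route back, and per-epoch subkeys so that a client's pseudonym changes between epochs. The functions `encrypt16`, `decrypt16`, `obfuscate_src`, `deobfuscate_dst` and `round_trip` are hypothetical names for this example.

```python
"""
Toy model of in-network source-address obfuscation on a trusted edge switch.
Constructed illustration only; it is not PINOT's scheme or code, since the
cipher and deployment details are not given on this page.

Assumptions made here (not statements about PINOT):
- The trusted network owns the constructed prefix 10.20.0.0/16.
- Only the 16-bit host part is encrypted with a keyed Feistel permutation, so
  an obfuscated address stays inside the prefix and replies still route back.
- A per-epoch subkey is derived from a master key so that a client's pseudonym
  changes between epochs, which limits long-term linkability of the pseudonym.
"""
import hashlib
import hmac
import ipaddress

MASTER_KEY = b"constructed-master-key-for-demo"   # constructed demo value
PREFIX = ipaddress.ip_network("10.20.0.0/16")     # constructed trusted prefix
ROUNDS = 8


def epoch_key(epoch: int) -> bytes:
    """Derive a per-epoch subkey; rotating the epoch re-pseudonymises clients."""
    return hmac.new(MASTER_KEY, epoch.to_bytes(4, "big"), hashlib.sha256).digest()


def _f(key: bytes, rnd: int, half: int) -> int:
    """Keyed 8-bit round function: HMAC-SHA256 truncated to one byte."""
    return hmac.new(key, bytes([rnd, half]), hashlib.sha256).digest()[0]


def encrypt16(key: bytes, x: int) -> int:
    """Format-preserving permutation of a 16-bit value (balanced Feistel)."""
    l, r = x >> 8, x & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(key, i, r)
    return (l << 8) | r


def decrypt16(key: bytes, y: int) -> int:
    """Inverse of encrypt16: run the rounds backwards."""
    l, r = y >> 8, y & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, i, l), l
    return (l << 8) | r


def obfuscate_src(pkt: dict, epoch: int) -> dict:
    """Egress: replace a protected client's source address with its pseudonym."""
    src = ipaddress.ip_address(pkt["src"])
    if src not in PREFIX:
        return pkt                                   # not a protected client
    host = int(src) - int(PREFIX.network_address)
    pseudo = PREFIX.network_address + encrypt16(epoch_key(epoch), host)
    return {**pkt, "src": str(pseudo)}


def deobfuscate_dst(pkt: dict, epoch: int) -> dict:
    """Ingress reply: map the pseudonymous destination back to the real client."""
    dst = ipaddress.ip_address(pkt["dst"])
    if dst not in PREFIX:
        return pkt
    host = int(dst) - int(PREFIX.network_address)
    real = PREFIX.network_address + decrypt16(epoch_key(epoch), host)
    return {**pkt, "dst": str(real)}


def round_trip(client: str, server: str, epoch: int) -> tuple:
    """Simulate one request/reply pair.

    Returns (address the server sees, address the reply is delivered to).
    The packets are constructed dicts standing in for IPv4 headers.
    """
    out = obfuscate_src({"src": client, "dst": server, "dport": 53}, epoch)
    reply = deobfuscate_dst({"src": server, "dst": out["src"], "sport": 53}, epoch)
    return out["src"], reply["dst"]


if __name__ == "__main__":
    seen, back = round_trip("10.20.3.7", "198.51.100.53", epoch=1)
    print("server sees:", seen, "| reply delivered to:", back)
    print("same client, next epoch:", round_trip("10.20.3.7", "198.51.100.53", epoch=2)[0])
```

Two design points carry over from the abstract: the rewrite is stateless, which is what makes it feasible within switch memory limits, and only the trusted network holds the key, so downstream ASes and the destination server see a pseudonym they cannot invert. The epoch parameter is this example's way of bounding how long one pseudonym stays linkable to a client; a real deployment would also need the reply to arrive within the epoch it was sent in, or keep the previous subkey active during a grace period.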