Transparent Security

P4 is the primary language used for programming the data plane. (The project is hosted at https://p4.org.) Switches running P4 chips are controlled via standard GRPC calls and support:

• Protocol independent—P4 programs specify how to process packets.
• Target Independent—P4 is suitable for describing everything from high-performance data center switches to software switches.
• Field Reconfigurable—P4 supports dynamic changes to the way packets are processed.

Extended Berkeley Packet Filters (eBPF) and Micro-C are alternative programming languages that perform similar functions to P4. The eBPF and Micro-C languages are targeted at servers and may be better suited for gateway devices.

Micronets, a CableLabs innovation project now being commercialized, creates additional layers of security at the customer premises to help protect devices from becoming infected. To do so, Micronets uses SDN combined with device identity to secure devices on a local network. Transparent Security is focused on identifying southbound devices participating in a DDoS attack and stopping infected packets at the source. The programmable data plane, analytics engine and controller used in Transparent Security can be leveraged by  Micronets to improve the packet-processing performance and help Transparent Security confirm the identity of the attacking device.

The expected CPE costs should be similar to that of the general-purpose CPUs currently performing network functions. These CPUs would be swapped out for a chiplet.

Transparent Security mitigates the attack from the home in less than 1 second. Current solutions can take several minutes to recognize the attack and still cannot monitor egress traffic.

Chiplets are composed of cores of different types, including MIPS-based cores as well as specialized cores used in the programmable data plane. Chiplets refer to an open standard being developed by the OCP Open Domain-Specific Architecture subgroup under OCP Server Working Group.

Yes, the Transparent Security source-based DDoS use case is just one of many that can benefit from the programmable data plane. Once deployed, this architecture will open our networks to new waves of innovation and can improve many operations we do today.

With the programmable data plane, it is possible to change the behavior of the network after the hardware has been deployed. Using an analytics engine and controller, as we do with Transparent Security, can provide closed-loop automation or a range of network management capabilities.

Providing new services frequently requires installing new purpose-built hardware or deploying a virtual machine (VM). With the programmable data plane, we can now deploy some of these services on existing switches with very good performance. The following list contains some examples of services that can be deployed with a programmable data plane:

• Firewall,
• Future-generation platform for Micronets,
• Managed router as a service,
• Layer 4 load balancer, and
• SD-WAN.

Yes, you can implement NetFlow- and IPFIX-compatible protocols in P4 to coexist with established network monitoring solutions.

Many of the top networking vendors offer switches that support P4. These switches comply with the P4 language standard and can be reprogrammed in the field.

Transparent Security can be applied to all customers. With the increased IoT adoption in both the home and work Transparent Security provides the ideal solution for both types of premises.

No. This architecture and solution will work for any access network, including fiber and mobile.

Transparent Security uses programmable data plane capabilities in network equipment to enable real-time packet processing, high-resolution packet inspection and in-band network telemetry. Although this new technology allows network operators to identify DDoS traffic patterns, the data required to conduct this analysis includes customers’ personal data because of the granularity required to identify and stop attacks at the source device. This analysis examines the header of each packet, which includes source and destination IP addresses and device MAC addresses, among other data fields. As an organization considers deploying Transparent Security, it should also consider implementing necessarily robust and holistic privacy-protection practices within all elements of Transparent Security and its data flows (e.g., data minimization, processing and data retention limitations, access limitations, encryption), given the potential privacy risks to consumers. For more information, please see our Transparent Security Privacy Warning.