Go to DBLP homepageSafeLib: A Comprehensive Framework for Secure Outsourcing of Network Functions
Abstract: Outsourcing virtual network functions (VNFs) to third-party service providers, such as public clouds, has become the norm. While outsourcing brings many benefits, including scalability, streamlined management, and lower CapEx, it also introduces security concerns. Owing to the lack of trust in the cloud, organizations may opt to shield both their network functions and the traffic flowing through them. Existing outsourcing mechanisms, however, fall short of the functionality, security, and/or performance requirements. This paper presents SafeLib, a comprehensive, Intel SGX based, open-source, secure network function outsourcing framework. To the best of our knowledge, SafeLib is the first trusted hardware based solution providing i) support for both stateful and stateless virtual NFs, ii) strong security properties with regard to both user traffic and VNF execution, state, policies, and code, iii) high performance, iv) enhanced usability for VNF developers and v) flexibility in choosing the network stack by providing support for both kernel and kernel-bypass mechanisms. We corroborate our performance claims through an extensive testbed evaluation. In addition, we provide insights on the performance penalty of major SGX limitations and also refute the popular belief that using a library OS within an SGX enclave necessarily reduces performance. We believe that SafeLib provides a flexible and performant tool with strong security guarantees for building secure, carrier-grade cloud-based services.
Loading