
Student: Yi-Cheng Li (李翊成)
Thesis title: Path Hiding Anonymity System Based on Programmable Data Plane Switches (基於可程式化交換器之路徑隱藏匿名系統)
Advisor: Shan-Hsiang Shen (沈上翔)
Committee members: Tai-Lin Chin (金台齡), Chung-An Shen (沈中安), Chin-Ya Huang (黃琴雅)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2021
Academic year of graduation: 109
Language: English
Pages: 47
Keywords (Chinese, translated): Software-Defined Networking, Programmable Switches, Network Security, Anonymity System
Keywords (English): SDN, Programmable Switches, Network Security, Anonymity System
Chinese abstract (translated):

When browsing the Internet, a high degree of anonymity and good communication quality are often hard to obtain at the same time. Most existing anonymity systems suffer from poor transmission performance, while other approaches that modify network protocols retain good transmission performance in tests but are very difficult to deploy in practice. The emergence of Software Defined Networking and Programmable Data Plane Switches brings a new opportunity to provide users with anonymity without sacrificing transmission performance.

In this paper, we propose an anonymity system that, while providing good transmission performance, also prevents eavesdropping attacks originating in the control plane. By customizing the behaviour of programmable switches, we let them modify packet headers to protect sensitive information. Furthermore, we exploit the ability of programmable switches to run hash functions internally to hide the sensitive information contained in forwarding rules, so that it is not leaked when the rules are distributed from the controller to the switches over the control plane. As a result, even an attacker who can eavesdrop on control-plane messages has great difficulty working out which route in the topology we actually use, and therefore in mounting further analysis attacks. We implemented our prototype on the BMv2 software switch using the P4 programming language, with ONOS as our controller running a control application we wrote. Experimental results in a Mininet virtual environment show that we can provide the anonymity service while retaining high throughput and low latency.


English abstract:

Communicating on the Internet anonymously often comes at the cost of inconvenience to the user. Most anonymity systems suffer from poor performance, while other approaches that modify the existing protocols face high deployment barriers. The advent of software defined networking (SDN) and programmable data plane switches opens up new opportunities to provide anonymity without sacrificing performance.

In this paper, we introduce an anonymity system that defends against eavesdropping in the control plane while maintaining good performance. We customize the behavior of the programmable switches so that they modify packet headers to protect sensitive information. Moreover, we leverage the hashing capability inside the programmable switches to prevent information leakage from the rules that are distributed to the switches. This makes it difficult for an attacker who can eavesdrop on messages inside the control plane to figure out the route and perform further analysis attacks. We implemented our prototype on the BMv2 software switch using the P4 programming language, along with a customized application running on ONOS as our controller. Experiments on the prototype in a virtual environment show that we are able to provide an anonymity service while maintaining high throughput and a low latency overhead.

Table of contents:
Chinese Abstract
Abstract
Acknowledgement
Table of Contents
List of Figures
1 Introduction
2 Related Works
3 Problem Definition
4 System Design
5 Evaluation
6 Conclusion
References


Full text available from 2024/08/09 (campus network)
Full text not authorized for public release (off-campus network)
Full text not authorized for public release (National Central Library: Taiwan Thesis and Dissertation System)