PINOT: Programmable In-Network Obfuscation of Traffic




Internet Protocol (IP) addresses reveal the sender and receiver of network traffic. The IP address is not obfuscated even when the rest of the traffic is encrypted, fundamentally because it also identifies the endpoints in network-layer communication. To blur the tie between the actual sender and receiver and their IP addresses, existing solutions rely heavily on custom software (e.g., Tor) or on hardware solutions that are expensive to deploy (e.g., IPSec VPN).

PINOT is a lightweight in-network anonymity solution that encrypts a client’s IPv4 address in the data plane for connectionless traffic. PINOT does not require any end-user software or cooperation from networks other than the trusted network where it runs. SPINE is a variation of PINOT that runs with two participating ASes, and conceals the original IP addresses and TCP fields in the traffic.


Code for BMv2

PINOT: This is a work in progress.
SPINE: GitHub Repo

Code for Tofino

PINOT: This is a work in progress.
SPINE: This is a work in progress.

Project leads

Liang Wang (lw19@princeton.edu)
Hyojoon Kim (joonk@princeton.edu)
Prateek Mittal (pmittal@princeton.edu)
Jennifer Rexford (jrex@cs.princeton.edu)


Publications