Empowering Network Security With Programmable Switches: A Comprehensive Survey

With the growth of network applications such as 5G and artificial intelligence, network security techniques, i.e., the techniques that detect various attacks (e.g., well-known denial-of-service (DDoS) attacks) and prevent production networks (e.g., data center networks) from being attacked, become increasingly essential for network management and have gained great popularity in the networking community. Generally, these techniques are built on proprietary hardware appliances, i.e., middleboxes, or the paradigm that combines both software-defined networking (SDN) and network function virtualization (NFV) to implement security functions. However, the techniques built on middleboxes are proven to be hard-to-manage, costly, and inflexible, thereby making them an out-of-date choice in network security. For the techniques built on SDN and NFV, they virtualize and softwarize security functions on commodity servers, leading to non-trivial performance degradation. Fortunately, the recent emergence of programmable switches brings new opportunities of empowering network security techniques with the characteristics of easy-to-manage, low cost, high flexibility, and Tbps-level performance. In this survey, we focus on this promising trend in network security. More precisely, this survey first presents the preliminaries of programmable switches, which are the primary driver of next-generation network security techniques. Next, we comprehensively review existing techniques built on programmable switches, classify these techniques, and discuss their background, motivation, design, implementation, and limitations case-by-case. Finally, we summarize open issues and future research directions in this promising research topic of network security.