Recent advances in programmable switch hardware offer a fresh opportunity to protect user privacy. This paper presents PINOT, a lightweight in-network anonymity solution that runs at line rate within the memory and processing constraints of hardware switches. PINOT encrypts a client's IPv4 address with an efficient encryption scheme to hide the address from downstream ASes and the destination server. PINOT is readily deployable, requiring no end-user software or cooperation from networks other than the trusted network where it runs. We implement a PINOT prototype on the Barefoot Tofino switch, deploy PINOT in a campus network, and present results on protecting user identity against public DNS, NTP, and WireGuard VPN services.
Cite
@article{arxiv.2006.00097,
title = {Programmable In-Network Obfuscation of Traffic},
author = {Liang Wang and Hyojoon Kim and Prateek Mittal and Jennifer Rexford},
journal= {arXiv preprint arXiv:2006.00097},
year = {2020}
}