SPINE: Surveillance Protection in the Network Elements

Abstract

Internet Protocol (IP) addresses can reveal information about communicating Internet users and devices, even when the rest of the traffic between them is encrypted. At the same time, IP addresses serve as endpoints for network-layer communication and, as a result, are typically visible to the intermediate routers to allow them to forward traffic to its ultimate destination. Previous approaches to obfuscate the IP addresses of the sender and receiver commonly depend on either custom user software (e.g., Tor browser) or significant modifications to network hardware along the end-to-end path (which has proved to be a major roadblock). SPINE, on the other hand, conceals IP addresses and relevant TCP fields from intermediate—and potentially adversarial—autonomous systems (ASes) but requires only two participating ASes and no cooperation from end hosts. To demonstrate SPINE’s practicality, we have implemented it on commodity programmable switches using the P4 programming language. Our evaluation shows that SPINE can run at hardware rates on commodity switches, paving the way to real-world deployment.