Abstract

IoT and sensor networks are now a critical part of public infrastructure. At the same time, they remain infamous for becoming insecure as new exploits arise. Software dataplanes give us the power to retrofit security functions, and are well-researched in datacentres. Yet the server-grade hardware such frameworks are optimised for is a poor fit for vulnerable low-power, low-space IoT gateways. Single-board computers (SBCs) are a cheaper and better fit on all these metrics, yet no service function chaining (SFC) approaches are tailored to these devices. In addition, modern OS features like XDP give us the capability to minimise power use and provide the lowest latency processing these devices can offer—meaning quicker response to network events, suited to the needs of the network edge. We present Galette, a device-portable SFC framework designed for the inexpensive defence of IoT networks by SBCs. Galette builds on Linux's XDP tooling to provide a CPU-efficient, low latency dataplane. Due to SBC hardware designs, we divide traffic between an XDP fast path and userland to schedule expensive packet analysis without harming normal traffic. Our API makes it easy to write network functions (NFs) that compile to both eBPF and native code, while being portable across heterogeneous SBCs. Testbed evaluations show Galette is more efficient and uses less power than AF_PACKET on Raspberry Pi.