Fast privacy-preserving network function outsourcing

Hassan Jameel Asghar*, Emiliano De Cristofaro, Guillaume Jourjon, Mohammed Ali Kaafar, Laurent Mathy, Luca Melis, Craig Russell, Mang Yu

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


In this paper, we present the design and implementation of SplitBox, a system for privacy-preserving processing of network functions outsourced to cloud middleboxes—i.e., without revealing the policies governing these functions. SplitBox is built to provide privacy for a generic network function that abstracts the functionality of a variety of network functions and associated policies, including firewalls, virtual LANs, network address translators (NATs), deep packet inspection, and load balancers. We present a scalable design aiming to provide high throughput and low latency, by distributing functionalities to a few virtual machines (VMs), while providing provably secure guarantees. We implement SplitBox inside FastClick, an extension of the Click modular router, using Intel's DPDK to handle packet I/O. We evaluate our prototype experimentally to find its bottlenecks and stress-test its different components, vis-à-vis two widely used network functions, i.e., firewall and VLAN tagging. Our evaluation shows that, on commodity hardware, SplitBox can process packets close to line rate (i.e., 8.9Gbps) with up to 50 traversed policies.

Original languageEnglish
Article number106893
Pages (from-to)1-15
Number of pages15
JournalComputer Networks
Publication statusPublished - 9 Nov 2019


  • NFV
  • privacy
  • Middlebox


Dive into the research topics of 'Fast privacy-preserving network function outsourcing'. Together they form a unique fingerprint.

Cite this