Designing Transport-Level Encryption for Datacenter Networks

Tianyi Gao; Xinshu Ma; Suhas Narreddy; Eugenio Luo; Steven Chien; Michio Honda

doi:10.1145/3735358.3735389

Designing Transport-Level Encryption for Datacenter Networks

Tianyi Gao, Xinshu Ma, Suhas Narreddy, Eugenio Luo, Steven Chien, Michio Honda

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cloud applications need network data encryption to isolate from other tenants and protect their data from potential eavesdroppers in the network infrastructure. This paper presents SDT, a protocol design for emerging datacenter
transport protocols, such as NDP and Homa, to integrate data encryption. SDT uses per-message record sequence number spaces in a secure session, which ensures unique message identities for its messages to prevent replay attacks. This design enables transport-level encryption that supports existing NIC offloads designed for TLS over TCP, native protocol number alongside TCP and UDP, and message-based abstraction that mitigates head-of-line blocking and enables the network or host stack to identify the message boundaries for load balancing. We implement SDT in the Linux kernel by extending Homa/Linux and improves RPC throughput by up to 41 % and latency by up to 35 % in comparison to TLS/TCP.

Original language	English
Title of host publication	Proceedings of the 9th Asia-Pacific Workshop on Networking
Publisher	Association for Computing Machinery (ACM)
Pages	142-149
Number of pages	17
DOIs	https://doi.org/10.1145/3735358.3735389
Publication status	Published - 6 Aug 2025
Event	Proceedings of the 9th Asia-Pacific Workshop on Networking - Shanghai, China Duration: 7 Aug 2025 → 8 Aug 2025 Conference number: 9 https://conferences.sigcomm.org/events/apnet2025/index.php

Conference

Conference	Proceedings of the 9th Asia-Pacific Workshop on Networking
Abbreviated title	APNET 25
Country/Territory	China
City	Shanghai
Period	7/08/25 → 8/08/25
Internet address	https://conferences.sigcomm.org/events/apnet2025/index.php

Keywords / Materials (for Non-textual outputs)

Security
Networking
Data center networks

Access to Document

10.1145/3735358.3735389Licence: Creative Commons: Attribution (CC-BY)

GaoEtalAPNET25DesigningTransport-LevelEncryptionforDatacenterNetworksFinal published version, 861 KBLicence: Creative Commons: Attribution (CC-BY)

Cite this

@inproceedings{7d288ad43b244f048b4852e97d774a67,

title = "Designing Transport-Level Encryption for Datacenter Networks",

abstract = "Cloud applications need network data encryption to isolate from other tenants and protect their data from potential eavesdroppers in the network infrastructure. This paper presents SDT, a protocol design for emerging datacenter transport protocols, such as NDP and Homa, to integrate data encryption. SDT uses per-message record sequence number spaces in a secure session, which ensures unique message identities for its messages to prevent replay attacks. This design enables transport-level encryption that supports existing NIC offloads designed for TLS over TCP, native protocol number alongside TCP and UDP, and message-based abstraction that mitigates head-of-line blocking and enables the network or host stack to identify the message boundaries for load balancing. We implement SDT in the Linux kernel by extending Homa/Linux and improves RPC throughput by up to 41 \% and latency by up to 35 \% in comparison to TLS/TCP.",

keywords = "Security, Networking, Data center networks",

author = "Tianyi Gao and Xinshu Ma and Suhas Narreddy and Eugenio Luo and Steven Chien and Michio Honda",

year = "2025",

month = aug,

day = "6",

doi = "10.1145/3735358.3735389",

language = "English",

pages = "142--149",

booktitle = "Proceedings of the 9th Asia-Pacific Workshop on Networking",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "Proceedings of the 9th Asia-Pacific Workshop on Networking, APNET 25 ; Conference date: 07-08-2025 Through 08-08-2025",

url = "https://conferences.sigcomm.org/events/apnet2025/index.php",

}

TY - GEN

T1 - Designing Transport-Level Encryption for Datacenter Networks

AU - Gao, Tianyi

AU - Ma, Xinshu

AU - Narreddy, Suhas

AU - Luo, Eugenio

AU - Chien, Steven

AU - Honda, Michio

N1 - Conference code: 9

PY - 2025/8/6

Y1 - 2025/8/6

N2 - Cloud applications need network data encryption to isolate from other tenants and protect their data from potential eavesdroppers in the network infrastructure. This paper presents SDT, a protocol design for emerging datacenter transport protocols, such as NDP and Homa, to integrate data encryption. SDT uses per-message record sequence number spaces in a secure session, which ensures unique message identities for its messages to prevent replay attacks. This design enables transport-level encryption that supports existing NIC offloads designed for TLS over TCP, native protocol number alongside TCP and UDP, and message-based abstraction that mitigates head-of-line blocking and enables the network or host stack to identify the message boundaries for load balancing. We implement SDT in the Linux kernel by extending Homa/Linux and improves RPC throughput by up to 41 % and latency by up to 35 % in comparison to TLS/TCP.

AB - Cloud applications need network data encryption to isolate from other tenants and protect their data from potential eavesdroppers in the network infrastructure. This paper presents SDT, a protocol design for emerging datacenter transport protocols, such as NDP and Homa, to integrate data encryption. SDT uses per-message record sequence number spaces in a secure session, which ensures unique message identities for its messages to prevent replay attacks. This design enables transport-level encryption that supports existing NIC offloads designed for TLS over TCP, native protocol number alongside TCP and UDP, and message-based abstraction that mitigates head-of-line blocking and enables the network or host stack to identify the message boundaries for load balancing. We implement SDT in the Linux kernel by extending Homa/Linux and improves RPC throughput by up to 41 % and latency by up to 35 % in comparison to TLS/TCP.

KW - Security

KW - Networking

KW - Data center networks

U2 - 10.1145/3735358.3735389

DO - 10.1145/3735358.3735389

M3 - Conference contribution

SP - 142

EP - 149

BT - Proceedings of the 9th Asia-Pacific Workshop on Networking

PB - Association for Computing Machinery (ACM)

T2 - Proceedings of the 9th Asia-Pacific Workshop on Networking

Y2 - 7 August 2025 through 8 August 2025

ER -

Designing Transport-Level Encryption for Datacenter Networks

Abstract

Conference

Keywords / Materials (for Non-textual outputs)

Access to Document

Fingerprint

Cite this