The recent Network Function Virtualization (NFV) paradigm advocates moving network services from specialized hardware appliances to software implementations. Because they need to be updated frequently to defend against new classes of attacks, network security functions are ideal candidates for software implementations. Efficient software designs are, however, required before cloud providers can replace their proprietary appliances with more flexible software implementations.
In this paper, we introduce a software switch that can be extended at runtime to execute network security functions. Our software switch is based on Open vSwitch and relies on BPF to prevent crashes from faulty programs. We evaluate our approach with three network security functions and measure a near 2x performance improvement over existing approaches for executing software network functions.
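The safety property the abstract relies on, that a faulty extension rejected or contained by BPF cannot take the switch down with it, can be illustrated with a toy model. The following is an added example written for this page, not code from the paper or from Open vSwitch: a hypothetical, much-reduced accumulator machine whose programs are verified statically before they are attached (bounded load offsets, forward-only jumps, a mandatory return) and whose packet loads are bounds-checked at runtime, so an out-of-range load drops the packet instead of faulting. The instruction set, the `MAX_PACKET` cap and the sample Ethernet/IPv4 frames are all constructed for the illustration.

```python
"""Toy model of a BPF-style verifier plus interpreter (constructed example)."""
from dataclasses import dataclass

MAX_PACKET = 1514        # constructed cap: largest offset a verified load may name
ACCEPT, DROP = 65535, 0  # classic-BPF style results: bytes to keep, 0 = drop


@dataclass(frozen=True)
class Insn:
    op: str        # 'ldb' (load byte into A), 'jne' (jump if A != imm), 'ret'
    imm: int = 0   # ldb: packet offset; jne: value compared with A; ret: result
    off: int = 0   # jne only: forward displacement relative to the next insn


class VerifyError(Exception):
    """Raised when a program is rejected before it is ever executed."""


def verify(prog):
    """Static checks that make execution total: every path terminates and
    no load names an offset the runtime cannot bounds-check."""
    if not prog:
        raise VerifyError("empty program")
    for pc, insn in enumerate(prog):
        if insn.op == "ldb":
            if not 0 <= insn.imm < MAX_PACKET:
                raise VerifyError(f"insn {pc}: load offset {insn.imm} out of range")
        elif insn.op == "jne":
            if insn.off < 0:
                raise VerifyError(f"insn {pc}: backward jump (loops are not allowed)")
            if pc + 1 + insn.off >= len(prog):
                raise VerifyError(f"insn {pc}: jump past end of program")
        elif insn.op != "ret":
            raise VerifyError(f"insn {pc}: unknown opcode {insn.op!r}")
    if prog[-1].op != "ret":
        raise VerifyError("program can fall off the end without returning")
    return prog


def is_safe(prog):
    """True when the verifier would let this program be attached."""
    try:
        verify(prog)
        return True
    except VerifyError:
        return False


def run(prog, pkt):
    """Execute a verified program. Forward-only jumps bound the loop by
    len(prog); a load beyond len(pkt) yields DROP rather than a fault."""
    acc, pc = 0, 0
    while pc < len(prog):
        insn = prog[pc]
        if insn.op == "ldb":
            if insn.imm >= len(pkt):
                return DROP
            acc = pkt[insn.imm]
        elif insn.op == "jne" and acc != insn.imm:
            pc += insn.off
        elif insn.op == "ret":
            return insn.imm
        pc += 1
    raise AssertionError("unreachable for verified programs")


# A well-formed extension: accept IPv4/TCP frames, drop everything else.
TCP_ONLY = [
    Insn("ldb", 12),          # 0: ethertype high byte
    Insn("jne", 0x08, 5),     # 1: not 0x08.. -> insn 7 (drop)
    Insn("ldb", 13),          # 2: ethertype low byte
    Insn("jne", 0x00, 3),     # 3: not ..00   -> insn 7
    Insn("ldb", 23),          # 4: IPv4 protocol field
    Insn("jne", 6, 1),        # 5: not TCP    -> insn 7
    Insn("ret", ACCEPT),      # 6
    Insn("ret", DROP),        # 7
]

# Faulty extensions the verifier must reject at load time.
BAD_OFFSET = [Insn("ldb", 70000), Insn("ret", ACCEPT)]       # read far past any frame
BAD_LOOP = [Insn("ldb", 0), Insn("jne", 1, -2), Insn("ret", ACCEPT)]  # backward jump
NO_RETURN = [Insn("ldb", 0)]                                  # falls off the end


def _frame(proto):
    """Constructed sample frame: 14-byte Ethernet header + 20-byte IPv4 header."""
    eth = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00"
    ip = (bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0])
          + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    return eth + ip


TCP_FRAME, UDP_FRAME = _frame(6), _frame(17)
TRUNCATED = TCP_FRAME[:20]   # cut inside the IP header: protocol byte is missing

if __name__ == "__main__":
    verify(TCP_ONLY)
    for name, pkt in (("tcp", TCP_FRAME), ("udp", UDP_FRAME), ("truncated", TRUNCATED)):
        print(name, run(TCP_ONLY, pkt))
    for name, bad in (("bad offset", BAD_OFFSET), ("loop", BAD_LOOP), ("no return", NO_RETURN)):
        try:
            verify(bad)
        except VerifyError as err:
            print(name, "rejected:", err)
```

The two halves mirror the division of labour in a real BPF deployment: the verifier turns a class of bugs (unbounded loops, wild reads, missing returns) into load-time rejections, and the few checks that cannot be decided statically (the actual frame length) are enforced on the data path with a benign outcome, so a buggy security function costs at most a dropped packet, never the switch process.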