Session
Securing IOAM in the Linux Kernel: Toward Trustworthy In Situ Network Telemetry
Speakers
Maxime Goffart
Emilien Wansart
Benoit Donnet
Label
Nuts and Bolts
Session Type
Talk
Description
In Situ Operations, Administration, and Maintenance (IOAM) is an IETF-standardized in-band network telemetry protocol that enables routers to collect and embed operational telemetry data directly into IPv6 Extension Headers of in-transit packets. IOAM is designed to operate within a Limited Domain - such as an Internet Service Provider (ISP) or a datacenter network - where boundary filtering is assumed to prevent telemetry data from leaking outside the domain. However, IOAM provides no built-in confidentiality or integrity protection: telemetry fields are transmitted in plaintext and are not authenticated, leaving them vulnerable to interception and forgery by on-path adversaries in the event of a misconfiguration or boundary enforcement failure. To address this gap, we propose a security mechanism providing encryption and authentication for IOAM based on an AEAD scheme, supporting both AES-GCM and ChaCha20-Poly1305. We implement this solution directly in the Linux kernel, with a user-space configuration interface, and evaluate its impact on IPv6 packet forwarding performance. Both the kernel-space and user-space code are released as open source.
Important Dates
| Closing of CFS | June 1st |
| Notification by | June 10th |
| Conference dates | July 13th-16th |