NetShuffle is a censorship resistance system that offers “shuffle proxies,” where regular proxy services (e.g., HTTPS proxies, Tor bridges) and addresses are decoupled from each other via continuous in-network change. This makes shuffle proxies significantly more difficult to block compared to their traditional counterparts, because the network locations are now in constant flux. NetShuffle is also designed to engage a new class of support base–edge networks–which have received scant attention from existing work. NetShuffle uses emerging programmable switches to provide the shuffle, while staying otherwise transparent to services and clients, enabling it to be applied as a drop-in network appliance to help promote Internet freedom. We have prototyped NetShuffle in testbed environments and operated it seamlessly on a slice of a live campus network for more than a month, showing that it provides network shuffles in a way that is transparent and incurs negligible overheads.

Figure 2: Simplified networking landscape depicting edge networks.

*Edge networks are small autonomous systems, or entities that obtain IP address blocks from an upstream provider. They are mostly customers, rather than providers of Internet access/transit.


Patrick Tser Jern Kon, Aniket Gattani, Dhiraj Saharia, Tianyu Cao, Diogo Barradas, Ang Chen, Micah Sherr, and Benjamin E. Ujcich. “NetShuffle: Circumventing Censorship with Shuffle Proxies at the Edge.” In IEEE Symposium on Security and Privacy (S&P), 2024.