This paper addresses the fundamental tension between hardware resource constraints—limited memory and restricted instruction sets—and functional complexity in programmable data planes (P4 switches) for network security. To resolve this, we propose an efficient implementation paradigm tailored for security functions. Our approach integrates loop-based processing, lookup-table precomputation, recirculate-and-truncate mechanisms, and pipeline-level optimizations to enable line-rate execution of DDoS and spoofing attack detection/mitigation, fine-grained next-generation firewall policy enforcement, in-network encryption, and lightweight machine learning inference. Contributions include: (1) a systematic characterization of the P4 security design space and the first identification of general-purpose optimization patterns for resource-constrained environments; (2) empirical validation of feasibility and performance bounds for multiple critical security capabilities on commercial P4 platforms; and (3) identification of promising future directions—including architecture co-design, security-semantic abstraction, and heterogeneous offloading.

The emergence of programmable data planes, and particularly switches supporting the P4 language, has transformed network security by enabling customized, line-rate packet processing. These switches, originally intended for flexible forwarding, now play a broader role: detecting and mitigating attacks such as DDoS and spoofing, enforcing next-generation firewall policies, and even supporting in-network cryptography and machine learning. These capabilities are made possible by techniques such as recirculate-and-truncate and lookup-table precomputation, which work around architectural constraints like limited memory and restricted instruction sets. In this paper, we systematize recent advances in security applications built on programmable switches, with an emphasis on the capabilities, challenges, and architectural workarounds. We highlight the non-obvious design techniques that make complex in-network security functions feasible despite the constraints of the hardware platform, and also comment on remaining issues and emerging research directions.