Encrypting OVN tunnels with IPsec - OVS Orbit

Page 1:

Encrypting OVN tunnels with IPsec

Qiuyu Xiao ([email protected])

Ben Pfaff ([email protected])

Page 2: Open Virtual Network (OVN)

OVN provides a logical network abstraction on top of a physical network.

[Figure. Physical view: Hypervisor 1 and Hypervisor 2, hosting VM1 through VM9 between them. Logical view: three logical switches (an L-Switch with VM1 and VM2, an L-Switch with VM3, VM4 and VM5, and an L-Switch with VM6, VM7, VM8 and VM9) attached to a single L-Router.]

Page 3: Open Virtual Network (OVN)

VMs are oblivious to the physical network state.

[Figure: same physical and logical views as on Page 2.]

Page 4: Open Virtual Network (OVN)

Network appliances can be implemented and placed in the logical network.

[Figure: same physical and logical views as on Page 2, with an L-Firewall and an L-LoadBalancer added to the logical network next to the L-Router.]

Page 5: OVN Tunnel Traffic

[Figure, built up across Pages 5 to 9: a packet travelling from a VM on Hypervisor 1 to a VM on Hypervisor 2.]

Inside the sending VM and its hypervisor the packet is:

  Inner Ethernet Header | Inner IP Header | Payload

On the physical network between the hypervisors it is Geneve-encapsulated:

  Outer Ethernet Header | Outer IP Header | Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload

The receiving hypervisor strips the outer Ethernet, IP, UDP and Geneve headers and delivers the original packet to the destination VM:

  Inner Ethernet Header | Inner IP Header | Payload

Page 10: The Need for Tunnel Encryption

• VMs compute and communicate sensitive data, e.g., financial and health data
• Physical network devices (e.g., routers, switches) cannot be trusted or might be compromised:
  - Traffic across datacenters
  - Router misconfiguration
  - Attackers breaking into the internal network
  - Phishing or social engineering attacks on administrators

Page 11: Encrypting Tunnel Traffic with IPsec

Before IPsec (Geneve tunnel packet on the wire):

  Outer Ethernet Header | Outer IP Header | Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload

After IPsec encryption (ESP in transport mode on the outer IP header):

  Outer Ethernet Header | Outer IP Header | ESP Header | [encrypted: Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload]

Everything after the outer IP header, including the Geneve VNI and the inner addresses, is encrypted. ESP provides:

• Confidentiality
• Integrity
• Authenticity
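The header diagrams on Pages 5 and 11 can be checked against real bytes. The following is an added example, not code from the talk or from OVS: it constructs a Geneve-encapsulated frame (MAC addresses, IP addresses, VNI and payload are made up), parses what an on-path device can read from it, then wraps it in transport-mode ESP the way Page 11 shows. The `placeholder_seal` function stands in for the SA's cipher and produces no real ciphertext; only the header layout is modelled.

```python
"""What an on-path observer can read from an OVN tunnel frame before and after
IPsec. Added example, not code from the talk or from OVS; all frames below are
constructed by hand and placeholder_seal() is NOT real encryption."""
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081       # IANA Geneve port, used by OVN tunnels
IPPROTO_UDP, IPPROTO_ESP = 17, 50
ETHERTYPE_IPV4 = 0x0800
GENEVE_PROTO_TEB = 0x6558    # Transparent Ethernet Bridging: inner frame is Ethernet

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ethernet(dst: str, src: str) -> bytes:
    return _mac(dst) + _mac(src) + struct.pack("!H", ETHERTYPE_IPV4)

def ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left zero, the observer below
    # only needs the addresses and the protocol field.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, _ip(src), _ip(dst))

def geneve(vni: int) -> bytes:
    # RFC 8926 base header: ver=0/optlen=0, O=C=0, protocol type, VNI << 8.
    return struct.pack("!BBHI", 0, 0, GENEVE_PROTO_TEB, vni << 8)

def build_geneve_frame(outer_src, outer_dst, vni, inner_src, inner_dst, payload):
    """Geneve-over-UDP frame as OVN sends it between hypervisors (cleartext)."""
    inner = (ethernet("52:54:00:00:00:02", "52:54:00:00:00:01")
             + ipv4(inner_src, inner_dst, 6, len(payload)) + payload)
    body = (struct.pack("!HHHH", 40000, GENEVE_UDP_PORT, 16 + len(inner), 0)
            + geneve(vni) + inner)
    return (ethernet("00:11:22:33:44:02", "00:11:22:33:44:01")
            + ipv4(outer_src, outer_dst, IPPROTO_UDP, len(body)) + body)

def placeholder_seal(plaintext: bytes) -> bytes:
    # Stand-in for what an AES-GCM SA would emit (IV + ciphertext + ICV):
    # same length growth, zero secrecy. Real ESP comes from the kernel.
    return b"\x00" * (8 + len(plaintext) + 16)

def esp_transport_wrap(frame: bytes, spi: int, seq: int, seal=placeholder_seal) -> bytes:
    """Transport-mode ESP on the OUTER IP header, as on Page 11: UDP, Geneve and
    the inner frame become ESP payload; the outer IP protocol becomes 50."""
    ihl = (frame[14] & 0xF) * 4
    eth, ip, rest = frame[:14], bytearray(frame[14:14 + ihl]), frame[14 + ihl:]
    esp = struct.pack("!II", spi, seq) + seal(rest)
    ip[9] = IPPROTO_ESP
    struct.pack_into("!H", ip, 2, ihl + len(esp))     # new total length
    return eth + bytes(ip) + esp

@dataclass
class Observation:
    outer_src: str
    outer_dst: str
    ip_proto: int
    detail: dict = field(default_factory=dict)

def observe(frame: bytes) -> Observation:
    """What a switch, router or tap between the hypervisors can read."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("example handles IPv4 outer frames only")
    ip = frame[14:]
    ihl = (ip[0] & 0xF) * 4
    obs = Observation(_ip_str(ip[12:16]), _ip_str(ip[16:20]), ip[9])
    l4 = ip[ihl:]
    if obs.ip_proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        obs.detail.update(udp_sport=sport, udp_dport=dport)
        if dport == GENEVE_UDP_PORT:                   # cleartext tunnel: read it all
            g = l4[8:]
            optlen = (g[0] & 0x3F) * 4
            iip = g[8 + optlen + 14:]                  # skip Geneve, options, inner Ethernet
            obs.detail.update(geneve_vni=struct.unpack("!I", g[4:8])[0] >> 8,
                              inner_src=_ip_str(iip[12:16]), inner_dst=_ip_str(iip[16:20]),
                              inner_proto=iip[9], inner_payload=iip[(iip[0] & 0xF) * 4:])
    elif obs.ip_proto == IPPROTO_ESP:                  # IPsec: only SPI and sequence
        spi, seq = struct.unpack("!II", l4[:8])
        obs.detail.update(esp_spi=spi, esp_seq=seq, opaque_bytes=len(l4) - 8)
    return obs

if __name__ == "__main__":
    clear = build_geneve_frame("192.168.1.10", "192.168.1.20", 7,
                               "10.0.0.5", "10.0.0.9", b"patient-record-42")
    print(observe(clear))
    print(observe(esp_transport_wrap(clear, spi=0x1234ABCD, seq=1)))
```

Running the file prints both observations: for the cleartext frame the observer sees the VNI, the inner addresses and the payload; for the ESP frame it sees only the outer addresses, IP protocol 50, the SPI and the sequence number. A capture on the physical NIC of a working deployment should look like the second case, with no UDP 6081 at all, which is the quickest check that the tunnel is actually protected.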

Page 12: IPsec in Linux

[Figure, built up across Pages 12 to 17: user space holds the IKE daemon, which runs the IKE protocol with its peer; the kernel holds the IPsec kernel stack, which runs the ESP/AH protocol and holds the security policy and the security association. The IKE daemon installs both into the kernel.]

IKE daemon (user space):
• Authentication
• Negotiates cryptographic algorithms
• Generates keying material
• Installs security policy and security association

Security policy: which traffic to protect.
Security association: how to protect the selected traffic.

IPsec kernel stack (kernel):
• Encryption and decryption
• Checks integrity and authenticity
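To make the policy/association split on this slide concrete, here is an added toy model of the outbound path; it is not the kernel's xfrm code and not from the talk. A security policy selects Geneve traffic to a peer, a security association supplies the SPI and cipher, and the IKE daemon's job is reduced to `install_policy` and `install_sa`. Addresses, the SPI and the key are constructed for the example. The model keeps two behaviours a practitioner should know: a policy with no SA drops the packet and raises an ACQUIRE (the kernel never falls back to cleartext), while traffic that matches no policy at all leaves in plaintext, which is the Linux default.

```python
"""Toy model of the split on this slide: a security policy (SPD) decides WHICH
traffic to protect, a security association (SAD) decides HOW, and the IKE daemon
installs both. Added example, not kernel code and not from the talk; addresses,
SPI and key are constructed. Real xfrm has address masks, priorities, reqids,
replay windows and lifetimes that this model omits."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPPROTO_UDP = 17
GENEVE_UDP_PORT = 6081

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

@dataclass(frozen=True)
class Selector:
    """Traffic selector, as in `ip xfrm policy ... src A dst B proto udp dport 6081`."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))

@dataclass
class Policy:            # SPD entry: which traffic, and what to do with it
    selector: Selector
    action: str          # "protect" | "bypass" | "discard"

@dataclass
class SA:                # SAD entry: how to protect it
    spi: int
    src: str
    dst: str
    cipher: str
    key: bytes = field(repr=False)
    seq: int = 0         # ESP sequence number, one counter per SA

class Xfrm:
    """Outbound path of a toy IPsec stack."""

    def __init__(self) -> None:
        self.spd: List[Policy] = []
        self.sad: Dict[Tuple[str, str], SA] = {}   # keyed by (src, dst)
        self.acquires: List[Tuple[str, str]] = []  # ACQUIREs an IKE daemon would see

    def install_policy(self, p: Policy) -> None:   # done by the IKE daemon
        self.spd.append(p)

    def install_sa(self, sa: SA) -> None:          # done by the IKE daemon after IKE
        self.sad[(sa.src, sa.dst)] = sa

    def outbound(self, pkt: Packet) -> Tuple[str, dict]:
        policy = next((p for p in self.spd if p.selector.matches(pkt)), None)
        if policy is None or policy.action == "bypass":
            # Linux default for unpoliced traffic: send it as-is. A missing or
            # too-narrow policy is therefore a silent cleartext leak.
            return "plaintext", {}
        if policy.action == "discard":
            return "drop", {"reason": "policy discard"}
        sa = self.sad.get((pkt.src, pkt.dst))
        if sa is None:
            # Policy says protect but no SA yet: ask IKE (ACQUIRE) and drop.
            # The kernel never falls back to cleartext here.
            self.acquires.append((pkt.src, pkt.dst))
            return "drop", {"reason": "no SA, ACQUIRE raised"}
        sa.seq += 1
        return "esp", {"spi": sa.spi, "seq": sa.seq, "cipher": sa.cipher}

def demo() -> List[Tuple[str, dict]]:
    me, peer, stranger = "192.168.1.10", "192.168.1.20", "192.168.1.99"
    x = Xfrm()
    # 1. Policy first: all Geneve traffic to the peer must be protected.
    x.install_policy(Policy(Selector(me, peer, IPPROTO_UDP, GENEVE_UDP_PORT), "protect"))
    geneve = Packet(me, peer, IPPROTO_UDP, GENEVE_UDP_PORT)
    results = [x.outbound(geneve)]                          # dropped, ACQUIRE raised
    # 2. IKE authenticates the peer, negotiates aes-gcm, derives keys, installs the SA.
    x.install_sa(SA(0x1234ABCD, me, peer, "aes-gcm", b"constructed-example-key"))
    results.append(x.outbound(geneve))                      # now ESP, seq 1
    results.append(x.outbound(geneve))                      # ESP, seq 2
    # 3. A peer nobody wrote a policy for: leaves in cleartext.
    results.append(x.outbound(Packet(me, stranger, IPPROTO_UDP, GENEVE_UDP_PORT)))
    return results

if __name__ == "__main__":
    for verdict, info in demo():
        print(verdict, info)
```

On a real host the equivalent of `demo()` is reading `ip xfrm policy` (which traffic) and `ip xfrm state` (how, including SPI and algorithm) and checking that every hypervisor peer appears in both; the third result above is what an unlisted peer looks like on the wire.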

Page 18: OVS IPsec Tunnel

[Figure, built up across Pages 18 to 25: user space holds ovsdb, ovs-monitor-ipsec and the IKE daemon; the kernel holds the IPsec kernel stack and the ovs datapath. ovs-monitor-ipsec reads the tunnel configuration from ovsdb and configures the IKE daemon; the IKE daemon installs the security policy and security association into the IPsec kernel stack, which sits between the ovs datapath and the physical network.]

Configuring the IPsec tunnel via ovsdb, with one of three authentication methods:
• Using pre-shared key
• Using self-signed certificate
• Using CA-signed certificate

Establishing the IPsec tunnel (for example, a Geneve tunnel):
• ovs-monitor-ipsec configures the IKE daemon
• IKE daemon sets up security policy and security association

IPsec kernel stack:
• Encryption and decryption
• Checks integrity and authenticity
• Unencrypted packets from the ovs datapath leave as encrypted packets; encrypted packets from the network are decrypted before they reach the ovs datapath

Page 26: OVN IPsec

[Figure: northbound db -> ovn-northd -> southbound db -> ovn-controller on each of Hypervisor 1 ... Hypervisor n. Each hypervisor also runs ovsdb and vswitchd, which its ovn-controller configures.]

• In each hypervisor, configure ovsdb to use a CA-signed certificate for authentication
• Enable IPsec by configuring the northbound database
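The configuration examples on Pages 19 to 21 and on Page 26 are ovs-vsctl and ovn-nbctl invocations. As an added example (not the talk's slides and not OVS's own code), the module below builds those command lines for the three authentication methods and for the OVN-wide switch, validates that exactly one method is chosen, and runs nothing unless asked. The option names are the ones the OVS IPsec tutorials document (`options:psk`, `options:remote_cert`, `options:remote_name`, `other_config:certificate`, `other_config:private_key`, `other_config:ca_cert`, `nb_global.ipsec`); bridge, port, host and path names are made up, and the minimum PSK length is a check added here, not an OVS rule.

```python
"""Builds the ovs-vsctl / ovn-nbctl command lines for OVS IPsec tunnels and for
OVN IPsec. Added example: option names follow the OVS IPsec tutorials, all names,
addresses and paths are made up, and nothing runs unless dry_run=False."""
import os
import subprocess
from typing import Dict, List, Optional

Argv = List[str]
MIN_PSK_LEN = 20   # added check, not an OVS rule: IKE PSKs should be long and random

def _abs(path: Optional[str], what: str) -> None:
    # ovs-monitor-ipsec runs as a daemon; a relative path would resolve unpredictably.
    if path is not None and not os.path.isabs(path):
        raise ValueError(f"{what} must be an absolute path: {path}")

def chassis_identity(cert: str, private_key: str, ca_cert: Optional[str] = None) -> List[Argv]:
    """Per-hypervisor identity, read by ovs-monitor-ipsec from Open_vSwitch.other_config.
    Self-signed mode needs cert + key; CA-signed mode also needs ca_cert."""
    for p, what in ((cert, "certificate"), (private_key, "private_key"), (ca_cert, "ca_cert")):
        _abs(p, what)
    cmd = ["ovs-vsctl", "set", "Open_vSwitch", ".",
           f"other_config:certificate={cert}", f"other_config:private_key={private_key}"]
    if ca_cert:
        cmd.append(f"other_config:ca_cert={ca_cert}")
    return [cmd]

def ipsec_tunnel(bridge: str, port: str, remote_ip: str, *, psk: Optional[str] = None,
                 remote_cert: Optional[str] = None, remote_name: Optional[str] = None,
                 tunnel_type: str = "geneve") -> List[Argv]:
    """One IPsec-protected tunnel port (Pages 19 to 21). The authentication method
    follows from which option is present: psk, remote_cert (the peer's self-signed
    certificate file) or remote_name (CN of the peer's CA-signed certificate)."""
    methods = {"psk": psk, "remote_cert": remote_cert, "remote_name": remote_name}
    chosen = [k for k, v in methods.items() if v]
    if len(chosen) != 1:
        raise ValueError(f"choose exactly one of psk/remote_cert/remote_name, got {chosen}")
    method = chosen[0]
    if method == "psk" and len(psk) < MIN_PSK_LEN:
        raise ValueError(f"psk shorter than {MIN_PSK_LEN} characters")
    _abs(remote_cert, "remote_cert")
    return [["ovs-vsctl", "add-port", bridge, port, "--", "set", "interface", port,
             f"type={tunnel_type}", f"options:remote_ip={remote_ip}",
             f"options:{method}={methods[method]}"]]

def ovn_enable_ipsec(cert: str, private_key: str, ca_cert: str) -> Dict[str, List[Argv]]:
    """OVN (Page 26): every chassis gets a CA-signed identity, then one northbound
    flag turns on IPsec for all chassis-to-chassis tunnels. ovn-controller creates
    the tunnel ports itself, so no ipsec_tunnel() call per peer is needed."""
    return {
        "each_chassis": chassis_identity(cert, private_key, ca_cert),
        "central": [["ovn-nbctl", "set", "nb_global", ".", "ipsec=true"]],
    }

def run(cmds: List[Argv], dry_run: bool = True) -> List[Argv]:
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)   # needs root and a running ovsdb
    return cmds

if __name__ == "__main__":
    # Pre-shared key (same psk on both hypervisors)
    run(ipsec_tunnel("br-ipsec", "tun", "10.1.1.2", psk="constructed-psk-use-random-bytes"))
    # Self-signed: own identity, plus the peer's certificate file per tunnel
    run(chassis_identity("/etc/keys/host_1-cert.pem", "/etc/keys/host_1-privkey.pem"))
    run(ipsec_tunnel("br-ipsec", "tun", "10.1.1.2", remote_cert="/etc/keys/host_2-cert.pem"))
    # CA-signed: own identity plus CA, and the peer's name per tunnel
    run(chassis_identity("/etc/keys/host_1-cert.pem", "/etc/keys/host_1-privkey.pem",
                         "/etc/keys/cacert.pem"))
    run(ipsec_tunnel("br-ipsec", "tun", "10.1.1.2", remote_name="host_2"))
    # OVN: identity on every chassis, one flag in the northbound database
    plan = ovn_enable_ipsec("/etc/keys/host_1-cert.pem", "/etc/keys/host_1-privkey.pem",
                            "/etc/keys/cacert.pem")
    run(plan["each_chassis"])
    run(plan["central"])
```

The `each_chassis` commands run on every hypervisor; the `ovn-nbctl` command runs once wherever the northbound database is reachable. After that ovn-controller creates the tunnel ports with `remote_name` set to the peer chassis, so each chassis certificate's common name is expected to match that chassis name (confirm against the OVS ovn-ipsec tutorial for your version). On a hypervisor, `ovs-appctl -t ovs-monitor-ipsec tunnels/show` lists the tunnels ovs-monitor-ipsec is managing and their state.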

Page 28: IPsec Evaluation

• Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
• iperf generates a TCP stream (window size: 85 KB), which is encrypted on a single core

[Figure: two bar charts comparing aes256-sha256, aes-gcm and no encryption. Left: throughput in Mbps (axis 0 to 10000). Right: CPU usage in percent (axis 0% to 100%), with separate bars for iperf-client and iperf-server.]

Because the encryption runs on one core, the ESP results measure per-core cipher throughput rather than the NIC; aes-gcm is a single-pass AEAD, whereas aes256-sha256 encrypts and then computes an HMAC in two passes.

Page 32: Current Status

• Compatible with the StrongSwan and LibreSwan IKE daemons
• Packages for Ubuntu and Fedora
• Tutorials on using OVN IPsec
• Need to use the OVS upstream kernel module

Page 33: Future Directions

More flexible tunnel encryption policies:
• Only encrypting tunnel traffic between certain hypervisors
• Only encrypting tunnel traffic from certain logical networks

Page 34: Q&A