Encrypting OVN tunnels with IPsec - Qiuyu Xiao, Ben Pfaff - PowerPoint PPT Presentation


  1. Encrypting OVN tunnels with IPsec
     Qiuyu Xiao (qiuyu.xiao.qyx@gmail.com), Ben Pfaff (blp@ovn.org)

  2. Open Virtual Network (OVN)
     • OVN provides a logical network abstraction on top of a physical network
     [Figure: physical view, VM1 to VM9 spread over Hypervisor 1 and Hypervisor 2; logical view, the same VMs attached to L-Switches joined by an L-Router]

  3. Open Virtual Network (OVN)
     • VMs are oblivious to the state of the physical network
     [Figure: same physical and logical views as slide 2]

  4. Open Virtual Network (OVN)
     • Network appliances can be implemented and placed in the logical network
     [Figure: the logical view now also contains an L-Firewall and an L-LoadBalancer]

  5. OVN Tunnel Traffic
     • Frame as sent by the source VM: Inner Ethernet Header | Inner IP Header | Payload
     [Figure: VM1 on Hypervisor 1 sends to VM6 on Hypervisor 2]

  6-8. OVN Tunnel Traffic
     • Between the hypervisors the frame is Geneve-encapsulated, header by header: Outer Ethernet Header | Outer IP Header | Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload

  9. OVN Tunnel Traffic
     • The receiving hypervisor strips the outer headers and delivers the original frame to the destination VM: Inner Ethernet Header | Inner IP Header | Payload

  10. The Need for Tunnel Encryption
     • VMs compute on and communicate sensitive data, e.g., financial and health data
     • Physical network devices (e.g., routers, switches) cannot be trusted or might be compromised:
       – traffic across datacenters
       – router misconfiguration
       – attackers breaking into the internal network
       – phishing or social engineering attacks on administrators

  11. Encrypting Tunnel Traffic with IPsec
     • Geneve packet before encryption: Outer Ethernet Header | Outer IP Header | Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload
     • After IPsec encryption: Outer Ethernet Header | Outer IP Header | ESP Header | encrypted (Outer UDP Header, Geneve Header, Inner Ethernet Header, Inner IP Header, Payload). The ESP header directly follows the outer IP header, i.e., ESP in transport mode; everything from the UDP header onwards is hidden from the physical network
     • Provides confidentiality, integrity and authenticity

  12. IPsec in Linux
     [Figure: user space holds the IKE daemon, which speaks the IKE protocol to the peer's IKE daemon; the kernel holds the IPsec kernel stack, which implements the ESP/AH protocols and is driven by a security policy and a security association]

  13-16. IPsec in Linux: IKE daemon
     • Authentication
     • Negotiates cryptographic algorithms
     • Generates keying material
     • Installs the security policy (which traffic to protect) and the security association (how to protect the selected traffic)

  17. IPsec in Linux: IPsec kernel stack
     • Encryption and decryption
     • Checks integrity and authenticity
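As an added example that is not part of the slides or of the OVS/OVN code, the script below installs by hand, with iproute2's `ip xfrm`, the two kernel objects the IKE daemon produces on slides 13 to 17: a security policy that selects only Geneve traffic (UDP port 6081) between two hypervisors, and a security association per direction that says how to protect it (SPI, ESP in transport mode, AES-128-GCM, key). The hypervisor addresses 192.0.2.1 and 192.0.2.2, the SPIs, the generated keys and the function names are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the slides: install by hand, with iproute2's
# "ip xfrm", the two kernel objects the IKE daemon normally produces, so
# their roles are concrete. The security policy (SP) is the selector,
# "which traffic to protect": here Geneve, UDP port 6081, between two
# hypervisor addresses. The security association (SA) is "how to
# protect it": SPI, ESP in transport mode, AES-128-GCM, key.
# Addresses, SPIs and keys below are assumed values. Manual keying is
# for illustration only; in production IKE negotiates and rotates keys.
set -eu

# Execute a command, or only print it when DRY_RUN is set, so the
# sequence can be reviewed on a host without root or an IPsec stack.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rfc4106(gcm(aes)) with a 128-bit key takes 16 key bytes plus a 4-byte
# salt: "0x" followed by exactly 40 hex digits.
check_gcm_key() {
    case "$1" in
        0x*) [ "${#1}" -eq 42 ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-Fx')" ] ;;
        *)   return 1 ;;
    esac
}

# Fresh key material from the kernel RNG, in the format above.
random_gcm_key() {
    printf '0x%s\n' "$(od -An -N20 -tx1 /dev/urandom | tr -d ' \t\n')"
}

# Two SAs (one per direction) and two SPs selecting only Geneve traffic.
# $1 = local IP, $2 = remote IP, $3 = outbound SPI, $4 = inbound SPI,
# $5 = outbound key, $6 = inbound key (the peer installs them swapped).
install_manual_esp() {
    check_gcm_key "$5" && check_gcm_key "$6" || {
        echo "install_manual_esp: keys must be 0x plus 40 hex digits" >&2
        return 1
    }
    # SA: how to protect. reqid 1 ties each SA to the policy below;
    # 128 is the ICV length in bits.
    run ip xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid 1 \
        mode transport aead 'rfc4106(gcm(aes))' "$5" 128
    run ip xfrm state add src "$2" dst "$1" proto esp spi "$4" reqid 1 \
        mode transport aead 'rfc4106(gcm(aes))' "$6" 128
    # SP: which traffic to protect. Anything not matching (SSH to the
    # hypervisor, the IKE exchange itself) stays outside IPsec.
    run ip xfrm policy add src "$1" dst "$2" proto udp dport 6081 dir out \
        tmpl src "$1" dst "$2" proto esp reqid 1 mode transport
    run ip xfrm policy add src "$2" dst "$1" proto udp dport 6081 dir in \
        tmpl src "$2" dst "$1" proto esp reqid 1 mode transport
}

# The kernel's SAs and SPs, whoever installed them; after the IKE daemon
# brings up an OVS tunnel the output has the same shape.
show_xfrm() {
    run ip xfrm state
    run ip xfrm policy
}

# Dry run for hypervisors 192.0.2.1 (this host) and 192.0.2.2. Drop
# DRY_RUN and run as root to install the state for real.
KEY_OUT=$(random_gcm_key)
KEY_IN=$(random_gcm_key)
DRY_RUN=1 install_manual_esp 192.0.2.1 192.0.2.2 0x1000 0x2000 "$KEY_OUT" "$KEY_IN"
```

Run as-is it only prints the four `ip xfrm` commands; run as root without `DRY_RUN` on both hosts, with the SPIs and keys swapped on the peer, and `show_xfrm` then lists exactly what an IKE daemon would have left behind, minus the rekeying.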

  18. OVS IPsec Tunnel
     [Figure: user space: ovsdb, ovs-monitor-ipsec, IKE daemon; kernel: IPsec kernel stack, OVS datapath]

  19-21. OVS IPsec Tunnel: configuring the IPsec tunnel via ovsdb
     • Using a pre-shared key
     • Using a self-signed certificate
     • Using a CA-signed certificate
     For example:

  22-24. OVS IPsec Tunnel: establishing the IPsec tunnel
     • ovs-monitor-ipsec configures the IKE daemon
     • The IKE daemon sets up the security policy and security association
     For example (geneve tunnel):

  25. OVS IPsec Tunnel: IPsec kernel stack
     • Encryption and decryption
     • Checks integrity and authenticity
     [Figure: an unencrypted packet passes from the OVS datapath to the IPsec kernel stack, which emits the encrypted packet]
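As an added example that is not part of the slides or of the OVS project's own code, the script below configures a Geneve tunnel port for ovs-monitor-ipsec with each of the three authentication methods from slides 19 to 21, and then runs the checks a practitioner wants after slides 22 to 25 (the monitor's status, and a capture that must show ESP rather than cleartext Geneve). The ovsdb keys it sets (`options:psk`, `options:remote_cert`, `options:remote_name`, `other_config:certificate`, `other_config:private_key`, `other_config:ca_cert`) are the ones the OVS IPsec integration reads; the bridge and port names, addresses, key paths, interface name and peer CN are assumed values.

```shell
#!/bin/sh
# Added example, not from the slides or the OVS project: configure a
# Geneve tunnel port that ovs-monitor-ipsec will protect with IPsec,
# one function per authentication method, plus checks for after the
# IKE daemon has brought the tunnel up. Bridge and port names, addresses,
# key paths and the CN are assumed values.
set -eu

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1) Pre-shared key. One secret shared by all hosts: anyone who reads it
#    can pose as a hypervisor, so this is for labs only.
ovs_ipsec_tunnel_psk() {
    # $1 = bridge, $2 = port, $3 = remote IP, $4 = PSK
    run ovs-vsctl --may-exist add-port "$1" "$2" -- set interface "$2" \
        type=geneve options:remote_ip="$3" options:psk="$4"
}

# 2) Self-signed certificate. Each host has its own key pair; the peer's
#    certificate is copied over out of band and pinned via remote_cert.
ovs_ipsec_tunnel_selfsigned() {
    # $1 = bridge, $2 = port, $3 = remote IP,
    # $4 = local cert, $5 = local private key, $6 = peer's certificate
    run ovs-vsctl set Open_vSwitch . \
        other_config:certificate="$4" other_config:private_key="$5"
    run ovs-vsctl --may-exist add-port "$1" "$2" -- set interface "$2" \
        type=geneve options:remote_ip="$3" options:remote_cert="$6"
}

# 3) CA-signed certificate. All hosts trust one CA and a peer is
#    identified by the CN of its certificate (remote_name), so adding a
#    hypervisor no longer means copying its certificate everywhere.
ovs_ipsec_tunnel_ca() {
    # $1 = bridge, $2 = port, $3 = remote IP, $4 = local cert,
    # $5 = local private key, $6 = CA cert, $7 = peer's CN
    run ovs-vsctl set Open_vSwitch . \
        other_config:certificate="$4" other_config:private_key="$5" \
        other_config:ca_cert="$6"
    run ovs-vsctl --may-exist add-port "$1" "$2" -- set interface "$2" \
        type=geneve options:remote_ip="$3" options:remote_name="$7"
}

# Checks: ovs-monitor-ipsec's view of the tunnels, and a capture on the
# physical interface that must show ESP and no cleartext Geneve on
# UDP 6081 while a VM on this host talks across the tunnel.
ovs_ipsec_verify() {
    # $1 = physical interface carrying the tunnel
    run ovs-appctl -t ovs-monitor-ipsec tunnels/show
    run timeout 10 tcpdump -ni "$1" -c 20 'esp or udp port 6081'
}

# Dry run of the CA-signed variant: hypervisor hv1 tunnelling to hv2.
DRY_RUN=1 ovs_ipsec_tunnel_ca br-ipsec tun-hv2 192.0.2.2 \
    /etc/keys/hv1-cert.pem /etc/keys/hv1-privkey.pem /etc/keys/cacert.pem hv2
```

ovs-monitor-ipsec must be running on both hosts for any of the three functions to have an effect; it picks the new port up from ovsdb and drives the IKE daemon, so a tunnel that `tunnels/show` does not list, or a capture that shows UDP 6081 in the clear, means the interface options or certificates did not match on one side.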

  26. OVN IPsec
     [Figure: northbound db, ovn-northd, southbound db, and on each of Hypervisor 1 ... Hypervisor n an ovn-controller with its own ovsdb and vswitchd]

  27. OVN IPsec
     • In each hypervisor, configure ovsdb to use a CA-signed certificate for authentication
     • Enable IPsec by configuring the northbound database
     For example:
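As an added example that is not part of the slides or of the OVN project's own scripts, the script below carries out the two steps of slide 27 for a deployment of two chassis: one CA-signed certificate per chassis installed into that chassis's ovsdb, and a single `ipsec=true` set in the northbound database, after which ovn-controller creates the Geneve ports and ovs-monitor-ipsec protects them. The chassis names hv1 and hv2, the key directory /etc/keys and the function names are assumed values.

```shell
#!/bin/sh
# Added example, not from the slides or the OVN project: enable IPsec
# for every OVN tunnel. Chassis names and the key directory are assumed.
set -eu

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# On the CA host, once per chassis, after "ovs-pki init" created the CA.
# The certificate's CN must be the chassis name (external_ids:system-id):
# ovn-controller sets options:remote_name on each tunnel port to the
# peer's chassis name, and that name is checked against the peer's CN.
# Copy <name>-cert.pem and <name>-privkey.pem plus cacert.pem to the
# chassis afterwards.
ovn_ipsec_issue_cert() {
    # $1 = chassis name
    run ovs-pki req+sign "$1" switch
}

# On each chassis: point ovsdb at its own key pair and the CA certificate.
ovn_ipsec_configure_chassis() {
    # $1 = chassis name, $2 = directory holding the key and certificates
    run ovs-vsctl set Open_vSwitch . \
        other_config:certificate="$2/$1-cert.pem" \
        other_config:private_key="$2/$1-privkey.pem" \
        other_config:ca_cert="$2/cacert.pem"
}

# Once, against the northbound database: the flag ovn-northd propagates
# and every ovn-controller acts on.
ovn_ipsec_enable() {
    run ovn-nbctl set nb_global . ipsec=true
}

# On a chassis: the flag as seen from the northbound db, the tunnel ports
# ovn-controller created (each should carry options:remote_name), and
# ovs-monitor-ipsec's status for them.
ovn_ipsec_status() {
    run ovn-nbctl --columns=ipsec list nb_global
    run ovs-vsctl --columns=name,options find interface type=geneve
    run ovs-appctl -t ovs-monitor-ipsec tunnels/show
}

# Dry run for chassis hv1 and hv2.
DRY_RUN=1 ovn_ipsec_issue_cert hv1
DRY_RUN=1 ovn_ipsec_issue_cert hv2
DRY_RUN=1 ovn_ipsec_configure_chassis hv1 /etc/keys
DRY_RUN=1 ovn_ipsec_enable
```

Turning the flag on before a chassis has its certificate configured leaves that chassis's tunnels down rather than in the clear, which is the safe failure, so check `ovn_ipsec_status` on each host after enabling.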

  28-31. IPsec Evaluation
     • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
     • iperf generates a TCP stream (window size: 85 KB), which is encrypted on a single core
     [Figure: two charts comparing aes256-sha256, aes-gcm and no encryption: throughput in Mbps (0 to 10000) and CPU usage (0 to 100%) for iperf-client and iperf-server]

  32. Current Status
     • Compatible with the StrongSwan and LibreSwan IKE daemons
     • Packages for Ubuntu and Fedora
     • Tutorials on using OVN IPsec
     • Need to use the OVS upstream kernel module

  33. Future Directions
     More flexible tunnel encryption policies:
     • Only encrypting tunnel traffic between certain hypervisors
     • Only encrypting tunnel traffic from certain logical networks

  34. Q&A
