mts bringing multi tenancy to virtual networking
play

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap - PowerPoint PPT Presentation

Aug 10, 2023 •367 likes •962 views

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

  1. MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gábor Rétvári and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA

  2. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Host OS Host OS 2

  3. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Virtual Switch Host OS Host OS 3

  4. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Host OS Host OS 4

  5. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Broadcast | Multicast | Unicast | Tunnel 1. Red 2. Blue 3. Green Host OS Host OS 5

  6. More Than 20 Virtual Switches Most emphasis has been on performance and flexibility 6

  7. Security Weaknesses of Virtual Switches 7

  8. Processes VM VM VM Untrusted Data $_ $_ $_ Host OS Host OS A malicious VM can send arbitrary packets to the virtual switch 8

  9. Privileged Packet VM VM VM VM Processing $_ $_ $_ $_ User Kernel Host OS Host OS Oftentimes runs in the kernel for performance 9

  10. Single Point of Failure Virtual network configurations are complex Screenshot from Karim Elatov’s blog: https://elatov.github.io/2018/01/openstack-ansible-and-kolla-on-ubuntu-1604/#5-packet-goes-from-ovs-inte 10 gration-bridge-br-int-to-ovs-tunnel-bridge-br-tun

  11. Single Point of VM VM VM Failure $_ $_ $_ Host OS Host OS Mis-configurations could lead to security issues 11

  12. Co-Located with VM VM VM VM the Host OS $_ $_ $_ $_ Host OS Host OS The consequence of a compromise can be severe, e.g., break out of VM isolation 12

  13. Exploiting Virtual VM VM VM Switches in the $_ $_ $_ Cloud Host OS Host OS SOSR’18: Remote-Code Exection OvS Con’19: Cross Tenant DoS 13

  14. Outline Motivation ● MTS ● Evaluation ● Scalability ● Pros and Cons ● Conclusion ● 14

  15. MTS: Multi-Tenant Switch 15

  16. Least Privilege VM Host VM Virtual Switch $_ $_ $_ 1. Processes untrusted data 2. Privileged packet processing 3. Single point of failure 4. Co-located with the Host OS 16

  17. Least Common VM Host VM Mechanism $_ $_ $_ 1. Processes untrusted data 2. Privileged packet processing 3. Single point of failure 4. Co-located with the Host OS 17

  18. Extra Security VM Host VM Boundary $_ $_ $_ 1. Processes untrusted data 2. Privileged packet processing 3. Single point of failure 4. Co-located with the Host OS 18

  19. Complete VM Host VM Mediation $_ $_ $_ T T In/Out Gw In/Out Gw PF VF VF VF VF VF VF 1. Processes untrusted data 2. Privileged packet processing L2 Switch in NIC 3. Single point of failure 4. Co-located with the Host OS SR-IOV NIC 19

  20. Evaluation 20

  21. Experimental Setup Resources ● Traffic Patterns ● & Factors Mellanox ConnectX4, Open vSwitch, DPDK, QEMU, KVM More details in the paper 21

  22. Host OS Shared Resources Host OS pinned to 1 core ● CPU All vswitch-VMs pinned to 1 ● core Each Tenant VM got ● dedicated cores (not shown here) 22

  23. Traffic Patterns VM VM VM In Out In Out In Out NIC NIC NIC p2p p2v v2v 23

  24. B 1 4 2 Baseline vs MTS A S V V V Packet Processing E S S S Throughput L - - - I V V V Comparison N M M M E 64 byte UDP packets Roughly the same in p2p MTS is ~2x Baseline in p2v and v2v 24

  25. Baseline vs MTS Packet Processing Throughput Comparison 64 byte UDP packets Roughly the same in p2p MTS is ~2x Baseline in p2v and v2v 25

  26. Baseline vs MTS Network Application Throughput MTS beats Baseline in Apache and Memcached 26

  27. 1+ Physical Core 4x Network Isolation 1.5-2x Throughput 27

  28. Scaling MTS 28

  29. Containers in VMs Work in progress ● The packets per second throughput is ● the same as running it in a VM for 4 containers Can run 12 vswitches spread across 4 ● VMs Faced an issue with libvirt when ● adding 40 VFs to 16 vswitches spread Real cloud systems can host more across 4 VMs. The interfaces do not than just 4 tenants on a server appear in the VM although the configuration is present. 29

  30. Pros and Cons 30

  31. Limitations PCIe bus could become a bottleneck ● which our evaluation did not reveal The number of VFs on the NIC ● No clean solution for live migration of ● VMs with VFs 31

  32. Pricing State-of-the-art MTS Broadcast | Broadcast | Broadcast | Multicast | Multicast | Multicast | Unicast Unicast Unicast 1. Red $ $ Charge for CPU cycles used by the 2. Blue $ tenant-specific virtual switch 32

  33. Tenant Specific State-of-the-art MTS Virtual Switch Software Broadcast | Broadcast | Broadcast | Multicast | Multicast | Multicast | Unicast Unicast Unicast 1. Red 1. Reduce parsing logic 2. Blue 2. Support tenant-specific features 33

  34. Conclusion 34

  35. Key Takeaways 1. Many virtual switches can be exploited to compromise Host and Network isolation 2. MTS is based on secure design principles that addresses security weakness of existing designs 3. MTS with SR-IOV offers security and performance for modest resources Our scripts and data are on github www.github.com/securedataplane High High Mid Security Performance Resource

  36. Backup 36

  37. Protocol Growth for OvS 37

  38. Complex & Manual Protocol Parsers Virtual switches have to support an increasing number of protocols over time 38

  39. Vswitch Table Analysis 39

  40. So Many Virtual Switches More than 20 40

  41. So Many Virtual Switches More than 20 41

  42. So Many Virtual Switches More than 20 42

  43. Ingress Traffic Flow Example 43

  44. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 44

  45. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC Packet destined to VM $_ 45

  46. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC MAC address of the vswitch VF IP address of VM $_ 46

  47. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 47

  48. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 48

  49. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 49

  50. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 50

  51. VM HOST $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 51

  52. Pricing 52

  53. How it Helps Pricing Can charge for compute and memory used by the vswitch 53

  54. Latency 54

  55. Baseline vs MTS Latency Comparison 64 byte UDP packets Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 55

  56. Baseline vs MTS Latency Comparison Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 56

  57. Baseline vs MTS Latency Comparison Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 57

  58. Baseline vs MTS Latency Comparison Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 58

Recommend

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP Previous: VMware, Baidu Feature Maintainer of Kubernetes HyperCrew: https://hyper.sh/

609 views • 40 slides
Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security Division of EMC John Field, Office of the CTO, EMC Also adapting prior content by Burt Kaliski DIMACS Workshop in Systems and Networking Advances

508 views • 18 slides
Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore? Workloads & API Multi-tenancy & Isolation Lessons Learned What is Edgestore Distributed Metadata Store built on top of MySQL

406 views • 36 slides
DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect VINCIT Working for ari-pekka.viitanen@vincit.com @apviitanen CASE BXX STACK DATA PERSISTENCE AND MULTI-TENANCY SINGLE TENANCY MULTI-TENANCY -

522 views • 28 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1 TENLAW - Tenancy Law and Housing Policy in Multi-level Europe State of the field I Comparative dimension: Crisis has increased the number of

442 views • 16 slides
PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum salesforce.com Platform as a Service Multi Tenancy and Open Standards Peter Chittum Developer Evangelist @pchittum Safe Harbor Safe harbor statement

545 views • 39 slides
Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale Willis, Suman Banerjee University of Wisconsin-Madison 2016 IEEE/ACM Symposium on Edge Computing Presented by Allen Leis and Patrick Jennings Agenda

509 views • 40 slides
IPOP IP over P2P Virtual Networking for Grid Computing David Wolinsky ACIS P2P Group

IPOP IP over P2P Virtual Networking for Grid Computing David Wolinsky ACIS P2P Group

IPOP IP over P2P Virtual Networking for Grid Computing David Wolinsky ACIS P2P Group University of Florida Outline Virtual Networking + Grid Computing Making It Easy Deploying in Clusters and Workstations Demonstration

266 views • 13 slides
A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram {ylchen, jim.tuttle, waingram}@vt.edu Information Technologies and Services Virginia Tech Libraries Agenda Cloud-native concept Virginia

413 views • 20 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
OVN: Scaleable Virtual Networking for Open vSwitch Kyle Mestery (@mestery) Justin Pettit

OVN: Scaleable Virtual Networking for Open vSwitch Kyle Mestery (@mestery) Justin Pettit

OVN: Scaleable Virtual Networking for Open vSwitch Kyle Mestery (@mestery) Justin Pettit (@Justin_D_Pettit) The Case for Network Virtualization Network provisioning needs to be self-service. Virtual networking needs to be abstracted

826 views • 37 slides
Automation of multi-leg one-loop virtual amplitudes Daniel Matre IPPP, Durham, UK ACAT

Automation of multi-leg one-loop virtual amplitudes Daniel Matre IPPP, Durham, UK ACAT

Automation of multi-leg one-loop virtual amplitudes Daniel Matre IPPP, Durham, UK ACAT Conference, Jaipur, 26 Feb 2010 Program NLO corrections Real Virtual Virtual part Feynman diagrams OPP Unitarity based Les

819 views • 42 slides
Bringing flexibility provided by multi-energy carrier integration to a new MAGNITUDE Project

Bringing flexibility provided by multi-energy carrier integration to a new MAGNITUDE Project

Bringing flexibility provided by multi-energy carrier integration to a new MAGNITUDE Project public presentation Last update: October 2018 This project has received funding from the European Communitys H2020 Framework Programme under grant

578 views • 46 slides
Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal

Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal

Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal Huawei IETF98- ICNRG Meeting Thursday 3/30/17 Trends in AR/VR Augmented Reality and Virtual Reality are going to create tremendous growth in

632 views • 15 slides
Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use Cases Single-host networking with the Bridge driver Multi-host networking with the Overlay driver Connecting to existing VLANs with the

1.32k views • 93 slides
Tenancy Training Course and Landlord Workshops Louise Green Operational Manager Need As a

Tenancy Training Course and Landlord Workshops Louise Green Operational Manager Need As a

Tenancy Training Course and Landlord Workshops Louise Green Operational Manager Need As a result of recognised need the Brick are offering the following free courses 1 ) Tenancy (and so much more) Training Course eight sessions 2) Landlord

260 views • 6 slides
EXPLORING THE POTENTIAL OF MOOCS AS FACILITATORS OF VIRTUAL MOBILITY AND MULTI-STAKEHOLDER

EXPLORING THE POTENTIAL OF MOOCS AS FACILITATORS OF VIRTUAL MOBILITY AND MULTI-STAKEHOLDER

EXPLORING THE POTENTIAL OF MOOCS AS FACILITATORS OF VIRTUAL MOBILITY AND MULTI-STAKEHOLDER ENGAGEMENT Alessio Cavicchi Professor in Agribusiness, Rural Development and Branding University of Macerata (IT) Multi-stakeholder actions and wicked

243 views • 20 slides
DESIGN AND IMPLEMENTATION OF A VIRTUAL NETWORKING FRAMEWORK FOR THE MOBILITYFIRST FUTURE INTERNET

DESIGN AND IMPLEMENTATION OF A VIRTUAL NETWORKING FRAMEWORK FOR THE MOBILITYFIRST FUTURE INTERNET

DESIGN AND IMPLEMENTATION OF A VIRTUAL NETWORKING FRAMEWORK FOR THE MOBILITYFIRST FUTURE INTERNET ARCHITECTURE Aishwarya Babu Adviser: Dr. Dipankar Raychaudhuri Content Introduction MobilityFirst Overview Network Virtualization

692 views • 41 slides
Multi-Element Optical Wireless Modules for Mobile Networking and Lighting Murat Yuksel

Multi-Element Optical Wireless Modules for Mobile Networking and Lighting Murat Yuksel

Multi-Element Optical Wireless Modules for Mobile Networking and Lighting Murat Yuksel murat.yuksel@ucf.edu Networking and Wireless Systems Lab (NWSL) Electrical and Computer Engineering University of Central Florida Project Websites

709 views • 47 slides
Tenancy Strategy Local Authority Perspective Stephen Ward Housing Strategy & Research

Tenancy Strategy Local Authority Perspective Stephen Ward Housing Strategy & Research

Tenancy Strategy Local Authority Perspective Stephen Ward Housing Strategy & Research Officer Stafford Borough Council Local Authority Requirements Localism Bill received Royal Assent in November 2011 Section on Tenancy Strategy

115 views • 8 slides
Bringing Micro XRCE-DDS & micro-ROS to PX4-based flying systems PX4 Developer Summit Virtual

Bringing Micro XRCE-DDS & micro-ROS to PX4-based flying systems PX4 Developer Summit Virtual

Bringing Micro XRCE-DDS & micro-ROS to PX4-based flying systems PX4 Developer Summit Virtual 2020 07/07/2020 Jaime Martin Losa Nuno Marques eProsima - CEO Founder and Lead Developer jaimemartin@eprosima.com

364 views • 24 slides
Presentation to Australian Retailers Association "ARA Managing the Asset Retail Tenancy Forum

Presentation to Australian Retailers Association "ARA Managing the Asset Retail Tenancy Forum

Presentation to Australian Retailers Association "ARA Managing the Asset Retail Tenancy Forum 20 0 1" 27 February 20 0 1 The Trade Practices Act and retail tenancy is it working? Address by John Martin Com m issioner The Austra

404 views • 12 slides
Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing

Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing

Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing Diversity to Computing Monoculture Current computing monoculture leaves our infrastructure vulnerable to massive and rapid attacks. Knowing

1.25k views • 112 slides

More recommend