Open vSwitch Config for libvirt VMs
Jonas Andre, advised by Johannes Naab
Wednesday 9th January, 2019
Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich
Introduction: Virtual Machines in Lectures
• VMs provide configured computers
• Allows students to experiment
• ∼ 1000 VMs
• One layer 2 network with VMs
• Layer 2 network is managed by one Open vSwitch
• Students have root access → Layer 2 security very important
Figure 1: VMs in one layer 2 network
J. Andre — Open vSwitch Config
Goals: Security
Protection against
• MAC spoofing
• ARP spoofing
  • VM answers to ARP request for the gateway
  • Other VMs consider the VM as true gateway
  • VMs send traffic to spoofing VM instead of gateway
  • → Spoofing VM is Man in the Middle
• DHCP server spoofing
• IP spoofing
• IPv6 router spoofing
• NDP spoofing
Goals: Host CPU Load Reduction
• Broadcasts reach every VM
• Simultaneous processing of broadcast at every machine
• ∼ 250 ARP requests per minute in this network
• Each ARP needs to be processed by every VM
• Due to Spectre and Meltdown, complete unload and load of VM from and to cache necessary
• Context switches are expensive → High CPU consumption
• → Optimize ARP requests to reduce CPU load
Implementation: OpenFlow
• Open vSwitch uses OpenFlow
• Per frame processing
• Processing by rules with priorities
• Rules organized in tables
• Relevant filters
  • Incoming port
  • MAC addresses
  • IP addresses
  • Protocols
• Relevant actions
  • Drop
  • Normal
  • Output
  • Table
Example rules in table0:
  port=1 src_mac=vm.mac → TABLE:1
  port=1                → DROP
  *                     → NORMAL
Implementation: Rule Creation
• Existing script creating and starting VMs
  • Storing of MACs and IPs
• During start of VM
  • Parsing of metadata by QEMU hook
  • Installing rules based on metadata
• During shutdown of VM
  • QEMU hook initiates rule deletion
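The following is an added example, not the hook script from the talk: a libvirt QEMU hook that turns a VM's stored metadata into per-VM OpenFlow rules and installs or removes them with ovs-ofctl on the "started" and "stopped" events. It encodes the four-table layout of the implementation (table0 MAC check, table1 source-address and DHCP checks, table2 direct ARP, table3 ICMPv6). The bridge name, the uplink port number, the metadata store, the priorities and the cookie scheme (cookie equals the VM's OpenFlow port, so one `del-flows` with a cookie mask removes everything the VM owns) are assumptions made for this example.

```python
"""Added example libvirt/QEMU hook: libvirt runs /etc/libvirt/hooks/qemu as
   qemu <vm name> <operation> ...  and this script emits ovs-ofctl calls.
Bridge name, ports, metadata and cookie scheme are assumptions."""
import subprocess
import sys

BRIDGE = "br-lectures"   # assumed OVS bridge carrying the VM layer 2 network
INTERNET_PORT = 10       # assumed OpenFlow port number of the uplink

# Constructed stand-in for the metadata written by the VM creation script.
METADATA = {
    "vm05": {"port": 5, "mac": "52:54:00:aa:bb:05",
             "ipv4": "10.0.0.5", "ipv6": "fd00::5"},
}

# Rules independent of any VM; installed once when the bridge comes up.
STATIC_FLOWS = [
    "table=0,priority=50,arp,actions=resubmit(,2)",           # non-VM ARP -> table2
    "table=0,priority=0,actions=NORMAL",                      # other non-VM traffic
    "table=1,priority=200,udp,tp_src=67,actions=drop",        # DHCP server messages
    "table=1,priority=200,udp6,tp_src=547,actions=drop",      # DHCPv6 server messages
    "table=1,priority=0,actions=drop",                        # anything unverified
    f"table=2,priority=50,in_port={INTERNET_PORT},arp,arp_op=1,actions=drop",
    f"table=2,priority=40,arp,arp_op=1,actions=output:{INTERNET_PORT}",
    "table=2,priority=0,actions=NORMAL",                      # ARP replies etc.
    "table=3,priority=200,icmp6,icmp_type=134,actions=drop",  # Router Advertisement
    "table=3,priority=200,icmp6,icmp_type=137,actions=drop",  # Redirect
    "table=3,priority=100,icmp6,icmp_type=136,actions=drop",  # NA not allowed per VM
    "table=3,priority=0,actions=NORMAL",                      # remaining ICMPv6
]


def vm_flows(port, mac, ipv4, ipv6, cookie):
    """Per-VM rules; the cookie tags them so they can be deleted in one call."""
    c = f"cookie={cookie:#x}"
    return [
        # table0: frames from the VM port must carry the registered MAC
        f"{c},table=0,priority=100,in_port={port},dl_src={mac},actions=resubmit(,1)",
        f"{c},table=0,priority=90,in_port={port},actions=drop",
        # table1: source-address checks (a link-local IPv6 address would need one more entry)
        f"{c},table=1,priority=100,in_port={port},arp,arp_sha={mac},arp_spa={ipv4},actions=resubmit(,2)",
        f"{c},table=1,priority=100,in_port={port},icmp6,ipv6_src={ipv6},actions=resubmit(,3)",
        # Neighbor Solicitation from :: is Duplicate Address Detection
        f"{c},table=1,priority=100,in_port={port},icmp6,icmp_type=135,ipv6_src=::,actions=resubmit(,3)",
        f"{c},table=1,priority=50,in_port={port},ip,nw_src={ipv4},actions=NORMAL",
        f"{c},table=1,priority=50,in_port={port},ipv6,ipv6_src={ipv6},actions=NORMAL",
        # table2: ARP requests for this VM's address are delivered to its port only
        f"{c},table=2,priority=100,arp,arp_op=1,arp_tpa={ipv4},actions=output:{port}",
        # table3: only Neighbor Advertisements for the VM's own address pass
        f"{c},table=3,priority=150,in_port={port},icmp6,icmp_type=136,nd_target={ipv6},actions=NORMAL",
    ]


def commands_for(vm_name, operation):
    """Return the ovs-ofctl invocations (argv, stdin text) for a libvirt hook event."""
    meta = METADATA[vm_name]
    cookie = meta["port"]  # assumed scheme: cookie == OpenFlow port of the VM
    if operation == "started":
        flows = vm_flows(meta["port"], meta["mac"], meta["ipv4"], meta["ipv6"], cookie)
        return [(["ovs-ofctl", "add-flows", BRIDGE, "-"], "\n".join(flows) + "\n")]
    if operation == "stopped":
        # cookie/-1 matches the cookie exactly and removes all rules of this VM
        return [(["ovs-ofctl", "del-flows", BRIDGE, f"cookie={cookie:#x}/-1"], None)]
    return []


if __name__ == "__main__":
    for argv, stdin in commands_for(sys.argv[1], sys.argv[2]):
        subprocess.run(argv, input=stdin, text=True, check=True)
```

`STATIC_FLOWS` would be fed to `ovs-ofctl add-flows <bridge> -` once at bridge setup; the hook only adds and removes the cookie-tagged per-VM rules, so a crashed or restarted VM never leaves stale entries behind as long as the cookie is unique per port.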
Implementation: OpenFlow Table Structure
Implemented table structure:
  table0: MAC spoof, ARP
  table1: IP spoof, ARP spoof, DHCP spoof
  table2: Direct ARP
  table3: ICMP spoof
Implementation: table0
• VM sends with correct MAC → table1
• VM sends with spoofed MAC → DROP
• ARP request not from VM → table2
• Frames not from VM and not ARP → NORMAL
Rules in table0:
  IN:VM  correct MAC → TABLE:1
  IN:VM  spoofed MAC → DROP
  IN:*   ARP         → TABLE:2
  *                  → NORMAL
Implementation: table1
• Non spoofed ARP → table2
• DHCP and DHCPv6 server messages → DROP
• Non spoofed IP address in ICMPv6 → table3
• Neighbor Solicitation from unspecified address → table3
  • Necessary for Duplicate Address Detection
• Non spoofed IP address → NORMAL
• Other messages → DROP
Implementation: table2
• ARP request with known IP → OUT:VM
• ARP request with unknown IP
  • From Internet → DROP
  • From other → OUT:INTERNET
• All other ARP packets → NORMAL
Rules in table2:
  IN:*        ARP request VM_IP → OUT:VM
  IN:Internet ARP request       → DROP
  IN:*        ARP request       → OUT:Internet
  *                             → NORMAL
Implementation: table3
• Router Advertisement → DROP
• Neighbor Advertisement with correct IP → NORMAL
• Spoofed Neighbor Advertisement → DROP
• Redirect → DROP
• All other ICMPv6 → NORMAL
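To check that the four tables really drop every spoofing case from the goals slide and still let legitimate traffic (including DAD) through, here is an added reference model of the pipeline in plain Python; it is not code from the talk and runs no real switch. Frames are small records, each table is a function that returns the final action or resubmits to the next table, exactly in the order the slides describe. The VM inventory, the uplink port number and the interpretation of "correct IP" for Neighbor Advertisements (the advertised target must be the VM's own address) are assumptions.

```python
"""Added example: reference model of the table0..table3 pipeline described
in the slides. Inventory, ports and the NA check are assumptions."""
from dataclasses import dataclass

# Constructed inventory: OpenFlow port -> (MAC, IPv4, IPv6) of the VM on it
VMS = {
    1: ("52:54:00:00:00:01", "10.0.0.1", "fd00::1"),
    2: ("52:54:00:00:00:02", "10.0.0.2", "fd00::2"),
}
INTERNET_PORT = 10                      # assumed uplink port (not a VM)
PORT_BY_IPV4 = {v[1]: p for p, v in VMS.items()}


@dataclass
class Frame:
    in_port: int
    src_mac: str
    proto: str            # "arp", "ipv4" or "ipv6"
    src_ip: str = ""      # arp_spa / nw_src / ipv6_src
    arp_op: int = 0       # 1 request, 2 reply
    arp_tpa: str = ""     # ARP target address
    udp_sport: int = 0    # 67 = DHCP server, 547 = DHCPv6 server
    icmp6_type: int = 0   # 134 RA, 135 NS, 136 NA, 137 Redirect
    nd_target: str = ""   # NDP target address


def table0(f):
    """MAC check for VM ports; ARP from elsewhere is steered to table2."""
    if f.in_port in VMS:
        return table1(f) if f.src_mac == VMS[f.in_port][0] else "DROP"
    return table2(f) if f.proto == "arp" else "NORMAL"


def table1(f):
    """Source-address and DHCP checks; only reached for frames from a VM."""
    _, ip4, ip6 = VMS[f.in_port]
    if f.proto == "arp":
        return table2(f) if f.src_ip == ip4 else "DROP"
    if (f.proto == "ipv4" and f.udp_sport == 67) or (f.proto == "ipv6" and f.udp_sport == 547):
        return "DROP"                                   # DHCP/DHCPv6 server messages
    if f.proto == "ipv6" and f.icmp6_type:
        if f.src_ip == ip6:
            return table3(f)
        if f.icmp6_type == 135 and f.src_ip == "::":   # Duplicate Address Detection
            return table3(f)
        return "DROP"
    if (f.proto == "ipv4" and f.src_ip == ip4) or (f.proto == "ipv6" and f.src_ip == ip6):
        return "NORMAL"
    return "DROP"


def table2(f):
    """Direct ARP: requests for a known VM go to that port only."""
    if f.proto == "arp" and f.arp_op == 1:
        if f.arp_tpa in PORT_BY_IPV4:
            return f"OUTPUT:{PORT_BY_IPV4[f.arp_tpa]}"
        return "DROP" if f.in_port == INTERNET_PORT else f"OUTPUT:{INTERNET_PORT}"
    return "NORMAL"


def table3(f):
    """ICMPv6 checks for VM traffic: no RA, no Redirect, no NA for foreign addresses."""
    _, _, ip6 = VMS[f.in_port]
    if f.icmp6_type in (134, 137):
        return "DROP"
    if f.icmp6_type == 136:
        return "NORMAL" if f.nd_target == ip6 else "DROP"
    return "NORMAL"


def classify(frame):
    """Entry point: every frame starts in table0."""
    return table0(frame)


if __name__ == "__main__":
    m1 = VMS[1][0]
    for label, fr in [
        ("VM1 ARP request for VM2", Frame(1, m1, "arp", src_ip="10.0.0.1", arp_op=1, arp_tpa="10.0.0.2")),
        ("VM1 with spoofed MAC", Frame(1, "52:54:00:00:00:99", "ipv4", src_ip="10.0.0.1")),
        ("VM1 sends Router Advertisement", Frame(1, m1, "ipv6", src_ip="fd00::1", icmp6_type=134)),
        ("Internet ARP for unknown IP", Frame(10, "00:11:22:33:44:55", "arp", arp_op=1, arp_tpa="10.0.0.77")),
    ]:
        print(f"{label}: {classify(fr)}")
```

The model makes the CPU-load effect visible as well: an ARP request for a known address ends in `OUTPUT:<port>` instead of `NORMAL`, so the ∼ 250 requests per minute reach one VM each rather than all ∼ 1000.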
Conclusion & Future Work
Conclusion
• Optimized script creating and deleting VMs
• Hook scripts install and delete OpenFlow rules
• Network safe against spoofing attacks
• Simple DHCP protection
• ARP optimization to reduce CPU load
Future Work
• Protection against network overload
• Protection against CPU overload by sending broadcasts
  • → dependent rate limiting