Open vSwitch Config for libvirt VMs, Jonas Andre, advised by Johannes Naab (PowerPoint presentation)


  1. Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich
  Open vSwitch Config for libvirt VMs
  Jonas Andre, advised by Johannes Naab
  Wednesday 9th January, 2019

  2. Introduction: Virtual Machines in Lectures
  • VMs provide configured computers
  • Allows students to experiment
  • ∼ 1000 VMs
  • One layer 2 network with VMs
  • Layer 2 network is managed by one Open vSwitch
  • Students have root access, so layer 2 security is very important
  Figure 1: VMs in one layer 2 network
  J. Andre — Open vSwitch Config 2

  3. Goals: Security
  Protection against
  • MAC spoofing
  • ARP spoofing
    • VM answers ARP requests for the gateway
    • Other VMs consider the VM the true gateway
    • VMs send traffic to the spoofing VM instead of the gateway
    • → Spoofing VM is man in the middle
  • DHCP server spoofing
  • IP spoofing
  • IPv6 router spoofing
  • NDP spoofing

  4. Goals: Host CPU Load Reduction
  • Broadcasts reach every VM
  • Simultaneous processing of each broadcast at every machine
  • ∼ 250 ARP requests per minute in this network
  • Each ARP request needs to be processed by every VM
  • Due to Spectre and Meltdown, a complete unload and reload of the VM from and to the cache is necessary
  • Context switches are expensive → high CPU consumption
  → Optimize ARP requests to reduce CPU load

  5.–6. Implementation: OpenFlow
  • Open vSwitch uses OpenFlow
  • Per-frame processing
  • Processing by rules with priorities
  • Rules organized in tables
  • Relevant filters
    • Incoming port
    • MAC addresses
    • IP addresses
    • Protocols
  • Relevant actions
    • Drop
    • Normal
    • Output
    • Table
  Figure: example table0 (slide 6 shows the same slide with the rules filled in)
    port=1, src_mac=vm.mac → TABLE:1
    port=1                 → DROP
    *                      → NORMAL

  7. Implementation: Rule Creation
  • Existing script creating and starting VMs
    • Stores MACs and IPs
  • During start of VM
    • QEMU hook parses the metadata
    • Rules are installed based on the metadata
  • During shutdown of VM
    • QEMU hook initiates rule deletion

  8. Implementation: OpenFlow Table Structure
  Implemented table structure:
    table0: MAC spoof, ARP
    table1: IP spoof, ARP spoof, DHCP spoof
    table2: Direct ARP
    table3: ICMP spoof

  9. Implementation: table0
  • VM sends with correct MAC → table1
  • VM sends with spoofed MAC → DROP
  • ARP request not from VM → table2
  • Frames not from VM and not ARP → NORMAL

  10. Implementation: table1
  • Non-spoofed ARP → table2
  • DHCP and DHCPv6 server messages → DROP
  • Non-spoofed IP address in ICMPv6 → table3
  • Neighbor Solicitation from the unspecified address → table3
    • Necessary for Duplicate Address Detection
  • Non-spoofed IP address → NORMAL
  • Other messages → DROP

  11. Implementation: table2
  • ARP request with known IP → OUT:VM
  • ARP request with unknown IP
    • From Internet → DROP
    • From other → OUT:Internet
  • All other ARP packets → NORMAL

  12. Implementation: table3
  • Router Advertisement → DROP
  • Neighbor Advertisement with correct IP → NORMAL
  • Spoofed Neighbor Advertisement → DROP
  • Redirect → DROP
  • All other ICMPv6 → NORMAL
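The four tables from slides 8 to 12, written out as ovs-ofctl flow rules in an added shell example (not the presentation's own hook script). Assumptions: the VM's OVS port number, MAC, IPv4 and IPv6 address are passed in by the start hook, one known uplink port leads to the gateway, per-VM flows carry the port number as cookie so the shutdown hook can delete them in one command, and non-ICMPv6 IPv6 frames with the VM's own source address are treated like IPv4 under "non-spoofed IP → NORMAL".

```shell
#!/bin/sh
# Added example, not the presentation's hook script: emit ovs-ofctl flows for
# tables 0-3 as described on the slides, for one VM.
# Inputs (assumed): OVS port number, MAC, IPv4 and IPv6 address of the VM.
# table0: correct MAC -> table1, any other frame from the port -> drop
# table1: own ARP -> table2; DHCP/DHCPv6 server ports -> drop; own ICMPv6 and
#         NS from :: (DAD) -> table3; own IP -> NORMAL; rest -> drop
# table2: ARP request for this VM's IP goes straight to its port
# table3: NA announcing this VM's own address is allowed
vm_flows() {
  port=$1 mac=$2 ip4=$3 ip6=$4
  cat <<EOF
cookie=$port,table=0,priority=100,in_port=$port,dl_src=$mac,actions=resubmit(,1)
cookie=$port,table=0,priority=90,in_port=$port,actions=drop
cookie=$port,table=1,priority=100,in_port=$port,arp,arp_spa=$ip4,arp_sha=$mac,actions=resubmit(,2)
cookie=$port,table=1,priority=90,in_port=$port,udp,tp_src=67,actions=drop
cookie=$port,table=1,priority=90,in_port=$port,udp6,tp_src=547,actions=drop
cookie=$port,table=1,priority=80,in_port=$port,icmp6,ipv6_src=$ip6,actions=resubmit(,3)
cookie=$port,table=1,priority=80,in_port=$port,icmp6,icmp_type=135,ipv6_src=::,actions=resubmit(,3)
cookie=$port,table=1,priority=70,in_port=$port,ip,nw_src=$ip4,actions=NORMAL
cookie=$port,table=1,priority=70,in_port=$port,ipv6,ipv6_src=$ip6,actions=NORMAL
cookie=$port,table=1,priority=0,in_port=$port,actions=drop
cookie=$port,table=2,priority=100,arp,arp_op=1,arp_tpa=$ip4,actions=output:$port
cookie=$port,table=3,priority=90,in_port=$port,icmp6,icmp_type=136,nd_target=$ip6,actions=NORMAL
EOF
}
# Rules installed once per bridge; $1 is the uplink port toward the gateway.
# table0: ARP not already handled per VM -> table2, everything else NORMAL
# table2: unknown ARP request from uplink -> drop, from a VM -> uplink only
# table3: Router Advertisement, unmatched NA and Redirect -> drop
shared_flows() {
  uplink=$1
  cat <<EOF
table=0,priority=50,arp,actions=resubmit(,2)
table=0,priority=0,actions=NORMAL
table=2,priority=50,in_port=$uplink,arp,arp_op=1,actions=drop
table=2,priority=40,arp,arp_op=1,actions=output:$uplink
table=2,priority=0,actions=NORMAL
table=3,priority=100,icmp6,icmp_type=134,actions=drop
table=3,priority=80,icmp6,icmp_type=136,actions=drop
table=3,priority=80,icmp6,icmp_type=137,actions=drop
table=3,priority=0,actions=NORMAL
EOF
}
# Start hook for a constructed VM on port 7 (bridge name br0 assumed):
#   vm_flows 7 52:54:00:aa:bb:cc 10.0.0.7 fd00::7 | while read -r f; do ovs-ofctl add-flow br0 "$f"; done
# Shutdown hook removes all of that VM's flows by cookie:
#   ovs-ofctl del-flows br0 "cookie=7/-1"
```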

  13. Conclusion & Future Work
  Conclusion
  • Optimized script creating and deleting VMs
  • Hook scripts install and delete OpenFlow rules
  • Network safe against spoofing attacks
  • Simple DHCP protection
  • ARP optimization to reduce CPU load
  Future Work
  • Protection against network overload
  • Protection against CPU overload caused by sending broadcasts
    • → dependent rate limiting
