securing network traffic tunneled over kernel managed tcp
play

Securing Network Traffic Tunneled Over Kernel managed TCP/UDP - PowerPoint PPT Presentation

Oct 09, 2023 •257 likes •628 views

Securing Network Traffic Tunneled Over Kernel managed TCP/UDP sockets Sowmini Varadhan(sowmini.varadhan@oracle.com) Agenda What problem are we trying to solve? Privacy, integrity protection, authentication of traffic that gets tunneled

  1. Securing Network Traffic Tunneled Over Kernel managed TCP/UDP sockets Sowmini Varadhan(sowmini.varadhan@oracle.com)

  2. Agenda • What problem are we trying to solve? – Privacy, integrity protection, authentication of traffic that gets tunneled over kernel managed TCP and UDP sockets • Options at socket layer: TLS, DTLS – Pros and cons • Options at the IP layer: IPsec – Pros and cons • Ongoing and future work Linuxcon North America 2016, Toronto, Canada

  3. What problem are we trying to solve? • Security for kernel-managed TCP and UDP sockets – VXLAN, GUE, Geneve, and other NVO3 solutions – RDS-TCP, KCM: Application traffic sent over PF_RDS/PF_KCM socket, which gets tunnelled over TCP in the kernel • Security, with reasonable performance – Crypto has an unavoidable cost, but the rest of the perf should be streamlined • Security, without regressing on Failover requirements for Cluster/HA Linuxcon North America 2016, Toronto, Canada

  4. Typical model for kernel TCP/UDP sockets • Application data from sender: can come from Virtual Machine, DB application, HTTP/2.. • Typically gets encapsulated in some protocol specific header (VXLAN, GUE, Geneve, RDS) that tracks control plane state (Tenant ID, VNI, OVS state, RDS port numbers..) • Tunneled in the kernel over a UDP/TCP socket • Receiver parses control plane header and delivers to the appropriate sender (tenant VM, DB application) Linuxcon North America 2016, Toronto, Canada

  5. Privacy and Security Concerns • Traffic tunneled over kernel sockets goes out in the clear today. • As we scale multi-tenant Cloud environments, we have multiple tenants sharing the same physical infrastructure • Attack vectors that need to be considered: – Protecting tenant payload and tunneling protocol header ( privacy, integrity protection, authentication) – Protecting the control plane (TCP/IP, for RDS-TCP and KCM) Linuxcon North America 2016, Toronto, Canada

  6. Privacy for tenant traffic • Traffic that can traverse long internet paths: attackers should not be able to snoop/impersonate end-points – encrypt tenant data using encryption parameters that have been securely installed on both end-points after appropriate authentication. • Typical solution to provide this is by using TLS/DTLS at the socket layer • TLS has some attractive properties – Per-user authentication – Implemented at the application level, not the kernel. So easier support in multiple environments • But there are some issues with using TLS/DTLS with kernel sockets Linuxcon North America 2016, Toronto, Canada

  7. Challenges to using TLS/DTLS with RDS-TCP • Cannot use DTLS/TLS directly on new socket types like PF_RDS and PF_KCM. • No TLS in the kernel • TLS is a complex protocol- handshake and control-plane is complex • Can we move the TLS control-plane (including Handshake) to user-space, and just use the TLS negotiated keys for encryption in the kernel? – Attempted by Netflix for acceleration of encrypted sendfile () – Basis of recent kTLS RFC Linuxcon North America 2016, Toronto, Canada

  8. Netflix/OCA • Improve sendfile() throughput of encrypted data for the Netflix OpenConnect Appliance – https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf • Traditional implementation: web-server gets client request for object on disk, retrieves object into a local buffer, encrypts/sends over TLS on network. • Netflix optimization: when the client request comes in, issue sendfile() call on the file descriptor and socket descriptor: data would then never leave kernel address space. Linuxcon North America 2016, Toronto, Canada

  9. Netflix/OCA: TLS based encryption in kernel • Kernel needs to encrypt the data before sending it out on the socket to the network • Netflix model: TLS session parameters are negotiated in user-space, and pushed down via socket options to the kernel – TLS session management in user-space – Encryption in kernel • Primary goal is to provide faster encryption, not full support for a kernel TLS. Linuxcon North America 2016, Toronto, Canada

  10. Netflix/OCA: TLS customizations • Netflix/OCA ran into many questions when implementing this proposal – Encrypted messages like “Finished” can arrive before CCS has been processed, and keys are in place, so kernel data plane may end up having to buffer a lot of data – How will the kernel handle re-keying? – “..when you consider .. that messages in the TCP stream may arrive out of order, adding TLS for both sending and receiving adds a lot of complexity to the kernel” [Netflix/OCA] • Netflix/OCA proposal only implements sender side of TLS, since it is primarily interested in accelerating sendfile() Linuxcon North America 2016, Toronto, Canada

  11. Netflix/OCA results • The Netflix/OCA finds that the performance improvements were not that significant for BSD • Even if a Linux implementation could achieve better perf, the issues identified in the OCA experiment remain – Splitting the protocol into a control plane and a data plane is not what TLS intends, and such a split will result in new forms of asynchronicity. • For securing kernel TCP/UDP sockets, we want a complete security solution. Linuxcon North America 2016, Toronto, Canada

  12. HA/Failover in the split TLS model • CCS, Re-keying etc: Control plane changes state, data-plane needs to be correctly synchronized with that change. • HA/failover: data-plane can restart. Control plane needs to be in tandem with that. Examples: – Address/service migration for TCP connection, RDS-TCP module restart – RDS resets connection because it detects spurious headers or other compromise. Linuxcon North America 2016, Toronto, Canada

  13. Protecting from TCP attacks • TLS only secures the application data. • TCP connection is still exposed and vulnerable to RST attacks, sequence number attacks • Attacks to TCP throw off the state machine in RDS- TCP reassembly. – Sender depends on TCP ack# to determine when it can take a dgram off the resend queue. Bogus sequence number reinjection is not acceptable. • HA: when the RDS-TCP connection breaks, we try to re-connect today. If reconnecting, we should restart authentication, and preferably re-key. Linuxcon North America 2016, Toronto, Canada

  14. Alternatives to TLS? • TLS encrypts/authenticates at the socket layer • Alternative to TLS: IPsec • IPsec encrypts/authenticates at the IP layer – Fully integrated into the Linux kernel – Mature implementation; Interfaces between key management and kernel are well-understood. . Linuxcon North America 2016, Toronto, Canada

  15. What is IPsec? • IP Security • Suite of protocols for encryption (adding a “ESP” header) and Authentication (adding a “AUTH” header) • ESP/AH are each applied to a “Security Association” (SA) that is pushed to kernel from user-space. – SA is defined by Admin. – Parameters: IP endpoint addresses, ports, IP protocol. Ports, protocol can be wild-cards – MAY be a TCP/UDP 4-tuple • IKE (Internet Key Exchange) protocol for establishing keys (using pre-shared key, CA etc) from user-space Linuxcon North America 2016, Toronto, Canada

  16. IPsec encryption with ESP • Encrypts data (either TCP/UDP payload for transport mode, or IP packet for tunnel mode) – Confidentiality, data-origin authentication, integrity, anti-replay service. • Adds an ESP header with an “Security Parameter Index” (SPI) and sequence number – SPI uniquely identifies a “Security Assocation” (SA) for which the security parameters (keys, crypto algo etc) are defined. Thus SPI essentially identifies a flow for IPsec – Sequence number is used to protect against replay attacks • Adds an ESP trailer which contains the “original protocol” of the data that was encrypted. Linuxcon North America 2016, Toronto, Canada

  17. IPsec encryption with ESP • Encrypts data (either TCP/UDP payload for transport mode, or IP packet for tunnel mode) – Confidentiality, data-origin authentication, integrity, anti-replay service. • Adds an ESP header with an “Security Parameter Index” (SPI) and sequence number – SPI uniquely identifies a “Security Assocation” (SA) for which the security parameters (keys, crypto algo etc) are defined. Thus SPI essentially identifies a flow for IPsec – Sequence number is used to protect against replay attacks • Adds an ESP trailer which contains the “original protocol” of the data that was encrypted. Linuxcon North America 2016, Toronto, Canada

  18. IPsec Transport vs Tunnel mode • IPsec Transport mode: ESP/AH transforms apply to L4 (TCP or UDP) header and payload. – Protects TCP header – L3/routing information is not modified – Typically used for host-host IPsec • IPsec tunnel mode: IP packet is encapsulated inside another IP packet. The IPsec transforms are applied to the inner (original) IP packet. – Protects IP and TCP header of the original packet – Typically used for VPNs – Routing information MAY be modified • For Cloud/Cluster solutions IPsec Transport mode is sufficient as we do not wish to modify routing information. Linuxcon North America 2016, Toronto, Canada

Recommend

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra |

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra |

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra | Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef Outline Introduction Approach Research Results Conclusion

740 views • 19 slides
Migration to All-IP Networks Huw Saunders Director of Network Infrastructure, Ofcom Traffic

Migration to All-IP Networks Huw Saunders Director of Network Infrastructure, Ofcom Traffic

Migration to All-IP Networks Huw Saunders Director of Network Infrastructure, Ofcom Traffic Systems Group February 2020 PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM PSTN switch off - recap Incumbent telephone

679 views • 10 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark traffic flows - Police and shape traffic - Apply priority (managed scheduling) 1 Open-Loop Control / QoS Model Network performance is guaranteed to

408 views • 24 slides
Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th

Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th

Behavioural Network Traffic Analytics for Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th International Workshop on 5G Architecture (5GARCH) Presenter: Dr. Stavros Papadopoulos Post-doctoral research

426 views • 23 slides
Thank You for Joining Us! We Will Begin Shortly Tunneled Catheter Avoidance- Seven Simple

Thank You for Joining Us! We Will Begin Shortly Tunneled Catheter Avoidance- Seven Simple

Thank You for Joining Us! We Will Begin Shortly Tunneled Catheter Avoidance- Seven Simple Strategies Anil Agarwal, MD, FASN, FNKF, FACP Professor of Clinical Medicine Director, Interventional Nephrology Chief, Section of Nephrology at

471 views • 28 slides
IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Control/Management (configuration) telnet/ftp: ssh, http: https , mail: PGP Network

1.4k views • 26 slides
Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC NEIGHBOURHOODS? Part of the response to the damage motor traffic causes road casualties, air quality, community, public health and active

257 views • 13 slides
1 Evolution of Managed Care Types of Network Based Managed Care Programs Indemnity

1 Evolution of Managed Care Types of Network Based Managed Care Programs Indemnity

Evolving Payor Cost Containment Strategies And How to Respond Presented to Hometown Health 2016 Elizabeth A. Spoto, CEO Spoto & Associates, LLC Evolution of Managed Care Historical Milestones In Managed Care 1929 Baylor started

271 views • 12 slides
Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction Youve just invented the greatest protocol does everything including tying your shoelaces. What now? Need to know how it performs. Is it

510 views • 13 slides
Network traffic characterization A historical perspective 1 Incoming AT&T traffic by port

Network traffic characterization A historical perspective 1 Incoming AT&T traffic by port

Network traffic characterization A historical perspective 1 Incoming AT&T traffic by port (18 hours of traffic to AT&T dial clients on July 22, 1997) N a m e port % bytes % packets bytes per packet w o r l d - w i d e

425 views • 31 slides
Securing the Tor Network Mike Perry Black Hat USA 2007 Defcon 2007 What is Tor? Volunteer

Securing the Tor Network Mike Perry Black Hat USA 2007 Defcon 2007 What is Tor? Volunteer

Securing the Tor Network Mike Perry Black Hat USA 2007 Defcon 2007 What is Tor? Volunteer run relay network designed for privacy, anonymity, and censorship resistance. Tor relays TCP connections (streams) Multiplexed on

225 views • 20 slides
Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Network communication Who are you talking to?

636 views • 35 slides
S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada Gavrilovska Georgia Institute of Technology Network Function Virtualization (NFV) Virtualized Network Functions (VNFs) NAT IDS Web Caching VNF NF OS

542 views • 16 slides
Skydive An analyzer for network topology and traffic Sylvain Baubeau Sylvain Afchain Skydive

Skydive An analyzer for network topology and traffic Sylvain Baubeau Sylvain Afchain Skydive

Skydive An analyzer for network topology and traffic Sylvain Baubeau Sylvain Afchain Skydive goals Topology exploration and visualization Network traffic capture Make network troubleshooting easier SDN agnostic Real-time

704 views • 10 slides
A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut

A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut

A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut Burchard University of Toronto Performance Analysis of Multihop Wireless Network z Cross traffic Cross traffic Cross traffic Through traffic n

659 views • 26 slides
Visualizing Network Traffic with Wireshark TROUBLESHOOTING WITH THE I/O GRAPH Chris Greer

Visualizing Network Traffic with Wireshark TROUBLESHOOTING WITH THE I/O GRAPH Chris Greer

Visualizing Network Traffic with Wireshark TROUBLESHOOTING WITH THE I/O GRAPH Chris Greer NETWORK ANALYST @packetpioneer www.packetpioneer.com Why So Important? James Packets can be very detailed Network Engineer Visualizing Traffic

221 views • 11 slides
The Biodiversity & Ecosystem Services Network What is BES-Net? A UNDP-managed capacity

The Biodiversity & Ecosystem Services Network What is BES-Net? A UNDP-managed capacity

The Biodiversity & Ecosystem Services Network What is BES-Net? A UNDP-managed capacity sharing Network of Networks of 85 organisa>ons Promo>ng dialogue between science, policy and prac>ce & build capacity for more

391 views • 9 slides
Securing Internet Communication: TLS, contd Network security CS 161: Computer Security Prof.

Securing Internet Communication: TLS, contd Network security CS 161: Computer Security Prof.

Securing Internet Communication: TLS, contd Network security CS 161: Computer Security Prof. Raluca Ada Popa Feb 27, 2018 Some slides credit David Wagner Announcements Midterm grades released Regrades: Read the follow-ups on the

1.75k views • 156 slides
Deep-Q: Traffic-driven QoS Inference using Deep Generative Network Shihan Xiao , Dongdong He,

Deep-Q: Traffic-driven QoS Inference using Deep Generative Network Shihan Xiao , Dongdong He,

Deep-Q: Traffic-driven QoS Inference using Deep Generative Network Shihan Xiao , Dongdong He, Zhibo Gong Network Technology Lab, Huawei Technologies Co., Ltd., Beijing, China 1 Background What is a QoS Model? Traffic D elay, jitter, packet

464 views • 27 slides
BES-Net Presentation 1 WHAT IS BES-NET? A UNDP- managed capacity sharing Network of

BES-Net Presentation 1 WHAT IS BES-NET? A UNDP- managed capacity sharing Network of

Entebbe, Uganda 7 th -9 th November 2017 Regional Bio-Bridge Initiative Round Table for Africa BES-Net Presentation 1 WHAT IS BES-NET? A UNDP- managed capacity sharing Network of Networks promoting dialogue between science, policy

652 views • 8 slides

More recommend