svlan secure scalable network virtualization
play

SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, - PowerPoint PPT Presentation

Mar 17, 2024 •373 likes •679 views

SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, Taeho Lee, Claude Hhni, Adrian Perrig ETH Zrich, Network Security Group Jonghoon Kwon, Ph.D | | 25.02.2020 1 Current Inter-domain Network Virtualization: VLAN PM PM PM

  1. SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, Taeho Lee, Claude Hähni, Adrian Perrig ETH Zürich, Network Security Group Jonghoon Kwon, Ph.D | | 25.02.2020 1

  2. Current Inter-domain Network Virtualization: VLAN PM PM PM PM Internet ETH | VLAN | IP | Data VID 101 VID 102 Virtual LAN (IEEE 802.1q) Layer-2 bridging Supporting apx. 4 K virtual networks with a 12-bit VID value Jonghoon Kwon, Ph.D | | 25.02.2020 2

  3. Current Inter-domain Network Virtualization: VXLAN Core Network Hypervisor Edge Network VM VM Hypervisor VM VM ETH | IP | Data VTEP ETH | IP | Data VTEP Internet VXLAN tunnel Outer ETH | Outer IP | Outer UDP | VXLAN | ETH | IP | Data VNI 1001 VNI 1002 Virtual eXtensible LAN Supporting 16 M virtual networks with a 24-bit VNI value Interconnecting layer-2 networks over an underlying layer-3 network Jonghoon Kwon, Ph.D | | 25.02.2020 3

  4. Adversarial Model and Desired Properties Security Compromise Network Isolation Scalability Disrupt Virtual Network Flexibility Jonghoon Kwon, Ph.D | | 25.02.2020 4

  5. VXLAN: Insufficient Security Trusted Core Network Hypervisor Trusted Edge Network VM VM Hypervisor VM VM VTEP Outer ETH | Outer IP | Outer UDP | VXLAN | ETH | IP | Data Untrusted VTEP Internet Attackers may manipulate VNIs and forward malicious traffic Jonghoon Kwon, Ph.D | | 25.02.2020 5

  6. VXLAN: Scalability Constraints Core Network Hypervisor Edge Network VM VM VM VM VM VM Hypervisor VM VM VM VM VM VTEP VTEP Internet Jonghoon Kwon, Ph.D | | 25.02.2020 6

  7. VXLAN: Insufficient Flexibility Core Network Hypervisor Edge Network VM VM Hypervisor VM VM VTEP VTEP Internet Jonghoon Kwon, Ph.D | | 25.02.2020 7

  8. VXLAN: Insufficient Flexibility Core Network Hypervisor Edge Network VM VM Hypervisor VM VM VTEP VTEP Internet Jonghoon Kwon, Ph.D | | 25.02.2020 8

  9. Challenges and Countermeasures Intra-domain network slicing Intra-domain Properties (Destination-driven connectivity) • Host-level granularity • Application-level granularity • Limited number of VNI • Unlimited virtual group • Frequent VNI update • Centralized management Verifiable Inter-domain routing Inter-domain Properties (Packet-carrying forwarding state) • Insecure overlay tunneling • Crypto-based protection • ARP broadcast • Separation of control & data plane • State routing • Stateless routing Jonghoon Kwon, Ph.D | | 25.02.2020 9

  10. Our Vision on Secure and Scalable Network Virtualization Edge network Core network Mobile Slice Untrusted Network Untrusted Network IoT Slice Mission critical Slice Jonghoon Kwon, Ph.D | | 25.02.2020 10

  11. SVLAN (Secure & Scalable Virtual LAN) Overview Receiver Sender Hypervisor Authorization Delegate Hypervisor VM VM VM VM SVTEP SVTEP SVLAN tunnel Verifier Jonghoon Kwon, Ph.D | | 25.02.2020 11

  12. Express Receiver’s Consent Receiving Policy Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Jonghoon Kwon, Ph.D | | 25.02.2020 12

  13. Acquiring Receiver’s Consent Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Authorization request Jonghoon Kwon, Ph.D | | 25.02.2020 13

  14. Acquiring Receiver’s Consent Authorization Proof Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Path Segments + Authorization Proof Jonghoon Kwon, Ph.D | | 25.02.2020 14

  15. SVLAN Packet Forwarding Receiver Sender Hypervisor Hypervisor VM VM Path Segment + VM VM Authorization Proof + SVTEP SVTEP Data Jonghoon Kwon, Ph.D | | 25.02.2020 15

  16. Verifying the Validity of Packets Receiver Sender Hypervisor Hypervisor VM VM Path Segment + VM VM Authorization Proof + SVTEP SVTEP Data Jonghoon Kwon, Ph.D | | 25.02.2020 16

  17. Proof-of-Concept Implementation in SCIONLab SCIONLab: Global Future Internet Testbed Secure and fine-grained inter-domain segment routing Testbed distributed across the world https://github.com/scionproto/scion https://www.scionlab.org Jonghoon Kwon, Ph.D | | 25.02.2020 17

  18. Cracking the Authorization Proof is Impractical Brute-force attack would require 60000 years on 100 Gbps line to break 64-bit MAC Jonghoon Kwon, Ph.D | | 25.02.2020 18

  19. No Significant Bandwidth Overhead § SR-MPLS § 36 bytes of additional header § 12 bytes of MPLS labels (three labels) § 24 bytes of proof § SCION § 60 bytes of additional header § 24 bytes of forwarding paths (three labels) § 32 bytes of extra header Jonghoon Kwon, Ph.D | | 25.02.2020 19

  20. Small Forwarding Performance Overhead iMIX profiles the proportion of packets of a certain size based on statistical sampling from actual Internet traces Jonghoon Kwon, Ph.D | | 25.02.2020 20

  21. Latency Inflation Measurements in Cloud Authorization Delegate Sender Receiver 14 Amazon EC2 instances Select 3 instances as the sender, receiver, and authorization delegate Measure the latency for TTFP (Time to First Packet) Jonghoon Kwon, Ph.D | | 25.02.2020 21

  22. Latency Inflation with AD on Amazon Cloud < 75% of latency inflation Jonghoon Kwon, Ph.D | | 25.02.2020 22

  23. Large-scale Simulation Jonghoon Kwon, Ph.D | | 25.02.2020 23

  24. SVLAN, Expected Benefits § Flexible network management § Highly scalable network virtualization § Receiving policy at different granularity § Unlimited number of VNI § Easy update for virtual network § Stateless VTEP § Reducing network overhead § Secure isolation from unwanted traffic § No ARP flooding § Only authorized packets get forwarded § Negligible latency influence § Adversaries cannot impersonate authorized senders Jonghoon Kwon, Ph.D | | 25.02.2020 24

  25. Thank you! SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, Taeho Lee, Claude Hähni, Adrian Perrig (jong.kwon@inf.ethz.ch) ETH Zurich Network Security Group Universitätstrasse 6 8092 Zürich https://netsec.ethz.ch

  26. Backup Slides First name Surname (edit via “Insert” > “Header & Footer”) | | 1.12.2014 26

  27. Implementation Example SVLAN header format on SCION Jonghoon Kwon, Ph.D | | 25.02.2020 27

  28. Practical Consideration Location of Authorization Delegates Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Receiver’s AS Third party entity (Cloud) Jonghoon Kwon, Ph.D | | 25.02.2020 28

  29. Practical Consideration Location of Verifiers Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Receiver Receiver’s AS Sender’s AS Third party entity (Cloud) Jonghoon Kwon, Ph.D | | 25.02.2020 29

Recommend

Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network Support for multiple logical networks running on a common shared physical substrate A container of network services Aspects of the

589 views • 21 slides
Towards a Scalable SDN Virtualization Platform IFIP/IEEE SDNMO 2014 Zdravko Bozakov, Panagiotis

Towards a Scalable SDN Virtualization Platform IFIP/IEEE SDNMO 2014 Zdravko Bozakov, Panagiotis

Towards a Scalable SDN Virtualization Platform IFIP/IEEE SDNMO 2014 Zdravko Bozakov, Panagiotis Papadimitriou Leibniz Universitt Hannover, Germany Introduction Network virtualization in multi-tenant data-centers: Elastic provisioning

417 views • 30 slides
Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing

Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing

4/1/2013 Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing physical hardware or software resources by Share physical network resources to form multiple multiple users and/or use cases diverse virtual

511 views • 5 slides
&lt;virtualization&gt; Feedback-directed emulation IP address assignment Scalable

&lt;virtualization&gt; Feedback-directed emulation IP address assignment Scalable

Emulab: Network Testbed Large-scale Virtualization in the Emulab Network Testbed Mike Hibler, Robert Ricci, Leigh Stoller, Jonathon Duerig, Shashi Guruprasad, Tim Stack, Kirk Webb, Jay Lepreau 2 The Basic Idea: Whats Wrong? Use

298 views • 7 slides
Secure Scalable CCT Secure Scalable CCTV, Mobile, and W Mobile, and Wearable earable Video F

Secure Scalable CCT Secure Scalable CCTV, Mobile, and W Mobile, and Wearable earable Video F

WSB-2017 17 J January 2 2017 17 Secure Scalable CCT Secure Scalable CCTV, Mobile, and W Mobile, and Wearable earable Video F Video Face R ce Recognition cognition Brian Lo Brian Lovell ll The Univer The Univ ersity of Queensland

784 views • 62 slides
The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data

The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data

The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data Services Josh Howlett &amp; Nick Skelton Information Services, University of Bristol TNC 2003 Background 1999-2000: new technologies

1.22k views • 52 slides
EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong Liao Dong Yin Lixin Gao Yong Liao, Dong Yin, Lixin Gao Univ. of Massachusetts, Amherst Network Virtualization Platform Network Virtualization

367 views • 17 slides
Network Virtualization Problem Statement draft-shin-virtualization-meta-arch-01.txt Sangjin

Network Virtualization Problem Statement draft-shin-virtualization-meta-arch-01.txt Sangjin

Network Virtualization Problem Statement draft-shin-virtualization-meta-arch-01.txt Sangjin Jeong(ETRI), Myung-Ki Shin (ETRI) Takashi Egawa (NEC), Hideki Otsuki (NICT) March 23, 2010 Virtual Network RG meeting @ IETF77 Objective Discuss

628 views • 9 slides
Virtualization Virtualization Memory virtualization Process feels like it has its own

Virtualization Virtualization Memory virtualization Process feels like it has its own

4/25/08 Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine External

441 views • 8 slides
High-performance Network Accommodation and Intra-slice Switching Using a Type of Virtualization

High-performance Network Accommodation and Intra-slice Switching Using a Type of Virtualization

High-performance Network Accommodation and Intra-slice Switching Using a Type of Virtualization Node Yasusi Kanada &amp; Kei Shiraishi, Hitachi, Ltd. Akihiro Nakao, University of Tokyo Introduction We developed a network-virtualization

174 views • 13 slides
Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This simulated environment is called a virtual machine --Wikipedia 2 Computer Systems Arch.

1.26k views • 26 slides
RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B.

RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B.

RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B. Taylor Bespoke Silicon Group University of Washington 1 Berkeleys Tethered Rocket core The host system provide support for: Rocket Core

1.24k views • 16 slides
Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt;

Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt;

Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt; libvirt: Background API for management of hypervisors Community (Red Hat, Fujitsu, Bull) Isolates apps from HV specific APIs Driver

608 views • 11 slides
CS244 Advanced Topics in Networking Lecture 9: SDN (2) Network Virtualization Nick McKeown

CS244 Advanced Topics in Networking Lecture 9: SDN (2) Network Virtualization Nick McKeown

CS244 Advanced Topics in Networking Lecture 9: SDN (2) Network Virtualization Nick McKeown Network Virtualization in Multi-tenant Datacenters, [ Teemu Koponen et al, 2014] Spring 2020 Context Teemu Koponen Early employee Nicira

485 views • 32 slides
When simplicity becomes complex On the road to a scalable and dynamic SURFnet7 network Terena

When simplicity becomes complex On the road to a scalable and dynamic SURFnet7 network Terena

When simplicity becomes complex On the road to a scalable and dynamic SURFnet7 network Terena Network Architects Workshop, Copenhagen Wouter Huisman What do we want from a network? Scalable Flexible Cost efficient Endusers

347 views • 31 slides
Finding the Optimal Reconfiguration for Network Function Virtualization Orchestration with

Finding the Optimal Reconfiguration for Network Function Virtualization Orchestration with

Finding the Optimal Reconfiguration for Network Function Virtualization Orchestration with Time-varied Workload Satyajit Padhy, Jerry Chou National Tsing Hua University The Third International Workshop on Systems and Network Telemetry and

725 views • 26 slides
Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel

Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel

Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel Computer Architecture Requirements and trade-offs at many levels Elegant mathematical structure Deep relationships to algorithm structure

691 views • 52 slides
AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica Tutorial 2 Virtual Machine Approaches Carve a Server into Many Virtual Machines Hosted Hypervisor-based Virtualization Virtualization App App

539 views • 18 slides
OpenFlow network virtualization with FlowVisor Research Project 2 Sebastian Dabkiewicz System

OpenFlow network virtualization with FlowVisor Research Project 2 Sebastian Dabkiewicz System

OpenFlow network virtualization with FlowVisor Research Project 2 Sebastian Dabkiewicz System and Network Engineering University of Amsterdam 17th October 2012 Sebastian Dabkiewicz OpenFlow network virtualization with FlowVisor 17th October

384 views • 25 slides
Network Functions Virtualization Bernardus A. Jansen, BSc MSc System and Network Engineering

Network Functions Virtualization Bernardus A. Jansen, BSc MSc System and Network Engineering

Network Functions Virtualization Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam bernardus.jansen@os3.nl February 5, 2018 B.A. Jansen, BSc (UvA) Network Functions Virtualization February 5, 2018 1 / 16

387 views • 19 slides
Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University

Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University

Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University of Tokyo 2012/11/27 1 OpenFlow SDN OpenFlow Controller Fixed Data Plane Fixed Control Plane (OpenFlow API) Flow Pattern Match

626 views • 23 slides
4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Distributed Systems Storage virtualization Logical view of disks connected to a machine

407 views • 3 slides
Virtualized ICN (vICN) Towards a Unified Network Virtualization Framework for ICN Experimentation

Virtualized ICN (vICN) Towards a Unified Network Virtualization Framework for ICN Experimentation

Virtualized ICN (vICN) Towards a Unified Network Virtualization Framework for ICN Experimentation M. Sardara*, L. Muscariello, J. Aug, M. Enguehard* , A. Compagno, G. Carofiglio September 28 th 2017 ACM ICN, Berlin *also with Telecom ParisTech

450 views • 15 slides
Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

PETS 2017 The 17th Privacy Enhancing T echnologies Symposium July 1821, 2017 Minneapolis, MN, USA Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur Rahaman 1 , Long Cheng 1 , Danfeng (Daphne)

650 views • 18 slides

More recommend