virtual xfrm interfaces
play

Virtual xfrm interfaces Steffen Klassert secunet Security Networks - PowerPoint PPT Presentation

Oct 29, 2022 •344 likes •628 views

Virtual xfrm interfaces Virtual xfrm interfaces Steffen Klassert secunet Security Networks AG Dresden Linux IPsec Workshop, Dresden, March 26, 2018 Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces

  1. Virtual xfrm interfaces Virtual xfrm interfaces Steffen Klassert secunet Security Networks AG Dresden Linux IPsec Workshop, Dresden, March 26, 2018

  2. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  3. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  4. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  5. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  6. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  7. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  8. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  9. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  10. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  11. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  12. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

  13. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

  14. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

  15. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

Recommend

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

4/1/2018 Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions 2A. OS Services, Layers and Mechanisms processes, threads, virtual machines 2B. Service Interfaces virtual address spaces, shared

134 views • 10 slides
Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization

Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization

Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization Computer system architecture Process virtual machines System virtual machines 1 EECS 768 Virtual Machines Abstraction Mechanism to

704 views • 31 slides
CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When, Why, How? What: Code Structure used to express operations that multiple class have in common No method implementations No fields

611 views • 12 slides
Input Devices: Trackers, Navigation and Gesture Interfaces Input Devices What is Virtual

Input Devices: Trackers, Navigation and Gesture Interfaces Input Devices What is Virtual

Input Devices: Trackers, Navigation and Gesture Interfaces Input Devices What is Virtual Reality? A high-end user interface that involves real-time simulation and interaction through multiple sensorial channels. (vision, sound, touch,

1.61k views • 83 slides
Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr.

Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr.

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr. Marc-Oliver Pahl, Stefan Liebald Supervisor: Prof.

535 views • 9 slides
Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

4/5/2017 Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions 2A. OS Services, Layers and Mechanisms processes, threads, virtual machines 2B. Service Interfcaes virtual address spaces, shared

100 views • 7 slides
WiFi and Multiple Interfaces: Adequate for Virtual Reality? Huanle Zhang*, Ahmed Elmokashfi # ,

WiFi and Multiple Interfaces: Adequate for Virtual Reality? Huanle Zhang*, Ahmed Elmokashfi # ,

WiFi and Multiple Interfaces: Adequate for Virtual Reality? Huanle Zhang*, Ahmed Elmokashfi # , and Prasant Mohapatra* # Simula Metropolitan Center for Digital Engineering * University of California, Davis USA Norway Presented by: Jansen

443 views • 16 slides
3D User Interfaces Advisor: Michael Jenkin By: Elliott Tsai 2009 Apr. 27 New Directions in 3D

3D User Interfaces Advisor: Michael Jenkin By: Elliott Tsai 2009 Apr. 27 New Directions in 3D

Topics in Virtual Reality 3D User Interfaces Advisor: Michael Jenkin By: Elliott Tsai 2009 Apr. 27 New Directions in 3D UIs Few fundamentally new techniques and metaphors for 3D interaction have been discovered in recent years In Virtual

431 views • 26 slides
T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces

T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces

T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces I prefer Agassiz in the abstract, rather than in the concrete. CS 307 Fundamentals of CS 307 Fundamentals of 1 2 Computer Science

325 views • 10 slides
3D U 3D User Interfaces I t f and Augmented Reality Augmented Reality Applications

3D U 3D User Interfaces I t f and Augmented Reality Augmented Reality Applications

3D U 3D User Interfaces I t f and Augmented Reality Augmented Reality Applications Mechanical CAD 3D Animation Virtual Environments Virtual Environments Scientific Visualization Mechanical CAD Component design

546 views • 36 slides
Interfaces Interfaces interface : A list of methods that a class promises to implement.

Interfaces Interfaces interface : A list of methods that a class promises to implement.

Interfaces Interfaces interface : A list of methods that a class promises to implement. Interfaces give you an is-a relationship without code sharing. Only method stubs in the interface Allows object with no common ancestor to act

268 views • 13 slides
Interfaces Interfaces n interface : A list of methods that a class promises to implement. q

Interfaces Interfaces n interface : A list of methods that a class promises to implement. q

10/21/12 Interfaces Interfaces n interface : A list of methods that a class promises to implement. q Interfaces give you an is-a relationship without code sharing. Only method stubs in the interface n Allows object with no common

420 views • 7 slides
CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including underlying UI architecture and algorithms, practice implementing UIs using frameworks, and theories and methods relevant to interface design.

378 views • 23 slides
CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including underlying UI architecture and algorithms, practice implementing UIs using frameworks, and theories and methods relevant to interface design.

603 views • 24 slides
CS 349: User Interfaces This course focuses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focuses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focuses on creating user interfaces (UIs), including underlying UI architecture and algorithms, practice implementing UIs using frameworks, and theories and methods relevant to interface design.

600 views • 20 slides
SVG for Automotive User SVG for Automotive User Interfaces Interfaces S. Boisgrault, Mines

SVG for Automotive User SVG for Automotive User Interfaces Interfaces S. Boisgrault, Mines

SVG for Automotive User SVG for Automotive User Interfaces Interfaces S. Boisgrault, Mines ParisTech M. Othman Abdallah, Mines ParisTech J.-M. Temmos, Visteon Introduction HMI: human-machine interfaces Design of HMI displays for car

427 views • 24 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for

HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for

HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for Multi-Processor SoC for Multi-Processor SoC Dr. Ahmed Amine JERRAYA TIMA Laboratory 46 Avenue Felix Viallet 38031 Grenoble Cedex France Tel: +33 476 57 47

634 views • 36 slides
Topics in Brain Computer Interfaces Topics in Brain Computer Interfaces CS295- -7 7 CS295

Topics in Brain Computer Interfaces Topics in Brain Computer Interfaces CS295- -7 7 CS295

Topics in Brain Computer Interfaces Topics in Brain Computer Interfaces CS295- -7 7 CS295 Professor: M ICHAEL B LACK TA: F RANK W OOD Spring 2005 Automated Spike Sorting Frank Wood - fwood@cs.brown.edu Today Particle Filter Homework

718 views • 36 slides
Evaluating User Interfaces Evaluating User Interfaces Lecture slides modified from Eileen

Evaluating User Interfaces Evaluating User Interfaces Lecture slides modified from Eileen

Evaluating User Interfaces Evaluating User Interfaces Lecture slides modified from Eileen Kraemers HCI teaching material Department of Computer Science University of Georgia Outline The Role of Evaluation Usage Data: Observations,

1.29k views • 100 slides
FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a stable, performant hypervisor Network isolation is not core to bhyve(4) today Use of VNET(9) for manipulating FIBS for tap(4) interfaces is

445 views • 18 slides
Touchless Interfaces Managing sensor data Design considerations In-air and speech interfaces

Touchless Interfaces Managing sensor data Design considerations In-air and speech interfaces

Touchless Interfaces Managing sensor data Design considerations In-air and speech interfaces Sources Sensor and Recognition Based Input for Interaction, Human-Computer Interaction Handbook (Wilson, 2012) Designing SpeechActs:

384 views • 36 slides
Abstract classes, Interfaces & Comparators See also Java Precisely, section Classes

Abstract classes, Interfaces & Comparators See also Java Precisely, section Classes

Abstract classes, Interfaces & Comparators See also Java Precisely, section Classes and Interfaces Read more about Java interfaces here: http://docs.oracle.com/javase/tutorial/java/ concepts/interface.html This lecture

391 views • 20 slides
System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci & Eng U of South Florida

System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci & Eng U of South Florida

System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci & Eng U of South Florida 1 Basic Elements of HW/SW Interfaces 1. On-chip communica>on fabrics, ex. buses 2 Memory Mapped Interfaces To resolve simultaneous writes

722 views • 25 slides

More recommend