encrypting ovn tunnels with ipsec
play

Encrypting OVN tunnels with IPsec Qiuyu Xiao - PowerPoint PPT Presentation

Aug 08, 2023 •346 likes •692 views

Encrypting OVN tunnels with IPsec Qiuyu Xiao (qiuyu.xiao.qyx@gmail.com) Ben Pfaff (blp@ovn.org) Open Virtual Network (OVN) OVN provides a logical network abstraction on top of a physical network VM1 VM2 VM1 VM6 VM2 VM7 L-Switch VM6 VM7

  1. Encrypting OVN tunnels with IPsec Qiuyu Xiao (qiuyu.xiao.qyx@gmail.com) Ben Pfaff (blp@ovn.org)

  2. Open Virtual Network (OVN) OVN provides a logical network abstraction on top of a physical network VM1 VM2 VM1 VM6 VM2 VM7 L-Switch VM6 VM7 Hypervisor 1 Hypervisor 2 L-Router L-Switch L-Switch VM8 VM9 VM8 VM3 VM4 VM9 VM5 VM3 VM4 VM5 Physical Logical 1

  3. Open Virtual Network (OVN) VMs are oblivious to the physical network states VM1 VM2 VM1 VM6 VM2 VM7 L-Switch VM6 VM7 Hypervisor 1 Hypervisor 2 L-Router L-Switch L-Switch VM8 VM9 VM8 VM3 VM4 VM9 VM5 VM3 VM4 VM5 Physical Logical 2

  4. Open Virtual Network (OVN) Network appliances can be implemented and placed in VM1 VM2 the logical network L-Switch VM1 VM6 VM2 VM7 L-Firewall VM6 VM7 L-Router Hypervisor 1 Hypervisor 2 L-Switch L-LoadBalancer L-Switch VM8 VM9 VM8 VM3 VM4 VM9 VM5 VM3 VM4 VM5 Physical Logical 3

  5. OVN Tunnel Traffic Inner Inner Ethernet IP Payload Header Header VM1 VM6 VM2 VM7 Hypervisor 1 Hypervisor 2 VM8 VM3 VM9 VM4 VM5 4

  6. OVN Tunnel Traffic Outer Outer Outer Inner Inner Geneve Ethernet IP UDP Ethernet IP Payload Header Header Header Header Header Header VM1 VM6 VM2 VM7 Hypervisor 1 Hypervisor 2 VM8 VM3 VM9 VM4 VM5 4

  7. OVN Tunnel Traffic Outer Outer Outer Inner Inner Geneve Ethernet IP UDP Ethernet IP Payload Header Header Header Header Header Header VM1 VM6 VM2 VM7 Hypervisor 1 Hypervisor 2 VM8 VM3 VM9 VM4 VM5 4

  8. OVN Tunnel Traffic Outer Outer Outer Inner Inner Geneve Ethernet IP UDP Ethernet IP Payload Header Header Header Header Header Header VM1 VM6 VM2 VM7 Hypervisor 1 Hypervisor 2 VM8 VM3 VM9 VM4 VM5 4

  9. OVN Tunnel Traffic Inner Inner Ethernet IP Payload Header Header VM1 VM6 VM2 VM7 Hypervisor 1 Hypervisor 2 VM8 VM3 VM9 VM4 VM5 4

  10. The Needs for Tunnel Encryption • VMs compute and communicate sensitive data, e.g., financial and health data • Physical network devices (e.g., router, switch) cannot be trusted or might be compromised q Traffic across datacenters q Router misconfiguration q Attackers breaking into internal network q Phishing or social engineering attacks on administrators 5

  11. Encrypting Tunnel Traffic with IPsec Outer Outer Outer Inner Inner Geneve Ethernet IP UDP Ethernet IP Payload Header Header Header Header Header Header IPsec Encryption Outer Outer ESP Ethernet IP Header Header Header • Confidentiality • Integrity • Authenticity 6

  12. IPsec in Linux IKE protocol IKE daemon User space Kernel security policy security association ESP/AH protocol IPsec kernel stack 7

  13. IPsec in Linux IKE daemon IKE protocol IKE daemon • Authentication • Negotiates cryptographic algorithms User space • Generates keying material Kernel security policy security association ESP/AH protocol IPsec kernel stack 8

  14. IPsec in Linux IKE daemon IKE protocol IKE daemon • Authentication • Negotiates cryptographic algorithms User space • Generates keying material Kernel security policy • Installs security policy and security security association association ESP/AH protocol IPsec kernel stack 9

  15. IPsec in Linux IKE daemon IKE protocol IKE daemon • Authentication • Negotiates cryptographic algorithms User space • Generates keying material Kernel security policy • Installs security policy and security security association association ESP/AH protocol Which traffic to protect IPsec kernel stack 9

  16. IPsec in Linux IKE daemon IKE protocol IKE daemon • Authentication • Negotiates cryptographic algorithms User space • Generates keying material Kernel security policy • Installs security policy and security security association association ESP/AH protocol IPsec kernel stack How to protect the selected traffic 9

  17. IPsec in Linux IPsec kernel stack IKE protocol IKE daemon • Encryption and decryption • Checks integrity and authenticity User space Kernel security policy security association ESP/AH protocol IPsec kernel stack 10

  18. OVS IPsec Tunnel ovsdb ovs-monitor-ipsec IKE daemon User space Kernel IPsec kernel ovs datapath stack 11

  19. OVS IPsec Tunnel Configuring IPsec tunnel via ovsdb ovs-monitor-ipsec IKE daemon ovsdb User space • Using pre-shared key Kernel IPsec kernel ovs datapath stack For example: 12

  20. OVS IPsec Tunnel Configuring IPsec tunnel via ovsdb ovs-monitor-ipsec IKE daemon ovsdb User space • Using pre-shared key Kernel • Using self-signed certificate For example: IPsec kernel ovs datapath stack 13

  21. OVS IPsec Tunnel Configuring IPsec tunnel via ovsdb ovs-monitor-ipsec IKE daemon ovsdb User space • Using pre-shared key Kernel • Using self-signed certificate • Using CA-signed certificate For example: IPsec kernel ovs datapath stack 14

  22. OVS IPsec Tunnel Establishing IPsec tunnel ovsdb ovs-monitor-ipsec IKE daemon • ovs-monitor-ipsec configures IKE daemon User space Kernel security policy security association IPsec kernel ovs datapath stack 15

  23. OVS IPsec Tunnel Establishing IPsec tunnel ovsdb ovs-monitor-ipsec IKE daemon • ovs-monitor-ipsec configures IKE daemon User space Kernel • IKE daemon sets up security policy security policy and security association security association IPsec kernel ovs datapath stack 15

  24. OVS IPsec Tunnel Establishing IPsec tunnel ovsdb ovs-monitor-ipsec IKE daemon • ovs-monitor-ipsec configures IKE daemon User space Kernel • IKE daemon sets up security policy security policy and security association security association For example (geneve tunnel): IPsec kernel ovs datapath stack 15

  25. OVS IPsec Tunnel IPsec kernel stack ovsdb ovs-monitor-ipsec IKE daemon • Encryption and decryption • Checks integrity and authenticity User space Kernel unencrypted packet IPsec kernel ovs datapath stack encrypted packet 16

  26. OVN IPsec northbound db ovn-northd southbound db … ovn-controller ovn-controller ovsdb vswitchd ovsdb vswitchd Hypervisor 1 Hypervisor n 17

  27. OVN IPsec • In each hypervisor, configure ovsdb to use northbound db CA-signed certificate for authentication • Enable IPsec by configuring northbound ovn-northd database southbound db For example: … ovn-controller ovn-controller ovsdb vswitchd ovsdb vswitchd Hypervisor 1 Hypervisor n 17

  28. IPsec Evaluation • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC • iperf generates TCP stream (window size: 85KB), which is encrypted in a single core Throughput (Mbps) CPU Usage 10000 100% 9000 90% 8000 80% 7000 70% 6000 60% 5000 50% 4000 40% 3000 30% 2000 20% 1000 10% 0 0% aes256-sha256 aes-gcm no encryption aes256-sha256 aes-gcm no encryption Throughput (Mbps) iperf-client iperf-server 18

  29. IPsec Evaluation • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC • iperf generates TCP stream (window size: 85KB), which is encrypted in a single core Throughput (Mbps) CPU Usage 10000 100% 9000 90% 8000 80% 7000 70% 6000 60% 5000 50% 4000 40% 3000 30% 2000 20% 1000 10% 0 0% aes256-sha256 aes-gcm no encryption aes256-sha256 aes-gcm no encryption Throughput (Mbps) iperf-client iperf-server 18

  30. IPsec Evaluation • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC • iperf generates TCP stream (window size: 85KB), which is encrypted in a single core Throughput (Mbps) CPU Usage 10000 100% 9000 90% 8000 80% 7000 70% 6000 60% 5000 50% 4000 40% 3000 30% 2000 20% 1000 10% 0 0% aes256-sha256 aes-gcm no encryption aes256-sha256 aes-gcm no encryption Throughput (Mbps) iperf-client iperf-server 18

  31. IPsec Evaluation • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC • iperf generates TCP stream (window size: 85KB), which is encrypted in a single core Throughput (Mbps) CPU Usage 10000 100% 9000 90% 8000 80% 7000 70% 6000 60% 5000 50% 4000 40% 3000 30% 2000 20% 1000 10% 0 0% aes256-sha256 aes-gcm no encryption aes256-sha256 aes-gcm no encryption Throughput (Mbps) iperf-client iperf-server 18

  32. Current Status Compatible with StrongSwan and LibreSwan IKE daemon • Packages for Ubuntu and Fedora • Tutorials on using OVN IPsec • Need to use OVS upstream kernel module • 19

  33. Future Directions More flexible tunnel encryption policies: • Only encrypting tunnel traffic between certain hypervisors • Only encrypting tunnel traffic from certain logical network 20

  34. Q&A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Connect 2 Connect 2 Bath 2 Tunnels Bath 2 Tunnels The Sustrans and RPL Bridges Team

Connect 2 Connect 2 Bath 2 Tunnels Bath 2 Tunnels The Sustrans and RPL Bridges Team

Bridge Owners Forum 21 st January 2014 Huw Davies National Cycle Network Director Paul Thomas Bridge Engineer Sustrans Railway Paths Limited (RPL) Connect 2 Connect 2 Bath 2 Tunnels Bath 2 Tunnels The Sustrans and RPL Bridges

652 views • 17 slides
Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Unit OS8: File System 8.3. Encrypting File System Security in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS

250 views • 12 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author Wei-Shyun Pan Po-Kang Chen Quincy Wu Outline Introduction Related works A Confused Document Encrypting Schemes and its

514 views • 33 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2

User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2

User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2 Conference Netdev 1.2 Conference Oct 5-7, 2016; Tokyo, Japan User-space TCP Traditionally, TCP stack in kernel space A TCP stack in user space can

557 views • 24 slides
q@i p@i p p p thanks to Jon Sterling for the artistic inspirations p p p x z q p x y

q@i p@i p p p thanks to Jon Sterling for the artistic inspirations p p p x z q p x y

q@i p@i p p p thanks to Jon Sterling for the artistic inspirations p p p x z q p x y y x p x x x y p x y filler the original composition problem

234 views • 8 slides
Proposed IP Regulations MISSION Our Mission To accelerate stem cell treatments to patients with

Proposed IP Regulations MISSION Our Mission To accelerate stem cell treatments to patients with

IP/Industry Subcommittee Meeting September 25 th , 2017 Proposed IP Regulations MISSION Our Mission To accelerate stem cell treatments to patients with unmet medical needs. 2 I. Goals for IP Revisions Ensure regulations are clear and

139 views • 9 slides
On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

Motivation The Attacks Concluding Remarks On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G. Paterson Information Security Group Royal Holloway, University of London CCS 2010 Jean Paul

930 views • 68 slides
IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues

IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues

IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service Many solutions

543 views • 25 slides
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
IKE Context Transfer IKE Context Transfer in an IPv6 Mobility Environment in an IPv6 Mobility

IKE Context Transfer IKE Context Transfer in an IPv6 Mobility Environment in an IPv6 Mobility

IKE Context Transfer IKE Context Transfer in an IPv6 Mobility Environment in an IPv6 Mobility Environment Fabien Allard Fabien Allard (FT R&D) (FT R&D) Jean-Marie Bonnin (Tlcom Bretagne) Jean-Marie Bonnin (Tlcom Bretagne)

441 views • 14 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides

More recommend