Encrypting OVN tunnels with IPsec Qiuyu Xiao - - PowerPoint PPT Presentation

encrypting ovn tunnels with ipsec
SMART_READER_LITE
LIVE PREVIEW

Encrypting OVN tunnels with IPsec Qiuyu Xiao - - PowerPoint PPT Presentation

Aug 08, 2023 346 likes •694 views

Encrypting OVN tunnels with IPsec Qiuyu Xiao (qiuyu.xiao.qyx@gmail.com) Ben Pfaff (blp@ovn.org) Open Virtual Network (OVN) OVN provides a logical network abstraction on top of a physical network VM1 VM2 VM1 VM6 VM2 VM7 L-Switch VM6 VM7

slide-1
SLIDE 1

Encrypting OVN tunnels with IPsec

Qiuyu Xiao (qiuyu.xiao.qyx@gmail.com) Ben Pfaff (blp@ovn.org)

slide-2
SLIDE 2

Open Virtual Network (OVN)

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5

Physical

1

OVN provides a logical network abstraction on top of a physical network

VM6 VM7 VM8 VM9 L-Switch L-Switch VM1 VM2 L-Switch VM3 VM4 VM5 L-Router

Logical

slide-3
SLIDE 3

Open Virtual Network (OVN)

VMs are oblivious to the physical network states

2

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5

Physical

VM6 VM7 VM8 VM9 L-Switch L-Switch VM1 VM2 L-Switch VM3 VM4 VM5 L-Router

Logical

slide-4
SLIDE 4

Open Virtual Network (OVN)

Network appliances can be implemented and placed in the logical network

3

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5

Physical

VM6 VM7 VM8 VM9 L-Switch

Logical

L-Switch VM1 VM2 L-Switch VM3 VM4 VM5 L-Router L-Firewall L-LoadBalancer

slide-5
SLIDE 5

OVN Tunnel Traffic

4

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5 Inner Ethernet Header Inner IP Header Payload

slide-6
SLIDE 6

OVN Tunnel Traffic

4

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5 Outer Ethernet Header Outer IP Header Outer UDP Header Geneve Header Inner Ethernet Header Inner IP Header Payload

slide-7
SLIDE 7

OVN Tunnel Traffic

4

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5 Outer Ethernet Header Outer IP Header Outer UDP Header Geneve Header Inner Ethernet Header Inner IP Header Payload

slide-8
SLIDE 8

OVN Tunnel Traffic

4

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5 Outer Ethernet Header Outer IP Header Outer UDP Header Geneve Header Inner Ethernet Header Inner IP Header Payload

slide-9
SLIDE 9

OVN Tunnel Traffic

4

Hypervisor 1 Hypervisor 2

VM1 VM2 VM8 VM3 VM4 VM9 VM6 VM7 VM5 Inner Ethernet Header Inner IP Header Payload

slide-10
SLIDE 10

The Needs for Tunnel Encryption

  • VMs compute and communicate sensitive data, e.g., financial and health data
  • Physical network devices (e.g., router, switch) cannot be trusted or might be

compromised

q Traffic across datacenters q Router misconfiguration q Attackers breaking into internal network q Phishing or social engineering attacks on administrators

5

slide-11
SLIDE 11

Encrypting Tunnel Traffic with IPsec

Outer Ethernet Header Outer IP Header Outer UDP Header Geneve Header Inner Ethernet Header Inner IP Header Payload

IPsec Encryption

Outer Ethernet Header Outer IP Header ESP Header

  • Confidentiality
  • Integrity
  • Authenticity

6

slide-12
SLIDE 12

IPsec in Linux

IKE daemon IPsec kernel stack

security association security policy IKE protocol ESP/AH protocol

User space Kernel

7

slide-13
SLIDE 13

IPsec in Linux

IKE daemon IPsec kernel stack

security association security policy IKE protocol ESP/AH protocol

User space Kernel

8

IKE daemon

  • Authentication
  • Negotiates cryptographic algorithms
  • Generates keying material
slide-14
SLIDE 14

IPsec in Linux

IKE daemon IPsec kernel stack

security association security policy IKE protocol

IKE daemon

  • Authentication
  • Negotiates cryptographic algorithms
  • Generates keying material
  • Installs security policy and security

association

ESP/AH protocol

User space Kernel

9

slide-15
SLIDE 15

IPsec in Linux

IKE daemon IPsec kernel stack

security association security policy IKE protocol

IKE daemon

  • Authentication
  • Negotiates cryptographic algorithms
  • Generates keying material
  • Installs security policy and security

association

ESP/AH protocol

User space Kernel

9

Which traffic to protect

slide-16
SLIDE 16

IPsec in Linux

IKE daemon IPsec kernel stack

security association security policy IKE protocol

IKE daemon

  • Authentication
  • Negotiates cryptographic algorithms
  • Generates keying material
  • Installs security policy and security

association

ESP/AH protocol

User space Kernel

9

How to protect the selected traffic

slide-17
SLIDE 17

IPsec in Linux

IKE daemon IPsec kernel stack

security association security policy IKE protocol ESP/AH protocol

IPsec kernel stack

  • Encryption and decryption
  • Checks integrity and authenticity

User space Kernel

10

slide-18
SLIDE 18

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

User space Kernel

11

slide-19
SLIDE 19

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

Configuring IPsec tunnel via

  • vsdb
  • Using pre-shared key

User space Kernel

12

For example:

slide-20
SLIDE 20

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

Configuring IPsec tunnel via

  • vsdb
  • Using pre-shared key
  • Using self-signed certificate

User space Kernel

13

For example:

slide-21
SLIDE 21

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

Configuring IPsec tunnel via

  • vsdb
  • Using pre-shared key
  • Using self-signed certificate
  • Using CA-signed certificate

User space Kernel

14

For example:

slide-22
SLIDE 22

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

Establishing IPsec tunnel

  • ovs-monitor-ipsec configures IKE

daemon

security association security policy

User space Kernel

15

slide-23
SLIDE 23

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

Establishing IPsec tunnel

  • ovs-monitor-ipsec configures IKE

daemon

  • IKE daemon sets up security policy

and security association

security association security policy

User space Kernel

15

slide-24
SLIDE 24

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

For example (geneve tunnel): Establishing IPsec tunnel

  • ovs-monitor-ipsec configures IKE

daemon

  • IKE daemon sets up security policy

and security association

security association security policy

User space Kernel

15

slide-25
SLIDE 25

OVS IPsec Tunnel

IKE daemon IPsec kernel stack

  • vsdb
  • vs-monitor-ipsec
  • vs datapath

User space Kernel

IPsec kernel stack

  • Encryption and decryption
  • Checks integrity and authenticity

unencrypted packet encrypted packet

16

slide-26
SLIDE 26

OVN IPsec

northbound db

  • vn-northd

southbound db

  • vn-controller

  • vsdb
  • vn-controller

Hypervisor 1 Hypervisor n

17

vswitchd

  • vsdb

vswitchd

slide-27
SLIDE 27

OVN IPsec

northbound db

  • vn-northd

southbound db

  • vn-controller

  • vn-controller

Hypervisor 1 Hypervisor n

  • In each hypervisor, configure ovsdb to use

CA-signed certificate for authentication

  • Enable IPsec by configuring northbound

database

17

  • vsdb

vswitchd

  • vsdb

vswitchd

For example:

slide-28
SLIDE 28

IPsec Evaluation

  • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
  • iperf generates TCP stream (window size: 85KB), which is encrypted in a single

core

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 aes256-sha256 aes-gcm no encryption

Throughput (Mbps)

Throughput (Mbps) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% aes256-sha256 aes-gcm no encryption

CPU Usage

iperf-client iperf-server

18

slide-29
SLIDE 29

IPsec Evaluation

  • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
  • iperf generates TCP stream (window size: 85KB), which is encrypted in a single

core

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 aes256-sha256 aes-gcm no encryption

Throughput (Mbps)

Throughput (Mbps) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% aes256-sha256 aes-gcm no encryption

CPU Usage

iperf-client iperf-server

18

slide-30
SLIDE 30

IPsec Evaluation

  • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
  • iperf generates TCP stream (window size: 85KB), which is encrypted in a single

core

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 aes256-sha256 aes-gcm no encryption

Throughput (Mbps)

Throughput (Mbps) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% aes256-sha256 aes-gcm no encryption

CPU Usage

iperf-client iperf-server

18

slide-31
SLIDE 31

IPsec Evaluation

  • Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
  • iperf generates TCP stream (window size: 85KB), which is encrypted in a single

core

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 aes256-sha256 aes-gcm no encryption

Throughput (Mbps)

Throughput (Mbps) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% aes256-sha256 aes-gcm no encryption

CPU Usage

iperf-client iperf-server

18

slide-32
SLIDE 32

Current Status

  • Compatible with StrongSwan and LibreSwan IKE daemon
  • Packages for Ubuntu and Fedora
  • Tutorials on using OVN IPsec
  • Need to use OVS upstream kernel module

19

slide-33
SLIDE 33

Future Directions

More flexible tunnel encryption policies:

  • Only encrypting tunnel traffic between certain hypervisors
  • Only encrypting tunnel traffic from certain logical network

20

slide-34
SLIDE 34

Q&A