mts bringing multi tenancy to virtual networking
play

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap - PowerPoint PPT Presentation

Aug 10, 2023 •367 likes •962 views

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

  1. MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gábor Rétvári and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA

  2. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Host OS Host OS 2

  3. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Virtual Switch Host OS Host OS 3

  4. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Host OS Host OS 4

  5. Virtual Networks Using Virtual Switches VM VM VM VM VM VM $_ $_ $_ $_ $_ $_ Broadcast | Multicast | Unicast | Tunnel 1. Red 2. Blue 3. Green Host OS Host OS 5

  6. More Than 20 Virtual Switches Most emphasis has been on performance and flexibility 6

  7. Security Weaknesses of Virtual Switches 7

  8. Processes VM VM VM Untrusted Data $_ $_ $_ Host OS Host OS A malicious VM can send arbitrary packets to the virtual switch 8

  9. Privileged Packet VM VM VM VM Processing $_ $_ $_ $_ User Kernel Host OS Host OS Oftentimes runs in the kernel for performance 9

  10. Single Point of Failure Virtual network configurations are complex Screenshot from Karim Elatov’s blog: https://elatov.github.io/2018/01/openstack-ansible-and-kolla-on-ubuntu-1604/#5-packet-goes-from-ovs-inte 10 gration-bridge-br-int-to-ovs-tunnel-bridge-br-tun

  11. Single Point of VM VM VM Failure $_ $_ $_ Host OS Host OS Mis-configurations could lead to security issues 11

  12. Co-Located with VM VM VM VM the Host OS $_ $_ $_ $_ Host OS Host OS The consequence of a compromise can be severe, e.g., break out of VM isolation 12

  13. Exploiting Virtual VM VM VM Switches in the $_ $_ $_ Cloud Host OS Host OS SOSR’18: Remote-Code Exection OvS Con’19: Cross Tenant DoS 13

  14. Outline Motivation ● MTS ● Evaluation ● Scalability ● Pros and Cons ● Conclusion ● 14

  15. MTS: Multi-Tenant Switch 15

  16. Least Privilege VM Host VM Virtual Switch $_ $_ $_ 1. Processes untrusted data 2. Privileged packet processing 3. Single point of failure 4. Co-located with the Host OS 16

  17. Least Common VM Host VM Mechanism $_ $_ $_ 1. Processes untrusted data 2. Privileged packet processing 3. Single point of failure 4. Co-located with the Host OS 17

  18. Extra Security VM Host VM Boundary $_ $_ $_ 1. Processes untrusted data 2. Privileged packet processing 3. Single point of failure 4. Co-located with the Host OS 18

  19. Complete VM Host VM Mediation $_ $_ $_ T T In/Out Gw In/Out Gw PF VF VF VF VF VF VF 1. Processes untrusted data 2. Privileged packet processing L2 Switch in NIC 3. Single point of failure 4. Co-located with the Host OS SR-IOV NIC 19

  20. Evaluation 20

  21. Experimental Setup Resources ● Traffic Patterns ● & Factors Mellanox ConnectX4, Open vSwitch, DPDK, QEMU, KVM More details in the paper 21

  22. Host OS Shared Resources Host OS pinned to 1 core ● CPU All vswitch-VMs pinned to 1 ● core Each Tenant VM got ● dedicated cores (not shown here) 22

  23. Traffic Patterns VM VM VM In Out In Out In Out NIC NIC NIC p2p p2v v2v 23

  24. B 1 4 2 Baseline vs MTS A S V V V Packet Processing E S S S Throughput L - - - I V V V Comparison N M M M E 64 byte UDP packets Roughly the same in p2p MTS is ~2x Baseline in p2v and v2v 24

  25. Baseline vs MTS Packet Processing Throughput Comparison 64 byte UDP packets Roughly the same in p2p MTS is ~2x Baseline in p2v and v2v 25

  26. Baseline vs MTS Network Application Throughput MTS beats Baseline in Apache and Memcached 26

  27. 1+ Physical Core 4x Network Isolation 1.5-2x Throughput 27

  28. Scaling MTS 28

  29. Containers in VMs Work in progress ● The packets per second throughput is ● the same as running it in a VM for 4 containers Can run 12 vswitches spread across 4 ● VMs Faced an issue with libvirt when ● adding 40 VFs to 16 vswitches spread Real cloud systems can host more across 4 VMs. The interfaces do not than just 4 tenants on a server appear in the VM although the configuration is present. 29

  30. Pros and Cons 30

  31. Limitations PCIe bus could become a bottleneck ● which our evaluation did not reveal The number of VFs on the NIC ● No clean solution for live migration of ● VMs with VFs 31

  32. Pricing State-of-the-art MTS Broadcast | Broadcast | Broadcast | Multicast | Multicast | Multicast | Unicast Unicast Unicast 1. Red $ $ Charge for CPU cycles used by the 2. Blue $ tenant-specific virtual switch 32

  33. Tenant Specific State-of-the-art MTS Virtual Switch Software Broadcast | Broadcast | Broadcast | Multicast | Multicast | Multicast | Unicast Unicast Unicast 1. Red 1. Reduce parsing logic 2. Blue 2. Support tenant-specific features 33

  34. Conclusion 34

  35. Key Takeaways 1. Many virtual switches can be exploited to compromise Host and Network isolation 2. MTS is based on secure design principles that addresses security weakness of existing designs 3. MTS with SR-IOV offers security and performance for modest resources Our scripts and data are on github www.github.com/securedataplane High High Mid Security Performance Resource

  36. Backup 36

  37. Protocol Growth for OvS 37

  38. Complex & Manual Protocol Parsers Virtual switches have to support an increasing number of protocols over time 38

  39. Vswitch Table Analysis 39

  40. So Many Virtual Switches More than 20 40

  41. So Many Virtual Switches More than 20 41

  42. So Many Virtual Switches More than 20 42

  43. Ingress Traffic Flow Example 43

  44. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 44

  45. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC Packet destined to VM $_ 45

  46. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC MAC address of the vswitch VF IP address of VM $_ 46

  47. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 47

  48. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 48

  49. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 49

  50. VM VM HOST $_ $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 50

  51. VM HOST $_ $_ IN/ IN/ GW T GW T PF OUT OUT VF VF VF VF VF VF L2 Switch in NIC 51

  52. Pricing 52

  53. How it Helps Pricing Can charge for compute and memory used by the vswitch 53

  54. Latency 54

  55. Baseline vs MTS Latency Comparison 64 byte UDP packets Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 55

  56. Baseline vs MTS Latency Comparison Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 56

  57. Baseline vs MTS Latency Comparison Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 57

  58. Baseline vs MTS Latency Comparison Baseline is faster than MTS in p2p MTS is faster than Baseline in p2v and v2v 58

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP Previous: VMware, Baidu Feature Maintainer of Kubernetes HyperCrew: https://hyper.sh/

609 views • 40 slides
Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security Division of EMC John Field, Office of the CTO, EMC Also adapting prior content by Burt Kaliski DIMACS Workshop in Systems and Networking Advances

508 views • 18 slides
Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore? Workloads & API Multi-tenancy & Isolation Lessons Learned What is Edgestore Distributed Metadata Store built on top of MySQL

406 views • 36 slides
DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect VINCIT Working for ari-pekka.viitanen@vincit.com @apviitanen CASE BXX STACK DATA PERSISTENCE AND MULTI-TENANCY SINGLE TENANCY MULTI-TENANCY -

522 views • 28 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1 TENLAW - Tenancy Law and Housing Policy in Multi-level Europe State of the field I Comparative dimension: Crisis has increased the number of

442 views • 16 slides
PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum salesforce.com Platform as a Service Multi Tenancy and Open Standards Peter Chittum Developer Evangelist @pchittum Safe Harbor Safe harbor statement

545 views • 39 slides
Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale Willis, Suman Banerjee University of Wisconsin-Madison 2016 IEEE/ACM Symposium on Edge Computing Presented by Allen Leis and Patrick Jennings Agenda

509 views • 40 slides
IPOP IP over P2P Virtual Networking for Grid Computing David Wolinsky ACIS P2P Group

IPOP IP over P2P Virtual Networking for Grid Computing David Wolinsky ACIS P2P Group

IPOP IP over P2P Virtual Networking for Grid Computing David Wolinsky ACIS P2P Group University of Florida Outline Virtual Networking + Grid Computing Making It Easy Deploying in Clusters and Workstations Demonstration

266 views • 13 slides
A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram {ylchen, jim.tuttle, waingram}@vt.edu Information Technologies and Services Virginia Tech Libraries Agenda Cloud-native concept Virginia

411 views • 20 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
OVN: Scaleable Virtual Networking for Open vSwitch Kyle Mestery (@mestery) Justin Pettit

OVN: Scaleable Virtual Networking for Open vSwitch Kyle Mestery (@mestery) Justin Pettit

OVN: Scaleable Virtual Networking for Open vSwitch Kyle Mestery (@mestery) Justin Pettit (@Justin_D_Pettit) The Case for Network Virtualization Network provisioning needs to be self-service. Virtual networking needs to be abstracted

826 views • 37 slides
Automation of multi-leg one-loop virtual amplitudes Daniel Matre IPPP, Durham, UK ACAT

Automation of multi-leg one-loop virtual amplitudes Daniel Matre IPPP, Durham, UK ACAT

Automation of multi-leg one-loop virtual amplitudes Daniel Matre IPPP, Durham, UK ACAT Conference, Jaipur, 26 Feb 2010 Program NLO corrections Real Virtual Virtual part Feynman diagrams OPP Unitarity based Les

819 views • 42 slides
Bringing flexibility provided by multi-energy carrier integration to a new MAGNITUDE Project

Bringing flexibility provided by multi-energy carrier integration to a new MAGNITUDE Project

Bringing flexibility provided by multi-energy carrier integration to a new MAGNITUDE Project public presentation Last update: October 2018 This project has received funding from the European Communitys H2020 Framework Programme under grant

578 views • 46 slides
Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal

Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal

Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal Huawei IETF98- ICNRG Meeting Thursday 3/30/17 Trends in AR/VR Augmented Reality and Virtual Reality are going to create tremendous growth in

632 views • 15 slides
Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use Cases Single-host networking with the Bridge driver Multi-host networking with the Overlay driver Connecting to existing VLANs with the

1.32k views • 93 slides
Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer Security Announcements intermission Low-level vulnerabilities and attacks (combined lecture) Classic code injection attacks Stephen McCamant

391 views • 9 slides
Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of

Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of

Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of Distributed Applications with Virtual Topologies Richard POTTER NICT Akihiro NAKAO University of Tokyo NICT Virtual Infrastructure for Testbeds

161 views • 13 slides
FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Toma Muraus (kami@k5-storitve.net /

FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Toma Muraus (kami@k5-storitve.net /

FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Toma Muraus (kami@k5-storitve.net / @KamiSLO) October 2009 1. Table of contents 1. Table of

384 views • 14 slides
Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic

Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic

Hacking in C Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic 1 There are only two kinds of programming languages: the ones people complain about and the ones nobody uses. Bjarne

517 views • 28 slides
Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall

Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall

Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall Inria/LIP6/UPMC/Sorbonne University-Regal Modularity 2014 1 Modularity Wikipedia: Modularity is the degree to which a systems components may be

481 views • 30 slides
Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos D. Keromytis Department of Computer Science Columbia University, USA Clients securing their traffic to a server TLS unavailable at the server

682 views • 18 slides
Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule fr Technik Rapperswil andreas.steffen@strongswan.org Wo um Gottes Willen

608 views • 35 slides
Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward

Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward

Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward hypotheses Downside are : verify to hard . " new SUN " To fix this create a : modified hypotheses with I " odds :* . entails

407 views • 13 slides

More recommend