NFV à la VDE way – Renzo Davoli – FOSDEM 2018 (presentation slides)


SLIDE 1

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (unless otherwise specified).

NFV à la VDE way

Renzo Davoli, FOSDEM 2018

SLIDE 2

Virtual Distributed Ethernet

  • A virtual networking standard since 2004
  • Supported by Qemu/KVM, VirtualBOX, (user-mode linux), PicoTCP, LWIPv6
  • VDE4 features:
    – Modular design
    – Networking implementation plugins
    – Networks of Namespaces

SLIDE 3

VDEPLUG4 Modular Design

SLIDE 4

It is like a virtual SFP port

  • Small form-factor pluggable (SFP) socket
  • VDE plugins = SFP virtual transceivers

Image credits: Christophe.Finot [CC BY-SA 3.0], Wikimedia Commons; Aurélien Rinaldi [CC BY-SA 4.0], Wikimedia Commons

SLIDE 5

Libvdeplug4

  • Backwards compatible with libvdeplug2 (for applications: virtual machines, user-mode stacks)
  • It provides a unified API for virtual networking specification
  • e.g. kvm:

    kvm ... -netdev vde,id=vde0,sock=tap://tap0
    kvm ... -netdev vde,id=vde0,sock=vxvde://
    kvm ... -netdev vde,id=vde0,sock=slirp://

SLIDE 6

UVDEL: new URL-like network locators

  • UVDEL = Unified VDE Locator
  • Plugins are shared libs. The library libvdeplug_foo.so defines a new type of UVDELs foo://…
  • Examples:

    null://
    vde:///var/run/myswitch
    tap://tap0
    vxvde://234.0.0.1
    slirp://

SLIDE 7

Some vde plugins:

SLIDE 8

vde_plug: the vde cable builder

  • vde_plug command syntax supports either one or two UVDELs.
    – In case of one UVDEL a vde_plug translates the network traffic in a stream on stdin/stdout

SLIDE 9

vde_plug

    vde_plug foo:// bar://
    dpipe vde_plug foo:// = vde_plug bar://

SLIDE 10

Example: tap + switch + 2 * kvm

    sudo ip tuntap add tapx mode tap user renzo
    vde_plug tap://tapx switch:///tmp/swx
    kvm … -netdev vde,id=vde0,sock=vde:///tmp/swx
    kvm … -netdev vde,id=vde0,sock=vde:///tmp/swx

SLIDE 11

More vde plugins

SLIDE 12

Example: kvm + cmd + remote slirp

    kvm … -netdev vde,id=vde0,\
        sock=cmd://'ssh remote.host vde_plug slirp://'

SLIDE 13

VXVDE & Local Area Clouds

  • Just use vxvde://mcastaddr. Apps of the same mcastaddr flock together

SLIDE 14

VXVDEX

  • VDE plug plugin library + Kernel module
  • VXVDEX inherits all the pros of VXVDE but:
  • VXVDEX provides access control and “network privacy”. A sysadm can define which virtual networks a user can join or not.
    – The current implementation uses the effective group id as the VXVDEX net identifier (see getegid(2)).
    – A user can join a virtual network only if she is a member of the corresponding group.
  • Users can have full shell access.

SLIDE 15

Nested VDEPLUG (to be released soon)

  • Some plug-ins are designed as wrappers for other modules
    – agno: agnostic encryption
    – vlan: add/del/change 802.1Q tags
  • e.g.

    agno://{vde:///tmp/myswitch}
    vlan://2{tap://mytap}

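To make the locator syntax of slides 6 and 15 concrete, here is a small UVDEL resolver added as an illustration (it is not libvdeplug's own code): it maps a scheme to its libvdeplug_<scheme>.so name and unwraps the nested agno://{…} / vlan://2{…} wrapper form. The exact split rules are assumptions, and the scheme is restricted to identifier characters so a locator string can never steer which library file is loaded.

```python
from dataclasses import dataclass

# Constructed illustration, not libvdeplug's own parser: map a UVDEL to the
# plugin library it names (foo:// -> libvdeplug_foo.so) and unwrap the nested
# wrapper form (agno://{...}, vlan://2{...}); the split rules are assumptions.

@dataclass
class Uvdel:
    scheme: str                   # "vde", "tap", "agno", ...
    arg: str                      # text after "://", nested part removed
    nested: "Uvdel | None" = None  # inner locator wrapped by this one

    @property
    def library(self) -> str:
        # Slide 6: the library libvdeplug_foo.so defines the type foo://
        return f"libvdeplug_{self.scheme}.so"


def parse_uvdel(text: str) -> Uvdel:
    """Split "scheme://arg" and recursively parse a trailing {inner UVDEL}."""
    scheme, sep, rest = text.partition("://")
    # The scheme becomes part of a shared-library file name, so only accept
    # identifier characters: "../x://" can never turn into a dlopen path.
    if not sep or not scheme.isidentifier():
        raise ValueError(f"not a UVDEL: {text!r}")
    nested = None
    if rest.endswith("}"):
        depth, start = 0, None
        for i in range(len(rest) - 1, -1, -1):   # find the matching "{"
            if rest[i] == "}":
                depth += 1
            elif rest[i] == "{":
                depth -= 1
                if depth == 0:
                    start = i
                    break
        if start is None:
            raise ValueError(f"unbalanced braces in {text!r}")
        nested = parse_uvdel(rest[start + 1:-1])
        rest = rest[:start]
    return Uvdel(scheme, rest, nested)


def plugin_chain(text: str) -> "list[str]":
    """Libraries a (possibly nested) UVDEL loads, outermost wrapper first."""
    chain, node = [], parse_uvdel(text)
    while node is not None:
        chain.append(node.library)
        node = node.nested
    return chain
```
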
SLIDE 16

Security Table

Columns: Virtual Machine user | Shell access | Access to the net cable
Rows: VXVDE | VXVDEX | Encryption + VXVDE
(the marks in the table cells are not recoverable from the extracted text)

SLIDE 17

VDENS: life in a networking namespace

  • VDENS creates a networking namespace and connects it to a VDE network.

SLIDE 18

Example: vdens + ptp + kvm

    kvm … -netdev vde,id=vde0,sock=ptp:///tmp/xxx
    vdens ptp:///tmp/xxx

SLIDE 19

VDENS usage cases

  • Server side:
    – IoTh
    – Virtual hosting
  • Client side
    – Different security requirements
      • VPN and local services
      • IoTh in a backwards compatible way

SLIDE 20

Networks of Namespaces

VDE namespaces can be scattered around the Local Area Cloud (zero configuration!)

SLIDE 21

VDENS – multi

  • A VDE namespace can have several virtual interfaces
  • Standard bridging, routing, packet filtering and shaping methods can be implemented in the namespace
  • It is possible to run Network Function virtualization tools for virtual networks (VNFV).

SLIDE 22

NFV à la VDE

SLIDE 23

Virtual Network Functions in VDENS

  • Standard Linux programs and features can run in a VDENS (VNF)
    – Servers (apache, nginx, tftpd, ….)
    – DHCP servers (and clients)
    – Proxy servers
    – DNS servers
    – Iptables:
      • Packet filtering/shaping (iptables)
      • Load balancing
      • Firewall
  • A network namespace is a light and safe choice...

SLIDE 24

A virtual demo: set up the gateway

    # create a tap
    $ sudo ip tuntap add name tapr mode tap user renzo
    # create a bridge and add eth0 and tapr to it
    $ sudo brctl addbr br0
    $ sudo brctl addif br0 eth0
    $ sudo brctl addif br0 tapr
    # enable all the interfaces
    $ sudo ip link set eth0 up
    $ sudo ip link set br0 up
    $ sudo ip link set tapr up
    # set the ip addr of the bridge interface
    $ sudo ip addr add 10.0.0.1/24 dev br0
    # from now on everything is virtual and distributed
    # no more need for sudo

SLIDE 25

A virtual demo: set up a “router”

    # create a multi-interface name space
    $ vdens --multi tap://tapr vxvde://234.0.0.1 vxvde://234.0.0.2
    # enable the virtual interfaces
    vdens$ ip link set vde0 up
    vdens$ ip link set vde1 up
    vdens$ ip link set vde2 up
    # set up the link to the gateway
    vdens$ ip addr add 10.0.0.2/24 dev vde0
    # now any tool working as an NFV can be applied here
    # this example creates a NAT-masqueraded virtual net on vxvde://234.0.0.1
    vdens$ echo "1" > /proc/sys/net/ipv4/ip_forward
    vdens$ /sbin/iptables -t nat -A POSTROUTING -o vde0 -j MASQUERADE
    vdens$ ip addr add 10.10.10.1/24 dev vde1
    # let us check the configuration
    vdens$ ip addr
    1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: vde0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state …
        link/ether 1e:c2:7e:cf:89:60 brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.2/24 scope global vde0
           valid_lft forever preferred_lft forever
        inet6 fe80::1cc2:7eff:fecf:8960/64 scope link
           valid_lft forever preferred_lft forever
    3: vde1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state …
        link/ether 22:8e:2f:2f:32:2f brd ff:ff:ff:ff:ff:ff
        inet 10.10.10.1/24 scope global vde1
           valid_lft forever preferred_lft forever
        inet6 fe80::208e:2fff:fe2f:322f/64 scope link
           valid_lft forever preferred_lft forever
    4: vde2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state …
        link/ether b6:9e:13:56:f9:cc brd ff:ff:ff:ff:ff:ff
        inet6 fe80::b49e:13ff:fe56:f9cc/64 scope link
           valid_lft forever preferred_lft forever

SLIDE 26

A virtual demo: set up a network node

    # now on a random box of your LAN
    $ vdens vxvde://234.0.0.1
    # set up the interface
    vdens$ ip link set vde0 up
    vdens$ ip addr add 10.10.10.2/24 dev vde0
    vdens$ ip route add default via 10.10.10.1
    # run your favourite processes (maybe servers) …

SLIDE 27

Degrees of Virtualization: 0 – no virtualization

SLIDE 28

Degrees of Virtualization: 1 – virtual machines

SLIDE 29

Degrees of Virtualization: 2 – NFV

SLIDE 30

Degrees of Virtualization: 3 – NFV + VDE + NoN

SLIDE 31

We are still creating art and beauty on a computer: the art and beauty of revolutionary ideas translated into (libre) code...

renzo, rd235, iz4dje