Open vSwitch Config for libvirt VMs (Jonas Andre, advised by Johannes Naab; PowerPoint presentation)



SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Open vSwitch Config for libvirt VMs

Jonas Andre

advised by Johannes Naab
Wednesday 9th January, 2019

SLIDE 2

Introduction

Virtual Machines in Lectures

  • VMs provide configured computers
  • Allows students to experiment
  • ∼1000 VMs
  • One layer 2 network with VMs
  • Layer 2 network is managed by one Open vSwitch
  • Students have root access

→ Layer 2 security is very important

Figure 1: VMs in one layer 2 network

  • J. Andre — Open vSwitch Config

2

SLIDE 3

Goals

Security: Protection against

  • MAC spoofing
  • ARP spoofing
      • VM answers ARP requests for the gateway
      • Other VMs consider the VM the true gateway
      • VMs send traffic to the spoofing VM instead of the gateway
      • → Spoofing VM is a man in the middle
  • DHCP server spoofing
  • IP spoofing
  • IPv6 router spoofing
  • NDP spoofing

Figure 1: VMs in one layer 2 network


SLIDE 4

Goals

Host CPU Load Reduction

  • Broadcasts reach every VM
  • Simultaneous processing of each broadcast at every machine
  • ∼250 ARP requests per minute in this network
  • Each ARP request needs to be processed by every VM
  • Due to Spectre and Meltdown, a complete unload and load of the VM from and to the cache is necessary
  • Context switches are expensive → high CPU consumption
  • → Optimize ARP requests to reduce CPU load

Figure 1: VMs in one layer 2 network


SLIDE 5

Implementation

OpenFlow

  • Open vSwitch uses OpenFlow
  • Per-frame processing
  • Processing by rules with priorities
  • Rules organized in tables
  • Relevant filters
      • Incoming port
      • MAC addresses
      • IP addresses
      • Protocols
  • Relevant actions
      • Drop
      • Normal
      • Output
      • Table

table0:
  * → NORMAL


SLIDE 6

Implementation

OpenFlow (example rule set, continued from slide 5)

table0:
  port=1, src_mac=vm.mac → TABLE:1
  port=1 → DROP
  * → NORMAL

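The rule set of slide 6 evaluated by a small model of OpenFlow lookup (highest-priority match per table, actions DROP, NORMAL, OUTPUT:<port> or TABLE:<n>). This is an added illustration, not code from the talk; the match field names, the sample MAC address and the table1 default rule are assumptions made for the example.

```python
"""Minimal model of how an OpenFlow switch processes one frame: in each table
the highest-priority matching rule wins, and its action is DROP, NORMAL,
OUTPUT:<port> or TABLE:<n> (continue in another table).  Added example, not
code from the talk; field names and the sample MAC are assumed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    table: int
    priority: int
    match: dict = field(default_factory=dict)  # empty dict is the wildcard "*"
    action: str = "DROP"

    def matches(self, frame: dict) -> bool:
        # A rule matches when every field it names has the required value.
        return all(frame.get(k) == v for k, v in self.match.items())


def lookup(rules: list, frame: dict, table: int = 0, max_hops: int = 8) -> str:
    """Return the final action for a frame, following TABLE:<n> actions."""
    for _ in range(max_hops):
        candidates = [r for r in rules if r.table == table and r.matches(frame)]
        if not candidates:
            return "DROP"  # modelling assumption: a table miss drops the frame
        best = max(candidates, key=lambda r: r.priority)
        if best.action.startswith("TABLE:"):
            table = int(best.action.split(":", 1)[1])
            continue
        return best.action
    raise RuntimeError("rule set loops between tables")


# Rule set of slide 6: port 1 is the VM's port, VM_MAC stands for vm.mac.
VM_MAC = "52:54:00:aa:bb:01"  # constructed sample value
SLIDE6_RULES = [
    Rule(table=0, priority=100, match={"in_port": 1, "src_mac": VM_MAC}, action="TABLE:1"),
    Rule(table=0, priority=90, match={"in_port": 1}, action="DROP"),
    Rule(table=0, priority=0, action="NORMAL"),
    # table1 is not shown on the slide; assumed to switch normally for now
    Rule(table=1, priority=0, action="NORMAL"),
]


def classify(frame: dict) -> str:
    """Decision of the slide 6 rule set for one frame."""
    return lookup(SLIDE6_RULES, frame)


if __name__ == "__main__":
    samples = {
        "own MAC": {"in_port": 1, "src_mac": VM_MAC},
        "spoofed MAC": {"in_port": 1, "src_mac": "52:54:00:de:ad:01"},
        "other port": {"in_port": 2, "src_mac": "52:54:00:de:ad:01"},
    }
    for name, frame in samples.items():
        print(f"{name:12s} -> {classify(frame)}")
```

The two table0 rules for port 1 only differ in priority: the more specific rule (port and MAC) wins for the VM's own frames, and the catch-all drop for port 1 catches every other source MAC before the wildcard NORMAL rule can see it.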

SLIDE 7

Implementation

Rule Creation

  • Existing script creating and starting VMs
      • Stores MAC and IP addresses
  • During start of a VM
      • QEMU hook parses the metadata
      • Rules are installed based on the metadata
  • During shutdown of a VM
      • QEMU hook initiates rule deletion

SLIDE 8

Implementation

OpenFlow Table Structure

Implemented table structure:

  • table0: MAC spoofing, ARP
  • table1: IP spoofing, ARP spoofing, DHCP spoofing
  • table2: Direct ARP
  • table3: ICMP spoofing


SLIDE 9

Implementation

table0

  • VM sends with correct MAC → table1
  • VM sends with spoofed MAC → DROP
  • ARP request not from VM → table2
  • Frames not from VM and not ARP → NORMAL

table0:
  correct MAC → TABLE:1
  spoofed MAC → DROP
  IN:*, ARP → TABLE:2
  * → NORMAL


SLIDE 10

Implementation

table1

  • Non-spoofed ARP → table2
  • DHCP and DHCPv6 server messages → DROP
  • Non-spoofed IP address in ICMPv6 → table3
  • Neighbor Solicitation from the unspecified address → table3
      • Necessary for Duplicate Address Detection
  • Non-spoofed IP address → NORMAL
  • Other messages → DROP

SLIDE 11

Implementation

table2

  • ARP request with known IP → OUT:VM
  • ARP request with unknown IP
      • From Internet → DROP
      • From other → OUT:INTERNET
  • All other ARP packets → NORMAL

table2:
  IN:*, ARP request for VM_IP → OUT:VM
  IN:Internet, ARP request → DROP
  IN:*, ARP request → OUT:Internet
  * → NORMAL


SLIDE 12

Implementation

table3

  • Router Advertisement → DROP
  • Neighbor Advertisement with correct IP → NORMAL
  • Spoofed Neighbor Advertisement → DROP
  • Redirect → DROP
  • All other ICMPv6 → NORMAL
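The table structure of slides 8 to 12, generated per VM from the metadata the start script stores (slide 7) and turned into the ovs-ofctl invocations a start/stop hook would run. This is added example code, not the talk's hook script: the bridge name, the uplink's OpenFlow port number, the priority values and the Vm metadata layout are assumptions, while the table numbers and the accept/drop decisions follow the slides.

```python
"""Per-VM OpenFlow rules for the four-table structure of the slides.
Added example, not the talk's hook script.  Assumed: bridge name, uplink
port number, priorities and the Vm metadata layout."""

import shutil
import subprocess
from dataclasses import dataclass, field

BRIDGE = "br-lecture"   # assumed bridge name
INTERNET_PORT = 1       # assumed OpenFlow port number of the uplink to the gateway


@dataclass
class Vm:
    port: int           # OpenFlow port number of the VM's tap interface
    mac: str
    ipv4: str
    ipv6: list = field(default_factory=list)


def static_flows() -> list:
    """Rules installed once per bridge, independent of any VM."""
    return [
        # table0: ARP requests not from a VM port go to the direct-ARP table
        "table=0,priority=10,arp,arp_op=1,actions=resubmit(,2)",
        "table=0,priority=0,actions=NORMAL",
        # table2: ARP requests for unknown IPs: dropped from the Internet,
        # otherwise sent only to the uplink so that no VM has to process them
        f"table=2,priority=20,in_port={INTERNET_PORT},arp,arp_op=1,actions=drop",
        f"table=2,priority=10,arp,arp_op=1,actions=output:{INTERNET_PORT}",
        "table=2,priority=0,actions=NORMAL",
        # table3: Router Advertisements (134) and Redirects (137) are dropped;
        # Neighbor Advertisements (136) are only accepted by a per-VM rule
        "table=3,priority=30,icmp6,icmp_type=134,actions=drop",
        "table=3,priority=30,icmp6,icmp_type=137,actions=drop",
        "table=3,priority=10,icmp6,icmp_type=136,actions=drop",
        "table=3,priority=0,actions=NORMAL",
    ]


def vm_flows(vm: Vm) -> list:
    """Rules derived from one VM's stored metadata (installed at start)."""
    p, mac, ip4 = vm.port, vm.mac, vm.ipv4
    flows = [
        # table0: the VM's own MAC continues to table1, any other source MAC is dropped
        f"table=0,priority=100,in_port={p},dl_src={mac},actions=resubmit(,1)",
        f"table=0,priority=90,in_port={p},actions=drop",
        # table1: ARP with the VM's own MAC and IPv4 is not spoofed -> direct ARP table
        f"table=1,priority=100,in_port={p},arp,arp_sha={mac},arp_spa={ip4},actions=resubmit(,2)",
        # table1: a VM must never speak as DHCP (67) or DHCPv6 (547) server
        f"table=1,priority=90,in_port={p},udp,tp_src=67,actions=drop",
        f"table=1,priority=90,in_port={p},udp6,tp_src=547,actions=drop",
        # table1: Neighbor Solicitation from :: is needed for Duplicate Address Detection
        f"table=1,priority=80,in_port={p},icmp6,icmp_type=135,ipv6_src=::,actions=resubmit(,3)",
        # table1: IPv4 with the VM's own source address; everything else from the VM is dropped
        f"table=1,priority=70,in_port={p},ip,nw_src={ip4},actions=NORMAL",
        f"table=1,priority=0,in_port={p},actions=drop",
        # table2: ARP requests for this VM's IP reach only this VM's port
        f"table=2,priority=100,arp,arp_op=1,arp_tpa={ip4},actions=output:{p}",
    ]
    for ip6 in vm.ipv6:
        flows += [
            f"table=1,priority=80,in_port={p},icmp6,ipv6_src={ip6},actions=resubmit(,3)",
            f"table=1,priority=70,in_port={p},ipv6,ipv6_src={ip6},actions=NORMAL",
            # table3: Neighbor Advertisement only for the VM's own address
            f"table=3,priority=20,in_port={p},icmp6,icmp_type=136,nd_target={ip6},actions=NORMAL",
        ]
    return flows


def install_commands(vm: Vm) -> list:
    """ovs-ofctl invocations for the hook's start phase."""
    return [["ovs-ofctl", "add-flow", BRIDGE, f] for f in vm_flows(vm)]


def delete_commands(vm: Vm) -> list:
    """ovs-ofctl invocations for the hook's stop phase.  del-flows removes
    every rule at least as specific as the given match, in all tables."""
    return [
        ["ovs-ofctl", "del-flows", BRIDGE, f"in_port={vm.port}"],
        ["ovs-ofctl", "del-flows", BRIDGE, f"table=2,arp,arp_tpa={vm.ipv4}"],
    ]


def run(commands: list) -> bool:
    """Execute the commands; returns False without running anything if ovs-ofctl is absent."""
    if shutil.which("ovs-ofctl") is None:
        return False
    for argv in commands:
        subprocess.run(argv, check=True)
    return True


if __name__ == "__main__":
    sample = Vm(port=5, mac="52:54:00:12:34:56", ipv4="10.0.0.5", ipv6=["fd00::5"])  # constructed
    for argv in install_commands(sample) + delete_commands(sample):
        print(" ".join(argv))
```

Two points worth checking on a real bridge: the per-VM table0 rules must outrank the static ARP rule (here 100 and 90 against 10), otherwise a VM's ARP would bypass the MAC check; and the table2 direct-ARP rule carries no in_port, so it needs its own del-flows match at shutdown, which is why delete_commands issues two deletions.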

SLIDE 13

Conclusion

Conclusion & Future Work

Conclusion

  • Optimized script creating and deleting VMs
  • Hook scripts install and delete Open Flow rules
  • Network safe against spoofing attacks
  • Simple DHCP protection
  • ARP optimization to reduce CPU load

Future Work

  • Protection against network overload
  • Protection against CPU overload by sending broadcasts
      • → dependent rate limiting