securing network traffic tunneled over kernel managed tcp
play

Securing Network Traffic Tunneled Over Kernel managed TCP/UDP - PowerPoint PPT Presentation

Oct 09, 2023 •257 likes •628 views

Securing Network Traffic Tunneled Over Kernel managed TCP/UDP sockets Sowmini Varadhan(sowmini.varadhan@oracle.com) Agenda What problem are we trying to solve? Privacy, integrity protection, authentication of traffic that gets tunneled

  1. Securing Network Traffic Tunneled Over Kernel managed TCP/UDP sockets Sowmini Varadhan(sowmini.varadhan@oracle.com)

  2. Agenda • What problem are we trying to solve? – Privacy, integrity protection, authentication of traffic that gets tunneled over kernel managed TCP and UDP sockets • Options at socket layer: TLS, DTLS – Pros and cons • Options at the IP layer: IPsec – Pros and cons • Ongoing and future work Linuxcon North America 2016, Toronto, Canada

  3. What problem are we trying to solve? • Security for kernel-managed TCP and UDP sockets – VXLAN, GUE, Geneve, and other NVO3 solutions – RDS-TCP, KCM: Application traffic sent over PF_RDS/PF_KCM socket, which gets tunnelled over TCP in the kernel • Security, with reasonable performance – Crypto has an unavoidable cost, but the rest of the perf should be streamlined • Security, without regressing on Failover requirements for Cluster/HA Linuxcon North America 2016, Toronto, Canada

  4. Typical model for kernel TCP/UDP sockets • Application data from sender: can come from Virtual Machine, DB application, HTTP/2.. • Typically gets encapsulated in some protocol specific header (VXLAN, GUE, Geneve, RDS) that tracks control plane state (Tenant ID, VNI, OVS state, RDS port numbers..) • Tunneled in the kernel over a UDP/TCP socket • Receiver parses control plane header and delivers to the appropriate sender (tenant VM, DB application) Linuxcon North America 2016, Toronto, Canada

  5. Privacy and Security Concerns • Traffic tunneled over kernel sockets goes out in the clear today. • As we scale multi-tenant Cloud environments, we have multiple tenants sharing the same physical infrastructure • Attack vectors that need to be considered: – Protecting tenant payload and tunneling protocol header ( privacy, integrity protection, authentication) – Protecting the control plane (TCP/IP, for RDS-TCP and KCM) Linuxcon North America 2016, Toronto, Canada

  6. Privacy for tenant traffic • Traffic that can traverse long internet paths: attackers should not be able to snoop/impersonate end-points – encrypt tenant data using encryption parameters that have been securely installed on both end-points after appropriate authentication. • Typical solution to provide this is by using TLS/DTLS at the socket layer • TLS has some attractive properties – Per-user authentication – Implemented at the application level, not the kernel. So easier support in multiple environments • But there are some issues with using TLS/DTLS with kernel sockets Linuxcon North America 2016, Toronto, Canada

  7. Challenges to using TLS/DTLS with RDS-TCP • Cannot use DTLS/TLS directly on new socket types like PF_RDS and PF_KCM. • No TLS in the kernel • TLS is a complex protocol- handshake and control-plane is complex • Can we move the TLS control-plane (including Handshake) to user-space, and just use the TLS negotiated keys for encryption in the kernel? – Attempted by Netflix for acceleration of encrypted sendfile () – Basis of recent kTLS RFC Linuxcon North America 2016, Toronto, Canada

  8. Netflix/OCA • Improve sendfile() throughput of encrypted data for the Netflix OpenConnect Appliance – https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf • Traditional implementation: web-server gets client request for object on disk, retrieves object into a local buffer, encrypts/sends over TLS on network. • Netflix optimization: when the client request comes in, issue sendfile() call on the file descriptor and socket descriptor: data would then never leave kernel address space. Linuxcon North America 2016, Toronto, Canada

  9. Netflix/OCA: TLS based encryption in kernel • Kernel needs to encrypt the data before sending it out on the socket to the network • Netflix model: TLS session parameters are negotiated in user-space, and pushed down via socket options to the kernel – TLS session management in user-space – Encryption in kernel • Primary goal is to provide faster encryption, not full support for a kernel TLS. Linuxcon North America 2016, Toronto, Canada

  10. Netflix/OCA: TLS customizations • Netflix/OCA ran into many questions when implementing this proposal – Encrypted messages like “Finished” can arrive before CCS has been processed, and keys are in place, so kernel data plane may end up having to buffer a lot of data – How will the kernel handle re-keying? – “..when you consider .. that messages in the TCP stream may arrive out of order, adding TLS for both sending and receiving adds a lot of complexity to the kernel” [Netflix/OCA] • Netflix/OCA proposal only implements sender side of TLS, since it is primarily interested in accelerating sendfile() Linuxcon North America 2016, Toronto, Canada

  11. Netflix/OCA results • The Netflix/OCA finds that the performance improvements were not that significant for BSD • Even if a Linux implementation could achieve better perf, the issues identified in the OCA experiment remain – Splitting the protocol into a control plane and a data plane is not what TLS intends, and such a split will result in new forms of asynchronicity. • For securing kernel TCP/UDP sockets, we want a complete security solution. Linuxcon North America 2016, Toronto, Canada

  12. HA/Failover in the split TLS model • CCS, Re-keying etc: Control plane changes state, data-plane needs to be correctly synchronized with that change. • HA/failover: data-plane can restart. Control plane needs to be in tandem with that. Examples: – Address/service migration for TCP connection, RDS-TCP module restart – RDS resets connection because it detects spurious headers or other compromise. Linuxcon North America 2016, Toronto, Canada

  13. Protecting from TCP attacks • TLS only secures the application data. • TCP connection is still exposed and vulnerable to RST attacks, sequence number attacks • Attacks to TCP throw off the state machine in RDS- TCP reassembly. – Sender depends on TCP ack# to determine when it can take a dgram off the resend queue. Bogus sequence number reinjection is not acceptable. • HA: when the RDS-TCP connection breaks, we try to re-connect today. If reconnecting, we should restart authentication, and preferably re-key. Linuxcon North America 2016, Toronto, Canada

  14. Alternatives to TLS? • TLS encrypts/authenticates at the socket layer • Alternative to TLS: IPsec • IPsec encrypts/authenticates at the IP layer – Fully integrated into the Linux kernel – Mature implementation; Interfaces between key management and kernel are well-understood. . Linuxcon North America 2016, Toronto, Canada

  15. What is IPsec? • IP Security • Suite of protocols for encryption (adding a “ESP” header) and Authentication (adding a “AUTH” header) • ESP/AH are each applied to a “Security Association” (SA) that is pushed to kernel from user-space. – SA is defined by Admin. – Parameters: IP endpoint addresses, ports, IP protocol. Ports, protocol can be wild-cards – MAY be a TCP/UDP 4-tuple • IKE (Internet Key Exchange) protocol for establishing keys (using pre-shared key, CA etc) from user-space Linuxcon North America 2016, Toronto, Canada

  16. IPsec encryption with ESP • Encrypts data (either TCP/UDP payload for transport mode, or IP packet for tunnel mode) – Confidentiality, data-origin authentication, integrity, anti-replay service. • Adds an ESP header with an “Security Parameter Index” (SPI) and sequence number – SPI uniquely identifies a “Security Assocation” (SA) for which the security parameters (keys, crypto algo etc) are defined. Thus SPI essentially identifies a flow for IPsec – Sequence number is used to protect against replay attacks • Adds an ESP trailer which contains the “original protocol” of the data that was encrypted. Linuxcon North America 2016, Toronto, Canada

  17. IPsec encryption with ESP • Encrypts data (either TCP/UDP payload for transport mode, or IP packet for tunnel mode) – Confidentiality, data-origin authentication, integrity, anti-replay service. • Adds an ESP header with an “Security Parameter Index” (SPI) and sequence number – SPI uniquely identifies a “Security Assocation” (SA) for which the security parameters (keys, crypto algo etc) are defined. Thus SPI essentially identifies a flow for IPsec – Sequence number is used to protect against replay attacks • Adds an ESP trailer which contains the “original protocol” of the data that was encrypted. Linuxcon North America 2016, Toronto, Canada

  18. IPsec Transport vs Tunnel mode • IPsec Transport mode: ESP/AH transforms apply to L4 (TCP or UDP) header and payload. – Protects TCP header – L3/routing information is not modified – Typically used for host-host IPsec • IPsec tunnel mode: IP packet is encapsulated inside another IP packet. The IPsec transforms are applied to the inner (original) IP packet. – Protects IP and TCP header of the original packet – Typically used for VPNs – Routing information MAY be modified • For Cloud/Cluster solutions IPsec Transport mode is sufficient as we do not wish to modify routing information. Linuxcon North America 2016, Toronto, Canada

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra |

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra |

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra | Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef Outline Introduction Approach Research Results Conclusion

740 views • 19 slides
Migration to All-IP Networks Huw Saunders Director of Network Infrastructure, Ofcom Traffic

Migration to All-IP Networks Huw Saunders Director of Network Infrastructure, Ofcom Traffic

Migration to All-IP Networks Huw Saunders Director of Network Infrastructure, Ofcom Traffic Systems Group February 2020 PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM PSTN switch off - recap Incumbent telephone

679 views • 10 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark traffic flows - Police and shape traffic - Apply priority (managed scheduling) 1 Open-Loop Control / QoS Model Network performance is guaranteed to

408 views • 24 slides
Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th

Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th

Behavioural Network Traffic Analytics for Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th International Workshop on 5G Architecture (5GARCH) Presenter: Dr. Stavros Papadopoulos Post-doctoral research

426 views • 23 slides
Thank You for Joining Us! We Will Begin Shortly Tunneled Catheter Avoidance- Seven Simple

Thank You for Joining Us! We Will Begin Shortly Tunneled Catheter Avoidance- Seven Simple

Thank You for Joining Us! We Will Begin Shortly Tunneled Catheter Avoidance- Seven Simple Strategies Anil Agarwal, MD, FASN, FNKF, FACP Professor of Clinical Medicine Director, Interventional Nephrology Chief, Section of Nephrology at

471 views • 28 slides
IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Control/Management (configuration) telnet/ftp: ssh, http: https , mail: PGP Network

1.4k views • 26 slides
Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC NEIGHBOURHOODS? Part of the response to the damage motor traffic causes road casualties, air quality, community, public health and active

257 views • 13 slides
1 Evolution of Managed Care Types of Network Based Managed Care Programs Indemnity

1 Evolution of Managed Care Types of Network Based Managed Care Programs Indemnity

Evolving Payor Cost Containment Strategies And How to Respond Presented to Hometown Health 2016 Elizabeth A. Spoto, CEO Spoto & Associates, LLC Evolution of Managed Care Historical Milestones In Managed Care 1929 Baylor started

271 views • 12 slides
Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction Youve just invented the greatest protocol does everything including tying your shoelaces. What now? Need to know how it performs. Is it

510 views • 13 slides
Network traffic characterization A historical perspective 1 Incoming AT&T traffic by port

Network traffic characterization A historical perspective 1 Incoming AT&T traffic by port

Network traffic characterization A historical perspective 1 Incoming AT&T traffic by port (18 hours of traffic to AT&T dial clients on July 22, 1997) N a m e port % bytes % packets bytes per packet w o r l d - w i d e

425 views • 31 slides
Securing the Tor Network Mike Perry Black Hat USA 2007 Defcon 2007 What is Tor? Volunteer

Securing the Tor Network Mike Perry Black Hat USA 2007 Defcon 2007 What is Tor? Volunteer

Securing the Tor Network Mike Perry Black Hat USA 2007 Defcon 2007 What is Tor? Volunteer run relay network designed for privacy, anonymity, and censorship resistance. Tor relays TCP connections (streams) Multiplexed on

225 views • 20 slides
Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Network communication Who are you talking to?

636 views • 35 slides
Open Colorings, Perfect Sets and Games on Generalized Baire Spaces Dorottya Szirki MTA Alfrd

Open Colorings, Perfect Sets and Games on Generalized Baire Spaces Dorottya Szirki MTA Alfrd

Open Colorings, Perfect Sets and Games on Generalized Baire Spaces Dorottya Szirki MTA Alfrd Rnyi Institute of Mathematics SETTOP 2018 Novi Sad Conference in Set Theory and General Topology July 5, 2018 Generalized Baire spaces Let

616 views • 49 slides
Set theoretic aspects of the space of ultrafilters N Boban Velickovic Equipe de Logique

Set theoretic aspects of the space of ultrafilters N Boban Velickovic Equipe de Logique

Set theoretic aspects of the space of ultrafilters N Boban Velickovic Equipe de Logique Universit e de Paris 7 Outline Introduction 1 The spaces N and N under CH 2 A characterization of N Continuous images of N

1.09k views • 91 slides
Parikhs theorem from the complexity viewpoint Dmitry Chistikov University of Warwick, United

Parikhs theorem from the complexity viewpoint Dmitry Chistikov University of Warwick, United

Parikhs theorem from the complexity viewpoint Dmitry Chistikov University of Warwick, United Kingdom YR-OWLS, 03 June 2020 State complexity Program size complexity of problem: the minimum size of program that solves the problem State

1.55k views • 105 slides
L Leveraging Internet Data i I t t D t IM2GPS: Estimating Geographic Information from a

L Leveraging Internet Data i I t t D t IM2GPS: Estimating Geographic Information from a

L Leveraging Internet Data i I t t D t IM2GPS: Estimating Geographic Information from a Single Image (by James Hays and Alexei Efros) (by James Hays and Alexei Efros) Adriana Kovashka CS PhD Student Wh Where is this? is this? Italy

856 views • 69 slides
DBE UPDATES MEETING OCTOBER 2, 2017 PURPOSE OF TODAYS MEETING Kimberly Watson, Assistant

DBE UPDATES MEETING OCTOBER 2, 2017 PURPOSE OF TODAYS MEETING Kimberly Watson, Assistant

DBE UPDATES MEETING OCTOBER 2, 2017 PURPOSE OF TODAYS MEETING Kimberly Watson, Assistant Deputy Director Division of Opportunity, Diversity & Inclusion 2 | DBE Updates Meeting DBE ROUNDTABLES Lauren Purdy, Deputy Director

673 views • 21 slides
Q3 2018 Results 26 26 th th Oct ctober ober Key Messages Good perfo formanc mance e in a

Q3 2018 Results 26 26 th th Oct ctober ober Key Messages Good perfo formanc mance e in a

Q3 2018 Results 26 26 th th Oct ctober ober Key Messages Good perfo formanc mance e in a highly competit itive ive market et and u uncert rtain ain econ onom omic ic outloo ook Q3 2018 18 Attributab able le profi fit t

656 views • 16 slides
WELCOME North Country ry RPC Call to Order & Welcome Lee Rivers 3/27/2020 Board

WELCOME North Country ry RPC Call to Order & Welcome Lee Rivers 3/27/2020 Board

North Country Regional Planning Consortium WELCOME North Country ry RPC Call to Order & Welcome Lee Rivers 3/27/2020 Board Roll Call & Confirm Quorum Karen Meeting New 2020 2022 Board! Approve December 20,

439 views • 15 slides
Octave Tutorial Daniel Lamprecht Graz University of Technology March 26, 2012 Slides based on

Octave Tutorial Daniel Lamprecht Graz University of Technology March 26, 2012 Slides based on

Octave Tutorial Daniel Lamprecht Graz University of Technology March 26, 2012 Slides based on previous work by Ingo Holzmann Introduction Language basics Scripts and Functions Plotting Introduction What is Octave? GNU Octave is a

816 views • 25 slides

More recommend