svlan secure scalable network virtualization
play

SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, - PowerPoint PPT Presentation

Mar 17, 2024 •373 likes •679 views

SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, Taeho Lee, Claude Hhni, Adrian Perrig ETH Zrich, Network Security Group Jonghoon Kwon, Ph.D | | 25.02.2020 1 Current Inter-domain Network Virtualization: VLAN PM PM PM

  1. SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, Taeho Lee, Claude Hähni, Adrian Perrig ETH Zürich, Network Security Group Jonghoon Kwon, Ph.D | | 25.02.2020 1

  2. Current Inter-domain Network Virtualization: VLAN PM PM PM PM Internet ETH | VLAN | IP | Data VID 101 VID 102 Virtual LAN (IEEE 802.1q) Layer-2 bridging Supporting apx. 4 K virtual networks with a 12-bit VID value Jonghoon Kwon, Ph.D | | 25.02.2020 2

  3. Current Inter-domain Network Virtualization: VXLAN Core Network Hypervisor Edge Network VM VM Hypervisor VM VM ETH | IP | Data VTEP ETH | IP | Data VTEP Internet VXLAN tunnel Outer ETH | Outer IP | Outer UDP | VXLAN | ETH | IP | Data VNI 1001 VNI 1002 Virtual eXtensible LAN Supporting 16 M virtual networks with a 24-bit VNI value Interconnecting layer-2 networks over an underlying layer-3 network Jonghoon Kwon, Ph.D | | 25.02.2020 3

  4. Adversarial Model and Desired Properties Security Compromise Network Isolation Scalability Disrupt Virtual Network Flexibility Jonghoon Kwon, Ph.D | | 25.02.2020 4

  5. VXLAN: Insufficient Security Trusted Core Network Hypervisor Trusted Edge Network VM VM Hypervisor VM VM VTEP Outer ETH | Outer IP | Outer UDP | VXLAN | ETH | IP | Data Untrusted VTEP Internet Attackers may manipulate VNIs and forward malicious traffic Jonghoon Kwon, Ph.D | | 25.02.2020 5

  6. VXLAN: Scalability Constraints Core Network Hypervisor Edge Network VM VM VM VM VM VM Hypervisor VM VM VM VM VM VTEP VTEP Internet Jonghoon Kwon, Ph.D | | 25.02.2020 6

  7. VXLAN: Insufficient Flexibility Core Network Hypervisor Edge Network VM VM Hypervisor VM VM VTEP VTEP Internet Jonghoon Kwon, Ph.D | | 25.02.2020 7

  8. VXLAN: Insufficient Flexibility Core Network Hypervisor Edge Network VM VM Hypervisor VM VM VTEP VTEP Internet Jonghoon Kwon, Ph.D | | 25.02.2020 8

  9. Challenges and Countermeasures Intra-domain network slicing Intra-domain Properties (Destination-driven connectivity) • Host-level granularity • Application-level granularity • Limited number of VNI • Unlimited virtual group • Frequent VNI update • Centralized management Verifiable Inter-domain routing Inter-domain Properties (Packet-carrying forwarding state) • Insecure overlay tunneling • Crypto-based protection • ARP broadcast • Separation of control & data plane • State routing • Stateless routing Jonghoon Kwon, Ph.D | | 25.02.2020 9

  10. Our Vision on Secure and Scalable Network Virtualization Edge network Core network Mobile Slice Untrusted Network Untrusted Network IoT Slice Mission critical Slice Jonghoon Kwon, Ph.D | | 25.02.2020 10

  11. SVLAN (Secure & Scalable Virtual LAN) Overview Receiver Sender Hypervisor Authorization Delegate Hypervisor VM VM VM VM SVTEP SVTEP SVLAN tunnel Verifier Jonghoon Kwon, Ph.D | | 25.02.2020 11

  12. Express Receiver’s Consent Receiving Policy Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Jonghoon Kwon, Ph.D | | 25.02.2020 12

  13. Acquiring Receiver’s Consent Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Authorization request Jonghoon Kwon, Ph.D | | 25.02.2020 13

  14. Acquiring Receiver’s Consent Authorization Proof Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Path Segments + Authorization Proof Jonghoon Kwon, Ph.D | | 25.02.2020 14

  15. SVLAN Packet Forwarding Receiver Sender Hypervisor Hypervisor VM VM Path Segment + VM VM Authorization Proof + SVTEP SVTEP Data Jonghoon Kwon, Ph.D | | 25.02.2020 15

  16. Verifying the Validity of Packets Receiver Sender Hypervisor Hypervisor VM VM Path Segment + VM VM Authorization Proof + SVTEP SVTEP Data Jonghoon Kwon, Ph.D | | 25.02.2020 16

  17. Proof-of-Concept Implementation in SCIONLab SCIONLab: Global Future Internet Testbed Secure and fine-grained inter-domain segment routing Testbed distributed across the world https://github.com/scionproto/scion https://www.scionlab.org Jonghoon Kwon, Ph.D | | 25.02.2020 17

  18. Cracking the Authorization Proof is Impractical Brute-force attack would require 60000 years on 100 Gbps line to break 64-bit MAC Jonghoon Kwon, Ph.D | | 25.02.2020 18

  19. No Significant Bandwidth Overhead § SR-MPLS § 36 bytes of additional header § 12 bytes of MPLS labels (three labels) § 24 bytes of proof § SCION § 60 bytes of additional header § 24 bytes of forwarding paths (three labels) § 32 bytes of extra header Jonghoon Kwon, Ph.D | | 25.02.2020 19

  20. Small Forwarding Performance Overhead iMIX profiles the proportion of packets of a certain size based on statistical sampling from actual Internet traces Jonghoon Kwon, Ph.D | | 25.02.2020 20

  21. Latency Inflation Measurements in Cloud Authorization Delegate Sender Receiver 14 Amazon EC2 instances Select 3 instances as the sender, receiver, and authorization delegate Measure the latency for TTFP (Time to First Packet) Jonghoon Kwon, Ph.D | | 25.02.2020 21

  22. Latency Inflation with AD on Amazon Cloud < 75% of latency inflation Jonghoon Kwon, Ph.D | | 25.02.2020 22

  23. Large-scale Simulation Jonghoon Kwon, Ph.D | | 25.02.2020 23

  24. SVLAN, Expected Benefits § Flexible network management § Highly scalable network virtualization § Receiving policy at different granularity § Unlimited number of VNI § Easy update for virtual network § Stateless VTEP § Reducing network overhead § Secure isolation from unwanted traffic § No ARP flooding § Only authorized packets get forwarded § Negligible latency influence § Adversaries cannot impersonate authorized senders Jonghoon Kwon, Ph.D | | 25.02.2020 24

  25. Thank you! SVLAN: Secure & Scalable Network Virtualization Jonghoon Kwon, Taeho Lee, Claude Hähni, Adrian Perrig (jong.kwon@inf.ethz.ch) ETH Zurich Network Security Group Universitätstrasse 6 8092 Zürich https://netsec.ethz.ch

  26. Backup Slides First name Surname (edit via “Insert” > “Header & Footer”) | | 1.12.2014 26

  27. Implementation Example SVLAN header format on SCION Jonghoon Kwon, Ph.D | | 25.02.2020 27

  28. Practical Consideration Location of Authorization Delegates Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Receiver’s AS Third party entity (Cloud) Jonghoon Kwon, Ph.D | | 25.02.2020 28

  29. Practical Consideration Location of Verifiers Receiver Sender Hypervisor Hypervisor VM VM VM VM SVTEP SVTEP Receiver Receiver’s AS Sender’s AS Third party entity (Cloud) Jonghoon Kwon, Ph.D | | 25.02.2020 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network Support for multiple logical networks running on a common shared physical substrate A container of network services Aspects of the

589 views • 21 slides
Towards a Scalable SDN Virtualization Platform IFIP/IEEE SDNMO 2014 Zdravko Bozakov, Panagiotis

Towards a Scalable SDN Virtualization Platform IFIP/IEEE SDNMO 2014 Zdravko Bozakov, Panagiotis

Towards a Scalable SDN Virtualization Platform IFIP/IEEE SDNMO 2014 Zdravko Bozakov, Panagiotis Papadimitriou Leibniz Universitt Hannover, Germany Introduction Network virtualization in multi-tenant data-centers: Elastic provisioning

417 views • 30 slides
Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing

Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing

4/1/2013 Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing physical hardware or software resources by Share physical network resources to form multiple multiple users and/or use cases diverse virtual

511 views • 5 slides
&lt;virtualization&gt; Feedback-directed emulation IP address assignment Scalable

&lt;virtualization&gt; Feedback-directed emulation IP address assignment Scalable

Emulab: Network Testbed Large-scale Virtualization in the Emulab Network Testbed Mike Hibler, Robert Ricci, Leigh Stoller, Jonathon Duerig, Shashi Guruprasad, Tim Stack, Kirk Webb, Jay Lepreau 2 The Basic Idea: Whats Wrong? Use

298 views • 7 slides
Secure Scalable CCT Secure Scalable CCTV, Mobile, and W Mobile, and Wearable earable Video F

Secure Scalable CCT Secure Scalable CCTV, Mobile, and W Mobile, and Wearable earable Video F

WSB-2017 17 J January 2 2017 17 Secure Scalable CCT Secure Scalable CCTV, Mobile, and W Mobile, and Wearable earable Video F Video Face R ce Recognition cognition Brian Lo Brian Lovell ll The Univer The Univ ersity of Queensland

784 views • 62 slides
The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data

The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data

The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data Services Josh Howlett &amp; Nick Skelton Information Services, University of Bristol TNC 2003 Background 1999-2000: new technologies

1.22k views • 52 slides
EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong Liao Dong Yin Lixin Gao Yong Liao, Dong Yin, Lixin Gao Univ. of Massachusetts, Amherst Network Virtualization Platform Network Virtualization

367 views • 17 slides
Network Virtualization Problem Statement draft-shin-virtualization-meta-arch-01.txt Sangjin

Network Virtualization Problem Statement draft-shin-virtualization-meta-arch-01.txt Sangjin

Network Virtualization Problem Statement draft-shin-virtualization-meta-arch-01.txt Sangjin Jeong(ETRI), Myung-Ki Shin (ETRI) Takashi Egawa (NEC), Hideki Otsuki (NICT) March 23, 2010 Virtual Network RG meeting @ IETF77 Objective Discuss

628 views • 9 slides
Virtualization Virtualization Memory virtualization Process feels like it has its own

Virtualization Virtualization Memory virtualization Process feels like it has its own

4/25/08 Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine External

441 views • 8 slides
High-performance Network Accommodation and Intra-slice Switching Using a Type of Virtualization

High-performance Network Accommodation and Intra-slice Switching Using a Type of Virtualization

High-performance Network Accommodation and Intra-slice Switching Using a Type of Virtualization Node Yasusi Kanada &amp; Kei Shiraishi, Hitachi, Ltd. Akihiro Nakao, University of Tokyo Introduction We developed a network-virtualization

174 views • 13 slides
Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This simulated environment is called a virtual machine --Wikipedia 2 Computer Systems Arch.

1.26k views • 26 slides
RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B.

RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B.

RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B. Taylor Bespoke Silicon Group University of Washington 1 Berkeleys Tethered Rocket core The host system provide support for: Rocket Core

1.24k views • 16 slides
Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt;

Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt;

Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt; libvirt: Background API for management of hypervisors Community (Red Hat, Fujitsu, Bull) Isolates apps from HV specific APIs Driver

608 views • 11 slides
CS244 Advanced Topics in Networking Lecture 9: SDN (2) Network Virtualization Nick McKeown

CS244 Advanced Topics in Networking Lecture 9: SDN (2) Network Virtualization Nick McKeown

CS244 Advanced Topics in Networking Lecture 9: SDN (2) Network Virtualization Nick McKeown Network Virtualization in Multi-tenant Datacenters, [ Teemu Koponen et al, 2014] Spring 2020 Context Teemu Koponen Early employee Nicira

485 views • 32 slides
When simplicity becomes complex On the road to a scalable and dynamic SURFnet7 network Terena

When simplicity becomes complex On the road to a scalable and dynamic SURFnet7 network Terena

When simplicity becomes complex On the road to a scalable and dynamic SURFnet7 network Terena Network Architects Workshop, Copenhagen Wouter Huisman What do we want from a network? Scalable Flexible Cost efficient Endusers

347 views • 31 slides
Finding the Optimal Reconfiguration for Network Function Virtualization Orchestration with

Finding the Optimal Reconfiguration for Network Function Virtualization Orchestration with

Finding the Optimal Reconfiguration for Network Function Virtualization Orchestration with Time-varied Workload Satyajit Padhy, Jerry Chou National Tsing Hua University The Third International Workshop on Systems and Network Telemetry and

725 views • 26 slides
Interdisciplinary Care and Maximizing Community Partnerships to Serve Youth Experiencing

Interdisciplinary Care and Maximizing Community Partnerships to Serve Youth Experiencing

Interdisciplinary Care and Maximizing Community Partnerships to Serve Youth Experiencing Homelessness 2 Agenda Who We Are Defining Homelessness Interdisciplinary Care Community Partnerships This activity is made possible by the Health

600 views • 23 slides
Student assessment in an inquiry-based module Assessment of Inquiry How do we assess inquiry

Student assessment in an inquiry-based module Assessment of Inquiry How do we assess inquiry

Student assessment in an inquiry-based module Assessment of Inquiry How do we assess inquiry skills? Written evidence? Which inquiry skills? How many skills? During inquiry or at the end How much teacher time and effort?

614 views • 33 slides
The high 5 C. difficile C. difficile guidelines: infection control recommendations Continue

The high 5 C. difficile C. difficile guidelines: infection control recommendations Continue

2/19/19 5. When can my hospitalized patient with C. difficile come off contact precautions? What are the Infection Control Questions: recommended precautions after Inpatient and Outpatient discharge home? The high 5 C. difficile C. difficile

95 views • 7 slides
Novel Transport Phenomena with Chirality, Vorticity and Magnetic field Jinfeng Liao 1

Novel Transport Phenomena with Chirality, Vorticity and Magnetic field Jinfeng Liao 1

Jun. 23~25, 2019 Novel Transport Phenomena with Chirality, Vorticity and Magnetic field Jinfeng Liao 1 Fascinating New Frontiers of XQCD It is all about quarks &amp; gluons under extreme conditions! 2 Spin: Chirality, Vorticity

950 views • 80 slides
ENROLLING YOUR STUDENT Child must turn 5 on or before August 31, 2020 (No Exceptions)

ENROLLING YOUR STUDENT Child must turn 5 on or before August 31, 2020 (No Exceptions)

ENROLLING YOUR STUDENT Child must turn 5 on or before August 31, 2020 (No Exceptions) Centralized Enrollment: Wednesday, July 29, 2020 at Leavenworth High School Sign-up for transportation, meal plans, Horizon Kids, etc.

504 views • 17 slides
02.07.2019 INGLS LAWDO ESTUDO DE TEXTO ESCOLA NATELL E EXERCICIO DE FIXAO 1) TEXT

02.07.2019 INGLS LAWDO ESTUDO DE TEXTO ESCOLA NATELL E EXERCICIO DE FIXAO 1) TEXT

SADE NA 02.07.2019 INGLS LAWDO ESTUDO DE TEXTO ESCOLA NATELL E EXERCICIO DE FIXAO 1) TEXT STUDY 2) VOCABULARY 3) OVERVIEW PLURAL OF NOUNS ( DE OLHO NO VESTIBULAR ) 4) REVIEW 2 ESTUDO DE TEXTO E EXERCICIO DE FIXAO

508 views • 12 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters, Rabbits Part 7: Husbandry

Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters, Rabbits Part 7: Husbandry

Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters, Rabbits Part 7: Husbandry Standards Course Objectives By the end of this presentation, you should be able to, as appropriate for guinea pigs, hamsters or rabbits: 1.

571 views • 33 slides

More recommend