Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch instead!

SLIDE 1

Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch instead!

SLIDE 2

Who we are

  • Jakub Libosvar, Software Engineer at Red Hat, libosvar@redhat.com
  • Rodolfo Alonso, Software Engineer, rodolfo.alonso.hernandez@intel.com

SLIDE 3

Index

  • Security groups overview
  • How OVS based firewall drivers work
  • Handy tools

SLIDE 4

How Neutron Security Groups work


[Diagram: three security groups, Web SG, App SG and Database SG, applied to the Web server, Application server and Database server tiers; a Client talks to the Web server]

SLIDE 5

iptables hybrid firewall driver (I)


br-int (openvswitch) MTU 1450

qbrfa00f53b-48 (bridge) MTU 1450
qvofa00f53b-48 (veth) MTU 1450 fe80::9cc6:7bff:feb6:b758/64 tag 1
qvbfa00f53b-48 (veth) MTU 1450 fe80::b456:b7ff:fef3:1cce/64
tapfa00f53b-48 (tun) MTU 1450 fe80::fc16:3eff:fe45:b407/64

qbr427c97a6-d4 (bridge) MTU 1450
qvo427c97a6-d4 (veth) MTU 1450 fe80::c45:71ff:fe3f:717c/64 tag 1
qvb427c97a6-d4 (veth) MTU 1450 fe80::f410:70ff:fea9:891e/64
tap427c97a6-d4 (tun) MTU 1450 fe80::fc16:3eff:fec5:e381/64

SLIDE 6

iptables hybrid firewall driver (II)


br-int (openvswitch) MTU 1450
tapda36ad27-40 (tun) MTU 1450 fe80::fc16:3eff:fe9e:491e/64 tag 1
tape800225d-3e (tun) MTU 1450 fe80::fc16:3eff:fe37:1f31/64 tag 1

SLIDE 7

Firewall dissection: evolution (I)

Packet filtering: static rules, based on source and destination address, protocol and port

SLIDE 8

Firewall dissection: evolution (II)

Stateful packet inspection: tracking connections and recording their state

Source: http://www.iptables.info/en/connection-state.html

SLIDE 9

Firewall dissection: evolution (III)

Application firewalls: full OSI stack inspection, DPI systems

Source: http://opennetsummit.org/

SLIDE 10

Firewall dissection: sections

  • Allow network discovery: ARP/ND messages
  • Allow network services: DHCP, ICMP, IGMP (or MLD using ICMPv6)
  • Prevent ARP spoofing: filtering by MAC address
  • DHCP snooping: filtering by protocol and port
  • Manage connection tracking: TCP, UDP
  • Manage user rules

SLIDE 11

Firewall implementation: OpenFlow “learn action” (I)

OpenFlow “learn action”: allows creating a new rule when a packet hits an existing one. It is used to track connections coming into the switch and to let the reply traffic flow back to the source of the communication.

Original flow (with learn action):
  IN PORT = 5
  VLAN = 1410
  DST MAC = ca:fe:ca:fe:ca:fe
  SRC MAC = 00:11:22:33:44:55
  PROTOCOL = ipv4, TCP
  DST IP: 192.168.1.1
  SRC IP: 192.168.1.100
  DST PORT: 2000
  SRC PORT: 5000
  ACTIONS = learn(dst_mac=SRC_MAC, src_mac=DST_MAC, src_ip=DST_IP, dst_ip=SRC_IP, src_port=DST_PORT, dst_port=SRC_PORT, proto=PROTO, vlan=VLAN, actions=normal)

Learned flow:
  VLAN = 1410
  DST MAC = 00:11:22:33:44:55
  SRC MAC = ca:fe:ca:fe:ca:fe
  PROTOCOL = ipv4, TCP
  DST IP: 192.168.1.100
  SRC IP: 192.168.1.1
  DST PORT: 5000
  SRC PORT: 2000
  ACTIONS = normal
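To make the learn() field mapping on this slide concrete, here is an added Python model of it. This is example code written for this page, not the presentation's or networking-ovs-dpdk's own code: the Packet, Flow and Switch names, the rule priorities and the table-miss drop are assumptions; the packet field values are the ones on the slide, and the "stray" packet is constructed.

```python
"""Toy model of the OpenFlow "learn" action as the learn-action firewall
driver uses it.  Added illustration for this page, not code from the
presentation or from networking-ovs-dpdk.  When an outgoing packet hits the
rule carrying learn(), a reverse-direction flow is derived from the packet
with the slide's mapping (dst_mac=SRC_MAC, src_mac=DST_MAC, ...), so only
replies to that connection are let back in.  Names and priorities are
assumptions made for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_port: int
    vlan: int
    dst_mac: str
    src_mac: str
    proto: str
    dst_ip: str
    src_ip: str
    dst_port: int
    src_port: int


@dataclass
class Flow:
    priority: int
    match: dict      # field -> required value; a field not listed is a wildcard
    actions: list    # any of "learn", "normal", "drop"

    def matches(self, pkt):
        return all(getattr(pkt, k) == v for k, v in self.match.items())


# The slide's learn() mapping: learned field <- packet field it is copied from.
LEARN_SPEC = {
    "dst_mac": "src_mac", "src_mac": "dst_mac",
    "src_ip": "dst_ip", "dst_ip": "src_ip",
    "src_port": "dst_port", "dst_port": "src_port",
    "proto": "proto", "vlan": "vlan",
}


class Switch:
    def __init__(self):
        self.flows = []

    def add_flow(self, flow):
        self.flows.append(flow)
        self.flows.sort(key=lambda f: -f.priority)   # highest priority first

    def learn(self, pkt):
        """Install the reverse flow, e.g. learned dst_mac = pkt.src_mac.
        No in_port is learned, so the reply may arrive on any port."""
        match = {learned: getattr(pkt, src) for learned, src in LEARN_SPEC.items()}
        self.add_flow(Flow(priority=100, match=match, actions=["normal"]))

    def process(self, pkt):
        """Return the action taken for pkt: "normal" (forward) or "drop"."""
        for flow in self.flows:
            if flow.matches(pkt):
                if "learn" in flow.actions:
                    self.learn(pkt)
                return "drop" if "drop" in flow.actions else "normal"
        return "drop"   # table miss: assumed to drop in this model


def demo():
    """Replay the slide's exchange: the VM 00:11:22:33:44:55 on port 5 opens
    a TCP connection, the reply comes back via the uplink (port 1), and an
    unrelated packet from the uplink is refused."""
    sw = Switch()
    sw.add_flow(Flow(50, {"in_port": 5, "src_mac": "00:11:22:33:44:55"},
                     ["learn", "normal"]))
    sw.add_flow(Flow(0, {}, ["drop"]))
    out = Packet(5, 1410, "ca:fe:ca:fe:ca:fe", "00:11:22:33:44:55", "tcp",
                 "192.168.1.1", "192.168.1.100", 2000, 5000)
    reply = Packet(1, 1410, "00:11:22:33:44:55", "ca:fe:ca:fe:ca:fe", "tcp",
                   "192.168.1.100", "192.168.1.1", 5000, 2000)
    # Constructed: same destination, but a peer the VM never talked to.
    stray = Packet(1, 1410, "00:11:22:33:44:55", "de:ad:be:ef:00:01", "tcp",
                   "192.168.1.100", "192.168.1.200", 5000, 2000)
    return {
        "outgoing": sw.process(out),    # hits the learn rule, installs reverse flow
        "reply": sw.process(reply),     # matches the learned flow
        "stray": sw.process(stray),     # no learned flow and no egress match
        "flows": len(sw.flows),         # 2 static + 1 learned
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the order dependence of the learned flow: a reply that arrives before the VM has sent anything finds no learned entry and is dropped, while the learned entry, once present, carries no in_port and therefore admits the reply on whichever port it comes in.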

SLIDE 12

Firewall implementation: OpenFlow “learn action” (II)

Flow path description:

  • Zero table: MAC and in_port matching, VLAN management, ARP/ND
  • Traffic selection: service rules, multicast management, traffic selection
  • Input traffic: traffic coming into the OVS
  • Output traffic: traffic going out of the OVS into a VM
  • External output traffic: traffic going out of the OVS to an external destination (physical, external or tunnel bridge)

[Diagram of the flow path: ZERO TABLE, TRAFFIC SELECTION, INPUT TRAFFIC, OUTPUT TRAFFIC, EXTERNAL OUTPUT TRAFFIC]

SLIDE 13

Firewall implementation: OpenFlow “learn action” (III)

[Chart: 1000 users, OVS 2.4; y-axis MB (200 to 1,400), x-axis bytes per packet (200 to 1600); series: OVS 2.4, no firewall; OVS 2.4, iptables; OVS 2.4, "learn action"]

SLIDE 14

Firewall implementation: OpenFlow “learn action” (IV)

[Chart: 1000 users, OVS 2.4 DPDK; y-axis MB (1,000 to 10,000), x-axis bytes per packet (200 to 1600); series: OVS 2.4, iptables; DPDK, no firewall, OVS 2.4; DPDK, "learn action" implementation, OVS 2.4]

SLIDE 15

Firewall implementation: connection tracking (I)


[Diagram: Integration bridge with tables Base table, Egress base, Egress rules, Egress accepted, Ingress base and Ingress rules; Instance A and Instance B attached to the bridge, with a Switch as the uplink]

SLIDE 16

Firewall implementation: connection tracking (II)


[Diagram repeated from slide 15: Integration bridge with Base table, Egress base, Egress rules, Egress accepted, Ingress base, Ingress rules; Instance A, Instance B, Switch]

SLIDE 17

Firewall implementation: connection tracking (III)


[Diagram repeated from slide 15: Integration bridge with Base table, Egress base, Egress rules, Egress accepted, Ingress base, Ingress rules; Instance A, Instance B, Switch]

SLIDE 18

Firewall implementation: connection tracking (IV)


[Diagram repeated from slide 15: Integration bridge with Base table, Egress base, Egress rules, Egress accepted, Ingress base, Ingress rules; Instance A, Instance B, Switch]

SLIDE 19

Firewall implementation: connection tracking (V)

Egress rules:

priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
priority=70,ct_state=+new-est,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
priority=50,ct_state=+inv+trk actions=drop
priority=50,ct_mark=0x1,reg5=0x1 actions=drop
priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
priority=40,ct_state=-est,reg5=0x1 actions=drop
priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
priority=0 actions=drop

SLIDE 20

Firewall implementation: connection tracking (VI)

Egress accepted:

table=73, priority=100,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],resubmit(,81)
table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),NORMAL
table=73, priority=80,reg5=0x1 actions=NORMAL
table=73, priority=0 actions=drop

SLIDE 21

Firewall implementation: connection tracking (VII)

[Chart: 1000 users, OVS 2.5; y-axis MB (200 to 1,600), x-axis bytes per packet (200 to 1600); series: OVS 2.4, iptables; OVS 2.5, conntrack]

SLIDE 22

Handy tools and commands: ovs-vsctl (I)

show: prints a brief overview of the database contents

root@compute:~# ovs-vsctl show
c0a5a68d-2236-409c-9721-4382c4d7825d
    Bridge "br-eth4"
        Port "eth4"
            Interface "eth4"
        Port "phy-br-eth4"
            Interface "phy-br-eth4"
                type: patch
                options: {peer="int-br-eth4"}
    Bridge br-int
        fail_mode: secure
        Port "tapdf053558-6f"
            tag: 1
            Interface "tapdf053558-6f"
        Port "int-br-eth4"
            Interface "int-br-eth4"
                type: patch
                options: {peer="phy-br-eth4"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.5.90"

SLIDE 23

Handy tools and commands: ovs-vsctl (II)

  • add-br bridge: creates a new bridge
  • del-br bridge: deletes the bridge
  • list-ports bridge: lists all ports within the bridge

root@compute:~# ovs-vsctl list-ports br-int
int-br-eth4
qr-fa59f34c-4a
qr-fc4cbc61-38
tap423ef4df-75
tapdf053558-6f

SLIDE 24

Handy tools and commands: ovs-ofctl

dump-flows bridge [flows]: prints to the console all flow entries in the switch's tables that match “flows”

root@computer:~# ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
 cookie=0xaa8bf9e1635b7423, duration=502959.645s, table=0, n_packets=5824755, n_bytes=454330890, idle_age=65534, hard_age=65534, priority=2,in_port=1 actions=drop
 cookie=0xaa8bf9e1635b7423, duration=500106.686s, table=0, n_packets=7509495125, n_bytes=5044309725863, idle_age=43, hard_age=65534, priority=100,in_port=5 actions=load:0x5->NXM_NX_REG5[],load:0xfff->NXM_NX_REG6[],resubmit(,71)
 cookie=0xaa8bf9e1635b7423, duration=500106.686s, table=0, n_packets=11131317812, n_bytes=7510404375704, idle_age=47, hard_age=65534, priority=90,dl_dst=fa:16:3e:54:b6:ad actions=load:0x5->NXM_NX_REG5[],load:0xfff->NXM_NX_REG6[],resubmit(,81)
 cookie=0xaa8bf9e1635b7423, duration=502955.155s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=3,in_port=1,dl_vlan=1404 actions=mod_vlan_vid:1,NORMAL
 cookie=0xaa8bf9e1635b7423, duration=502970.137s, table=0, n_packets=7790, n_bytes=918512, idle_age=43, hard_age=65534, priority=0 actions=NORMAL
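As an added example (not part of the presentation, of Neutron or of Open vSwitch), the following Python script parses flow lines in the two shapes this deck shows, the bare egress rules of slides 19 and 20 and the ovs-ofctl dump-flows output above, then answers two questions a practitioner asks of such a dump: which rule would a packet with a given conntrack state hit, and which rules have never matched anything. The flow lines are copied from the slides; the packet field values and ct_state flag sets are constructed; the function names (parse_flow, lookup, never_hit) and the "32768" default priority are this example's own choices, the latter being the OpenFlow default when no priority is given.

```python
"""Parser and matcher for ovs-ofctl flow lines.  Added illustration for this
page, not code from the presentation, Neutron or Open vSwitch.  It handles the
bare egress rules of slides 19/20 and dump-flows output with its counters.
Flow lines are copied from the slides; the packets below are constructed."""
import re

STATS_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes",
              "idle_age", "hard_age"}

EGRESS_RULES = """\
priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
priority=70,ct_state=+new-est,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
priority=50,ct_state=+inv+trk actions=drop
priority=50,ct_mark=0x1,reg5=0x1 actions=drop
priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
priority=40,ct_state=-est,reg5=0x1 actions=drop
priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
priority=0 actions=drop
"""

DUMP_FLOWS = """\
NXST_FLOW reply (xid=0x4):
 cookie=0xaa8bf9e1635b7423, duration=502959.645s, table=0, n_packets=5824755, n_bytes=454330890, idle_age=65534, hard_age=65534, priority=2,in_port=1 actions=drop
 cookie=0xaa8bf9e1635b7423, duration=502955.155s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=3,in_port=1,dl_vlan=1404 actions=mod_vlan_vid:1,NORMAL
 cookie=0xaa8bf9e1635b7423, duration=502970.137s, table=0, n_packets=7790, n_bytes=918512, idle_age=43, hard_age=65534, priority=0 actions=NORMAL
"""


def parse_ct_state(spec):
    """'+est-rel-rpl' -> ({'est'}, {'rel', 'rpl'}): flags that must be set
    and flags that must be clear."""
    plus, minus = set(), set()
    for sign, flag in re.findall(r"([+-])([a-z]+)", spec):
        (plus if sign == "+" else minus).add(flag)
    return plus, minus


def parse_flow(line):
    """Split one flow line into counters, match fields and the action string."""
    head, _, actions = line.strip().partition(" actions=")
    stats, match = {}, {}
    for token in head.split(","):
        key, _, value = token.strip().partition("=")
        if not key:
            continue
        if key in STATS_KEYS:
            stats[key] = value
        elif key == "ct_state":
            match["ct_state"] = parse_ct_state(value)
        elif value == "":
            match["protocol"] = key          # bare tokens such as icmp or tcp
        else:
            match[key] = value
    match["priority"] = int(match.pop("priority", "32768"))  # OpenFlow default
    return {"stats": stats, "match": match, "actions": actions}


def parse_table(text):
    # Lines without actions (the NXST_FLOW header) are skipped.
    return [parse_flow(l) for l in text.splitlines() if " actions=" in l]


def flow_matches(flow, pkt):
    """pkt maps field -> string value, with 'ct_state' as a set of flags."""
    for key, want in flow["match"].items():
        if key == "priority":
            continue
        if key == "ct_state":
            plus, minus = want
            have = pkt.get("ct_state", set())
            if not plus <= have or minus & have:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def lookup(flows, pkt):
    """Action of the highest-priority matching flow (stable sort keeps rule
    order for ties), or None on a table miss."""
    for flow in sorted(flows, key=lambda f: -f["match"]["priority"]):
        if flow_matches(flow, pkt):
            return flow["actions"]
    return None


def never_hit(flows):
    """(table, priority) of every flow whose packet counter is still zero."""
    return [(f["stats"].get("table"), f["match"]["priority"])
            for f in flows if f["stats"].get("n_packets") == "0"]


def demo():
    rules = parse_table(EGRESS_RULES)
    base = {"reg5": "0x1", "dl_src": "fa:16:3e:a4:22:10",
            "ct_zone": "644", "ct_mark": "0"}          # constructed packet fields
    pkts = {
        "new_icmp":   dict(base, protocol="icmp", ct_state={"new", "trk"}),
        "invalid":    dict(base, protocol="tcp", ct_state={"inv", "trk"}),
        "est_reply":  dict(base, protocol="tcp", ct_state={"est", "rpl", "trk"}),
        "est_egress": dict(base, protocol="tcp", ct_state={"est", "trk"}),
        "new_tcp":    dict(base, protocol="tcp", ct_state={"new", "trk"}),
    }
    hits = {name: lookup(rules, p) for name, p in pkts.items()}
    hits["unused"] = never_hit(parse_table(DUMP_FLOWS))
    return hits
```

demo() shows the egress table doing what the rules say: a new ICMP packet from the allowed MAC is resubmitted to the "egress accepted" table, an invalid tracked packet is dropped, an established reply is forwarded with NORMAL, a new TCP connection with no matching user rule falls through to the priority-40 drop, and an established egress connection that matched no rule is committed with ct_mark 0x1 so that later packets of it hit the priority-50 ct_mark=0x1 drop. Against the dump-flows sample, never_hit() reports the priority-3 dl_vlan=1404 entry as the only flow with n_packets=0, which is the same check one would run over a live dump to find stale rules.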

SLIDE 25

Handy tools and commands: ovs-appctl (I)

dpctl/dump-flows: prints the dataplane active flows

root@compute:~# ovs-appctl -t /usr/var/run/openvswitch/ovs-vswitchd.24766.ctl dpctl/dump-flows system@ovs-system
recirc_id(0xb92),in_port(7),ct_state(+new-est-rel-rpl),eth(dst=fa:16:3e:54:b6:ad),eth_type(0x8100),vlan(vid=1404,pcp=0),encap(eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=5000/0xfffe)), packets:9765, bytes:4960620, used:3.452s, actions:ct(commit,zone=4095),pop_vlan,8
recirc_id(0),in_port(8),ct_state(-trk),eth(src=fa:16:3e:54:b6:ad),eth_type(0x0800),ipv4(src=10.0.0.3,proto=17,frag=no),udp(src=4096/0xf000), packets:506822, bytes:255438288, used:0.000s, actions:ct(zone=4095),recirc(0xb93)

SLIDE 26

Handy tools and commands: ovs-appctl (II)

ofproto/trace bridge flow_description: prints the megaflow path inside the bridge

root@silpixa0038521:~# ovs-appctl -t /usr/var/run/openvswitch/ovs-vswitchd.24766.ctl ofproto/trace br-int "in_port=1,dl_vlan=1404"
Bridge: br-int
Flow: in_port=1,dl_vlan=1404,dl_vlan_pcp=0,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000

Rule: table=0 cookie=0xaa8bf9e1635b7423 priority=3,in_port=1,dl_vlan=1404
OpenFlow actions=mod_vlan_vid:1,NORMAL
no learned MAC for destination, flooding

Final flow: in_port=1,dl_vlan=1,dl_vlan_pcp=0,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000
Megaflow: recirc_id=0,in_port=1,dl_vlan=1404,dl_vlan_pcp=0,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000
Datapath actions: pop_vlan,push_vlan(vid=1,pcp=0),1,pop_vlan,3,4,6,8

SLIDE 27

How to enable the firewall in Neutron

OVS Connection Tracking Firewall Driver

Edit /etc/neutron/plugins/ml2/ml2_conf.ini:

    [securitygroup]
    firewall_driver = openvswitch

OVS “Learn Action” Firewall Driver

Install networking-ovs-dpdk:

    root@compute:~# pip install networking-ovs-dpdk

Edit /etc/neutron/plugins/ml2/ml2_conf.ini:

    [securitygroup]
    firewall_driver = ovs_learn_action

SLIDE 28

Future work

  • Connection tracking in user space
  • Migration path from iptables
  • Implement bundles for ofctl commands
  • Use conjunctions to simplify rules with remote security groups
  • Implement fullstack tests
  • Introduce new bugs with the features above so we can fix them!!

SLIDE 29

References

https://github.com/openstack/neutron/blob/master/doc/source/devref/openvswitch_firewall.rst
https://github.com/openstack/networking-ovs-dpdk
