Virtual xfrm interfaces

Steffen Klassert

secunet Security Networks AG Dresden

Linux IPsec Workshop, Dresden, March 26, 2018

Redesigning the IPsec VTI interfaces / creating xfrm interfaces

Disadvantages of IPsec VTI interfaces

◮ VTI interfaces are L3 tunnels with configurable endpoints.
  ◮ The tunnel endpoints are already determined by the SA.
  ◮ Separate interfaces for IPv4 and IPv6 tunnels needed.

◮ Only one VTI with wildcard tunnel endpoints.
  ◮ Problematic if you need more than one (e.g. for namespaces).

◮ VTI is configured with GRE keys and routing marks.
  ◮ Neither GRE keys nor routing marks were designated to configure a VTI.

◮ VTI works just with tunnel mode SAs.
  ◮ Not an interface to route transport or beet mode.

New design for XFRM interfaces

◮ Should be a virtual interface that ensures IPsec transformation.

◮ No limitation on xfrm mode (tunnel, transport and beet).

◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces).

◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key.

◮ Should be possible to tunnel IPv4 and IPv6 through the same interface.

◮ Should be possible to use IPsec hardware offloads of the underlying interface.

◮ Anything else?

Current implementation of the XFRM interfaces

◮ Stripped down the VTI6 implementation to provide the basic interface.

◮ Created a new lookup key for policies and SAs, the xfrm interface id.

◮ It is possible to insert policies and SAs that differ only in the xfrm interface id.

◮ The policy and SA lookups need some advanced testing!!!

◮ Known problem: currently needs to be bound to a physical interface.

◮ Known problem: policy wildcard src/dst addresses (0.0.0.0/0) → routing loop.
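Both the design goals above (an interface ID that is a policy/SA lookup key, several interfaces side by side, IPv4 and IPv6 through one interface) and the implementation notes on this slide (policies and SAs that differ only in the xfrm interface id; the wildcard-policy routing loop) can be followed in a small Python model. This is an added example, not code from the talk or from the kernel: the interface names xfrm1 and xfrm2, the if_id values, the documentation-range addresses and the route, policy and SA tables are all constructed, the kernel's real databases and selectors are far richer, and the model's picture of the loop (the encapsulated packet is routed again, re-enters the interface and matches the wildcard policy once more) is an editor's reading of the slide's note rather than a description of the kernel's code paths.

```python
"""Model of the xfrm interface id as a policy/SA lookup key. Added example, not
code from the talk or the kernel (the real databases are far richer). It shows that
policies/SAs differing only in if_id coexist and are chosen by the xfrm interface a
packet is routed through, that plain traffic on a physical device (if_id 0) never
matches them, that IPv4 and IPv6 share one interface, and that a wildcard policy
behind a default route through the interface re-encapsulates its own output.
Addresses are constructed documentation-range values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    src: str          # selector (CIDR)
    dst: str
    if_id: int        # the new lookup key
    tunnel_dst: str   # template: outer tunnel endpoint (the peer)

@dataclass(frozen=True)
class SA:
    tunnel_src: str
    tunnel_dst: str
    spi: int
    if_id: int

# Routes are (prefix, dev) with dev "eth0" (physical) or an xfrm interface name;
# packets are (src, dst, esp_depth) with esp_depth counting applied encapsulations.

def lookup_route(routes, dst):
    """Longest-prefix match; prefixes of the other IP version never match."""
    d, best = ip_address(dst), None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if d.version == net.version and d in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return None if best is None else best[1]

def lookup_policy(policies, src, dst, if_id):
    """Selector match AND if_id match: the interface id is part of the key."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.if_id == if_id and s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None

def transmit(pkt, routes, policies, sas, xfrm_ifaces, max_hops=4):
    """Follow a packet until it leaves a physical device, is dropped, or the hop
    limit trips (the model's way of reporting a routing loop); return the trace."""
    src, dst, depth = pkt
    trace = []
    for _ in range(max_hops):
        dev = lookup_route(routes, dst)
        if dev is None:
            return trace + ["no route"]
        if_id = xfrm_ifaces.get(dev, 0)  # physical devices carry if_id 0
        policy = lookup_policy(policies, src, dst, if_id)
        if policy is None:
            if if_id == 0:  # ordinary traffic leaves untransformed
                return trace + [f"out {dev} esp_depth={depth}"]
            return trace + [f"drop on {dev}: no policy for if_id {if_id}"]
        sa = next((x for x in sas if x.if_id == if_id and x.tunnel_dst == policy.tunnel_dst), None)
        if sa is None:
            return trace + [f"drop on {dev}: no SA for if_id {if_id}"]
        trace.append(f"{dev}: if_id {if_id} spi {sa.spi:#x} encap -> {sa.tunnel_dst}")
        # the encapsulated packet carries the outer addresses and is routed again
        src, dst, depth = sa.tunnel_src, sa.tunnel_dst, depth + 1
    return trace + ["routing loop"]

def build_example():
    """Two xfrm interfaces whose policies differ only in if_id and peer (constructed)."""
    xfrm_ifaces = {"xfrm1": 1, "xfrm2": 2}
    sas = [SA("192.0.2.1", "198.51.100.1", 0x1001, if_id=1),
           SA("192.0.2.1", "198.51.100.2", 0x2002, if_id=2)]
    policies = [Policy("10.0.0.0/8", "10.0.0.0/8", if_id=1, tunnel_dst="198.51.100.1"),
                Policy("10.0.0.0/8", "10.0.0.0/8", if_id=2, tunnel_dst="198.51.100.2"),
                # IPv6 selector through the same interface (and IPv4 SA) as if_id 1
                Policy("2001:db8:1::/48", "2001:db8:2::/48", if_id=1, tunnel_dst="198.51.100.1")]
    routes = [("10.1.0.0/16", "xfrm1"), ("10.2.0.0/16", "xfrm2"), ("10.3.0.0/16", "eth0"),
              ("2001:db8:2::/48", "xfrm1"), ("0.0.0.0/0", "eth0")]
    return xfrm_ifaces, sas, policies, routes

def scenario_per_interface():
    ifs, sas, pols, routes = build_example()
    def send(src, dst):
        return transmit((src, dst, 0), routes, pols, sas, ifs)
    return (send("10.1.0.5", "10.2.0.7"),            # xfrm2 -> if_id 2 -> spi 0x2002
            send("10.2.0.5", "10.1.0.7"),            # xfrm1 -> if_id 1 -> spi 0x1001
            send("2001:db8:1::5", "2001:db8:2::7"),  # IPv6 inner, IPv4 outer, via xfrm1
            send("10.1.0.5", "10.3.0.7"))            # eth0: if_id 0, so no policy applies

def scenario_wildcard_policy(pin_peer_route):
    """Known problem from the slides: a 0.0.0.0/0 policy plus a default route
    through the interface loops; a host route for the peer via eth0 breaks it."""
    ifs, sas, _, _ = build_example()
    pols = [Policy("0.0.0.0/0", "0.0.0.0/0", if_id=1, tunnel_dst="198.51.100.1")]
    routes = [("0.0.0.0/0", "xfrm1")]
    if pin_peer_route:
        routes.append(("198.51.100.1/32", "eth0"))
    return transmit(("10.1.0.5", "10.2.0.7", 0), routes, pols, sas, ifs)
```

The `scenario_*` functions return the per-hop trace: traffic routed through xfrm2 is transformed with the if_id 2 SA even though the if_id 1 policy has an identical selector, the same packet routed through eth0 leaves untransformed because an if_id 0 lookup never matches those policies, the IPv6 flow rides the IPv4 SA of xfrm1, and `scenario_wildcard_policy(False)` ends in the loop while `scenario_wildcard_policy(True)` leaves through eth0 after a single encapsulation. In iproute2 releases after this talk the same key is the `if_id` argument of `ip link add … type xfrm`, `ip xfrm state` and `ip xfrm policy`.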

Does it match all use cases? What is missing? Bugs?