virtual xfrm interfaces
play

Virtual xfrm interfaces Steffen Klassert secunet Security Networks - PowerPoint PPT Presentation

Oct 29, 2022 •344 likes •628 views

Virtual xfrm interfaces Virtual xfrm interfaces Steffen Klassert secunet Security Networks AG Dresden Linux IPsec Workshop, Dresden, March 26, 2018 Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces

  1. Virtual xfrm interfaces Virtual xfrm interfaces Steffen Klassert secunet Security Networks AG Dresden Linux IPsec Workshop, Dresden, March 26, 2018

  2. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  3. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  4. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  5. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  6. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  7. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  8. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  9. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  10. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  11. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces Disadvantages of IPsec VTI interfaces ◮ VTI interfaces are L3 tunnels with configurable endpoints. ◮ The tunnel endpoints are already determined by the SA. ◮ Separate interfaces for IPv4 and IPv6 tunnels needed. ◮ Only one VTI with wildcard tunnel endpoints. ◮ Problematic if you need more than one (e.g. for namespaces). ◮ VTI is configured with GRE keys and routing marks. ◮ Neither GRE keys nor routing marks were designated to configure a VTI. ◮ VTI works just with tunnel mode SAs. ◮ Not an interface to route transport or beet mode.

  12. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

  13. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

  14. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

  15. Virtual xfrm interfaces Redesigning the IPsec VTI interfaces / creating xfrm interfaces New design for XFRM interfaces ◮ Should be a virtual interface that ensures IPsec transformation. ◮ No limitation on xfrm mode (tunnel, transport and beet). ◮ Should be possible to create multiple interfaces (e.g. to move to different namespaces). ◮ Interfaces should be configured with an interface ID that must match a (new) policy/SA lookup key. ◮ Should be possible to tunnel IPv4 and IPv6 through the same interface. ◮ Should be possible to use IPsec hardware offloads of the underlying interface. ◮ Anything else?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

4/1/2018 Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions 2A. OS Services, Layers and Mechanisms processes, threads, virtual machines 2B. Service Interfaces virtual address spaces, shared

134 views • 10 slides
Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization

Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization

Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization Computer system architecture Process virtual machines System virtual machines 1 EECS 768 Virtual Machines Abstraction Mechanism to

704 views • 31 slides
CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When, Why, How? What: Code Structure used to express operations that multiple class have in common No method implementations No fields

611 views • 12 slides
Input Devices: Trackers, Navigation and Gesture Interfaces Input Devices What is Virtual

Input Devices: Trackers, Navigation and Gesture Interfaces Input Devices What is Virtual

Input Devices: Trackers, Navigation and Gesture Interfaces Input Devices What is Virtual Reality? A high-end user interface that involves real-time simulation and interaction through multiple sensorial channels. (vision, sound, touch,

1.61k views • 83 slides
Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr.

Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr.

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr. Marc-Oliver Pahl, Stefan Liebald Supervisor: Prof.

535 views • 9 slides
Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

4/5/2017 Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions 2A. OS Services, Layers and Mechanisms processes, threads, virtual machines 2B. Service Interfcaes virtual address spaces, shared

100 views • 7 slides
WiFi and Multiple Interfaces: Adequate for Virtual Reality? Huanle Zhang*, Ahmed Elmokashfi # ,

WiFi and Multiple Interfaces: Adequate for Virtual Reality? Huanle Zhang*, Ahmed Elmokashfi # ,

WiFi and Multiple Interfaces: Adequate for Virtual Reality? Huanle Zhang*, Ahmed Elmokashfi # , and Prasant Mohapatra* # Simula Metropolitan Center for Digital Engineering * University of California, Davis USA Norway Presented by: Jansen

443 views • 16 slides
3D User Interfaces Advisor: Michael Jenkin By: Elliott Tsai 2009 Apr. 27 New Directions in 3D

3D User Interfaces Advisor: Michael Jenkin By: Elliott Tsai 2009 Apr. 27 New Directions in 3D

Topics in Virtual Reality 3D User Interfaces Advisor: Michael Jenkin By: Elliott Tsai 2009 Apr. 27 New Directions in 3D UIs Few fundamentally new techniques and metaphors for 3D interaction have been discovered in recent years In Virtual

431 views • 26 slides
T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces

T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces

T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces I prefer Agassiz in the abstract, rather than in the concrete. CS 307 Fundamentals of CS 307 Fundamentals of 1 2 Computer Science

325 views • 10 slides
3D U 3D User Interfaces I t f and Augmented Reality Augmented Reality Applications

3D U 3D User Interfaces I t f and Augmented Reality Augmented Reality Applications

3D U 3D User Interfaces I t f and Augmented Reality Augmented Reality Applications Mechanical CAD 3D Animation Virtual Environments Virtual Environments Scientific Visualization Mechanical CAD Component design

546 views • 36 slides
Interfaces Interfaces interface : A list of methods that a class promises to implement.

Interfaces Interfaces interface : A list of methods that a class promises to implement.

Interfaces Interfaces interface : A list of methods that a class promises to implement. Interfaces give you an is-a relationship without code sharing. Only method stubs in the interface Allows object with no common ancestor to act

268 views • 13 slides
Interfaces Interfaces n interface : A list of methods that a class promises to implement. q

Interfaces Interfaces n interface : A list of methods that a class promises to implement. q

10/21/12 Interfaces Interfaces n interface : A list of methods that a class promises to implement. q Interfaces give you an is-a relationship without code sharing. Only method stubs in the interface n Allows object with no common

420 views • 7 slides
CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including underlying UI architecture and algorithms, practice implementing UIs using frameworks, and theories and methods relevant to interface design.

378 views • 23 slides
CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focusses on creating user interfaces (UIs), including underlying UI architecture and algorithms, practice implementing UIs using frameworks, and theories and methods relevant to interface design.

603 views • 24 slides
CS 349: User Interfaces This course focuses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focuses on creating user interfaces (UIs), including

CS 349: User Interfaces This course focuses on creating user interfaces (UIs), including underlying UI architecture and algorithms, practice implementing UIs using frameworks, and theories and methods relevant to interface design.

600 views • 20 slides
SVG for Automotive User SVG for Automotive User Interfaces Interfaces S. Boisgrault, Mines

SVG for Automotive User SVG for Automotive User Interfaces Interfaces S. Boisgrault, Mines

SVG for Automotive User SVG for Automotive User Interfaces Interfaces S. Boisgrault, Mines ParisTech M. Othman Abdallah, Mines ParisTech J.-M. Temmos, Visteon Introduction HMI: human-machine interfaces Design of HMI displays for car

427 views • 24 slides
Advanced Configuration Management with Config Split et al. Fabian Bircher fabian@nuvole.org web:

Advanced Configuration Management with Config Split et al. Fabian Bircher fabian@nuvole.org web:

Advanced Configuration Management with Config Split et al. Fabian Bircher fabian@nuvole.org web: nuvole.org twitter: @nuvoleweb Our Distributed Team Nuvole: a 100% Drupal company with a distributed team in: Italy Belgium Czech Republic

725 views • 56 slides
Easy multi-panel plotting with grcomb Alex Gamma Swiss Stata User Group meeting Bern,

Easy multi-panel plotting with grcomb Alex Gamma Swiss Stata User Group meeting Bern,

Easy multi-panel plotting with grcomb Alex Gamma Swiss Stata User Group meeting Bern, Switzerland 17.11.2016 Content The problem Enter grcomb grcomb in action grcomb syntax Limits & improvements The problem

419 views • 13 slides
CISC 5500 Data Analytics Tools and Scripting SQL: retrieving and filtering Computer and

CISC 5500 Data Analytics Tools and Scripting SQL: retrieving and filtering Computer and

CISC 5500 Data Analytics Tools and Scripting SQL: retrieving and filtering Computer and Information Science Fordham University Table of contents 1. introduction 2. SQL sorting filtering 1 review find, grep, xargs, scp homework and

463 views • 17 slides
Combinatorial lines Nina Kam ev , joint work with David Conlon and Christoph with few

Combinatorial lines Nina Kam ev , joint work with David Conlon and Christoph with few

Combinatorial lines Nina Kam ev , joint work with David Conlon and Christoph with few intervals Spiegel The Hales-Jewett Theorem N OTATION E XAMPLE : a combinatorial line in 3 12 Ground set , usually 3 = 22 32

236 views • 11 slides
Goal Give an overview of generics for the Java programming language What are generics?

Goal Give an overview of generics for the Java programming language What are generics?

Generics Written in the Java Programming Language with Parameterized Types in Java Platform 5.0 Angelika Langer Trainer/Consultant www.AngelikaLanger.com TS-5627 2005 JavaOne SM Conference | Session TS-5627 1 Goal Give an overview

561 views • 28 slides
DIFANE MinlanYu PrincetonUniversity Joint work with Mike Freedman, Jennifer

DIFANE MinlanYu PrincetonUniversity Joint work with Mike Freedman, Jennifer

ScalableFlowBasedNetworkingwith DIFANE MinlanYu PrincetonUniversity Joint work with Mike Freedman, Jennifer Rexford and Jia Wang 1 WhatsDIFANE? Tradi?onalenterprise

616 views • 28 slides
More on Verilog Sign extension: Example 1 wire [3:0] c, d reg [4:0] sum; always @ (c or d)

More on Verilog Sign extension: Example 1 wire [3:0] c, d reg [4:0] sum; always @ (c or d)

More on Verilog Sign extension: Example 1 wire [3:0] c, d reg [4:0] sum; always @ (c or d) begin sum= {c[3],c} + {d[3],d}; end 2 Sign extension: Example 2 input [2:0] in; reg [3:0] d; wire [3:0] c; output [4:0] sum; reg [4:0] sum;

209 views • 9 slides
Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Di

Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Di

Object Detection Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Di ff erent approaches tackle detection di ff erently. They can roughly be categorized into three main types: Find interest points ,

1.2k views • 51 slides

More recommend