Encrypting OVN tunnels with IPsec
Qiuyu Xiao, qiuyu.xiao.qyx@gmail.com, The University of North Carolina at Chapel Hill

Motivations: Why do we need encryption?
• VMs compute and communicate sensitive data
  - Financial data
  - Health records
• Physical network devices (e.g., routers, switches) cannot be trusted or might be compromised
  - Traffic across datacenters
  - Router misconfiguration
  - Attackers breaking into the internal network
  - Phishing or social engineering attacks on administrators

Motivations: IPsec configuration is complicated
• Many configuration fields
• Various cryptographic algorithms and parameters
• Different configuration interfaces from different IKE daemons
• Verifying security configuration is hard

OVS/OVN IPsec
Offer an easy-to-use interface to configure IPsec encryption for tunnel traffic.
(Figure: a tunnel packet is laid out as Outer Ethernet Header, Outer IP Header, Tunnel Header, Inner Ethernet Header, Inner IP Header, Payload; with IPsec encryption an ESP Header is inserted after the Outer IP Header.)
IPsec encryption provides:
• Confidentiality
• Integrity
• Authenticity

IPsec in Linux
(Figure: the IKE daemon runs in user space and speaks the IKE protocol with its peer; the IPsec kernel stack in the kernel holds the security policy and security association and implements the ESP/AH protocols.)

IPsec in Linux: IKE daemon
• Authentication
• Negotiates cryptographic algorithms
• Generates keying material
• Installs the security policy (which traffic to protect) and the security association (how to protect the selected traffic)

IPsec in Linux: IPsec kernel stack
• Encryption and decryption
• Checks integrity and authenticity

OVS IPsec Tunnel
(Figure: in user space, ovsdb feeds the OVS IPsec daemon, which configures the IKE daemon; in the kernel, the ovs datapath hands tunnel packets to the IPsec kernel stack.)

OVS IPsec Tunnel: configuring the IPsec tunnel via ovsdb
• Using a pre-shared key. For example:
  $ ovs-vsctl set interface tun type=geneve options:remote_ip=10.33.79.149 options:psk=swordfish

• Using a self-signed certificate. For example:
  $ ovs-vsctl set Open_vSwitch . other_config:certificate=/etc/ipsec.d/certs/vm1-cert.pem other_config:private_key=/etc/ipsec.d/certs/vm1-privkey.pem
  $ ovs-vsctl set interface tun type=geneve options:remote_ip=10.33.79.149 options:remote_cert=/etc/ipsec.d/certs/vm2-cert.pem

• Using a CA-signed certificate. For example:
  $ ovs-vsctl set Open_vSwitch . other_config:certificate=/etc/ipsec.d/certs/vm1-cert.pem other_config:private_key=/etc/ipsec.d/certs/vm1-privkey.pem other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem
  $ ovs-vsctl set interface tun type=geneve options:remote_ip=10.33.79.149 options:remote_name=vm2

OVS IPsec Tunnel: establishing the IPsec tunnel
• OVS IPsec daemon configures the IKE daemon
• IKE daemon sets up the security policy and security association
(Figure: the resulting security policy and security association for a geneve tunnel.)

OVS IPsec Tunnel: IPsec kernel stack
• Encryption and decryption
• Checks integrity and authenticity
(Figure: the ovs datapath passes unencrypted packets to the IPsec kernel stack, which emits encrypted packets.)
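As an added example (not code from the talk or from the OVS project), a small checker in Python that applies the slide's two-part model to the kernel's view: it parses `ip xfrm policy` and `ip xfrm state` output and confirms that, for a geneve tunnel peer, a security policy selects the tunnel traffic in each direction (which traffic) and an ESP security association exists for it (how it is protected). The sample output, addresses and key placeholders are constructed, and transport-mode ESP with UDP-port selectors is assumed.

```python
import re

# Constructed sample output in the format of `ip xfrm policy` and `ip xfrm
# state` after an OVS geneve tunnel (UDP 6081) between 10.33.79.148 and
# 10.33.79.149 is protected by transport-mode ESP; keys are placeholders.
POLICY_TEXT = """\
src 10.33.79.148/32 dst 10.33.79.149/32 proto udp dport 6081
\tdir out priority 1234 ptype main
\ttmpl src 10.33.79.148 dst 10.33.79.149
\t\tproto esp reqid 1 mode transport
src 10.33.79.149/32 dst 10.33.79.148/32 proto udp dport 6081
\tdir in priority 1234 ptype main
\ttmpl src 10.33.79.149 dst 10.33.79.148
\t\tproto esp reqid 1 mode transport
"""
STATE_TEXT = """\
src 10.33.79.148 dst 10.33.79.149
\tproto esp spi 0xc8a1f3e2 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0xPLACEHOLDER 128
src 10.33.79.149 dst 10.33.79.148
\tproto esp spi 0x2f0e9b44 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0xPLACEHOLDER 128
"""

def parse_blocks(text):
    """One dict per 'src ... dst ...' record; indented lines join its body."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)(.*)", line)
            blocks.append({"src": m.group(1).split("/")[0], "body": "",
                           "dst": m.group(2).split("/")[0], "head": m.group(3)})
        elif blocks:
            blocks[-1]["body"] += " " + line.strip()
    return blocks

def check_tunnel(policy_text, state_text, local_ip, remote_ip, port=6081):
    """Per direction, a policy selecting the tunnel traffic and an ESP SA must exist."""
    pols, sas = parse_blocks(policy_text), parse_blocks(state_text)
    f = {}
    for d, src, dst in (("out", local_ip, remote_ip), ("in", remote_ip, local_ip)):
        f["policy_" + d] = any(
            p["src"] == src and p["dst"] == dst and f"dport {port}" in p["head"]
            and f"dir {d}" in p["body"] and "proto esp" in p["body"] for p in pols)
        f["sa_" + d] = any(
            s["src"] == src and s["dst"] == dst and "proto esp" in s["body"] for s in sas)
    # aes-gcm (AEAD) shows as an 'aead' line; aes256-sha256 shows 'enc' plus 'auth-trunc'
    f["aead"] = bool(sas) and all("aead " in s["body"] for s in sas)
    f["protected"] = all(f[k] for k in ("policy_out", "policy_in", "sa_out", "sa_in"))
    return f
```

Feed it the live output of `ip xfrm policy` and `ip xfrm state` on a hypervisor; a missing outbound policy is the case to watch for, since without it the kernel never steers the tunnel packets into ESP even though an SA exists.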

OVN IPsec
(Figure: the northbound db is translated by ovn-northd into the southbound db; on each of Hypervisor 1 … Hypervisor n, ovn-controller programs ovsdb and vswitchd.)

OVN IPsec
• In each hypervisor, configure ovsdb to use a CA-signed certificate for authentication
• Enable IPsec by configuring the northbound database. For example:
  $ ovn-nbctl set nb_global . ipsec=true

IPsec Evaluation
• Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
• iperf generates a TCP stream (window size: 85 KB), which is encrypted on a single core
(Figure: bar chart of throughput in Mbps, 0 to 10000, and CPU usage of iperf-client and iperf-server, 0% to 100%, for aes256-sha256, aes-gcm, and no encryption.)

Current Status
• Compatible with StrongSwan and LibreSwan IKE daemons
• Packages for Ubuntu and Fedora
• Tutorials on using OVS/OVN IPsec
• Need to use the OVS out-of-tree kernel module

Possible Extensions
More flexible tunnel encryption policies:
• Only encrypting tunnel traffic between certain hypervisors
• Only encrypting tunnel traffic from a certain logical network

Q&A