VIRTUAL TRUSTED DOMAIN
Garrett Drown
Tianyi Xing
Group #4
CSE548 – Advanced Computer Network Security
Virtual Trusted Domains
What are Virtual Trusted Domains?
A virtual trusted domain (VTD) is a collection of machines, regardless of physical boundaries, that trust one another.
Project Goal
Create and manage virtual trusted domains for virtual machines through the use of a NetFPGA.
Provide the virtual machines with reliable, secure, and fast connections to others in their virtual trusted domain.
What is NetFPGA?
A low-cost platform, primarily designed as a tool for teaching networking hardware and router design.
Technical Details
Roadmap of project:
By midterm:
○ Research how to program NetFPGAs.
○ Research and design an implementation for Virtual Trusted Domains on a NetFPGA.
○ Research Path Splicing, which implements similar features that we would like to use in our project.
○ Set up the environment and begin coding our program, which creates and manages Virtual Trusted Domains on a NetFPGA.
○ Find and (if time permits) set up an existing similar solution (if there is one) for VTDs as a basis for our work.
By final:
○ Modify the existing solution which can, or potentially can, implement the VTD.
○ Deploy the program and set up a test-bed on a NetFPGA.
○ Testing and debugging completed.
○ Final documents completed.
Design of VTD for NetFPGA
Our idea: have the controller maintain and utilize a database which contains the list of approved computers, their domain, and their security level.
The packet header will be modified to include the user’s trust level and the VTD he wishes to communicate with.
Virtual Trusted Model
Two fields:
Domain
○ This domain field is used for indicating the domain that a group of VMs belong to.
○ Machines in the same domain are able to talk with each other.
Trust Level
○ Trust level indicates the trust relationship among different machines in the same domain.
System Setup
Hardware
○ Pre-built NetFPGA server
○ Dell Rack Server (XenServer)
Software
○ CentOS 5
○ NetFPGA base package
○ OpenFlow Switch
○ NOX Controller
Network Structure
[Figure: Cloudserver1 and Cloudserver2 host VM1 to VM4, each labelled with its (domain, trust level) pair: (6,3), (6,3), (6,2), (0,3). The VMs connect through the NetFPGA-based OpenFlow switch, which is controlled by the NOX controller backed by the database.]
How to Implement the VTD Field?
Domain / Trust Level
Details of the VTD Field
Domain Field: 10 bits, so it can support up to 1024 domains in the system.
Trust Level (TL): 2 bits, so it has 4 trust levels (from 0 to 3). We defined 3 as the highest trust level.

VTD field layout:
Domain Field (10 bits) | Trust Level (2 bits)
Working Flow (cont.)
○ VM1(6,3) initiates the traffic to VM2(6,2).
○ The OpenFlow switch receives the packet from VM1. There is no entry in the flow table, so the packet is sent to the NOX controller.
○ The NOX controller checks the domain and TL found in the packet and compares them with the destination's entry in the database. If they are not in the same domain, the packet is dropped.
○ If src and dst are in the same domain, the controller checks the trust level: if TL(src) ≥ TL(dst), the traffic is forwarded; otherwise, the traffic is disallowed.
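The field encoding and the controller's decision rule above, as an added example that is not part of the original slides or the project's own code. It packs the 10-bit domain and 2-bit trust level into one 12-bit value (where that value sits in the packet header is not stated on the slides, so the placement is an assumption) and applies the same-domain and TL(src) ≥ TL(dst) checks against a constructed controller database built from the slides' example VMs.

```python
# Added example (not the project's code): VTD field packing and the NOX
# controller's forwarding decision as described in the slides.

DOMAIN_BITS = 10
TL_BITS = 2
MAX_DOMAIN = (1 << DOMAIN_BITS) - 1   # 1023, i.e. 1024 domains
MAX_TL = (1 << TL_BITS) - 1           # 3 is the highest trust level


def pack_vtd(domain: int, tl: int) -> int:
    """Pack (domain, trust level) into a 12-bit VTD field value (assumed layout)."""
    if not 0 <= domain <= MAX_DOMAIN:
        raise ValueError(f"domain {domain} outside 0..{MAX_DOMAIN}")
    if not 0 <= tl <= MAX_TL:
        raise ValueError(f"trust level {tl} outside 0..{MAX_TL}")
    return (domain << TL_BITS) | tl


def unpack_vtd(field: int) -> tuple[int, int]:
    """Split a 12-bit VTD field back into (domain, trust level)."""
    if not 0 <= field < (1 << (DOMAIN_BITS + TL_BITS)):
        raise ValueError("VTD field must fit in 12 bits")
    return field >> TL_BITS, field & MAX_TL


# Constructed controller database: VM name -> (domain, trust level).
# VM1 and VM2 use the values from the working-flow slide; VM3 and VM4 are
# filled in from the network diagram as an assumption.
VTD_DB = {"VM1": (6, 3), "VM2": (6, 2), "VM3": (6, 3), "VM4": (0, 3)}


def controller_decision(src_field: int, dst: str, db: dict = VTD_DB) -> str:
    """Decision for a packet that missed the flow table and reached the controller.

    The (domain, TL) carried in the packet is compared with the destination's
    database entry. Returns "forward" or "drop"."""
    if dst not in db:
        return "drop"                   # destination is not an approved machine
    src_domain, src_tl = unpack_vtd(src_field)
    dst_domain, dst_tl = db[dst]
    if src_domain != dst_domain:
        return "drop"                   # different VTDs never communicate
    return "forward" if src_tl >= dst_tl else "drop"


if __name__ == "__main__":
    pkt = pack_vtd(*VTD_DB["VM1"])      # VM1(6,3) initiates traffic
    print("VM1 -> VM2:", controller_decision(pkt, "VM2"))               # forward (3 >= 2)
    print("VM2 -> VM1:", controller_decision(pack_vtd(6, 2), "VM1"))    # drop (2 < 3)
    print("VM4 -> VM1:", controller_decision(pack_vtd(0, 3), "VM1"))    # drop (domain 0 != 6)
```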
Working Flow
Conclusion
○ We designed a virtual trusted domain concept for cloud systems.
○ We deployed an innovative platform (OpenFlow over NetFPGA).
○ We successfully implemented our VTD concept in a real cloud system.
Questions?