Encrypting OVN tunnels with IPsec - OVS Orbit
Open Virtual Network (OVN)
OVN provides a logical network abstraction on top of a physical network.
(Figure: physical view, Hypervisor 1 and Hypervisor 2 hosting VM1 to VM9; logical view, the same VMs attached to logical switches (L-Switch) joined by a logical router (L-Router))
Open Virtual Network (OVN)
VMs are oblivious to the state of the physical network.
(Figure: the same physical and logical views as on the previous slide)
Open Virtual Network (OVN)
Network appliances can be implemented and placed in the logical network.
(Figure: the logical view now also contains an L-Firewall and an L-LoadBalancer next to the L-Switches and the L-Router)
OVN Tunnel Traffic
(Figure, built up over several slides: a frame travelling from a VM on Hypervisor 1 to a VM on Hypervisor 2)
• Leaving the source VM: Inner Ethernet Header | Inner IP Header | Payload
• On the physical network, encapsulated by the hypervisor: Outer Ethernet Header | Outer IP Header | Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload
• Delivered to the destination VM after decapsulation: Inner Ethernet Header | Inner IP Header | Payload
The Need for Tunnel Encryption
• VMs compute and communicate sensitive data, e.g., financial and health data
• Physical network devices (e.g., routers, switches) cannot be trusted or might be compromised:
  - Traffic across datacenters
  - Router misconfiguration
  - Attackers breaking into the internal network
  - Phishing or social engineering attacks on administrators
Encrypting Tunnel Traffic with IPsec
Before IPsec: Outer Ethernet Header | Outer IP Header | Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload
After IPsec encryption: Outer Ethernet Header | Outer IP Header | ESP Header | (protected by ESP: Outer UDP Header | Geneve Header | Inner Ethernet Header | Inner IP Header | Payload)
IPsec provides:
• Confidentiality
• Integrity
• Authenticity
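Added example, not from the slides: a Python model of the two encapsulation steps shown above (Geneve inside UDP, then ESP in transport mode around everything after the outer IP header) that accounts for the ESP header, IV, padding, trailer and ICV the slide omits, for the two suites the evaluation later compares. The port number, protocol numbers and per-suite sizes come from the Geneve and ESP RFCs; the inner frame and VNI are constructed sample values.

```python
import struct

GENEVE_UDP_PORT = 6081   # IANA-assigned Geneve port used by OVS/OVN tunnels
IP_PROTO_UDP = 17
ESP_HDR = 8              # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2          # pad length (1) + next header (1), RFC 4303

# Per-suite ESP parameters: explicit IV length, alignment the padded payload must
# meet, and ICV length (RFC 4303 for CBC, RFC 4106 for GCM, RFC 4868 for the MAC).
SUITES = {
    "aes256-sha256": {"iv": 16, "align": 16, "icv": 16},   # AES-256-CBC + HMAC-SHA-256-128
    "aes-gcm":       {"iv": 8,  "align": 4,  "icv": 16},   # AES-GCM with 16-byte ICV
}

def geneve_encap(inner_frame: bytes, vni: int) -> bytes:
    """Outer UDP header + 8-byte Geneve header (no options) in front of the inner frame.
    This is what the hypervisor puts behind the outer IP header before IPsec runs."""
    # Geneve base header: ver/optlen, flags, protocol type 0x6558 (Ethernet), VNI << 8
    geneve = struct.pack("!BBH", 0, 0, 0x6558) + struct.pack("!I", vni << 8)
    length = 8 + len(geneve) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, GENEVE_UDP_PORT, length, 0)   # checksum 0: constructed
    return udp + geneve + inner_frame

def esp_sizes(plain_len: int, suite: str) -> dict:
    """Byte accounting for ESP transport mode around plain_len bytes of UDP+Geneve+frame:
    ESP header | IV | encrypted(plaintext, padding, trailer) | ICV."""
    p = SUITES[suite]
    # RFC 4303: plaintext + padding + 2-byte trailer must be a multiple of 4 and of the
    # cipher block size; the smallest non-negative padding that achieves this is used.
    pad = (-(plain_len + ESP_TRAILER)) % p["align"]
    encrypted = plain_len + pad + ESP_TRAILER
    total = ESP_HDR + p["iv"] + encrypted + p["icv"]
    return {"pad": pad, "encrypted": encrypted, "total": total,
            "overhead": total - plain_len}

def max_inner_frame(path_mtu: int, suite: str, outer_ip_hdr: int = 20) -> int:
    """Largest inner Ethernet frame whose Geneve+ESP encapsulation fits in path_mtu.
    Packet size grows monotonically with frame size, so the last fit is the answer."""
    best = 0
    for n in range(path_mtu):
        if outer_ip_hdr + esp_sizes(8 + 8 + n, suite)["total"] <= path_mtu:
            best = n
    return best

# Constructed sample: a minimum-size inner frame (14-byte Ethernet + 20-byte IP + 26 bytes)
INNER = bytes(14) + bytes(20) + b"x" * 26

if __name__ == "__main__":
    plain = geneve_encap(INNER, vni=42)
    for suite in SUITES:
        print(suite, esp_sizes(len(plain), suite), "max inner frame @1500:",
              max_inner_frame(1500, suite))
```

The overhead figures are what an operator needs when sizing the MTU of the physical network so that encrypted tunnel packets are not fragmented.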
IPsec in Linux
(Figure: the IKE daemon runs in user space; the IPsec kernel stack, with its security policy and security association databases, runs in the kernel. The IKE daemon speaks the IKE protocol with its peer; the kernel stack speaks ESP/AH.)
IKE daemon
• Authentication
• Negotiates cryptographic algorithms
• Generates keying material
• Installs security policy and security association
  - security policy: which traffic to protect
  - security association: how to protect the selected traffic
IPsec kernel stack
• Encryption and decryption
• Checks integrity and authenticity
OVS IPsec Tunnel
(Figure: ovsdb, ovs-monitor-ipsec and the IKE daemon run in user space; the IPsec kernel stack and the ovs datapath run in the kernel)
Configuring IPsec tunnel via ovsdb
• Using pre-shared key
• Using self-signed certificate
• Using CA-signed certificate
For example: (commands shown on the slides; not captured in this transcript)
Establishing IPsec tunnel
• ovs-monitor-ipsec configures the IKE daemon
• The IKE daemon sets up the security policy and security association
For example (geneve tunnel): (shown on the slide; not captured in this transcript)
IPsec kernel stack
• Encryption and decryption
• Checks integrity and authenticity
(Figure: an unencrypted packet from the ovs datapath leaves the host as an encrypted packet after passing through the IPsec kernel stack)
OVN IPsec
(Figure: northbound db, ovn-northd and southbound db in the control plane; ovn-controller, ovsdb and vswitchd on each of Hypervisor 1 ... Hypervisor n)
• In each hypervisor, configure ovsdb to use a CA-signed certificate for authentication
• Enable IPsec by configuring the northbound database
For example: (commands shown on the slide; not captured in this transcript)
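Added example, not from the slides or the OVS project: a small Python checker for the per-hypervisor ovsdb settings that the OVS IPsec Tunnel configuration slides and the OVN IPsec slide above rely on (pre-shared key, self-signed certificate, or CA-signed certificate). The key names are the documented Open_vSwitch other_config and Interface options columns; the checks and the sample records are this example's own policy and constructed data, not ovs-monitor-ipsec logic.

```python
# Keys are the ovsdb columns ovs-monitor-ipsec reads (Open_vSwitch other_config and
# Interface options); the checks below are this example's own policy, not OVS logic.
TUNNEL_TYPES = ("geneve", "gre", "vxlan", "stt")   # assumed IPsec-capable tunnel types

def auth_mode(other_config: dict, options: dict) -> str:
    """Classify which of the three authentication methods the tunnel would use."""
    has_cert = "certificate" in other_config and "private_key" in other_config
    if "psk" in options:
        return "psk"
    if has_cert and "ca_cert" in other_config:
        return "ca-signed"
    if has_cert and "remote_cert" in options:
        return "self-signed"
    return "none"

def audit(other_config: dict, iface: dict) -> list:
    """Return findings for one tunnel Interface record; an empty list means acceptable."""
    opts = iface.get("options", {})
    findings = []
    if iface.get("type") not in TUNNEL_TYPES:
        findings.append(f"type {iface.get('type')!r} is not an IPsec tunnel type")
    if "remote_ip" not in opts:
        findings.append("remote_ip missing: no peer for the security policy")
    mode = auth_mode(other_config, opts)
    if mode == "none":
        findings.append("no IPsec authentication configured: tunnel traffic stays plaintext")
    elif mode == "psk":
        if len(opts["psk"]) < 16:
            findings.append("psk shorter than 16 characters")
        if "certificate" in other_config or "remote_cert" in opts:
            findings.append("psk and certificate both set: ambiguous authentication")
    elif mode == "ca-signed" and "remote_name" not in opts:
        findings.append("remote_name missing: peer certificate not pinned to a name")
    return findings

# Constructed sample records for one hypervisor (paths, names and addresses are placeholders).
HOST_CA = {"certificate": "/etc/keys/hv1-cert.pem",
           "private_key": "/etc/keys/hv1-privkey.pem",
           "ca_cert": "/etc/keys/cacert.pem"}
HOST_SELF = {k: v for k, v in HOST_CA.items() if k != "ca_cert"}
TUN_CA = {"type": "geneve", "options": {"remote_ip": "192.0.2.2", "remote_name": "hv2"}}
TUN_SELF = {"type": "geneve", "options": {"remote_ip": "192.0.2.2",
                                           "remote_cert": "/etc/keys/hv2-cert.pem"}}
TUN_PSK = {"type": "geneve", "options": {"remote_ip": "192.0.2.2", "psk": "swordfish"}}
TUN_PLAIN = {"type": "geneve", "options": {"remote_ip": "192.0.2.2"}}

if __name__ == "__main__":
    for name, host, tun in [("ca", HOST_CA, TUN_CA), ("self", HOST_SELF, TUN_SELF),
                            ("psk", {}, TUN_PSK), ("plain", {}, TUN_PLAIN)]:
        print(name, auth_mode(host, tun["options"]), audit(host, tun))
```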
IPsec Evaluation
• Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC
• iperf generates a TCP stream (window size: 85KB), which is encrypted on a single core
(Figure: two bar charts comparing aes256-sha256, aes-gcm and no encryption, each with iperf-client and iperf-server series: Throughput (Mbps), axis 0 to 10000, and CPU Usage, axis 0% to 100%; the measured values are not captured in this transcript)
Current Status
• Compatible with the StrongSwan and LibreSwan IKE daemons
• Packages for Ubuntu and Fedora
• Tutorials on using OVN IPsec
• Need to use the OVS upstream kernel module
Future Directions
More flexible tunnel encryption policies:
• Only encrypting tunnel traffic between certain hypervisors
• Only encrypting tunnel traffic from certain logical networks
Q&A