Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encrypting OVN tunnels with IPsec

Published byIvar Bundgaard Modified over 5 years ago

Similar presentations

Presentation on theme: "Encrypting OVN tunnels with IPsec"— Presentation transcript:

1 Encrypting OVN tunnels with IPsec
Qiuyu Xiao The University of North Carolina at Chapel Hill Introduce myself in the talk

2 Motivations Why do we need encryption?
VMs compute and communicate sensitive data Financial data Health records Physical network devices (e.g., router, switch) cannot be trusted or might be compromised Traffic across datacenters Router misconfiguration Attackers breaking into internal network Phishing or social engineering attacks on administrators Give an overview here

3 Motivations IPsec configuration is complicated
Many configuration fields Various cryptographic algorithms and parameters Different configuration interfaces from different IKE daemons Verifying security configuration is hard Give an overview here

4 OVS/OVN IPsec Offer an easy-to-use interface to configure IPsec encryption for tunnel traffic Outer Ethernet Header Outer IP Header Tunnel Header Inner Ethernet Header Inner IP Header Payload IPsec Encryption Outer Ethernet Header Outer IP Header ESP Header Give an overview here Confidentiality Integrity Authenticity

5 IPsec in Linux IKE daemon IPsec kernel stack IKE protocol User space
security policy security association ESP/AH protocol IPsec kernel stack Give an overview here

6 IPsec in Linux IKE daemon Authentication IKE daemon
Negotiates cryptographic algorithms Generates keying material IKE protocol IKE daemon User space Kernel security policy security association ESP/AH protocol IPsec kernel stack

7 IPsec in Linux IKE daemon Authentication IKE daemon
Negotiates cryptographic algorithms Generates keying material Installs security policy and security association IKE protocol IKE daemon User space Kernel security policy security association ESP/AH protocol IPsec kernel stack

8 IPsec in Linux IKE daemon Authentication IKE daemon
Negotiates cryptographic algorithms Generates keying material Installs security policy and security association IKE protocol IKE daemon User space Kernel security policy security association ESP/AH protocol Which traffic to protect IPsec kernel stack

9 IPsec in Linux IKE daemon Authentication IKE daemon
Negotiates cryptographic algorithms Generates keying material Installs security policy and security association IKE protocol IKE daemon User space Kernel security policy security association ESP/AH protocol IPsec kernel stack How to protect the selected traffic

10 IPsec in Linux IPsec kernel stack Encryption and decryption IKE daemon
Checks integrity and authenticity IKE protocol IKE daemon User space Kernel security policy security association ESP/AH protocol IPsec kernel stack

11 OVS IPsec Tunnel OVS IPsec daemon IKE daemon ovsdb ovs datapath
User space Kernel ovs datapath IPsec kernel stack

12 OVS IPsec Tunnel For example: Configuring IPsec tunnel via ovsdb
Using pre-shared key ovsdb OVS IPsec daemon IKE daemon User space Kernel For example: $ ovs-vsctl set interface tun type=geneve \ options:remote_ip= \ options:psk=swordfish ovs datapath IPsec kernel stack

13 OVS IPsec Tunnel For example: Configuring IPsec tunnel via ovsdb
Using self-signed certificate ovsdb OVS IPsec daemon IKE daemon User space Kernel For example: $ ovs-vsctl set Open_vSwitch . \ other_config:certificate=/etc/ipsec.d/certs/vm1-cert.pem other_config:private_key=/etc/ipsec.d/certs/vm1-privkey.pem $ ovs-vsctl set interface tun type=geneve \ options:remote_ip= \ options:remote_cert=/etc/ipsec.d/certs/vm2-cert.pem ovs datapath IPsec kernel stack

14 OVS IPsec Tunnel For example: Configuring IPsec tunnel via ovsdb
Using CA-signed certificate ovsdb OVS IPsec daemon IKE daemon User space Kernel For example: $ ovs-vsctl set Open_vSwitch . \ other_config:certificate=/etc/ipsec.d/certs/vm1-cert.pem other_config:private_key=/etc/ipsec.d/certs/vm1-privkey.pem other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem $ ovs-vsctl set interface tun type=geneve \ options:remote_ip= \ options:remote_name=vm2 ovs datapath IPsec kernel stack

15 OVS IPsec Tunnel Establishing IPsec tunnel OVS IPsec daemon IKE daemon
OVS IPsec daemon configures IKE daemon ovsdb OVS IPsec daemon IKE daemon User space Kernel ovs datapath IPsec kernel stack

16 OVS IPsec Tunnel For example (geneve tunnel):
Establishing IPsec tunnel OVS IPsec daemon configures IKE daemon IKE daemon sets up security policy and security association ovsdb OVS IPsec daemon IKE daemon User space Kernel security policy security association For example (geneve tunnel): ovs datapath IPsec kernel stack

17 OVS IPsec Tunnel IPsec kernel stack OVS IPsec daemon IKE daemon
Encryption and decryption Checks integrity and authenticity ovsdb OVS IPsec daemon IKE daemon User space Kernel unencrypted packet ovs datapath IPsec kernel stack encrypted packet

18 OVN IPsec northbound db ovn-northd southbound db ovn-controller
ovsdb vswitchd ovsdb vswitchd Hypervisor 1 Hypervisor n

19 OVN IPsec northbound db In each hypervisor, configure ovsdb to use CA-signed certificate for authentication Enable IPsec by configuring northbound database ovn-northd southbound db For example: $ ovn-nbctl set nb_global . ipsec=true ovn-controller ovn-controller ovsdb vswitchd ovsdb vswitchd Hypervisor 1 Hypervisor n

20 IPsec Evaluation Environment: StrongSwan 5.3.5, Linux 4.4.0, Intel Xeon 2 GHz, 10 Gbps NIC iperf generates TCP stream (window size: 85KB), which is encrypted in a single core Use a Ipsec

21 Current Status Compatible with StrongSwan and LibreSwan IKE daemon
Packages for Ubuntu and Fedora Tutorials on using OVS/OVN IPsec Need to use OVS out-of-tree kernel module Status of the current project. Both works on LibreSwan and StrongSwan. Fedora and ubuntu packages.

22 Possible Extensions More flexible tunnel encryption policies:
Only encrypting tunnel traffic between certain hypervisors Only encrypting tunnel traffic from certain logical network

23 Q&A

Download ppt "Encrypting OVN tunnels with IPsec"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.

VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
Karlstad University IP security Ge Zhang

Karlstad University IP security Ge Zhang
Module 4 Quiz. 1. Which of the following statements about Network Address Translation (NAT) are true? Each correct answer represents a complete solution.

Module 4 Quiz. 1. Which of the following statements about Network Address Translation (NAT) are true? Each correct answer represents a complete solution.
IPsec. 18.1 Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.

Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.

Similar presentations

Ads by Google