DOI: 10.1145/3229616.3229618
Research article (free access)

Virtual Network Isolation: Are We There Yet?

Published: 07 August 2018

Abstract

While multi-tenant cloud computing provides great benefits in terms of resource sharing, it introduces a new security landscape and requires strong network isolation guarantees between the tenants. Such network isolation is typically implemented using network virtualization: virtual switches residing in the virtualization layer enforce isolation, e.g., via tunnel protocols and per-tenant flow rules. The design of such switches is a very active topic: since 2009 alone, at least 22 different designs have been introduced. Our systematic analysis of 22 virtual switches uncovers 4 security weaknesses: co-location, single point of failure, privileged packet processing and manual packet parsing. An attacker can easily undermine network isolation by exploiting these weaknesses. Hence, we introduce 3 secure design principles to build a resilient virtual switch, thereby offering strong virtual network isolation.


Cited By

  • (2024) Byways: High-Performance, Isolated Network Functions for Multi-Tenant Cloud Servers. Proceedings of the 2024 ACM Symposium on Cloud Computing, 811-829. DOI 10.1145/3698038.3698547. Online publication date: 20-Nov-2024.
  • (2019) MTS. Proceedings of the 2019 USENIX Conference on Usenix Annual Technical Conference, 521-536. DOI 10.5555/3358807.3358851. Online publication date: 10-Jul-2019.

Published In

SecSoN '18: Proceedings of the 2018 Workshop on Security in Softwarized Networks: Prospects and Challenges
August 2018
59 pages
ISBN:9781450359122
DOI:10.1145/3229616

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Cloud Security
  2. Co-location
  3. Data Plane Security
  4. Disaggregation
  5. NFV
  6. Network Isolation
  7. Network Virtualization
  8. Open vSwitch
  9. Packet Parsing
  10. SDN
  11. SR-IOV
  12. Smart NIC
  13. Virtual Switches

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SIGCOMM '18: ACM SIGCOMM 2018 Conference, August 24, 2018, Budapest, Hungary
