Automating Network Security Profiles. Vivek Kashyap Senior Technical Staff Member Linux Technology Center IBM

Automating Network Security Profiles Vivek Kashyap Senior Technical Staff Member Linux Technology Center IBM

Cloud Interface Cloud Controller Image repository Domain 1 Control Domain N Control Host 1 Host 2 Host 3 Domain 1 Image Application Operating System Virtualization Image Application Operating System Image Application Operating System Virtual Server Virtual Server Virtual Server Compute Storage Memory Network Host 1 Host 2 Host 3 Domain n Multiple images deployed on physical nodes in the DataCenter/Cloud Network isolation a must for a viable multi-tenant solution Collaborative applications may be on same virtual network vivk@us.ibm.com Linux Collaboration Summit, 2011 2

Network View Switch Virtual Switch Port Profile Server Virtual Switch Switch Switch Domain Edge Port Definition External External Network Network DataCenter consists of large number of physical and virtual switches Applications with different network profiles Host vswitch provides guest-guest switching, filtering, bandwidth control Error-prone managing large deployments Virtual switch is not integrated with network fabric management > inconsistencies and manual verification For load-balancing, resiliency the K guests are mobile Network policies must continue to be applied to the K guest workload > Manually ensure target are correctly configured to support network profiles > Physical port security/profiles need to be re-programmed with mobility vivk@us.ibm.com Linux Collaboration Summit, 2011

Linux Virtual Networking Linux/K * VEB VEB * F PCIe Adapter Enet Port PF VF * VF : VEB Enet Port VF PCIe IOV *Packet switching and filtering function * Adjacent Switch vivk@us.ibm.com Linux Collaboration Summit, 2011 4

Automating Physical/Virtual Switching * F PCIe Adapter Enet Port Linux/K VEB * VEPA F PCIe Adapter Enet Port Adjacent Switch Port in Reflective Relay Mode Edge Virtual Bridging: IEEE 802.1Qbg Offload switching function to external bridge 's virtual interface directly tied to physical switch port policies Simplified VEPA (Virtual Ethernet Port Aggregator) bridging in hypervisor to send all packets to adjacent bridge. > Provides packet replication of inbound frames. Physical switch port put in 'reflective relay' mode > Sends packets back over same port Con: Introduces limited latency VEPA: Virtual Ethernet Port Aggregator VEB: Virtual Ethernet Bridge (or, Linux bridge) vivk@us.ibm.com Linux Collaboration Summit, 2011 5

How Does it Work? The network profile Used by one or more s Unique id Stored in database Switch advertises 802.1Qbg support Linux/K host receives advertisement Configures switch port in VEPA (hairpin_mode) Offloads switching function Linux/K sends to switch unique id of network profile MAC/VLAN information Switch retrieves profile vswitch (a.k.a. VEB) Domain Edge Port Definition Switch VEPA Switch Port Profile Database External Network External Network Switch VEB Enforces bandwidth, Access controls vivk@us.ibm.com Linux Collaboration Summit, 2011 6

Creating a K Guest System Admin Create new s network state (i.e. MAC Address, VLAN ID, VSI state*) Network Admin 3 System Manager Query available VSI types Obtain a VSI instance 2 Network (VSI Type) Manager Request creation of. Send VSI state*, MAC address, VLAN id. 4 Load VSI Type 6 Server Linux host Libvirt CIM Libvirt VSI Discovery and Configuration Protocol (VDP) associate LLDPAD EDP/VDP User Space Daemon Apps K with VEPA 5 On success from step 5, libvirt instantiates and starts the 7 8 Apps Switch (a.k.a. Bridge) begins communication, through K VEPA 0 Create set of VSI Types VSI Type Database L2 net(s) *VSI state consists of the following: VSI Manager ID, VSI Instance ID, VSI Type ID, VSI Type Version. vivk@us.ibm.com Linux Collaboration Summit, 2011 7

Simple extension to libvirt The VSI state is specified using the following domain XML extension <interface type='direct'/> <source dev='device name' mode='vepa' /> <model type='virtio'/> <virtualport type='802.1qbg'> <parameters managerid='12' typeid='0x123456' typeidversion='1' instanceid='insert-uuid-here' /> </virtualport> </interface> Libvirt parses 'virtualport type' Sends netlink message with 'ASSOCIATE' request to LLDPAD LLDPAD sends ASSOCIATE VDP message Returns success or failure On success K guest is created vivk@us.ibm.com Linux Collaboration Summit, 2011 8

Migration Steps Source Server Apps 5 Move to VDP Pre-Associate state Switch (a.k.a. Bridge) Apps VEB or VEPA 8 Push Move After target up, De- Associate and terminate 4 System Admin migrate Manager VSI Type Database VSI Manager Pre-Associate to server s virtualization infrastructure Associate & Start-up 3 1 Retrieve VSI Information VDP Associate Target Server Apps Apps VEB or VEPA 6 2 7 Switch (a.k.a. Bridge) is brought on-line after VDP completes VDP Pre-Associate with Resource Reservation L2 net(s) vivk@us.ibm.com Linux Collaboration Summit, 2011 9

Automatic Host based Virtual Switching Host vswitch Linux bridge + ebtables/iptables + tc OpenVswitch (not in mainline) Administrative simplification: Associate filter rules to Virtual machines Rules enforced in the kernel when guest started Rules torn down when the guest is terminated Rules may be modified at runtime Rules may contain macros which get instantiated at runtime > IP Address, MAC address, more possible» DHCP Snooping/first packet to determine IP Address vivk@us.ibm.com Linux Collaboration Summit, 2011 10

Example Filter <filter name='no-ip-spoofing' chain='ipv4'> <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid> <rule action='drop' direction='out' priority='500'> <ip match='no' srcipaddr='$ip'/> </rule> </filter> This filter may now be referenced with any guest by adding to the 'interface' element in the guest domain: <interface type='bridge'> <mac address='52:54:00:56:44:32'/> <source bridge='br1'/> <ip address=$ip/> <target dev='vnet0'/> <model type='virtio'/> <filterref filter='no-ip-spoofing'/> </interface> vivk@us.ibm.com Linux Collaboration Summit, 2011 11

Status Linux 2.6.34 onwards VEPA mode (for IEEE 802.1Qbg support) Bridging between virtual interfaces Vhost-net interface for Qemu GSO/GRO acceleration for macvtap Libvirt 0.8.7 (http://libvirt.org/formatnwfilter.html) VEPA and VSI support > Netlink notifications for VDP protocol (to LLDPAD) Support for host based filter rules LLDPAD: Version lldpad 0.9.41 (open-lldp.org) > EVB TLVs, ECP/VDP Libvirt-CIM: 0.5.12 Support for specifying VEPA, VSI state vivk@us.ibm.com Linux Collaboration Summit, 2011 12

A peek into the Future: Network Profile Automation Linux/K: Manager Push & vport 2 Configuration to CIM provider (libvirt CIM) Host or direct libvirt interface Based on host capabilities and domain policy: Create ACL rules utilizing the linux virtualization library(libvirt) or Image library OVF Create/use existing VSI profile to impose on the guest Network extensions Include filters in the Virtual Machine meta data (e.g. in the OVF) Filters takes macros, that are instantiated at deployment (as shown with libvirt) Management tooling uses it to create libvirt rules or vis data profiles Edge Query available port profile types vswitch 1 Port Profile Database DB Client Interface DB-to-switch Interface Switch Edge Retrieve Port D Configuration 4 A 3 C vport Discovery IEEE Server 802.1Qbg Edgeprotocol support B L2 net(s) Port Profile DB Schema vivk@us.ibm.com Linux Collaboration Summit, 2011

Legal Statement This work represents the view of the author and does not necessarily represent the view of IBM. IBM is a registered trademark of International Business Machines Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others. vivk@us.ibm.com Linux Collaboration Summit, 2011 14

Questions? vivk@us.ibm.com Linux Collaboration Summit, 2011 15

802.1Qbg Protocols External Virtual Bridging protocol (EVB) uses LLDP as transport Defines locus of to switching > Set VEPA or Bridge mode Channel Discovery and Configuration Protocol (CDCP) [Not Implemented] Virtualize the physical link to simultaneously support multiple VEPA/VEB components Edge Control Protocol (ECP) ECP provides a reliable, acknowledged protocol for VDP rather than using LLDP. Virtual Station Interface (VSI) Discovery Protoco(VDP) Associate and De-associate interface MAC/VLAN to port profile For specification go to: IEEE 802.1Qbg version 0 Specification vivk@us.ibm.com Linux Collaboration Summit, 2011 16

Destroy Guest Server Linux host libvirt- CIM Libvirt LLDPAD EDP/VDP User Space Daemon Apps Apps 3 is destroyed 1 Virsh -c qemu:///system shutdown <kvm_guest> K with VEPA VSI Discovery and Configuration Protocol (VDP) deassociate 2 Switch (a.k.a. Bridge) L2 net(s) vivk@us.ibm.com Linux Collaboration Summit, 2011 17

Linux K Components Management Entity Libvirt-CIM Provider Libvirt LLDPAD ECP/VDP User Space Daemon Apps K with VEPA/VEB Apps Enablement of 'macvtap' Linux virtualization library framework (libvirt) Configure interfaces in VEPA or VEB (Bridge)Mode Enforce ACLs on the VEB virtual port Support for creation, destroy and migration of K guests () Trigger of IEEE 802.1Qbg protocols with K guest life-cycle events VSI Profile Database Switch (a.k.a. Bridge) L2 net(s) VSI: Virtual station interface (a.k.a virtual interface or vnic) 802.1Qbg protocols implemented in LLDPAD daemon VDP : VSI Discovery Protocol *VSI state consists of the following: VSI Manager ID, VSI Instance ID, VSI Type ID, VSI Type Version. vivk@us.ibm.com Linux Collaboration Summit, 2011 18 ECP: Edge Control Protocol LLDP extensions for switch mode (Ethernet Virtual Bridging TLVs)

MACVTAP: VEPA interface Goal: Share a single Ethernet NIC between K guest interfaces with no bridging function except replication of incoming multicast/broadcast packets Implementation: Utilize existing 'macvlan' driver already supported in Linux Create a 'macvtap' device driver that plugs into a macvlan driver to interface to K guest > Macvtap driver implements tun/tap-like interface > Frames sent from guest put directly into queue of outbound interface > Frames received put in guests receive path vivk@us.ibm.com Linux Collaboration Summit, 2011 19

Libvirt: VEPA interface Macvtap is tied specifically to an interface that provides uplink connectivity Define it in guest's domain xml as: <interface type='direct'/> <source dev='device name' mode='vepa' /> <model type='virtio'/> </interface> Additional modes defined: bridge and pepa Libvirt creates (and destroys) macvtap devices Passes macvtap file-descriptor to QEMU (similar to the case with tap interface) AF_NETLINK socket to create (and destroy) macvtap interface vivk@us.ibm.com Linux Collaboration Summit, 2011 20