Network Working Group S. Hartman
Internet-Draft Painless Security
Intended status: Experimental D. Zhang
Expires: August 22, 2013 Huawei
M. Wasserman
Painless Security
February 18, 2013
Security Requirements of NVO3
draft-hartman-nvo3-security-requirements-00
Abstract
This draft discusses the security requirements and several issues
which need to be considered in securing a virtualized data center
network for multiple tenants. In addition, the draft also attempts
to discuss how such issues could be addressed or mitigated.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 22, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Hartman, et al. Expires August 22, 2013 [Page 1]
Internet-Draft NVO3 security February 2013
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminologies . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Basic Security Requirements . . . . . . . . . . . . . . . . . . 5
4.1. Security Requirements Between NVEs and TESes . . . . . . . 5
4.2. Security Requirements within Overlays . . . . . . . . . . . 6
4.2.1. Control Plan Security . . . . . . . . . . . . . . . . . 6
4.2.2. Data Plan Security . . . . . . . . . . . . . . . . . . 7
5. Security Issues Imposed by the New Overlay Design
Characteristics . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Scalability Issues . . . . . . . . . . . . . . . . . . . . 7
5.2. Influence on Security Devices . . . . . . . . . . . . . . . 8
5.3. Security Issues with VM Migration . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Normative References . . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
Hartman, et al. Expires August 22, 2013 [Page 2]
Internet-Draft NVO3 security February 2013
1. Introduction
In [I-D.ietf-nvo3-overlay-problem-statement], it is indicated that
there multiple properties that a virtualized data center network for
multiple tenants may need to provide ( e.g., large amounts of tenant
end devices (TESes), the support of TES (e.g., VM) migration, and
dynamic network provisioning). This draft introduces the basic
security requirements for such a data center network and introduce
several security issues brought by the new features.
The remainder of this document is organized as follows. (Section 3)
introduces the the attack model of this work and the properties that
a NOV3 security mechanism needs to enforce. Section 4 describes the
essential security requirements which should be fulfilled in the
generation of a virtual data center network supporting multiple
tenants. Then, in Section 5, we analyze the challenges brought by
the new features mentioned
in[I-D.ietf-nvo3-overlay-problem-statement].
2. Terminologies
Tenant End System (TES): An end system of a tenant, which can be,
e.g., a virtual machine(VM), a non-virtualized server, or a physical
appliance. A TES is attached to a Network Virtualization Edge(NVE)
node.
Network Virtualization Edge(NVE): An NVE implements network
virtualization functions that allow for L2/L3 tenant separation,
tenant-related control plane activity. An NVE contains one or more
tenant service instances whereby a TES interfaces with its associated
instance. The NVE also provides tunneling overlay functions.
Virtual Network Instance (VNI): This is one instance of a virtual
overlay network. Two Virtual Networks are isolated from one another
and may use overlapping addresses.
3. Threat Model
In the analysis, it is assumed that an attacker has the capability of
1. intercepting the packets transported through a virtual data
center network,
2. replaying the intercepted packets, and
Hartman, et al. Expires August 22, 2013 [Page 3]
Internet-Draft NVO3 security February 2013
3. generating fake packets and injecting them into the network.
When using the above capability to perform a successful attack on a
virtual data center network, an attacker may be able to
1. obtain the data which it is un-authorized to access,
2. analyze the traffic pattern of a tenant or a end device, or
3. disrupt and degrade the service quality of the network.
Under the attacks performed by an attacker, a virtual data center
network MUST guarantee the following security properties:
1. Isolation of the VNIs. Isolation benefits not only in
simplifying managemt operations but also in confining the damages
of attacks.In [I-D.ietf-nvo3-overlay-problem-statement], the data
plane isolation amongst different VNIs has been discussed. The
traffic within a virtual network can only be transited into
another one in a controlled fashion (e.g., via a configured
router and/or a security gateway). Apart from that, the control
plane isolation in the overlay is also very important. That is,
an entity cannot make use of its privilege obtained within a VNI
to manipulate the overlay control plane to affect on the
operations of other VNIs.
2. Integrity and origin authentication of the control plane: All the
control panel implementations of the overlay MUST support the
integrity protection on the signaling packets. No entity can
modify a overlay signaling packet during its transportation
without being detected. Also, an attacker cannot impersonate a
legal victim (e.g., a NVE or another servers within the overlay)
to send signaling packets without detection.
3. Availability of the control plane: The design of the control plan
must consider the DDOS attacks. Especially, when there are
centralized servers in the control plan of the overlay, the
servers must be well protected and make sure that they will not
become the bottle neck of the control plane especially under DDOS
attacks.
And the following properties SHOULD be optionally provided:
1. Confidentiality and integrity of the TES traffic. In some
conditions, the cryptographic protection on the TES traffic is
not necessary. For example, if most of the TES data is headed
towards the Internet and nothing is confidential, encryption is
redundant. In addition, in the cases where the underlay network
Hartman, et al. Expires August 22, 2013 [Page 4]
Internet-Draft NVO3 security February 2013
is secure enough, no additional cryptographic protection needs to
be provided.
2. Confidentiality of the control plane. On many occasions, the the
signaling messages can be transported in plaintext. However,
when some information contained within the signaling messages are
sensitive to a tenant (e.g., the location of a TES, when a TES
migration happens), the signaling messages related with that
tenant should be encrypted.
Note that the following two types of attacks is out of the scope of
this draft: the attacks taking advantage of social engineering, and
the attacks taking advantage of the weak security algorithms, the
drawbacks of security protocols, or the loopholes of security
implementations. In addition, NOV3 assumes all the NVO3 overlay is
within a administration domain, and so there is no issue with
federated authentication and authorization.
4. Basic Security Requirements
4.1. Security Requirements Between NVEs and TESes
A NVE and the TESes it supports can be deployed in a distributed way
(e.g., a NVE is implemented in an individual device, and VMs are
located on servers) or in a co-located way (e.g., a NVE and the VMs
it serves are located on the same server).
In the former case, the packets between the NVE and the TESes are
exchanged over a network. If the network connecting the NVE and the
TESes is potentially accessible to attackers, the protection on the
the security properties including the integrity, the confidentiality,
and the message origin authenticity of the data traffic of TESes
SHOULD be provided, e.g., by IPsec, SSL, and etc., according to
different security requirements. In addition, in the conditions
where there are signaling messages exchanged between the NVE and the
end devices (e.g., VMs or hypervisors) for the purposes of, e.g., VM
online detection or VM migration detection, the integrity of the
those packets MUST be ensured since such messages may be used to the
state of the NVE and then be distributed across the overlay. The end
devices sending the signaling messages SHOULD be authenticated, and
only the signaling messages from the authorized TESes will be
accepted. In addition, it is important to guarantee the isolation
between different VNIs. If a NVE supports multiple NVIs
concurrently, the traffic of the TESes in different VNIs must be
separated physically or by e.g., VLAN. In addition, to confine the
damage caused by a compromised TES, A TES in a VNI is not allowed to
distribute the information about other VNIs. For instance, When a
Hartman, et al. Expires August 22, 2013 [Page 5]
Internet-Draft NVO3 security February 2013
NVE receives an address mapping information, the NVE must guarantee
the information is from an authorized entity before updating its
mapping table.
In the latter case, all the communication between the NVE and the
TESes are located within the same device. It is also important to
keep the isolation of the TES traffic in different VNIs. In
addition, in the co-location fashion, because the NVE, the
hypervisor, and the VMs are deployed on the same device, the
computing and memory resources of the NVE , the hypervisor, and the
TESes need to be isolated to prevents a malicious or compromised TES
from accessing the memory of the NVE or affecting the performance of
the NVE by occupying large amounts of computing resources.
4.2. Security Requirements within Overlays
This section discusses the security issues within a virtual data
center overlay in the control plan and the data plan respectively.
4.2.1. Control Plan Security
In an overlay, the signaling messages must be transported over the
underlay network in a secure way, the integrity and origin
authentication of the messages must be guaranteed. The signaling
packets should also be encrypted if the signaling messages are
confidential.
The issues of DDOS attacks also need to be considered in designing
the overlay control plane. For instance, in the VXLAN
solution[I-D.mahalingam-dutt-dcops-vxlan], an attacker attached to a
NVE can try to manipulate the NVE to keep multicasting messages by
sending ARP packets to query the VMs which does not exist. In order
to mitigate this type of attack, the NVEs SHOULD be only allowed to
send signaling message in the overlay with a limited frequency. When
there are centralized servers (e.g., the backend oracles providing
mapping information for
NVEs[I-D.ietf-nvo3-overlay-problem-statement], or the SDN
controllers) are located within the overlay, the potential security
risks caused by DDOS attack on such servers can be more serious.
When considering inside attacks where one or more NVEes are
compromised, authentication between the communicating entities within
the overlay (NVEs, the centralized servers) is important. Only the
control messages from the authenticated entity will be adopted. In
addition, authorization MAY need to be performed. For instance, when
a NVE receives a control message about the operations in a VNI, the
NVE needs to verify whether the message comes from one which is
authorized to work for that VNI. If the authentication or the
Hartman, et al. Expires August 22, 2013 [Page 6]
Internet-Draft NVO3 security February 2013
authorization fail, the control message will be discarded. In order
enforce the security boundary of different VNIs, the signaling
messages of different VNIs need be protected by different keys.
Otherwise, a compromised NVE could use the key it got within a VNI to
impersonate the NVEs in other VNIs which it is not involved within
and generate fake signaling messages without being detected. If we
expect to provide a better attack confinement capability and prevent
a compromised NVE to impersonate other NVEs in the same VNI,
different NVEs working inside a NVI need to secure their signaling
messages with different keys. When there are centralized servers
providing mapping information within the overlay, it will be
important to prevent a compromised NVE from impersonating the
centralized servers to communicate with other NVEs. A
straightforward solution is to associate different NVEs with
different keys when they exchange information with the centralized
servers. Since the NVO3 overlay is expected to consist of a large
amount of NVEs, manual key management could be infeasible. First, it
becomes burdensome to deploy pre-shared keys for thousands of NVEs,
not to mention that multiple keys may need to be deployed on a single
device for different purposes. Key derivation can be used to
mitigate this problem. That is, multiple keys are derived from a
pre-shared master key for different usuages. However, key derivation
cannot protect against the situation where a system was incorrectly
trusted to have the key used to perform the derivation. If the
master key were somehow compromised, all the resulting keys would
need to be changed. In addition, TES migration will also introduce
challenges to manual key management. The migration of a VM in a VNI
may cause the change of the NVEs which are involved within the NVI.
A NVE newly involved within a VNI needs to get the key to join the
operations within the VNI. A NVE no longer supporting a VNI should
not keep the key associated with that VNI. All those updates of the
key are performed at run time and difficult to be performed by human
beings. As a result, it is feasible to introduce an auto key
management solution for NVO3 overlays.
4.2.2. Data Plan Security
As illustrated in Section 3, the security of data plan is optionally
provided.
5. Security Issues Imposed by the New Overlay Design Characteristics
5.1. Scalability Issues
NOV3 WG requires an overlay be able to work in an environment where
there are many thousands of NVEs (e.g. residing within the
hypervisors) and large amounts of trust domains (VNIs). Therefore,
Hartman, et al. Expires August 22, 2013 [Page 7]
Internet-Draft NVO3 security February 2013
the scalability issues should be considered. In the cases where a
NVE only has a limited number of NVEs to communicate with, the
scalability problem brought by the overhead of generating and
maintaining the security channels with the remote NVEs is not
serious. However, if a NVE needs to communicate with a large number
of peers, the scalability issue could be serious. For instance,
in[I-D.ietf-ipsecme-ad-vpn-problem], it has been demonstrated it is
not trivial to enabling a large number of systems to communicate
directly using IPsec to protect the traffic between them.
5.2. Influence on Security Devices
If the data packets transported through out an overlay are encrypted
(e.g., by NVEs), it is difficult for a security device, e,g., a
firewall deployed on the path to intercept the contents of the
packets. The firewall can only know which VNI the packets belong to
through the VNID transported in the outer header. If a firewall
would like to identify which end device sends a packets or which end
device a packet is sent to, the firewall can be deployed in some
place where it can access the packet before it is encapsulated or un-
encapsulated by NVEs. However, in this case, the firewall cannot get
VN ID from the packet. If the firewall is used to process two VNIs
concurrently and there are IP or MAC addresses of the end devices in
the two VNIs overlapped, confusion will be caused. If a firewall can
generate multiple firewalls instances for different tenants
respectively, this issue can be largely addressed.
5.3. Security Issues with VM Migration
The support of VM migration is an important issue considered in NVO3
WG. The migration may also cause security risks. Because the VMs
within a VNI may move from one server to another which connects to a
different NVE, the packets exchanging between two VMs may be
transferred in a new path. If the security policies deployed on the
firewalls of the two paths are conflict or the firewalls on the new
path lack essential state to process the packets. The communication
between the VMs may be broken. To address this problem, one option
is to enable the state migration and policy confliction detection
between firewalls. The other one is to force all the traffic within
a VNI be processed by a single firewall. However this solution may
cause traffic optimization issues.
6. IANA Considerations
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
Hartman, et al. Expires August 22, 2013 [Page 8]
Internet-Draft NVO3 security February 2013
RFC.
7. Security Considerations
TBD
8. Acknowledgements
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
9.2. Informative References
[I-D.ietf-ipsecme-ad-vpn-problem]
Hanna, S. and V. Manral, "Auto Discovery VPN Problem
Statement and Requirements",
draft-ietf-ipsecme-ad-vpn-problem-03 (work in progress),
December 2012.
[I-D.ietf-nvo3-overlay-problem-statement]
Narten, T., Gray, E., Black, D., Dutt, D., Fang, L.,
Kreeger, L., Napierala, M., and M. Sridharan, "Problem
Statement: Overlays for Network Virtualization",
draft-ietf-nvo3-overlay-problem-statement-02 (work in
progress), February 2013.
[I-D.mahalingam-dutt-dcops-vxlan]
Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "VXLAN: A
Framework for Overlaying Virtualized Layer 2 Networks over
Layer 3 Networks", draft-mahalingam-dutt-dcops-vxlan-02
(work in progress), August 2012.
Hartman, et al. Expires August 22, 2013 [Page 9]
Internet-Draft NVO3 security February 2013
Authors' Addresses
Sam Hartman
Painless Security
356 Abbott Street
North Andover, MA 01845
USA
Email: hartmans@painless-security.com
URI: http://www.painless-security.com
Dacheng Zhang
Huawei
Beijing,
China
Phone:
Fax:
Email: zhangdacheng@huawei.com
URI:
Margaret Wasserman
Painless Security
356 Abbott Street
North Andover, MA 01845
USA
Phone: +1 781 405 7464
Email: mrw@painless-security.com
URI: http://www.painless-security.com
Hartman, et al. Expires August 22, 2013 [Page 10]