nvo3                                                         Y. Wei, Ed.
Internet-Draft                                                  S. Zhang
Intended status: Informational                           ZTE Corporation
Expires: December 22, 2012                                 June 20, 2012

                        NVO3 Security Framework
                  draft-wei-nvo3-security-framework-00

Abstract

   This document provides a security framework for overlay based
   network virtualization.  It describes the security reference model,
   the security threats and the security requirements.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 22, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Wei & Zhang             Expires December 22, 2012               [Page 1]

Internet-Draft          nvo3-security-framework                June 2012

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Security Reference Model
   4.  Security Threats
     4.1.  Attacks on Control Plane
     4.2.  Attacks on Data Plane
   5.  Security Requirements
     5.1.  Control Plane Security Requirements
     5.2.  Data Plane Security Requirements
   6.  Acknowledgements
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Security is one of the important factors in the cloud computing
   environment.  This issue should be addressed for overlay based
   network virtualization, which supports multi-tenancy in the data
   center.  Security considerations have already been provided in each
   of the individual documents on the framework, control plane and data
   plane requirements of data center network virtualization over Layer
   3 (NVO3).  [I-D.lasserre-nvo3-framework] describes that the tenant to
   overlay mapping function can introduce significant security risks if
   appropriate security mechanisms are not used for the protocol.
   [I-D.kreeger-nvo3-overlay-cp] describes that the protocol should
   protect the integrity of the mapping, and that the overlay exposes
   virtual networks to attacks on the underlying network such as traffic
   injection.  [I-D.bitar-lasserre-nvo3-dp-reqs] also describes the
   security risks of the tenant to overlay mapping function.

   The motivation of this document is to provide a general and
   consistent security description for NVO3, and to complement the
   security considerations in the current documents.

   This document is organized as follows.  Section 3 describes the
   security reference model for NVO3.  Section 4 describes the security
   threats under the security model.  Section 5 addresses the security
   requirements corresponding to the security issues.

2.  Terminology

   This document introduces no new terminology.  For the reader's
   convenience, this document repeats some of the terms defined in
   [I-D.lasserre-nvo3-framework], [I-D.kreeger-nvo3-overlay-cp] and
   [I-D.bitar-lasserre-nvo3-dp-reqs].

   Tenant End System (TES): An end system of a tenant, which can be for
   instance a virtual machine (VM), a non-virtualized server, or a
   physical appliance.  A TES attaches to a Network Virtualization Edge
   (NVE) node.

   Network Virtualization Edge (NVE): An NVE implements network
   virtualization functions that allow for L2/L3 tenant separation and
   tenant-related control plane activity.  An NVE contains one or more
   tenant service instances whereby a TES interfaces with its associated
   instance.  The NVE also provides tunneling overlay functions.

   Virtual Network (VN): This is a virtual overlay network.  Two Virtual
   Networks are isolated from one another.

   Overlay Boundary Point (OBP): This is a network entity that is on the
   edge boundary of the overlay.  It performs encapsulation to send
   packets across the Underlying Network to other OBPs, which
   decapsulate them.

   Underlying Network (UN): This is the network that provides the
   connectivity between the OBPs.

3.  Security Reference Model

   This section defines the security reference model for overlay based
   network virtualization.  The L3 overlay network, which is deployed on
   the underlying network, provides virtual networks to multiple
   tenants.  Tenant end systems attach to the L3 overlay network.

   The L3 overlay network isolates each tenant from the others, which
   provides security to its tenants.  From the NVO3 operator's point of
   view, the L3 overlay network can be regarded as a secure zone.
   Components outside NVO3 are considered untrusted and may mount
   attacks on NVO3.  On the other hand, one virtual network may not
   trust another virtual network.  This model is the basis for analyzing
   the security of NVO3.

             +------------------------------------+
             |               Trusted              |
             |       +--------------------+       |
             |       |+------------------+|       |
             |       || Virtual Network 1||       |
             |       |+------------------+|       |
   +----------+      | +-----++------------------++-----+ |
   |Tenant End|      | |     || Virtual Network 2||     | |  +----------+
   | System   +------+ NV    |+------------------+| NV  |  |  |Tenant End|
   +----------+      | |Edge |+------------------+| Edge+----+ System   |
                     | |     || Virtual Network 3||     | |  +----------+
   Untrusted         | +-----++------------------++-----+ |
                     |       | L3 Overlay Network |       |   Untrusted
                     |       |                    |       |
                     |       +--+---------------+-+       |
                     |          | Overlay       |         |
                     |          | Boundary Point|         |
                     |          +-------+-------+         |
                     +------------------|-----------------+
                                        |
                             +----------+---------+
                             | Underlying Network |   Untrusted
                             +--------------------+

   Figure 1: Security Reference Model for Overlay based Network
             Virtualization

4.  Security Threats

   This section describes the various security threats that may
   endanger overlay based network virtualization.  For example, an
   attack on NVO3 may result in some unexpected effects:

   o  Interrupt the connectivity of a tenant's virtual network.

   o  Inject unwanted traffic into a virtual network.

   o  Eavesdrop on sensitive information of a tenant.

   o  Degrade the provider's service level.

   Security threats may be malicious or casual.  For example, some of
   them may come from the following sources:

   o  A tenant who rents one or more virtual networks and wants to
      acquire information from other tenants co-existing in the same
      data center.

   o  Persons who manipulate the activation, migration or deactivation
      of a tenant's virtual machine.

   o  Persons who have physical access to the underlying network.

4.1.  Attacks on Control Plane

   1.  Attack the association between VM and VN: one of the
       functionalities of NVO3 is to provide virtual networks to
       multiple tenants.  NVO3 associates a virtual machine's NIC with
       the corresponding virtual network, and maintains that
       association as the VM is activated, migrated or deactivated.
       The signaling information between the endpoint and the access
       switch may be spoofed or altered.  Thus the association between
       VM and VN may be invalid if the signaling is not properly
       protected.

   2.  Attack the mapping of a virtual network: the mapping between the
       inner and outer addresses may be affected by altering the
       mapping table.

   3.  Inject traffic: a compromised underlying network may inject
       traffic into a virtual network.

   4.  Attack live migration: an attacker may cause guest VMs to be live
       migrated to the attacker's machine and gain full control over
       the guest VMs [VM-Migration].

   5.  Denial of Service attacks against endpoints by false resource
       advertising: since live migrations are initiated automatically
       to distribute load across a number of servers, an attacker may
       falsely advertise available resources via the control plane.  By
       pretending to have a large number of spare CPU cycles, the
       attacker may be able to influence the control plane to migrate a
       VM to a compromised endpoint.

4.2.  Attacks on Data Plane

   1.  Unauthorized snooping of data traffic: this attack results in
       leakage of sensitive information; an attacker can sniff user
       packets and extract their content.

   2.  Modification of data traffic: an attacker may modify, insert or
       delete data packets and pass them off as legitimate ones.

   3.  Man-in-the-Middle attack on live migration of a VM: when a
       virtual machine is migrated from one endpoint to another, the VM
       may be intercepted and modified in the middle of the migration.

5.  Security Requirements

   This section describes the security requirements for the control
   plane and the data plane of NVO3.

5.1.  Control Plane Security Requirements

   1.  The network infrastructure shall support mechanisms for
       authentication and integrity protection of the control plane.

       (1)  When a protocol is used for service auto-provisioning/
            discovery, the information from an endpoint shall not be
            spoofed or altered.

       (2)  When a protocol is used to distribute address advertisement
            and tunneling information, the protocol shall provide
            integrity protection.

       (3)  The protocol for tunnel management shall provide integrity
            and authentication protection.

   2.  NVEs shall assure that the information in the mapping table comes
       from a trusted source.

   3.  The virtual network should prevent malformed traffic injection
       from the underlying network, other virtual networks, or
       endpoints.

5.2.  Data Plane Security Requirements

   1.  The mapping function from the tenant to the overlay shall be
       protected.  NVEs should verify that the VNID is not spoofed.

   2.  The data plane should protect the VM's state against snooping and
       tampering.

   3.  IPsec can provide authentication, integrity and confidentiality
       protection.  IPsec can be used to protect the data plane.

6.  Acknowledgements

   We invite more feedback and contributors.

7.  IANA Considerations

   IANA does not need to take any action for this draft.

8.  Security Considerations

   TODO

9.  References

9.1.  Normative References

   [I-D.lasserre-nvo3-framework]
              Lasserre, M., Balus, F., Morin, T., Bitar, N., and
              Y. Rekhter, "Framework for DC Network Virtualization",
              draft-lasserre-nvo3-framework-02 (work in progress),
              June 2012.

   [I-D.kreeger-nvo3-overlay-cp]
              Black, D., Dutt, D., Kreeger, L., Sridharan, M., and
              T. Narten, "Network Virtualization Overlay Control
              Protocol Requirements", draft-kreeger-nvo3-overlay-cp-00
              (work in progress), January 2012.

   [I-D.bitar-lasserre-nvo3-dp-reqs]
              Bitar, N., Lasserre, M., and F. Balus, "NVO3 Data Plane
              Requirements", draft-bitar-lasserre-nvo3-dp-reqs-00 (work
              in progress), May 2012.

9.2.  Informative References

   [VM-Migration]
              Oberheide, J., Cooke, E., and F. Jahanian, "Empirical
              Exploitation of Live Virtual Machine Migration",
              Feb 2011.

Authors' Addresses

   Yinxing Wei (editor)
   ZTE Corporation
   No 68, Zijinghua Road
   Nanjing, Jiangsu  210012
   China

   Phone: +86 25 52872328
   Email: wei.yinxing@zte.com.cn


   Shiwei Zhang
   ZTE Corporation
   No 68, Zijinghua Road
   Nanjing, Jiangsu  210012
   China

   Phone: +86 25 52870100
   Email: zhang.shiwei@zte.com.cn
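Worked example (added here; not part of the draft and not NVO3 protocol code): a toy NVE that enforces two of the requirements above. For the control plane (Section 5.1, items 1 and 2) it installs a mapping-table entry only when the advertisement carries a valid HMAC from a pre-provisioned peer NVE and a fresh sequence number, so spoofed, altered or replayed advertisements are rejected. For the data plane (Section 5.2, item 1, and the traffic-injection threat in Section 4.1) it checks on decapsulation that the packet's VNID, inner source and outer source are mutually consistent with the mapping table before delivering to a locally attached TES. The message layout, field names, addresses and shared keys are constructed for the example; real deployments would carry this on an authenticated control protocol and on IPsec-protected tunnels as Section 5.2 notes.

```python
"""Toy NVE illustrating NVO3 Sections 5.1/5.2 (constructed example, not draft code)."""
import hashlib
import hmac
import json


class NVE:
    def __init__(self, my_outer_addr, peer_keys):
        # peer_keys: peer NVE id -> shared secret, assumed pre-provisioned
        # out of band (the "trusted source" of Section 5.1 item 2).
        self.my_outer_addr = my_outer_addr
        self.peer_keys = peer_keys
        self.last_seq = {}    # peer id -> last accepted sequence number
        self.mapping = {}     # (vnid, inner_addr) -> outer_addr of owning NVE
        self.local_tes = {}   # (vnid, inner_addr) -> local port of attached TES

    def attach_tes(self, vnid, inner_addr, port):
        """A TES attaches locally; local entries are authoritative here."""
        self.local_tes[(vnid, inner_addr)] = port
        self.mapping[(vnid, inner_addr)] = self.my_outer_addr

    # ---- control plane: authenticated, replay-protected advertisement ----
    @staticmethod
    def sign_advertisement(key, adv):
        """Sender side: HMAC-SHA256 over the canonical JSON of the advertisement."""
        body = json.dumps(adv, sort_keys=True).encode()
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def install_mapping(self, peer_id, adv, mac):
        """adv = {vnid, inner, outer, seq}. Returns (accepted, reason)."""
        key = self.peer_keys.get(peer_id)
        if key is None:
            return False, "unknown source NVE"
        if not hmac.compare_digest(self.sign_advertisement(key, adv), mac):
            return False, "bad MAC (spoofed or altered advertisement)"
        if adv["seq"] <= self.last_seq.get(peer_id, -1):
            return False, "stale sequence number (replay)"
        if (adv["vnid"], adv["inner"]) in self.local_tes:
            return False, "conflicts with locally attached TES"
        self.last_seq[peer_id] = adv["seq"]
        self.mapping[(adv["vnid"], adv["inner"])] = adv["outer"]
        return True, "installed"

    # ---- data plane: consistency checks on decapsulation ------------------
    def decapsulate(self, pkt):
        """pkt = {outer_src, vnid, inner_src, inner_dst}. Returns (deliver, why)."""
        vnid = pkt["vnid"]
        dst = (vnid, pkt["inner_dst"])
        if dst not in self.local_tes:
            return False, "no TES for this VNID/destination on this NVE"
        owner = self.mapping.get((vnid, pkt["inner_src"]))
        if owner is None:
            return False, "unknown inner source in this VN"
        if owner != pkt["outer_src"]:
            return False, "outer source does not own inner source (spoofed VNID/address)"
        return True, "deliver to " + self.local_tes[dst]


def demo():
    """Runs the scenarios and returns which checks behaved as required."""
    key_b = b"constructed-shared-secret-for-nve-b"
    nve_a = NVE("10.0.0.1", {"nve-b": key_b})
    nve_a.attach_tes(100, "192.168.1.10", "vport1")          # tenant 100's TES on NVE A

    good = {"vnid": 100, "inner": "192.168.1.20", "outer": "10.0.0.2", "seq": 1}
    ok = nve_a.install_mapping("nve-b", good, NVE.sign_advertisement(key_b, good))
    # Same advertisement altered in transit (outer address changed), MAC unchanged.
    altered = dict(good, outer="10.0.0.66", seq=2)
    alt = nve_a.install_mapping("nve-b", altered, NVE.sign_advertisement(key_b, good))
    # Genuine advertisement replayed with its original sequence number.
    rep = nve_a.install_mapping("nve-b", good, NVE.sign_advertisement(key_b, good))

    legit = {"outer_src": "10.0.0.2", "vnid": 100,
             "inner_src": "192.168.1.20", "inner_dst": "192.168.1.10"}
    injected = dict(legit, outer_src="10.0.0.66")   # from an underlay node, not NVE B
    wrong_vn = dict(legit, vnid=200)                 # tenant 200 reaching tenant 100
    return {
        "install_ok": ok[0],
        "altered_rejected": not alt[0],
        "replay_rejected": not rep[0],
        "legit_delivered": nve_a.decapsulate(legit)[0],
        "injected_dropped": not nve_a.decapsulate(injected)[0],
        "wrong_vn_dropped": not nve_a.decapsulate(wrong_vn)[0],
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The data-plane check binds three fields together (VNID, inner source, outer source) rather than looking at the VNID alone: a VNID that exists on the NVE is not enough to accept a packet, the outer address that sent it must be the NVE that the mapping table says hosts that inner address. Replacing the HMAC with IPsec or a signed control protocol changes the mechanism but not the three decisions the NVE has to make.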