[ovs-dev] [RFC PATCH v2 00/10] RFC for Userspace IPsec Interface

Ian Stokes ian.stokes at intel.com
Fri Aug 25 16:40:22 UTC 2017


Hi all,

I've started to work on enabling IPsec for userspace in OVS.

This RFC patchset provides a very basic implementation allowing users to test
a simple VM to VM setup. The patch set is far from complete and will require
a lot more work before I consider submitting it upstream, but I'm sharing
what I have to date to gather feedback on the approach and some of the key
considerations I've come across.

I'd like to discuss 2 areas in this cover letter which are not directly
covered in the accompanying RFC patches.

(i) Usecase: Securing isolated tenant VM traffic.
(ii) Known Issues

(i) Usecase: Securing isolated tenant VM traffic.

Users can isolate traffic between VMs in a data center by the use of an
appropriate tunneling protocol, e.g. VXLAN.

However although the traffic is isolated in terms of its source and
destination, it is not encrypted.

A rogue entity with access to the network could listen and examine the clear
text payload of this traffic between VMs.

The aim of this work is to introduce IPsec in userspace to secure the traffic
payloads.

As such, the malicious entity could still see the traffic as it traverses the
network but the payload of the traffic will be secured via encryption and
authentication provided by IPsec.

The steps involved in securing the VXLAN payload would be done with VXLAN over
IPsec (transport mode). This would look as follows:

1.) Original header | Payload ! before VXLAN

2.) Outer header | UDP |VXLAN | Original header | Payload ! after VXLAN

3.) Outer header | ESP | Encrypt ( UDP | VXLAN | Original header | Payload )
    ! after IPsec transport mode

A more detailed description of the expected packet format is given below.

   Outer Ethernet Header:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Outer Destination MAC Address                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Outer Destination MAC Address | Outer Source MAC Address      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Outer Source MAC Address                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |OptnlEthtype = C-Tag 802.1Q    | Outer.VLAN Tag Information    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Ethertype = 0x0800            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Outer IPv4 Header:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live | Protocol = 50 (ESP) |   Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Outer Source IPv4 Address               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Outer Destination IPv4 Address              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   
   ESP Header:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                SPI (Security Parameter Index)                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Sequence Number                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Outer UDP Header:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Source Port         |       Dest Port = VXLAN Port  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           UDP Length          |        UDP Checksum           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   VXLAN Header:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|R|R|R|I|R|R|R|            Reserved                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                VXLAN Network Identifier (VNI) |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   
   Inner Ethernet Header:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Inner Destination MAC Address                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Inner Destination MAC Address | Inner Source MAC Address      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Inner Source MAC Address                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |OptnlEthtype = C-Tag 802.1Q    | Inner.VLAN Tag Information    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Payload:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Ethertype of Original Payload |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                  Original Ethernet Payload    |
   |                                                               |
   |(Note that the original Ethernet Frame's FCS is not included)  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Padding (variable)                        |
   |                                         +-+-+-+-+-+-+-+-+-+-+-|
   |                                         | Pad Len | next = UDP|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   
   ESP Authentication
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Authentication Data (optional)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   
Encryption would be provided from the UDP Header to the Padding while
authentication would be provided from the ESP header to the padding.

This patchset introduces a vxlanipsec interface tunnel type.

Encryption and hash generation take place at the encapsulation stage.
Authentication and decryption occur at the decapsulation stage.

The flow structure has been modified to allow the storing of the ESP SPI
value of a packet. The miniflow extract process has been modified accordingly.
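The framing described above and the SPI lookup the flow change needs, as an added example that is not part of this patch series: it wraps a constructed UDP/VXLAN datagram in the ESP-in-IPv4 layout shown earlier, pads to the AES-CBC block size, computes the HMAC-SHA1-96 ICV over the ESP header through the trailer, and reads the SPI from directly after the outer IPv4 header. The cipher is a pluggable callable; the offline run substitutes RFC 2410 NULL encryption for AES-CBC, and the key, addresses, SPI and packet bytes are all constructed for the demo.

```python
import hashlib
import hmac
import struct

ESP_PROTO, UDP_PROTO, BLOCK, ICV_LEN = 50, 17, 16, 12  # AES-CBC block size; HMAC-SHA1-96 keeps 96 bits

def null_cipher(data):
    # RFC 2410 NULL encryption: stand-in for AES-CBC so this runs without a crypto library.
    return data

def ipv4_header(src, dst, payload_len, proto=ESP_PROTO):
    # Minimal outer IPv4 header (DF set, TTL 64) carrying protocol 50 (ESP).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def esp_encap(udp_vxlan, spi, seq, auth_key, src, dst, encrypt=null_cipher):
    # Pad so data + padding + Pad Len + Next Header fills whole cipher blocks (RFC 4303 2.4).
    pad_len = (-(len(udp_vxlan) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, UDP_PROTO])  # next header = UDP
    body = struct.pack("!II", spi, seq) + encrypt(udp_vxlan + trailer)    # encrypt UDP hdr .. trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]       # auth ESP hdr .. trailer
    return ipv4_header(src, dst, len(body) + ICV_LEN) + body + icv

def extract_spi(pkt):
    # What the flow/miniflow change stores: the SPI directly after the outer IPv4 header.
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!I", pkt[ihl:ihl + 4])[0] if pkt[9] == ESP_PROTO else None

def esp_decap(pkt, auth_key, decrypt=null_cipher):
    # Check the ICV first; only an authenticated packet is decrypted and its trailer stripped.
    ihl = (pkt[0] & 0x0F) * 4
    body, icv = pkt[ihl:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch, dropping packet")
    spi, seq = struct.unpack("!II", body[:8])
    plain = decrypt(body[8:])
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != UDP_PROTO:
        raise ValueError("unexpected next header %d" % next_hdr)
    return spi, seq, plain[:len(plain) - 2 - pad_len]

# Constructed sample: UDP to port 4789, VXLAN VNI 16, inner Ethernet header, 6 bytes of inner payload.
SAMPLE_UDP_VXLAN = (bytes.fromhex("9c4012b500240000" "0800000000001000")
                    + b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"\x45\x00\x00\x14\x00\x01")
AUTH_KEY = b"constructed-demo-key"  # the RFC hard-codes its keys; this one is made up for the demo
```

Plugging a real AES-CBC callable into `encrypt`/`decrypt` keeps every boundary the same; only the 48-byte span after the ESP header changes.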

Base IPsec functionality has been detailed in 'Docs: Update releases with IPsec feature support info.'

A proposed design of a new IPsec interface is included with its options in the
'vswitch.xml: Detail ipsec user interface' RFC. Note this is the final target the
patch series should resemble as development continues.

A `how-to` guide has been added to provide some context of how the IPsec
interface would be configured by a user in the 'Docs: Add userspace-ipsec how to guide.'

Please note this is an early approach and is not intended for upstreaming; instead it is to
provide an insight into some of the requirements the work will have. It is subject to
change following feedback from the community and ongoing investigation during future
RFC implementations.


(ii) Known Issues

As investigation progresses I'm sure there will be more opens to be added to
the list below, but from the outset there are a few issues I'd like to flag
at this stage as the feature is still in development.

(1) Cipher/Authentication Algorithms: The current RFC is limited in that the
algorithms used for cipher/authentication are hard-coded to AES-128-CBC and
HMAC-SHA1-96 respectively. Keys are also hard-coded. I will add the ability
to read keys from a user in the next revision along with selection of
algorithms for the operations. The current series should provide a feel for
how crypto operations work with DPDK.

(2) Crypto device: Currently only software crypto devices are supported,
specifically the AES-NI vdev PMD in DPDK.

(3) Single PMD support within OVS: The current RFC is limited to running on a single PMD.
Running it with more than 1 PMD will (probably) cause a segfault. Multiple PMD
support will be added in the next revision after some discussion on how cryptodevs
should be accessed on a multi-core system.

(4) Use of DPDK crypto devs requires installing the Intel(R) Multi-Buffer Crypto
for IPsec library. This is an open-source library available on GitHub and is used
by DPDK to perform crypto operations when used with a vdev such as the AES-NI PMD. Setup
instructions have been included in the patch series.

(5) Stats: I haven’t looked into how this will affect stats within OVS yet
but this is another item I will look at for the next revision in the series.

(6) OVS mode: The series has been tested with OVS with DPDK only. A few rte libraries
have been introduced to areas where DPDK previously was not active, for instance
the tunneling code. I'm aware that this will break compilation if a user compiles
OVS without DPDK. How the libraries should be introduced to prevent this is an
item I would be interested in receiving feedback on, as I will be working on this
for the next revision.

I would appreciate any feedback people have regarding the proposed approach
for the initial RFC.

Thanks
Ian


Ian Stokes (10):
  acinclude.m4: Support compilation of libIPsec.
  openvswitch.h: add vport to ovs_action_push_tnl.
  packets: Add ESP header and trailer.
  flow: Add ESP spi value to flow struct.
  flow: Modify minflow extract to handle SPI.
  vxlanipsec: Add userspace support for vxlan ipsec.
  Docs: Modify dpdk howto to include cryptodev.
  vswitch.xml: Detail vxlanipsec user interface.
  Docs: Add userspace-ipsec how to guide.
  Docs: Update releases with IPsec feature support.

 Documentation/automake.mk                         |    1 +
 Documentation/faq/releases.rst                    |   51 ++
 Documentation/howto/dpdk.rst                      |   60 +++
 Documentation/howto/index.rst                     |    1 +
 Documentation/howto/userspace-ipsec.rst           |  187 ++++++++
 acinclude.m4                                      |   13 +
 datapath/linux/compat/include/linux/openvswitch.h |    3 +
 include/openvswitch/flow.h                        |    5 +
 lib/flow.c                                        |   11 +-
 lib/netdev-native-tnl.c                           |  532 ++++++++++++++++++++-
 lib/netdev-native-tnl.h                           |   26 +
 lib/netdev-vport-private.h                        |   33 ++
 lib/netdev-vport.c                                |  366 ++++++++++++++-
 lib/netdev-vport.h                                |   12 +
 lib/packets.h                                     |   14 +
 lib/tnl-ports.c                                   |    8 +-
 vswitchd/vswitch.xml                              |  225 +++++++++
 17 files changed, 1541 insertions(+), 7 deletions(-)
 create mode 100644 Documentation/howto/userspace-ipsec.rst
