one icon indicating copy to clipboard operation
one copied to clipboard
verified publisher icon OpenNebula

Security Groups Enhancements

Open christian7007 opened this issue 4 years ago • 0 comments

Description The current implementation of Security Groups (SG) have to main limitations:

  • A high number of rules needs to be processed in high density setups. This also may expose kernel connection tracking tables to a denial of service attack.
  • Implementation is limited to linux bridge-based drivers.

The proposed enhancement is to decouple the SG implementation with the actual switching technology used to implement a Virtual Network (e.g linux bridge or OpenVSwitch).

+--------------+-------------+
| Linux Bridge |     OVS     |
+--------------+-------------+ --> Connection layer
|     iptables + netns       |
+----------------------------+ --> Firewall layer

This way the functional logic is distributed in two layers:

  • Connection Layer: This is basically the current functionality. It is responsible for setting up the connection devices: bridge creation and interface tagging and configuration.

  • Firewall layer: This new layer is responsible to set up the firewalling infrastructure for each VM. The main components of the new firewall facilities are:

    • A linux bridge (LXB) associated with each VM interface. This LXB is used to implement the SG rules for inbound and outbound traffic.
    • A network namespace (netns) for each VM to isolate iptables rules and conntrack tables. This will greatly improve the performance of traffic processing.

The workflow will look as below:

  1. The VM is by default connected to the the network bridge, as defined in the network template.
  2. Create a netns for the VM, named after one-<VM_ID>
  3. Remove the VM tap from the network bridge and move this tap to the VM netns
  4. Create a firewall LXB, named after one-br-<VM_ID>-<NIC_ID> in the VM netns
  5. Create a veth to connect the firewall LXB and the Virtual Network bridge. Each pair will be in the VM and Hypervisor network namespaces, respectively.
  6. Attach the VM end of the veth and the VM tap to the firewall LXB.
  7. Attach the Hypervisor end of the veth to the Virtual Network bridge.

Progress Status

  • [ ] Branch created
  • [ ] Code committed to development branch
  • [ ] Testing - QA
  • [ ] Documentation
  • [ ] Release notes - resolved issues, compatibility, known issues
  • [ ] Code committed to upstream release/hotfix branches
  • [ ] Documentation committed to upstream release/hotfix branches

christian7007 avatar Aug 25 '21 15:08 christian7007