Delivering Standard Openstack Security NFV Service Chaining at Scale with Networking-SFC and Networking-OVN – or, How to deploy security at cloud speed
John McDowall, SDN and Virtualization Architect
Palo Alto Networks
Agenda
2 | © 2016, Palo Alto Networks, Inc. Confidential and Proprietary.
• Why we are doing this
• Tools we are using
• How we are doing this
• Demo
• Building the future
Key Security Perspectives for VNF
• The security perimeter no longer exists.
• DevOps is driving accelerated application deployments.
• Understanding the cyber attack pattern lifecycle.
Securing the perimeter no longer works
• Manual Deployments: slow and error-prone processes to enable security
• Transient Workloads: workload lifespan is in hours, days or weeks
• Static Remediation: lack of dynamic remediation measures
• Malware: 30,000 new malware samples/day
• Accelerating pace of DevOps
Preventing Across the Cyber Attack* Life Cycle
• Unauthorized Access: Reconnaissance (gather intelligence), Weaponization & Delivery, Exploitation (leverage exploit), Execute Malware
• Unauthorized Use: Command & Control (malware communicates with attacker), Actions on the objective (data theft, sabotage, destruction)
* Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation
Attack steps shown: 1. Breach the perimeter 2. Deliver the malware 3. Lateral movement 4. Exfiltrate data
Requirements – focus on scaling and ease of deployment
• Atomic operations – idempotent
  • Ability to add/remove in any order
• Location independent – move workloads and VNFs
  • As a host becomes loaded or unloaded, move VNFs to another compute node
• Remove networking from the VNF
  • VNF independent of networking – as the network changes there is no need to update VNFs
  • Updating VNFs on every network change would be very hard to do at scale
• Grow into container networking
  • Support service chaining for Docker and Kubernetes
• Move traffic steering into standard infrastructure
  • Most important: traffic steering should be standard plumbing that is common to all VNFs
• Make security part of the deployment process, not an afterthought
Why OVN and SFC
SFC
• Driver model for Neutron plugins
• Single programming interface, multiple implementations
• Create one approach to VNF deployment
• Move key feature into Openstack infrastructure
• Support in other Openstack projects such as Tacker
OVN
• Logical overlay L2/L3, IPv4 and IPv6
• Enables VNF deployment at scale and location independent
• Works with containers and VMs
• Supports connection tracking
• DPDK support
• Support for fastpath in hardware
OVN Architecture (diagram)
• ovn-northd sits between the OVN Northbound DB and the OVN Southbound DB
• Each host (Host A, Host B) runs OVN-Controller, ovsdb-server and the OVS switch; hosts are connected by Geneve tunnels
• The Northbound DB is written by ovn-nbctl and by the Openstack Neutron drivers
Adding Openstack and SFC (diagram)
• The same OVN architecture (ovn-northd, OVN Northbound DB, OVN Southbound DB, per-host OVN-Controller, ovsdb-server and OVS switch, Geneve tunnels) with the Networking-OVN and Networking-SFC plugins added on the Openstack side as writers of the OVN Northbound DB
Logical Model of Service Function Chaining
Diagram: a Port Chain consists of a Flow Classifier and an ordered list of Port Pair Groups
• Port Pair Group 1: VNF-11, VNF-12
• Port Pair Group 2: VNF-21, VNF-22, VNF-23
• Port Pair Group 3: VNF-31
• Traffic between App-1 and App-2 is classified into the chain and traverses the groups in order
OVN NB Ingress Pipeline
Pipeline stages (in order) and what each does:
• L2 Port Security: security of ports
• IP Port Security: IP port security
• ND Port Security: neighbor discovery port security constraints on ARP and IPv6
• Pre-ACL: handle connection tracking for ACL packets
• Pre-LB: deal with potentially fragmented packets for LB
• Pre-Stateful: defragment connection tracking packets
• ACL: apply ACL rules
• LB: apply LB rules
• Stateful: continue stateful packets
• ARP Response: send ARP response
• DHCP Options: set DHCP options on packet
• DHCP Response: send DHCP response
• Service Chain: direct packets into service chain
• L2 Lookup: deliver packets to L2 destination
Service Chaining OVN Rules
Diagram: Host A and Host B on one virtual network, with App-1, App-2 and a Firewall VNF whose two ports are Fw-1 and Fw-2.
• Ingress rules [App-1]
  • If dst-ip = app-1 and src-mac = fw-2-mac then dst = app-1 [Priority 150]
  • If dst-ip = app-1 then dst = fw-2 [Priority 125]
• Egress rules [App-1]
  • If src-ip = app-1 and src-mac = app-1 then dst = fw-1 [Priority 125]
  • If src-ip = app-1 and src-mac = fw-1 then dst = app-2 [Priority 100]
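The rules above only work because the higher-priority rule matches on the source MAC of the firewall port, which is what tells "already inspected" traffic from traffic that still has to be steered. The following simulator is an added example, not code from the deck or from OVN: it evaluates the four rules in priority order and walks one packet hop by hop in each direction. The MAC and IP values are constructed, and the assumption that a packet re-enters the pipeline with the source MAC of the firewall port it came from is taken from the slide's match conditions.

```python
# Added example (not from the deck): a small simulator for the priority-ordered
# logical rules on the "Service Chaining OVN Rules" slide. It steers one packet
# hop by hop through the firewall VNF (ports fw-1 / fw-2) between App-1 and App-2.
# Names, MACs and IPs are constructed; nothing here talks to OVN.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]  # fields: src_ip, dst_ip, src_mac

# Constructed addresses for the logical ports on the slide.
MAC = {"app-1": "0a:00:00:00:00:01", "app-2": "0a:00:00:00:00:02",
       "fw-1": "0a:00:00:00:00:f1", "fw-2": "0a:00:00:00:00:f2"}
IP = {"app-1": "10.0.0.11", "app-2": "10.0.0.12"}


@dataclass(frozen=True)
class Rule:
    priority: int
    match: Callable[[Packet], bool]
    dst: str          # logical port the packet is sent to
    comment: str = ""


# The four rules from the slide written as predicates. The list order is
# deliberately not the priority order: lookup() sorts by priority.
RULES: List[Rule] = [
    Rule(125, lambda p: p["dst_ip"] == IP["app-1"], "fw-2",
         "ingress [App-1]: anything for app-1 goes to the firewall first"),
    Rule(150, lambda p: p["dst_ip"] == IP["app-1"] and p["src_mac"] == MAC["fw-2"], "app-1",
         "ingress [App-1]: traffic the firewall already returned on fw-2 is delivered"),
    Rule(100, lambda p: p["src_ip"] == IP["app-1"] and p["src_mac"] == MAC["fw-1"], "app-2",
         "egress [App-1]: traffic the firewall already returned on fw-1 goes on to app-2"),
    Rule(125, lambda p: p["src_ip"] == IP["app-1"] and p["src_mac"] == MAC["app-1"], "fw-1",
         "egress [App-1]: traffic leaving app-1 goes to the firewall first"),
]


def lookup(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the highest-priority matching rule, as a logical flow table would."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.match(pkt):
            return rule
    return None


def steer(rules: List[Rule], pkt: Packet, max_hops: int = 8) -> List[str]:
    """Follow a packet through the rules until it reaches an application port.

    Assumption (from the slide's match on src-mac = fw-N): when the firewall
    forwards a packet it re-enters the pipeline carrying the source MAC of the
    firewall port it came from.
    """
    path: List[str] = []
    for _ in range(max_hops):
        rule = lookup(rules, pkt)
        if rule is None:
            raise ValueError(f"no rule for packet {pkt}")
        path.append(rule.dst)
        if rule.dst.startswith("app-"):
            return path
        # Re-enter the pipeline after inspection, tagged with the firewall port MAC.
        pkt = {**pkt, "src_mac": MAC[rule.dst]}
    raise RuntimeError(f"steering loop after {max_hops} hops: {path}")


def forward_path() -> List[str]:
    """App-1 -> App-2: expected ['fw-1', 'app-2']."""
    return steer(RULES, {"src_ip": IP["app-1"], "dst_ip": IP["app-2"], "src_mac": MAC["app-1"]})


def return_path() -> List[str]:
    """App-2 -> App-1: expected ['fw-2', 'app-1']."""
    return steer(RULES, {"src_ip": IP["app-2"], "dst_ip": IP["app-1"], "src_mac": MAC["app-2"]})


def loops_without_priority_150() -> bool:
    """Drop the priority-150 rule: returned traffic keeps matching the 125 rule and loops."""
    without = [r for r in RULES if r.priority != 150]
    try:
        steer(without, {"src_ip": IP["app-2"], "dst_ip": IP["app-1"], "src_mac": MAC["app-2"]})
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("App-1 -> App-2 path:", forward_path())
    print("App-2 -> App-1 path:", return_path())
    print("loops without the priority-150 rule:", loops_without_priority_150())
```

The third function is the check worth keeping in mind when writing these rules by hand: removing the more specific, higher-priority rule does not make traffic bypass the firewall, it makes the firewall's returned packets match the steering rule again and loop, which is why each steering rule needs a matching "already inspected" rule at a higher priority.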
OVN CLI Commands
• Logical port-chain commands:
  • lport-chain-add LSWITCH [LPORT-CHAIN]
  • lport-chain-del LPORT-CHAIN
  • lport-chain-list LSWITCH
• Logical port-pair-group commands:
  • lport-pair-group-add LPORT-CHAIN LPORT-PAIR-GROUP-NAME
  • lport-pair-group-del LPORT-PAIR-GROUP-NAME
  • lport-pair-group-list LPORT-CHAIN
  • lport-pair-group-add-port-pair LPORT-PAIR-GROUP LPORT-PAIR
  • lport-pair-group-del-port-pair LPORT-PAIR-GROUP LPORT-PAIR
• Logical port-pair commands:
  • lport-pair-add LSWITCH LIN-PORT LOUT-PORT [LPORT-PAIR-NAME]
  • lport-pair-del LPORT-PAIR-NAME
  • lport-pair-list
• Logical flow-classifier commands:
  • lflow-classifier-add LPORT-CHAIN LIN-PORT [LFLOW-CLASSIFIER-NAME]
  • lflow-classifier-del LFLOW-CLASSIFIER-NAME
  • lflow-classifier-list LPORT-CHAIN
  • lflow-classifier-set-logical-destination-port LFLOW_CLASSIFIER [LDEST_PORT]
  • lflow-classifier-get-logical-destination-port LFLOW_CLASSIFIER
Port Pair
• Definition of an individual VNF
• Basic building block; can be a single- or dual-ported VNF
REST URL: POST http://10.4.1.102:9696/v2.0/sfc/port_pairs
{
  "port_pair": {
    "name": "Firewall-1",
    "description": "Firewall SF instance",
    "tenant_id": "e22dc3ad621e45688038b57539be8555",
    "ingress": "4567fd10-c7fc-4f92-9619-c113f38e152f",
    "egress": "ec7ea7c1-104a-4d3a-8a3a-6f4ce60a5a95"
  }
}
Port Pair Groups
• Group of port-pairs
• Enables clustering and load-balancing of VNFs in a service chain
• Can have one or more port-pairs
REST URL: POST http://10.4.1.102:9696/v2.0/sfc/port_pair_groups
{
  "port_pair_group": {
    "name": "Firewall_PortPairGroup",
    "tenant_id": "ccbce32620cf4162a38dab172a13d265",
    "description": "Grouping Firewall SF instances",
    "port_pairs": [
      "4b3cbdf2-3659-437d-86e1-c27255c672d4"
    ]
  }
}
Flow Classifier
• Directs flows to the service chain
• Classification parameters depend on the engine available
REST URL: POST http://10.4.1.102:9696/v2.0/sfc/flow_classifiers
{
  "flow_classifier": {
    "name": "FC1",
    "tenant_id": "520d5cf8751f4d79a65a2c3578c22e35",
    "description": "Flow rule for application traffic",
    "logical_source_port": "c1e3b713-d053-4698-80a3-be2296329b4f",
    "logical_destination_port": "c1e3b713-d053-4698-80a3-be2296329b4f"
  }
}
Port Chain
• Service chain that makes up the VNF
• Sequence of port-pair-groups that make up the service chain
• Flow-classifiers to direct traffic into the service chain
REST URL: POST http://10.4.1.102:9696/v2.0/sfc/port_chains
{
  "port_chain": {
    "name": "Firewall-PC1",
    "tenant_id": "3a8f5c000a7e4e37a6370f5deff11906",
    "description": "Steering to Firewall",
    "flow_classifiers": [
      "fd291ecc-1b06-44a1-9c31-81b00effa755"
    ],
    "port_pair_groups": [
      "b0539263-cde7-4a27-b237-c190c3fc0e43"
    ]
  }
}
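The four REST calls on the preceding slides have to be issued in dependency order, because each object is referenced by id in the next one: the port pair goes into the port pair group, and the group and the flow classifier go into the port chain. The script below is an added example, not part of the deck or of networking-sfc, that threads those ids through the calls and tears everything down in reverse. The Neutron endpoint, the token handling and the `FakeNeutronClient` used for an offline run are assumptions; the Neutron port ids passed in are placeholders, and `tenant_id` is left out because Neutron derives the project from the token.

```python
# Added example (not from the deck or from networking-sfc): create the port pair,
# port pair group, flow classifier and port chain in dependency order, then delete
# them in reverse. Endpoint, token handling and the fake client are assumptions.
import json
import urllib.request
import uuid
from typing import Any, Dict, List, Optional, Protocol

SFC_BASE = "/v2.0/sfc"


class NeutronClient(Protocol):
    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]: ...
    def delete(self, path: str) -> None: ...


class HttpNeutronClient:
    """Minimal Neutron REST client. Assumes a Keystone token obtained elsewhere."""

    def __init__(self, endpoint: str, token: str) -> None:
        self.endpoint, self.token = endpoint.rstrip("/"), token

    def _request(self, method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.endpoint + path, data=data, method=method,
                                     headers={"X-Auth-Token": self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        return self._request("POST", path, body)

    def delete(self, path: str) -> None:
        self._request("DELETE", path)


class FakeNeutronClient:
    """Offline stand-in: assigns ids and records every call so ordering can be checked."""

    def __init__(self) -> None:
        self.calls: List[str] = []
        self.objects: Dict[str, Dict[str, Any]] = {}

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        kind, payload = next(iter(body.items()))   # e.g. ("port_pair", {...})
        obj = {**payload, "id": str(uuid.uuid4())}
        self.objects[obj["id"]] = obj
        self.calls.append(f"POST {path}")
        return {kind: obj}

    def delete(self, path: str) -> None:
        self.calls.append(f"DELETE {path}")
        self.objects.pop(path.rsplit("/", 1)[-1], None)


def build_firewall_chain(client: NeutronClient, app_port: str,
                         fw_ingress: str, fw_egress: str) -> Dict[str, str]:
    """Create port pair -> port pair group -> flow classifier -> port chain; return their ids."""
    pp = client.post(f"{SFC_BASE}/port_pairs", {"port_pair": {
        "name": "Firewall-1", "description": "Firewall SF instance",
        "ingress": fw_ingress, "egress": fw_egress}})["port_pair"]
    ppg = client.post(f"{SFC_BASE}/port_pair_groups", {"port_pair_group": {
        "name": "Firewall_PortPairGroup", "description": "Grouping Firewall SF instances",
        "port_pairs": [pp["id"]]}})["port_pair_group"]
    # The deck's classifier also sets logical_destination_port; source port is enough here.
    fc = client.post(f"{SFC_BASE}/flow_classifiers", {"flow_classifier": {
        "name": "FC1", "description": "Flow rule for application traffic",
        "logical_source_port": app_port}})["flow_classifier"]
    pc = client.post(f"{SFC_BASE}/port_chains", {"port_chain": {
        "name": "Firewall-PC1", "description": "Steering to Firewall",
        "flow_classifiers": [fc["id"]], "port_pair_groups": [ppg["id"]]}})["port_chain"]
    return {"port_pair": pp["id"], "port_pair_group": ppg["id"],
            "flow_classifier": fc["id"], "port_chain": pc["id"]}


def teardown_firewall_chain(client: NeutronClient, ids: Dict[str, str]) -> List[str]:
    """Delete in reverse dependency order: the chain goes before the objects it references."""
    order = ["port_chain", "flow_classifier", "port_pair_group", "port_pair"]
    collection = {"port_chain": "port_chains", "flow_classifier": "flow_classifiers",
                  "port_pair_group": "port_pair_groups", "port_pair": "port_pairs"}
    for kind in order:
        client.delete(f"{SFC_BASE}/{collection[kind]}/{ids[kind]}")
    return order


def demo() -> List[str]:
    """Run the whole lifecycle against the fake client and return the recorded call sequence."""
    client = FakeNeutronClient()
    ids = build_firewall_chain(client, app_port="<app-1 neutron port id>",
                               fw_ingress="<fw-1 neutron port id>",
                               fw_egress="<fw-2 neutron port id>")
    teardown_firewall_chain(client, ids)
    return client.calls


if __name__ == "__main__":
    # For a live run, swap FakeNeutronClient() in demo() for
    # HttpNeutronClient("http://10.4.1.102:9696", token).
    for call in demo():
        print(call)
```

The reverse teardown order matters in practice: networking-sfc refuses to delete a port pair group, port pair or flow classifier that a port chain still references, so an automation that deletes in creation order fails on the first object and leaves the chain in place.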
Simple SFC Demo
Putting it all together: VNF Integration with Openstack
Actors: Cloud Admin (Cloud Admin web interface) and Security Admin (Security Admin web interface).
1. Define security tags
2. Configure policy based on tags
3. Register security tags with "Controller"
4. Deploy workload and insert firewall in traffic path (Nova and Neutron interfaces)
5. Notify security VNF manager of new workload and associated tags
6. Security policy dynamically pushed to firewall (no human interaction)
7. All new workloads are automatically secured in real time
Dynamically Adding More Compute Nodes with Policy
Conclusions and Future Work
• Conclusions
  • Demonstrated how to move service chaining into the standard virtual network
  • Simple service chaining with no changes to existing VNFs
  • Scalable solution that is idempotent, enabling scale and change
• Future Work
  • Integrated load balancing leveraging OVN
  • Integrate flow classification and ACL
  • Other parts of the problem: Tacker support for deciding when to scale up and down
  • Dynamic security policy from Nova tags
  • Container integration
Questions?
• Special thanks to:
  • Vikram Dham
  • networking-sfc team
  • networking-ovn team
  • OVN/OVS team
• Repo locations
  • OVN/OVS: https://github.com/doonhammer/ovs
  • Networking-sfc: https://github.com/doonhammer/networking-sfc
  • Networking-ovn: https://github.com/doonhammer/networking-ovn
• Further reading
  • networking-sfc: http://docs.openstack.org/developer/networking-sfc/
  • networking-ovn: http://docs.openstack.org/developer/networking-ovn/readme.html
  • OpenVSwitch: http://openvswitch.org
  • Russell Bryant: https://blog.russellbryant.net/2016/09/29/ovs-2-6-and-the-first-release-of-ovn/
  • Dustin Spinhirne: http://blog.spinhirne.com/p/blog-series.html