未加星标

Fast and Secure Container Networking with Weave Net’s Fast Datapath

字体大小 | |
[系统(linux) 所属分类 系统(linux) | 发布者 店小二05 | 时间 2017 | 作者 红领巾 ] 0人收藏点击收藏
February 16, 2017 / Martynas Pumputis
Fast and Secure Container Networking with Weave Net’s Fast Datapath

Weave Net 1.2 introduced a high performance overlay network for containers called fast datapath (fastdp). Despite advantages, the overlay had a limitation that it did not have any built-in mechanism for encrypting dataplane packets, so by default, it could not be securely used in untrusted networks. Today, this is no longer true, as we are announcing the release of Weave Net 1.9 which enables encryption in fast datapath, with measured throughput up to three times higher than the previous default overlay (sleeve).

Enabling encryption in fast datapath is done in the same way as in sleeve: you need to specify a password when launching Weave Net, as described in Securing Connections Across Untrusted Networks .

However, as fast datapath leverages the ESP protocol of IPsec (see Details section), please keep the following requirements and limitations in mind:

The minimum required version of the linux kernel is 4.2. In some networks, e.g. Google Cloud Platform, a firewall rule for enabling ESP traffic has to be installed. ESP adds 34-37 bytes overhead (the final MTU has to be divisible by four), therefore when setting a custom MTU for Weave Net, make sure that the MTU can accommodate the overhead. For instance, if MTU of a host public network interface is 1500, then the maximum MTU you can set on Weave Net is 1416 (50 bytes for the VXLAN overhead and 34 bytes for the ESP overhead). The default Weave Net’s MTU is 1376. SeeUsing Fast Datapath for more details. Same as in the unencrypted mode, encrypted fast datapath is not able to traverse NATs.

If Weave Net is not able to establish encryption in fast datapath due to any of the requirements not being met, it will automatically fall back to the slower sleeve overlay in the encrypted mode. Thus, it guarantees that a traffic is always encrypted. To see which overlay is in use, you can run weave status connections command.

Details

Communication over the encrypted fast datapath has the following security properties:

data confidentiality data origin authentication data integrity anti-replay limited traffic flow confidentiality as fast datapath VXLAN packets are fully encrypted

The encryption feature is implemented using the ESP protocol of IPsec . Each fast datapath packet is authenticated and encrypted with AES-GCM , and encapsulated with ESP in the transport mode.

Per each connection direction, a different AES-GCM 32-byte key and 4-byte salt are used. The pairs are derived with the HMAC-based Key Derivation Function ( HKDF ) by using SHA256 as the hashing algorithm, a 32-byte ephemeral session key which derivation is documented in Establishing the Ephemeral Session Key as input keying material, a 32-byte randomly generated and exchanged over the encrypted control plane channel nonce, and a peer name as optional context.

Packet integrity and authenticity of origin is protected with 16-byte Integrity Check Value which is included in each packet.

The structure of an encrypted fast datapath packet is shown below.


Fast and Secure Container Networking with Weave Net’s Fast Datapath

The decision to use AES-GCM is based on security requirements, and its performance characteristics. For Intel Architecture Processors, the Linux kernel implements the crypto algorithm by using special set of instructions which gives significant gains in performance .

By default, the ESP protocol implementation in the Linux kernel uses 4-byte Sequence Number (SeqNo) to protect against replay attacks. However, SeqNo’s of such size are prone to overflows in networks of large data volume and high throughput. To prevent it from happening, we use 8-byte Extended Sequence Number ( ESN ).

Security associations and policies are controlled by the Linux kernel IP transformation framework, or XFRM. During the development of the encryption feature, we discovered and fixed a bug in the kernel which limits XFRM functionality for VXLAN tunneling.

As the Linux kernel does not implement IP Security API Extensions to BSD Sockets to prevent from sending unencrypted traffic over secure channels, we install additional iptables rules. This is necessary as an end-user with administrator capabilities might accidentally modify the security associations.

Evaluation

To compare the performance of encryption in both overlays, we ran TCP throughput benchmarks with iperf3 between two Amazon EC2 c3.8xlarge instances connected with enhanced 10 Gigabit networking. Each instance was running Ubuntu 16.04 LTS.

The results are shown below. Firstly, encrypted fast datapath outperformed encrypted sleeve by factor of three because our combination of VXLAN and IPsec stays in the kernel and does not incur the overhead of user-space processing. Secondly, the encryption implementation in fast datapath does not introduce any significant overhead when comparing its throughput with the throughput measured between two hosts communicating over the IPsec protected channel.


Fast and Secure Container Networking with Weave Net’s Fast Datapath

Additionally, we evaluated Chacha20,Poly1305 as an alternative crypto suite for fast datapath. The achieved throughput was 2.88 Gbits/s which is lower than the one of AES-GCM, therefore we decided to use the latter.

Summary

We presented the encryption feature in fast datapath which enables fast and secure communication among containers.The conducted benchmarks shows that the throughput of the encrypted fast datapath is three times higher than the throughput of the encrypted sleeve, and its performance is very close to IPsec on hosts communicating without overlays.

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

主题: LinuxUbuntu
分页:12
转载请注明
本文标题:Fast and Secure Container Networking with Weave Net’s Fast Datapath
本站链接:http://www.codesec.net/view/535135.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(46)