Issues in Network Virtualization

ITICT205A Virtualisation Assignment, compiled by Saeed Ur Rahman



Contents

- What is network virtualization?
- Issues in network virtualization
- Issues faced by infrastructure operators
- Issues faced by service providers
- Security benefits of network virtualization
- Security issues in network virtualization
- Types of attacks in a virtualized network environment
- Attacks in virtual networks
- Attacks in network infrastructure
- Attacks to the users
- Challenges in a virtualized network
- Defence mechanism for the challenges in virtual networks
- Confidential Packet Forwarding
- Capabilities-Based Virtual Network Instance
- Conclusion
- References

What is network virtualization?

Network virtualization allows administrators to consolidate multiple networks, divide a single network into many, or create software-only networks between virtual machines. The objective of virtual networks is to improve speed, automation and network management. Virtual networks also bind separate physical switches into one virtual switch, which saves space and reduces power and cabling costs.

Figure 1 Binding of physical network to virtual network (The FP7 4WARD Project, 2008)

Virtual machines support applications that often require network connectivity (routing and switching) to other virtual machines and to the internet. The first networking device a virtual machine (VM) is connected to is the virtual switch on the hypervisor or Virtual Machine Monitor (VMM). Virtualizing the network means virtualizing the entire set of layer 2 to layer 7 services seen by the virtual machine, together with all the network configuration necessary to deploy the application's network architecture. The purpose of virtualizing networks is to take all the network services, features and configurations needed to provision the application's virtual network (i.e. VLANs, VRFs, firewall rules, load balancer pools and VIPs, routing, isolation, multi-tenancy, etc.), decouple them from the physical network, and shift them up into the virtualized software layer (Hedlund, 2013).

Virtualized networking reconstructs the layer 2 to layer 7 network services necessary to deploy the application's virtual network at the same software virtualization layer that hosts the application's virtual machines. Virtualized network software recreates logical switches and logical routers (layer 2 to layer 3) and logical load balancers and logical firewalls (layer 4 to layer 7), assembled in any arbitrary topology, therefore presenting the virtual compute with a complete layer 2 to layer 7 virtual network topology.

Figure 2 virtual network VS physical network (Anon, 2014)

Network virtualization is an overlay-based approach that lets a network administrator in an enterprise data centre program and provision the network on demand, without physical access to the switches or routers. Virtualizing networks allows the network to be provisioned in a few seconds. Some other benefits of network virtualization are (Dhawan, 2014):

- Easier and cheaper network management.
- Reduced time to provision.
- Avoids limitations of current network topologies.
- Allows policy-based access.
- Analytics and easier troubleshooting.

Issues in network virtualization

Although virtualizing networks enhances performance, manageability and security among other benefits, there are some technical issues with virtualizing networks. We will discuss some of the issues and challenges, namely isolation, elasticity and programmability, encountered with virtual networks by two entities (Advanced Network Virtualization: Definition, Benefits, Applications, and Technical Challenges, 2011):

- Infrastructure operators
- Service providers

Issues faced by infrastructure operators

Infrastructure operators have faced many issues with network virtualization. Some of the major issues are mentioned below.

Isolation of virtual networks

Isolation of virtual networks is an essential feature that provides logically independent resources designated for each service. Isolation eliminates interference and mutual impact between co-existing virtual networks over a common physical infrastructure; the interference includes both performance and security aspects. The isolation capability has been studied by means of logical division (VLANs), time division based on time slots, and wavelength division. To establish highly scalable isolation for virtual networks, a new approach is recommended:

- Enabling performance and security isolation on resource-scarce edge devices: augmented machine architectures and enhanced resource-separation technology suitable for access-network devices, to separate resources in a secure fashion on relatively low-performance edge devices.
- Substrate technologies to enable stringent isolation: new resource isolation technologies that complement existing physical-layer isolation technologies (for example VLAN, time slot and wavelength division) should be established.
- Scalability of the number of slices: scalability in terms of the number of resource-isolated slices, and of the number of slice setups and releases per unit interval, should be established.

Elasticity

Elasticity is a key feature for optimizing the required resources in response to service demand efficiently and rapidly. It is necessary to specify protocols for real-time and highly scalable resource provisioning.

- Instant allocation of resources: resource provisioning technology should be established that responds very rapidly from service demand to the relevant network equipment.
- Scalability of resource control: intelligent resource control should be designed to manage multiple elementary resources originating from different physical sources simultaneously, arrange the requested resources from them, and complete providing the requested slice on demand.

Programmability

Programmability on virtualization-enabled network equipment sustains optimal network performance in accordance with service requests and fosters technological innovation of network equipment towards new services and applications.

- Operation and management for system-level network programmability: to apply programmability to network infrastructures, an integrated design process should be established that encompasses the platform technologies. The cycle should be repeated, ranging from key technology research, design and development of devices and systems, operation and management as a whole, consideration and management of core intellectual property, installation into the infrastructure, auditing of the operation, and assessment of isolation against interference among the relevant technologies.
- Candidate technologies for programmability: multi-core and hetero-core processors are the latest candidates for virtualization-enabled network equipment. Multi-core is the definite trend in processor technology; the issue is how to reap the rewards of its parallel processing for network-specific tasks. Intelligent operation for optimized parallel processing is another challenge.

Issues faced by service providers

Some technical issues faced by service providers, and proposed mitigation techniques, are as follows.

Isolation

Verification of the achieved performance through benchmarking is essential to confirm that performance isolation works and that the agreed performance is guaranteed. At present, performance benchmarking and SLAs are available mainly for a single network. Further work for virtualized network environments should be studied, such as performance analysis at the boundary between infrastructure operators and service providers, and SLA issues in the case of federated networks.

- Development of performance benchmarking and SLAs: performance analysis technology should be developed to discover performance bottlenecks in a network or in a node. This technology helps clarify responsibility among the infrastructure operators and service providers involved.

Elasticity

Elasticity is significant: it discovers the resources and functional components to be reserved for service composition, discovers the composed service itself, and configures the service automatically. The technology helps maintain service integrity and sustainability against both internal causes (e.g., service modifications and feature changes) and external causes (e.g., changes in network conditions, resource availability and user requests).

- Optimal resource assignment: the technology selects the most appropriate resources and functional components among multiple candidates, changes the selection when the situation changes, and optimizes the resources to be assigned. It includes identification and discovery of the resources and functional components required to meet the given SLA, and maximization of the performance index specific to the service.
- Consistent and sustainable provisioning: the technology includes rapid identification and discovery of the required resources and functional components, swift composition of services, and the corresponding synchronization and inheritance of service and node status. It aims to achieve service consistency and sustainability against either internal or external causes.

Programmability

Programmability is indispensable for providing multi-dimensional services with fine granularity. Programmability refers to many aspects, such as functional components, the telecommunication systems hosting those components, and composed services. It gives sufficient flexibility to service providers and users, without physical constraints, to develop innovative services and to customize or optimize them by enhancing the service components in a short period.

- Dynamic service composition: service composition technology should be established that discovers the resources and functional components needed to meet the identified service requirements, reserves them on demand, and composes them into the required service.
- Controllability and manageability: technology should be established whose API controls the configuration of the distributed resources and functional components when the target service is composed or the assumed network conditions change, and maintains the target service level agreement (SLA) by keeping the configurations optimal.

Security benefits of network virtualization

By virtualizing networks, an organization or corporate enterprise gains many benefits. Among them, security is one of the most important and a major concern in the IT industry. Virtualizing networks enhances security in many ways, among which are:

- Centralized storage in a virtualized network mitigates data loss if an end-user device is compromised.
- When virtual machines and applications are isolated, only one application and one virtual machine is affected by an attack.
- If a virtual machine is infected or compromised, it can be rolled back to a prior state that existed before the attack.
- The hardware reduction that results from virtualization improves physical security, since there are fewer devices.
- System and network administration access control, as well as separation of duties, can be improved: certain individuals may be assigned to control only the VMs within the internal network, while others deal only with VMs in the DMZ.
- Virtual switches don't perform the dynamic trunking necessary to conduct inter-switch link tagging attacks. They also drop double-encapsulated packets, so double encapsulation attacks aren't effective.
- Virtual switches also don't allow packets to leave their assigned broadcast domain, which eliminates the multicast brute-force attacks that rely on overloading a switch to let packets broadcast to other VLAN domains.

Security Issues in network virtualization

Network security is a critically important challenge to be addressed when adopting network virtualization. The programmable functionality of virtual networks and the provision of a shared, hosted network infrastructure create new security vulnerabilities. Each entity in the architecture is operated by a different management unit. In a study at the University of Massachusetts, Amherst, MA, USA, virtual network vulnerabilities are identified and possible attack scenarios are illustrated (Natarajan and Wolf, 2012). Some of the possible attacks are mentioned below:

Types of attacks in a virtualized network environment

Attacks in Virtual Networks

Virtualized networks can be targeted by attacks generated from the underlying network infrastructure, the co-hosted virtual networks, or the users connected to the virtual network. The possible attack scenarios, after making some assumptions, are as follows:

- Network infrastructure attack on a virtual network: to attain control over network congestion and to maintain its assigned network access, the network infrastructure could create protocol-specific interference by injecting forged packets to disrupt a legitimate connection.
- Virtual network attack on a co-hosted virtual network: an attacker could take advantage of the shared infrastructure platform by leasing a portion of its resources to assess the vulnerabilities and functionality of the co-hosted VNs. The vulnerable virtual network could be a competing virtual network running a specific service. Once the attacking virtual network is instantiated, it takes advantage of its placement and launches a cross-virtual-network side-channel attack to steal information from the vulnerable virtual network.
- User attacks on virtual networks: router migration by vMotion, introduced by VMware, facilitates live router migration. During the migration of virtual network state, an attacker sniffing the network traffic can launch a man-in-the-middle attack to eavesdrop on the contents of the virtual network and other confidential data available.

Attacks in Network Infrastructure

The network infrastructure is vulnerable to attacks originating from the hosted virtual networks or the users associated with them. After making some assumptions about attacker capabilities, the following attacks are perceived:

- User attack on network infrastructure: an attacker could inject a data packet that takes advantage of a code vulnerability in the hosted virtual network and modifies the operation of the packet processor, leading to a denial-of-service attack.
- Virtual network attack on network infrastructure: an attacker wishing to reproduce some hosted VN service can manipulate the configuration of the network infrastructure by extracting confidential information and eavesdropping on the hosted virtual network's traffic. An example is a live video streaming service that could be eavesdropped on, reproduced and redirected to a set of unauthorized users.

Attacks to the Users

Numerous network security issues and related defence mechanisms have been proposed to protect end systems. The following are attacks originating from an infected virtual network or network infrastructure, after making assumptions about attacker capabilities:

- Network infrastructure attack on users: an attacker can choose to drop packets within a particular time slot in an infected network infrastructure, thereby forcing the sender to reduce its sending rate as it perceives congestion. The attacker can selectively drop queued packets, exploiting the congestion control protocol at the senders. The virtual network and the sender are unaware of the malicious activity taking place in the network infrastructure.
- Virtual network attack on users: an attacker can intentionally sniff end-user network traffic. This could impose more financial constraints on the user by raising false alarms.

Challenges in a virtualized network

Although virtualization of IT infrastructure provides many benefits, security enhancement among them, it has also introduced new and unique challenges compared with traditional network infrastructure. Some of the challenges that need to be considered are mentioned below:

- Efficient packet processing: an efficient packet processing methodology should be introduced with a certain level of data transparency between the virtual network and the network infrastructure. Biased management practices, monitoring of confidential information, or launching of hidden attacks, as mentioned earlier, are possible scenarios in a virtualized network. Therefore, a mechanism to securely process packets without exposing the input data is required. A proposed functionality known as Confidential Packet Forwarding, which uses a protocol called EncrIP, may be used to mitigate this issue (Natarajan, 2012).
- Global connectivity: to set up end-to-end network connectivity, the virtual network service should partner with multiple infrastructure providers with varying levels of agreements and requirements.
- Forwarding rate: the high data-rate forwarding requirements of routers pose a significant challenge when extra processing is introduced by security mechanisms. Most services require a certain level of quality of service, such as low latency with reliable packet processing. To meet such demands, the computational complexity introduced by newer security mechanisms must not compromise the forwarding data rate.

Defence mechanism for the challenges in virtual networks

A secure network system should provide fundamental principles such as confidentiality, integrity, and resource isolation of data and information. The proposed defence mechanisms for these principles are as follows:

- Confidentiality: considering the possible vulnerabilities in a virtualized environment mentioned earlier, the virtual network should not need to expose the data packet when it is processed by the network infrastructure. Encryption techniques are effective in ensuring the confidentiality of the data traffic when it is processed by third-party network infrastructure. The challenge is to identify a mechanism that can support processing of the encrypted input data. The processing technique should include the following functionality: an efficient encryption process that encrypts all incoming data within a low latency requirement, and an encryption process that supports all the processing features required by the hosted virtual network.
- Integrity: data integrity protects data from being tampered with or modified without appropriate authorization. From the attack scenarios mentioned earlier, it is evident that both virtual networks and the network infrastructure are prone to hidden attacks. Data integrity can be achieved by implementing the following defence mechanisms: modifying the network interface card to support better detection capabilities using processor extensions, and to show inherent assurance of a trusted, accountable platform; introducing a monitoring system with a detection mechanism that identifies malicious activity and discards it, and a recovery module that resets the working state of the infrastructure when it is attacked or compromised; and implementing virtual network monitoring that ensures the protocol processing function in the infrastructure runs as specified, so that any manipulation or modification of network traffic is detected.
- Resource isolation: the provisioning of network and physical resource isolation by the hosting network infrastructure is a major security concern in virtualized networks. To eliminate these concerns, the following mitigation techniques are proposed: using a network processor that provides the required resource isolation to the virtual network segment, and using a network processor that introduces processor scheduling across hardware threads to ensure isolation and weighted fair access.

Confidential Packet Forwarding

Encrypted IP (EncrIP) is a protocol that uses probabilistic encryption in a prefix-preserving manner to hide source and destination information while still permitting packet forwarding using longest prefix match. Using EncrIP, network infrastructure providers can forward packets without gaining insight into the internal operation of virtual networks. EncrIP can be implemented using only a few MB of data on gateways at the edge of the virtual network (Natarajan and Wolf, 2012). Forwarding in the virtual network itself can be performed without overhead. The success probability of a statistical inference attack that tries to identify which packets belong to the same source-destination pair is less than 0.001%. Therefore, EncrIP can be assumed to present an effective solution to providing privacy in virtualized networks (Natarajan and Wolf, 2012).

Figure 3 Packet forwarding: Encrypted vs normal

When a virtual network is used to connect multiple subnetworks (e.g., corporate campuses), the traffic sent via the network infrastructure can be seen by the network infrastructure provider. Introducing a gateway that encrypts network addresses means the infrastructure provider can no longer determine which end-system is communicating with which other end-system. The presented approach achieves this privacy more efficiently than IPsec and other approaches and does not require any additional headers.
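The prefix-preserving property that lets encrypted addresses still be forwarded by longest prefix match can be seen in the following added example, which is not code from this report or from the EncrIP authors: it uses a simpler deterministic CryptoPAn-style construction (HMAC as the pseudo-random function) in place of EncrIP's probabilistic scheme, and the gateway key and routing table are constructed assumptions. It shows that the infrastructure provider's forwarding decision on the ciphertext matches the decision on the plaintext address while the real addresses stay hidden.

```python
import hashlib
import hmac
import ipaddress

# Assumption: secret shared by the gateways at the edge of the virtual network (constructed value).
GATEWAY_KEY = b"constructed-demo-gateway-key"


def _prf_bit(key: bytes, prefix_bits: str) -> int:
    """One pseudo-random bit derived from the plaintext bits already processed."""
    return hmac.new(key, prefix_bits.encode(), hashlib.sha256).digest()[0] & 1


def pp_encrypt(addr: str, key: bytes = GATEWAY_KEY) -> str:
    """Prefix-preserving encryption of an IPv4 address (CryptoPAn-style, deterministic).

    Output bit i = input bit i XOR PRF(key, input bits 0..i-1). Two addresses sharing an
    n-bit prefix therefore encrypt to addresses sharing exactly an n-bit prefix."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = [str(int(bits[i]) ^ _prf_bit(key, bits[:i])) for i in range(32)]
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def pp_decrypt(enc: str, key: bytes = GATEWAY_KEY) -> str:
    """Inverse of pp_encrypt: recover plaintext bits left to right from the prefix recovered so far."""
    bits = format(int(ipaddress.IPv4Address(enc)), "032b")
    plain = []
    for i in range(32):
        plain.append(str(int(bits[i]) ^ _prf_bit(key, "".join(plain))))
    return str(ipaddress.IPv4Address(int("".join(plain), 2)))


def encrypt_table(table, key: bytes = GATEWAY_KEY):
    """Encrypt each route's network address; prefix preservation means the first /n bits
    of the encrypted network address are the encrypted prefix, so the table stays an LPM table."""
    enc = []
    for net, next_hop in table:
        enc_addr = pp_encrypt(str(net.network_address), key)
        enc.append((ipaddress.IPv4Network((enc_addr, net.prefixlen), strict=False), next_hop))
    return enc


def longest_prefix_match(addr: str, table):
    """Plain LPM: the most specific matching route wins; None when nothing matches."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for net, next_hop in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


# Constructed sample routing table of a hypothetical infrastructure provider.
SAMPLE_TABLE = [
    (ipaddress.IPv4Network("10.0.0.0/8"), "hop-A"),
    (ipaddress.IPv4Network("10.1.0.0/16"), "hop-B"),
    (ipaddress.IPv4Network("192.168.0.0/16"), "hop-C"),
    (ipaddress.IPv4Network("0.0.0.0/0"), "default"),
]


def forward_plain_and_encrypted(addr: str, table=SAMPLE_TABLE, key: bytes = GATEWAY_KEY):
    """Forwarding decision on the plaintext address versus on its ciphertext over the encrypted
    table. The two agree, so the provider forwards correctly without seeing the real address."""
    plain_hop = longest_prefix_match(addr, table)
    enc_hop = longest_prefix_match(pp_encrypt(addr, key), encrypt_table(table, key))
    return plain_hop, enc_hop


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.5.5.5", "192.168.7.7", "8.8.8.8"):
        print(dst, "->", pp_encrypt(dst), forward_plain_and_encrypted(dst))
```

Because the scheme here is deterministic, the same address always encrypts to the same ciphertext; EncrIP's probabilistic encryption is what additionally defeats the statistical inference attack the text quotes.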

Capabilities-Based Virtual Network Instance

Capabilities-based networks present a fundamental shift in the security design of network architectures. Instead of permitting packets from any source to any destination, routers deny forwarding by default. For a successful transmission, packets need to identify themselves and their permission to the router. A major challenge for a high-performance implementation of such a network is an efficient design of the credentials carried in the packet and of the verification procedure on the router. Recent proposals for capabilities-based networks have provided some ideas on the fundamental shift in the design philosophy of networks, moving from the internet's on-by-default principle to an off-by-default assumption (Natarajan and Wolf, 2012). In an off-by-default network, a connection needs to be explicitly authorized to reach an end-system rather than being allowed to connect to an end-system by default.

Conclusion

Virtualization of network infrastructure is among the major developments in the IT industry. Network virtualization provides cost, manageability, scalability and flexibility benefits along with security and network performance enhancements. However, it has also given rise to some new and unique security and performance issues that need to be studied, and appropriate countermeasures need to be considered before implementing a virtualized network.
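To make the off-by-default forwarding of the capabilities-based section above concrete, the following added example (not code from this report or from the cited authors) models a router that denies every packet unless it carries a valid capability. The capability layout, the HMAC-based credential, the router key and the sample addresses are constructed assumptions for illustration, not the design of any published scheme.

```python
import hashlib
import hmac
import struct

# Assumption: secret held by the router, or by the authority it trusts (constructed value).
ROUTER_KEY = b"constructed-demo-router-key"
TAG_LEN = 16            # truncated HMAC-SHA256 tag carried in the packet
CAP_LEN = 8 + TAG_LEN   # 64-bit expiry timestamp followed by the tag


def issue_capability(src: str, dst: str, expires_at: int, key: bytes = ROUTER_KEY) -> bytes:
    """Credential authorizing src to reach dst until expires_at (Unix seconds).

    The tag binds the two endpoints and the expiry, so a capability granted for one
    destination cannot be replayed towards another or extended after it expires."""
    msg = b"|".join([src.encode(), dst.encode(), struct.pack("!Q", expires_at)])
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return struct.pack("!Q", expires_at) + tag


def router_decision(packet: dict, now: int, key: bytes = ROUTER_KEY) -> str:
    """Off-by-default forwarding: deny unless the packet carries a valid, unexpired
    capability for its own source and destination. Returns a reason string for logging."""
    cap = packet.get("capability")
    if cap is None:
        return "deny: no capability"
    if len(cap) != CAP_LEN:
        return "deny: malformed capability"
    expires_at = struct.unpack("!Q", cap[:8])[0]
    if now >= expires_at:
        return "deny: capability expired"
    # Recompute what a genuine credential for this packet's endpoints and expiry would be;
    # a tampered expiry or a different src/dst yields a different tag.
    expected = issue_capability(packet["src"], packet["dst"], expires_at, key)
    if not hmac.compare_digest(cap, expected):   # constant-time comparison
        return "deny: invalid capability"
    return "forward"


def make_packet(src: str, dst: str, capability: bytes = None) -> dict:
    """Constructed packet representation: headers plus an optional capability field."""
    return {"src": src, "dst": dst, "payload": b"constructed payload", "capability": capability}


def demo() -> dict:
    """Constructed exchange: an authorized flow, a packet with no credential, the same
    credential reused for a different destination, and the credential after expiry."""
    now = 1_700_000_000
    cap = issue_capability("10.0.0.5", "10.0.1.9", now + 60)
    return {
        "authorized": router_decision(make_packet("10.0.0.5", "10.0.1.9", cap), now),
        "no_cap": router_decision(make_packet("10.0.0.5", "10.0.1.9"), now),
        "wrong_dst": router_decision(make_packet("10.0.0.5", "10.0.2.1", cap), now),
        "expired": router_decision(make_packet("10.0.0.5", "10.0.1.9", cap), now + 61),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:>10}: {decision}")
```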

References

Advanced Network Virtualization: Definition, Benefits, Applications, and Technical Challenges. (2011). 1st ed. [ebook] Network Virtualization Study Group, pp. 16-21. Available at: https://nvlab.nakao-lab.org/nv-study-group-white-paper.v1.0.pdf [Accessed 8 Nov. 2014].

Anon. (2014). [image] Available at: http://blog.ipspace.net/2011/10/vxlan-termination-on-physical-devices.html [Accessed 8 Nov. 2014].

Benefits of virtualizing. (2014). 1st ed. [ebook] Cisco. Available at: http://docs.media.bitpipe.com/io_10x/io_104158/item_519976/Cisco_sServerVirt_IO%23104158_E-Guide_030712.pdf [Accessed 8 Nov. 2014].

Chowdhury, N. M. M. K. and Boutaba, R. (2010). A survey of network virtualization. Computer Networks, 54.

Computerweekly.com. (2014). VMware: five biggest challenges of server virtualisation. [online] Available at: http://www.computerweekly.com/feature/VMware-five-biggest-challenges-of-server-virtualisation [Accessed 7 Nov. 2014].

Dhawan, A. (2014). Benefits of Network Virtualization to Enterprise Customers. [online] Insights.wired.com. Available at: http://insights.wired.com/profiles/blogs/benefits-of-network-virtualization-to-enterprise-customers#axzz3IT3EBvQI [Accessed 8 Nov. 2014].

Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. Proceedings of the 41st annual ACM symposium on Theory of computing - STOC '09.

Hedlund, B. (2013). What is Network Virtualization? [online] BRAD HEDLUND. Available at: http://bradhedlund.com/2013/05/28/what-is-network-virtualization/ [Accessed 7 Nov. 2014].

Mekouar, L., Iraqi, Y. and Boutaba, R. (2010). Incorporating Trust in Network Virtualization. 2010 10th IEEE International Conference on Computer and Information Technology.

Mizrak, A. T., Cheng, Y., Marzullo, K. and Savage, S. (2006). Detecting and isolating malicious routers. IEEE Transactions on Dependable and Secure Computing, vol. 3.

Natarajan, S. (2012). Security Issues in Network Virtualization for the Future Internet. [online] Scholarworks.umass.edu. Available at: http://scholarworks.umass.edu/cgi/viewcontent.cgi?article=1655&context=open_access_dissertations [Accessed 8 Nov. 2014].

Natarajan, S. and Wolf, T. (2012). Security Issues in Network Virtualization for the Future Internet. [ebook] Amherst, MA, USA: Department of Electrical and Computer Engineering, University of Massachusetts. Available at: http://www.ecs.umass.edu/ece/wolf/pubs/icnc2012.pdf [Accessed 8 Nov. 2014].

Routeviews.org. (2003). Route Views Project Page. [online] Available at: http://www.routeviews.org/ [Accessed 8 Nov. 2014].

Tariq, M., Motiwala, M., Feamster, N. and Ammar, M. (2009). Detecting network neutrality violations with causal inference. Proceedings of the 5th international conference on Emerging networking experiments and technologies - CoNEXT '09.

The FP7 4WARD Project. (2008). WP3 - Network Virtualization. [image] Available at: http://www.4ward-project.eu/index.php?s=overview&c=WP3 [Accessed 8 Nov. 2014].
