Secure LXC networking 
Marian HackMan Marinov 
<mm@1h.com> 
CEO of 1H Ltd. 
CTO of GetClouder.com
Who am I?
➢ System Administrator since 1998
➢ CEO of 1H Ltd.
➢ CTO of GetClouder Ltd.
➢ Head of DevOps for Siteground.com
➢ Organizer of OpenFest, BG Perl workshops and others
➢ This year I helped with the organization of YAPC Europe and EuroBSDcon in Sofia
➢ In my spare time I teach Linux System Administration and Network Security courses in Sofia University
➢ For the past year I'm playing mainly with containers!
We don't really need networking...
MAC addresses
➢ Keep a central DB with all MAC addresses to prevent collisions
➢ Use a reliable way to generate MAC addresses
➢ Keep in mind:
  ➢ local or global
  ➢ unicast or multicast
generate MAC address in bash
# Produces 52:00:01:xx:xx:xx. The first octet 0x52 has the locally
# administered bit (0x02) set and the multicast bit (0x01) clear, so the
# prefix can never collide with a vendor-assigned (global) OUI.
function gen_mac() {
    mac_vars=(0 1 2 3 4 5 6 7 8 9 a b c d e f)
    mac_base='52:00:01:'
    ret=''
    for i in {1..6}; do              # six hex digits = the last three octets
        n=$RANDOM
        let 'n %= 16'                # pick one random hex digit
        ret="${ret}${mac_vars[$n]}"
        if [ $i -eq 2 ] || [ $i -eq 4 ]; then
            ret="${ret}:"            # separator after each complete octet
        fi
    done
    echo "${mac_base}${ret}"
}
generate MAC address in PL/pgSQL
CREATE OR REPLACE FUNCTION generate_mac() RETURNS text
    LANGUAGE plpgsql
AS $$DECLARE
    mac TEXT;
    a CHAR;
    count INTEGER;
BEGIN
    mac := '52:00:01:';
    FOR count IN 1..6 LOOP
        -- floor() keeps the index in 1..16. A plain ::int cast rounds, so
        -- random()*16 can become 16 and the index 17, for which substring()
        -- returns an empty string.
        SELECT substring('0123456789abcdef' FROM floor(random()*16)::int + 1 FOR 1) INTO a;
        -- Defensive: concatenating a NULL or empty value would turn the whole
        -- result into NULL, so retry until we have a real hex digit.
        WHILE a IS NULL OR a = '' LOOP
            SELECT substring('0123456789abcdef' FROM floor(random()*16)::int + 1 FOR 1)
            INTO a;
        END LOOP;
        mac := mac || a;
        IF count = 2 OR count = 4 THEN
            mac := mac || ':';
        END IF;
    END LOOP;
    RETURN mac;
END;$$;
generate MAC address in Python
#!/usr/bin/python
import random

# six random octets; the first one is then forced to be locally
# administered (bit 1 set) and unicast (bit 0 clear)
mac = [random.randrange(256) for i in range(6)]
mac[0] |= 0x02   # set the locally administered bit
mac[0] &= 0xfe   # clear the multicast bit
print(':'.join('%02x' % m for m in mac))
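The three generators above produce an address but do not check it or record it in the "central DB" the slides ask for. The following added example (not part of the presentation) does both: it classifies a MAC by its individual/group and universal/local bits, refuses anything that is not locally administered unicast, and keeps a flat-file registry (path is an assumed argument) so the same address is never handed to two containers.

```bash
#!/bin/bash
# Added example, not from the slides. Assumptions: MACs are written as six
# colon-separated hex pairs (as the generators above emit them) and the
# registry is a plain text file with one MAC per line.

# Print "unicast|multicast local|global" for a MAC, or fail on bad syntax.
mac_classify() {
    local mac
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) echo "invalid MAC syntax: $1" >&2; return 1 ;;
    esac
    local first=$((16#${mac%%:*}))   # first octet as a number
    local ig=unicast ul=global
    [ $((first & 0x01)) -ne 0 ] && ig=multicast   # bit 0: individual/group
    [ $((first & 0x02)) -ne 0 ] && ul=local       # bit 1: universal/local
    echo "$ig $ul"
}

# Accept a MAC for a container only if it is locally administered unicast
# and not already present in the registry; on success append it.
# Return codes: 1 bad syntax, 2 wrong address class, 3 collision.
mac_register() {
    local registry="$1" mac class
    mac=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    class=$(mac_classify "$mac") || return 1
    if [ "$class" != "unicast local" ]; then
        echo "refusing $mac: $class (want unicast local)" >&2
        return 2
    fi
    touch "$registry"
    if grep -qxF "$mac" "$registry"; then
        echo "collision: $mac already assigned" >&2
        return 3
    fi
    echo "$mac" >> "$registry"
}

# Typical use together with the bash generator from the slide:
#   mac_register /var/lib/lxc/macs.db "$(gen_mac)"
```

Serialize access to the registry file (for example with flock) when several hosts or scripts allocate addresses concurrently, otherwise the collision check can race.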
Types of LXC networking
➢ none
➢ empty
➢ macvlan
➢ macvtap (did not have time to test it)
➢ veth (linux or ovs bridge)
➢ vlan
➢ physical
➢ VPN device (haven't tried that either)
None 
lxc.network.type = none 
lxc.network.hwaddr = 00:16:3a:61:45:a6 
lxc.network.flags = up
Empty 
lxc.network.type = empty 
lxc.network.hwaddr = 00:16:3a:61:45:a6 
lxc.network.flags = up
VETH 
lxc.network.type = veth 
lxc.network.veth.pair = vethc3070 
lxc.network.flags = up 
lxc.network.name = eth0 
lxc.network.ipv4 = X.X.X.X/24 
lxc.network.ipv4.gateway = X.X.X.1 
lxc.network.hwaddr = 00:16:3e:28:73:b3
VETH
lxc.network.veth.pair = vethc3070
11: vethD6YPJ1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master lxcbr0 state UP qlen 1000
    link/ether f2:0:32:02:55:2f brd ff:ff:ff:ff:ff:ff
    valid_lft forever preferred_lft forever
MACVLAN 
lxc.network.type = macvlan 
lxc.network.macvlan.mode = bridge 
lxc.network.flags = up 
lxc.network.link = lxcbr1 
lxc.network.name = eth0 
lxc.network.ipv4 = X.X.X.X/24 
lxc.network.ipv4.gateway = X.X.X.1 
lxc.network.hwaddr = 00:16:3e:28:73:b3
MACVLAN
➢ If you want to set up the networking manually:
  ip link add link PARENT [NAME] type macvlan [address MAC]
➢ Auto-generated MAC address:
  # ip link add link eth0 lxc0 type macvlan
➢ Manually assigned MAC address:
  # ip link add link eth0 lxc1 type macvlan address f0:de:f1:81:0a:2a
➢ Additional parameter: mode
  ➢ macvlan mode { private | vepa | bridge | passthru }
MACVLAN
➢ private (filter all incoming packets)
➢ bridge (all packets on the same iface can be seen from all vlans)
➢ passthru (requires enabled STP)
➢ VEPA (Virtual Ethernet Port Aggregator)
MACVLAN
➢ Edge Virtual Bridging (EVB)
  ➢ Top-of-Rack (ToR)
  ➢ End-of-Row (EoR)
➢ Virtual Ethernet Bridge (VEB)
  ➢ Linux bridge
  ➢ OpenVswitch
➢ Virtual Ethernet Port Aggregator (VEPA)
  ➢ used for EVB
  ➢ VEPA 802.1Qab - HP, IBM, Brocade, Juniper
    ➢ Standard mode
    ➢ Multi-channel VEPA (Q-in-Q)
  ➢ VN-Tag 802.1Qbh - Cisco
VLAN 
lxc.network.type = vlan 
lxc.network.vlan.id = 10 
lxc.network.flags = up 
lxc.network.link = eth0 
lxc.network.name = eth0 
lxc.network.ipv4 = X.X.X.X/24 
lxc.network.ipv4.gateway = X.X.X.1 
lxc.network.hwaddr = 00:16:3e:28:73:b3
VLAN
# vconfig add eth0 10
# ip link add link eth0 vlan10 type vlan id 10
# ip link show vlan10
10: vlan10@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT
    link/ether f0:de:f1:81:0a:2a brd ff:ff:ff:ff:ff:ff
Physical 
lxc.network.type = phys 
lxc.network.flags = up 
lxc.network.link = eth2 
lxc.network.name = eth0 
lxc.network.ipv4 = X.X.X.X/24 
lxc.network.ipv4.gateway = X.X.X.1 
lxc.network.hwaddr = 00:16:3e:28:73:b3
Bridging :)
➢ Linux Bridge
  ➢ setup with brctl
  ➢ setup with ip route
➢ OpenVswitch (OVS)
  ➢ setup with its tools
Bridging :)
➢ What is OpenVswitch
  ➢ multilayer virtual switch
➢ Why OpenVswitch
  ➢ greater flexibility
  ➢ more control over the traffic
  ➢ native VXLAN support
Bridging :)
# brctl show
bridge name     bridge id               STP enabled     interfaces
# brctl addbr br0
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no
Bridging :)
# brctl addif br0 eth0
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.f0def1810a2a       no              eth0
adding a veth device:
# brctl addif br0 vethc3070
adding a VLAN sub-interface:
# brctl addif br0 eth0.4
Bridging :)
# ip link add name lxcbr0 type bridge
# ip link set dev lxcbr0 up
# ip link show lxcbr0
7: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT
    link/ether fe:d8:b2:55:ce:5b brd ff:ff:ff:ff:ff:ff
# ip link set dev eth0 promisc on
# ip link set dev eth0 up
# ip link set dev eth0 master bridge_name
# ip link set dev eth0 nomaster
Securing all of these
➢ Do not allow traffic out of the container with a MAC address that was not assigned to the container
➢ Do not allow traffic out of the container with an IP address that was not assigned to the container
➢ Do not allow multicast traffic to go to a container which is not part of the multicast group
➢ Actually, if possible, allow network traffic only to its gateway :)
Securing all of these
➢ Do not use NAT for connecting your containers
➢ NAT is susceptible to DoS: by spoofing many connections, one container can block the connectivity of the whole machine!
Broadcasts...
➢ It depends on your network design
➢ Generally, limit the broadcast destinations that a container can reach
➢ If possible, use source routing to route the traffic directly to where it is supposed to go
OpenVswitch security
➢ Implement OpenFlow rules to enforce the previous rules
➢ For each container:
hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=150 dl_type=0x0800 in_port=$input_port nw_dst=$container_gw actions=NORMAL
hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=100 dl_type=0x0800 in_port=$input_port nw_dst=$container_network actions=drop
hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac nw_src=$container_ip dl_type=0x0806 priority=50 actions=NORMAL
hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac dl_type=0x0800 nw_src=$container_ip priority=25 actions=NORMAL
hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=20 dl_type=0x0800 dl_src=$container_mac nw_dst=$container_ip actions=output:$input_port
hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port priority=5 actions=drop
➢ For each additional IP on the container:
hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_type=0x0800 dl_src=$container_mac nw_src=$additional_ip priority=10 actions=NORMAL
hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac nw_src=$additional_ip dl_type=0x0806 priority=50 actions=NORMAL
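The rule set above is what has to be installed for every container, with the container's port, MAC, IP, gateway, network and a cookie filled in. The following added example (not code from the presentation) generates that set in ovs-ofctl flow syntax from those parameters, including the two extra rules per additional IP, so a whole container can be loaded in one `ovs-ofctl add-flows` transaction and removed again by cookie. The bridge name, port numbers and addresses are assumptions; the priorities and match fields are taken from the slide.

```bash
#!/bin/bash
# Added example, not from the slides. Assumptions: the OVS port number comes
# from `ovs-ofctl show BRIDGE`, MAC/IP/gateway/network from the container
# config, and the cookie is a per-container id you choose (used for cleanup).

# container_flows PORT MAC IP GATEWAY NETWORK COOKIE [ADDITIONAL_IP ...]
# Prints one flow per line, highest priority first, ready for add-flows.
container_flows() {
    local port="$1" mac="$2" ip="$3" gw="$4" net="$5" cookie="$6"
    shift 6
    local common="hard_timeout=0,idle_timeout=0,cookie=${cookie}"
    # 150: IPv4 from this port may reach the container's gateway ...
    echo "${common},priority=150,in_port=${port},dl_type=0x0800,nw_dst=${gw},actions=NORMAL"
    # 100: ... but nothing else inside its own network (no container-to-container traffic)
    echo "${common},priority=100,in_port=${port},dl_type=0x0800,nw_dst=${net},actions=drop"
    # 50: ARP only with the assigned MAC and sender IP (no ARP spoofing)
    echo "${common},priority=50,in_port=${port},dl_src=${mac},dl_type=0x0806,nw_src=${ip},actions=NORMAL"
    # 25: IPv4 only with the assigned MAC and source IP (no MAC/IP spoofing)
    echo "${common},priority=25,in_port=${port},dl_src=${mac},dl_type=0x0800,nw_src=${ip},actions=NORMAL"
    # 20: IPv4 addressed to the container IP goes straight to its port (match fields as on the slide)
    echo "${common},priority=20,dl_type=0x0800,dl_src=${mac},nw_dst=${ip},actions=output:${port}"
    # each additional IP gets its own ARP (50) and IPv4 (10) allow rules
    local extra
    for extra in "$@"; do
        echo "${common},priority=50,in_port=${port},dl_src=${mac},dl_type=0x0806,nw_src=${extra},actions=NORMAL"
        echo "${common},priority=10,in_port=${port},dl_src=${mac},dl_type=0x0800,nw_src=${extra},actions=NORMAL"
    done
    # 5: everything else entering from the container port is dropped
    echo "${common},priority=5,in_port=${port},actions=drop"
}

# Install the set for one container in a single transaction.
# container_flows_apply BRIDGE PORT MAC IP GATEWAY NETWORK COOKIE [ADDITIONAL_IP ...]
container_flows_apply() {
    local bridge="$1"
    shift
    container_flows "$@" | ovs-ofctl add-flows "$bridge" -
}

# Remove every flow installed for a container, matched by its cookie.
# container_flows_remove BRIDGE COOKIE
container_flows_remove() {
    ovs-ofctl del-flows "$1" "cookie=$2/-1"
}
```

After applying, `ovs-ofctl dump-flows BRIDGE "cookie=COOKIE/-1"` shows the per-flow packet counters, which is the quickest way to see whether the priority-5 drop rule is catching traffic the container should not be sending.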
OpenVswitch security
➢ OpenVswitch networking DOES NOT go through the normal Linux networking stack, so you CAN NOT use iptables/ebtables to limit the traffic
➢ Even if you use net_cls it still DOES NOT WORK
Thank you!
Questions?
Marian Marinov <mm@1h.com>
http://getclouder.com
Jabber: hackman@jabber.org
IRC: irc.freenode.net HackMan
ICQ: 7556201
GitHub: http://github.com/hackman