WO2020080930A1 - System, virtual switch and method for establishing secured communication within network segment in virtualized environment - Google Patents

System, virtual switch and method for establishing secured communication within network segment in virtualized environment

Info

Publication number
WO2020080930A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
security information
tenant
packets
virtual
Prior art date
Application number
PCT/MY2019/050075
Other languages
French (fr)
Inventor
Swee Leong @ Low Kwang Hao LOW
Sharipah Setapa
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad
Publication of WO2020080930A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Definitions

  • the present invention relates generally to an arrangement for a virtualized communication environment. More particularly, the present invention relates to a system, a virtual switch and a method for establishing secured communication within a network segment in a virtualized environment.
  • Network virtualization is defined by the ability to create logical, virtual networks that are decoupled from the underlying network hardware in order to ensure that the network can better integrate with and support increasingly virtual environments. It allows segmentation of network (i.e. network segments) without relying on the underlying hardware using a technology called the Virtual Extensible Local Area Network (VXLAN).
  • VXLAN Virtual Extensible Local Area Network
  • each network segment is assigned to a customer or tenant via a tunneling mechanism that has no encryption and decryption.
  • the VXLAN is known for its network segmentation and tunneling mechanism, but it does not provide any encryption and decryption function. As each network segment is typically allocated to a different customer, it is essential that data or packet traffic to the customer be encrypted for security. Although the customer or tenant may utilize a technology such as a Virtual Private Network (VPN) to manually encrypt the packet traffic, a VPN is more suitable for a virtual point-to-point link than for network-wide encryption within a network segment.
  • VPN Virtual Private Network
  • the '191 publication discloses a method, device, and system for processing a VXLAN packet.
  • the method includes obtaining, by a controller, a request message for requesting allocation of a VXLAN network identifier (VNI), obtaining the VNI and a VXLAN security policy corresponding to the VNI according to the request message, and delivering the VNI and the VXLAN security policy corresponding to the VNI to a network device.
  • VNI VXLAN network identifier
  • the present invention provides a system for establishing secured communication within a network segment in virtualized environment.
  • the system comprises a controller for receiving packets and a virtual switch coupled to the controller for processing the packets transmitted thereof.
  • the system of the present invention may be characterized by the virtual switch which comprises a virtual encrypted port comprising a packet decision maker for receiving the packets associated with the virtual encrypted port from the controller thereof; a security information unit coupled to the virtual encrypted port comprising a packet extractor for extracting security information parameters from the packets and a packet comparator for comparing the security information parameters extracted thereof against a predefined list of security information parameters; and a security unit comprising an encryption and decryption module for encrypting and decrypting the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof, wherein the packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path.
  • the security information unit transmits the packets to the security unit if the security information parameters extracted from the packets match with the predefined list of security information parameters.
  • the security information parameters include a source Internet Protocol (IP) address, a source port, a destination IP address and a destination port.
  • IP Internet Protocol
  • the predefined list of security information parameters is stored in a security database of the security information unit that is linked to a tenant security parameter database deployed at the controller thereof.
  • the tenant security parameter database receives and stores tenant security parameters and a security inclusion list comprising policy rules provisioned by the tenant.
  • the encryption and decryption algorithm is a symmetric cipher including Triple-DES, AES, Blowfish and tenant-specific password.
  • the present invention provides a virtual switch connected to a controller for establishing secured communication within a network segment in virtualized environment.
  • the virtual switch of the present invention may be characterized by a virtual encrypted port comprising a packet decision maker for receiving packets associated with the virtual encrypted port from the controller thereof; a security information unit coupled to the virtual encrypted port comprising a packet extractor for extracting security information parameters from the packets and a packet comparator for comparing the security information parameters extracted thereof against a predefined list of security information parameters; and a security unit comprising an encryption and decryption module for encrypting and decrypting the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof, wherein the packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path.
  • the present invention provides a method of establishing secured communication within a network segment in virtualized environment.
  • the method of the present invention may be characterized by the steps of receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof; detecting, by a controller, a port event and a type of port associated thereof; receiving, at a virtual encrypted port, packets associated with the virtual encrypted port from the controller; extracting, at a security information unit, security information parameters from the packets and comparing the security information parameters extracted thereof against a predefined list of security information parameters; encrypting and decrypting, at a security unit, the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by the tenant; and routing the packets encrypted and decrypted thereof to a virtual machine via a packet processing path.
  • the step of receiving, at a tenant security parameter database, tenant security parameters includes configuring the encryption and decryption algorithm by the tenant. It is an objective of the present invention to provide a system, a virtual switch and a method to establish secured communication within a network segment of a virtualized environment that allows the tenant to define or set encryption and decryption for the data packets using, for example, a tenant-specific password that advantageously is not easily sniffed or perceived by the host of the network or by hijackers.
  • Figure 1 is a schematic diagram depicting a system for establishing secured communication within a network segment in virtualized environment according to one embodiment of the present invention
  • FIG 2 is a schematic diagram of a virtual encrypted port (VEPort) of the system in Figure 1 according to one embodiment of the present invention
  • FIG 3 is a schematic diagram of a security information unit of the system in Figure 1 according to one embodiment of the present invention.
  • Figure 4 is a schematic diagram of a security unit of the system in Figure 1 according to one embodiment of the present invention.
  • Figure 5 is a flow diagram depicting the overall flow of a method of establishing secured communication within a network segment in virtualized environment according to one embodiment of the present invention
  • Figure 6 is a flow diagram of the step of receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof in Figure 5 according to one embodiment of the present invention
  • Figure 7 is a flow diagram of the step of detecting, by a controller, a port event and a type of port associated thereof in Figure 5 according to one embodiment of the present invention
  • Figure 8 is a flow diagram of the step of encrypting, at a security unit, the packets transmitted by the security information unit based on an encryption algorithm provisioned by the tenant in Figure 5 according to one embodiment of the present invention
  • Figure 9 is a flow diagram of the step of decrypting, at a security unit, the packets transmitted by the security information unit based on a decryption algorithm provisioned by the tenant in Figure 5 according to one embodiment of the present invention.
  • the present invention provides a system, a virtual switch and a method for establishing secured communication within a network segment in virtualized environment.
  • the present invention allows a tenant to define, set and create a personalized encryption and decryption method (e.g. algorithm) and a security inclusion list.
  • the security inclusion list has a series of policy rules. This series of policy rules can be used to determine packets to be encrypted or decrypted.
  • the tenant preferably provisions the personalized encryption and decryption method and the security inclusion list into a controller 100 which is also adapted to receive packets.
  • the controller 100 is coupled to a virtual switch 200 over a standard Secure Sockets Layer (SSL) channel in a language like JavaScript Object Notation (JSON), as schematically shown in Figure 1 of the accompanying drawings.
  • SSL Secure Sockets Layer
  • JSON JavaScript Object Notation
  • the virtual switch 200 can be configured for processing the packets it receives from the controller 100 thereof.
  • the virtual switch 200 of the present invention comprises a virtual encrypted port 201 (known as "VEPort"), a security information unit 202 and a security unit 203.
  • the security information unit 202 and the security unit 203 are connected directly to the VEPort 201.
  • the VEPort 201 is a new type of port that is deployed within the virtual switch 200 itself.
  • the VEPort 201 is preferably linked to a main daemon process of Open vSwitch (OVS) which is vswitch, a user space program.
  • OVS Open vSwitch
  • the vswitch is further connected to a database server of OVS which is ovsdb-server.
  • a VEPort datapath which is a kernel module, on the other hand, performs platform-dependent packet forwarding.
  • the VEPort datapath comprises a basic kernel-defined structure called sk_buff which is used for packets.
  • the structure sk_buff keeps information about a packet, including pointers into the packet buffer (i.e. the head, end, data and tail pointers) and variables that describe the packet.
  • the VEPort 201 preferably comprises a packet decision maker 201a. It can be configured to receive the packets that are being associated with the VEPort 201 thereof. The association of the received packets with the VEPort 201 shall be verified at the controller 100. Any packet which has no association with the VEPort 201, or has received no verification by the controller 100 for the same, shall never be allowed to proceed any further.
  • Figure 2 illustrates the VEPort 201 of the present invention which receives, processes and transmits the packets via the packet decision maker 201a deployed therein.
  • the security information unit 202 comprises a packet extractor 202a and a packet comparator 202b.
  • the packet extractor 202a can be configured for extracting security information parameters from the packets which are transmitted by the packet decision maker 201a of the VEPort 201.
  • the security information parameters include, but not limited to, a source Internet Protocol (IP) address, a source port, a destination IP address and a destination port.
  • IP Internet Protocol
  • the packet comparator 202b positioned after the packet extractor 202a can be configured for comparing the security information parameters extracted by the packet extractor 202a against a predefined list of security information parameters. This predefined list of security information parameters is stored in a security database of the security information unit 202 that is linked to a tenant security parameter database deployed at the controller 100.
  • the tenant security parameter database may receive and store tenant security parameters and the security inclusion list comprising policy rules as provisioned by the tenant.
  • the security information unit 202 preferably transmits the packets to the security unit 203 if the security information parameters extracted from the packets match with the predefined list of security information parameters.
  • Figure 3 illustrates the arrangement of the packet extractor 202a and the packet comparator 202b as well as the security database within the security information unit 202.
  • the security unit 203 comprises an encryption and decryption module containing an encryption and decryption algorithm.
  • the security unit 203 can be configured for encrypting and decrypting the packets transmitted by the security information unit 202 based on the encryption and decryption algorithm that is provisioned by a tenant of the network segment at an initialization stage.
  • the packets encrypted and decrypted by the security unit 203 are further allowed to be routed to a VM set thereof via a normal packet processing path.
  • Figure 4 illustrates an encryption module having its encryption algorithm and a decryption module having its decryption algorithm deployed at the security unit 203.
  • an IP address or port can be a wildcard like 192.168.10.* or a range such as 102.168.10.2 - 192.168.10.50.
  • an encryption and decryption algorithm utilized in the present invention is a symmetric cipher which includes, but not limited to, triple data encryption standard (Triple-DES), advanced encryption standard (AES), Blowfish and tenant-specific password.
  • the controller 100 shall detect port add events.
  • the controller 100 shall hence send a transact command to the port tables in a vswitch database.
  • the vswitch daemon shall monitor the port tables. If there is a change in a security column of the port tables, the vswitch daemon will be triggered to send an OVS_DP_CMD_SET netlink message with the security information parameters to the VEPort datapath.
  • the VEPort datapath will further initialize the security unit 203 for performing encryption and decryption.
  • a call will be made to the security unit 203 to decrypt the packets prior to passing down to a normal or ordinary packet processing path. Otherwise, when packets are received via ovs_vport_send, a check or verification shall be conducted against the security inclusion list of the tenant security parameter database. At the verification stage, if the source IP address and the source port match the security inclusion list, then a call will be made to the security unit 203 to encrypt the packets prior to passing down to a normal or ordinary packet processing path.
  • Figure 5 depicts the detailed method of establishing secured communication within a network segment in virtualized environment.
  • the method comprises a number of steps including the step of receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof (see 300); the step of detecting, by the controller 100, a port event and a type of port associated thereof (see 301); the step of receiving, at the VEPort 201, packets associated with the VEPort 201 from the controller 100 (see 302); the step of extracting, at the security information unit 202, security information parameters from the packets and comparing the security information parameters extracted thereof against a predefined list of security information parameters (see 303); the step of encrypting and decrypting, at the security unit 203, the packets transmitted by the security information unit 202 based on an encryption and decryption algorithm provisioned by the tenant (see 304); and the step of routing the packets encrypted and decrypted thereof to a VM via a
  • the step 300 preferably revolves around receipt or provisioning of tenant security parameters and the security inclusion list into the controller 100.
  • the tenant is allowed to set or define its own encryption alongside password, making data or packet traffic that is traversing within the network segment encrypted with a tenant-specific password.
  • the tenant enters a security inclusion list and a security exclusion list. These lists preferably contain policy rules to determine which packets to be encrypted or decrypted based on their IP addresses and ports.
  • the tenant provisions its encryption and decryption algorithm and the security inclusion list (and the security exclusion list) into the tenant security parameter database located at the controller 100. It is preferred that the step 300 includes configuring the encryption and decryption algorithm by the tenant.
  • the step 301 deals with detection of new port events and provision of security parameter into the VEPort datapath.
  • the controller 100 shall detect any port add events. Once detected, the controller 100 will check the type of the port to determine and confirm whether the port is associated with, or itself is, a VEPort. If the port is not a VEPort, the flow will be aborted. Otherwise, the controller 100 shall send a transact command to the port tables in the vswitch database. The vswitch daemon shall monitor the port tables. If there is a change in a security column of the port tables, the vswitch daemon will be triggered to send an OVS_DP_CMD_SET netlink message with the security information parameters to the VEPort datapath.
  • the VEPort datapath will further initialize the security unit 203 for performing encryption and decryption.
  • the security information parameters are stored in the security database accordingly.
  • the security unit 203 encrypts and decrypts the packets transmitted by the security information unit 202 based on the provisioned encryption and decryption algorithm. All packets received from the structure sk_buff will be inspected to obtain packet information therefrom.
  • a check or verification shall be conducted against the security inclusion list of the tenant security parameter database.
  • If the source IP address and the source port match the security inclusion list stored in the tenant security parameter database, which is linked to the security database of the security information unit 202 storing the predefined list of security information parameters, then a call will be made to the security unit 203 to encrypt the packets prior to passing them down to a normal or ordinary packet processing path. If the source IP address and the source port do not match the security inclusion list, then the packets shall be forwarded as is. With reference to Figure 9, when packets are received via ovs_vport_receive, a check or verification shall be conducted against the security inclusion list of the tenant security parameter database.
  • At the verification stage, if the source IP address and the source port match the security inclusion list stored in the tenant security parameter database, which is linked to the security database of the security information unit 202 storing the predefined list of security information parameters, then a call will be made to the security unit 203 to decrypt the packets prior to passing them down to a normal or ordinary packet processing path. If the source IP address and the source port do not match the security inclusion list, then the packets shall be forwarded as is.
  • the terms "a" and "an," as used herein, are defined as one or more than one.
  • the term "plurality," as used herein, is defined as two or more than two.
  • the term "another," as used herein, is defined as at least a second or more.
  • the terms "including" and/or "having," as used herein, are defined as comprising (i.e., open language).
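The datapath the definitions above describe, modelled end to end as an added Go example (not code from the patent or from Open vSwitch): the inclusion-list parser accepts the exact, wildcard (192.168.10.*) and range forms the description allows, the comparator checks a packet's source IP and port against the list, and the security unit encrypts on the send side and decrypts and verifies on the receive side while forwarding non-matching packets unchanged. Assumptions: AES-GCM stands in for the tenant-chosen symmetric cipher, the key arrives already derived from the tenant password, and the Rule, Packet, SecurityUnit and Process names and the nonce-prefixed payload framing are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"net/netip"
	"strings"
)

// Rule is one entry of the tenant's security inclusion list: a source IP pattern that is
// exact ("192.168.10.2"), a trailing wildcard ("192.168.10.*") or a range, plus a source port.
type Rule struct {
	ipLow, ipHigh netip.Addr // inclusive bounds; exact and wildcard patterns are stored as ranges too
	port          int        // -1 matches any port
}

// ParseRule builds a rule from an IP pattern and a port (-1 for any port).
func ParseRule(ipPat string, port int) (Rule, error) {
	lo, hi, isRange := strings.Cut(ipPat, "-")
	switch {
	case strings.HasSuffix(ipPat, ".*"): // wildcard: widen to the whole block, e.g. 192.168.10.0-192.168.10.255
		base := strings.TrimSuffix(ipPat, "*")
		n := 4 - strings.Count(base, ".")
		lo = base + strings.TrimSuffix(strings.Repeat("0.", n), ".")
		hi = base + strings.TrimSuffix(strings.Repeat("255.", n), ".")
	case !isRange:
		hi = lo // an exact address is a range of one
	}
	a, err1 := netip.ParseAddr(strings.TrimSpace(lo))
	b, err2 := netip.ParseAddr(strings.TrimSpace(hi))
	if err1 != nil || err2 != nil || a.Compare(b) > 0 {
		return Rule{}, fmt.Errorf("bad IP pattern %q", ipPat)
	}
	return Rule{ipLow: a, ipHigh: b, port: port}, nil
}

// Matches is the packet comparator's test of one rule against a packet's source endpoint.
func (r Rule) Matches(ip netip.Addr, port int) bool {
	return (r.port == -1 || r.port == port) && ip.Compare(r.ipLow) >= 0 && ip.Compare(r.ipHigh) <= 0
}

// Packet: the security information parameters the extractor reads from the sk_buff, plus the payload.
type Packet struct {
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort int
	Payload          []byte
}

// MustAddr parses an address literal, panicking on a bad one (demo convenience).
func MustAddr(s string) netip.Addr { return netip.MustParseAddr(s) }

// SecurityUnit is the per-VEPort cipher state and takes a 16-, 24- or 32-byte AES key; deriving
// that key from the tenant-specific password with a password KDF (PBKDF2, scrypt, Argon2) is assumed done at provisioning.
type SecurityUnit struct {
	aead  cipher.AEAD
	rules []Rule
}

func NewSecurityUnit(key []byte, rules []Rule) (*SecurityUnit, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // symmetric and authenticated; NewGCM cannot fail for AES
	return &SecurityUnit{aead: aead, rules: rules}, nil
}

// Process models the VEPort datapath hook. Sending (ovs_vport_send): a packet whose source
// matches the inclusion list leaves with payload = nonce || AES-GCM(payload). Receiving
// (ovs_vport_receive): such a packet is decrypted and its tag verified. Others pass as is.
func (s *SecurityUnit) Process(p Packet, sending bool) (Packet, error) {
	matched := false
	for _, r := range s.rules {
		matched = matched || r.Matches(p.SrcIP, p.SrcPort)
	}
	if !matched {
		return p, nil
	}
	n := s.aead.NonceSize()
	if sending {
		nonce := make([]byte, n) // random nonce: rekey well before 2^32 packets under one key
		if _, err := rand.Read(nonce); err != nil {
			return Packet{}, err
		}
		p.Payload = s.aead.Seal(nonce, nonce, p.Payload, nil)
		return p, nil
	}
	if len(p.Payload) < n {
		return Packet{}, fmt.Errorf("drop: payload shorter than nonce")
	}
	plain, err := s.aead.Open(nil, p.Payload[:n], p.Payload[n:], nil)
	if err != nil { // tag failure: dropping is this example's choice, the description does not say
		return Packet{}, fmt.Errorf("drop: %w", err)
	}
	p.Payload = plain
	return p, nil
}
```

Because the inclusion check keys on the source endpoint only, the receiving side must hold the same list (or the peer's source addresses in it) for a sender-encrypted packet to be decrypted rather than forwarded still encrypted.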

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a system, a virtual switch and a method for establishing secured communication within a network segment in virtualized environment. The system comprises a controller (100) and a virtual switch (200). The virtual switch (200) comprises a virtual encrypted port (201) comprising a packet decision maker (201a) for receiving packets associated with the virtual encrypted port (201), a security information unit (202) comprising a packet extractor (202a) and a packet comparator (202b), and a security unit (203) comprising an encryption and decryption module for encrypting and decrypting the packets based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof. The packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path.

Description

SYSTEM, VIRTUAL SWITCH AND METHOD FOR ESTABLISHING SECURED COMMUNICATION WITHIN NETWORK SEGMENT IN VIRTUALIZED ENVIRONMENT
FIELD OF THE INVENTION
The present invention relates generally to an arrangement for a virtualized communication environment. More particularly, the present invention relates to a system, a virtual switch and a method for establishing secured communication within a network segment in a virtualized environment.
BACKGROUND OF THE INVENTION
Network virtualization is defined by the ability to create logical, virtual networks that are decoupled from the underlying network hardware in order to ensure that the network can better integrate with and support increasingly virtual environments. It allows segmentation of network (i.e. network segments) without relying on the underlying hardware using a technology called the Virtual Extensible Local Area Network (VXLAN). In the VXLAN, each network segment is assigned to a customer or tenant via a tunneling mechanism that has no encryption and decryption.
The VXLAN is known for its network segmentation and tunneling mechanism, but it does not provide any encryption and decryption function. As each network segment is typically allocated to a different customer, it is essential that data or packet traffic to the customer be encrypted for security. Although the customer or tenant may utilize a technology such as a Virtual Private Network (VPN) to manually encrypt the packet traffic, a VPN is more suitable for a virtual point-to-point link than for network-wide encryption within a network segment.
Numerous attempts have been made heretofore to tackle these problems. For example, by way of background, United States Patent Application Publication No. 2018/0139191 A1 (hereinafter "the '191 publication") discloses a method, device, and system for processing a VXLAN packet. According to the '191 publication, the method includes obtaining, by a controller, a request message for requesting allocation of a VXLAN network identifier (VNI), obtaining the VNI and a VXLAN security policy corresponding to the VNI according to the request message, and delivering the VNI and the VXLAN security policy corresponding to the VNI to a network device.
Consequently, there is a long-felt need for a system, a virtual switch and a method to establish secured communication within the network segment which allows the customer or tenant to define encryption and decryption algorithm at their side thereby overcoming the problems and shortcomings of the prior art.
SUMMARY OF THE INVENTION
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
Accordingly, the present invention provides a system for establishing secured communication within a network segment in virtualized environment. The system comprises a controller for receiving packets and a virtual switch coupled to the controller for processing the packets transmitted thereof.
The system of the present invention may be characterized by the virtual switch which comprises a virtual encrypted port comprising a packet decision maker for receiving the packets associated with the virtual encrypted port from the controller thereof; a security information unit coupled to the virtual encrypted port comprising a packet extractor for extracting security information parameters from the packets and a packet comparator for comparing the security information parameters extracted thereof against a predefined list of security information parameters; and a security unit comprising an encryption and decryption module for encrypting and decrypting the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof, wherein the packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path. Preferably, the security information unit transmits the packets to the security unit if the security information parameters extracted from the packets match with the predefined list of security information parameters.
Preferably, the security information parameters include a source Internet Protocol (IP) address, a source port, a destination IP address and a destination port. Preferably, the predefined list of security information parameters is stored in a security database of the security information unit that is linked to a tenant security parameter database deployed at the controller thereof.
Preferably, the tenant security parameter database receives and stores tenant security parameters and a security inclusion list comprising policy rules provisioned by the tenant.
Preferably, the encryption and decryption algorithm is a symmetric cipher including Triple-DES, AES, Blowfish and tenant-specific password.
In accordance with another aspect, the present invention provides a virtual switch connected to a controller for establishing secured communication within a network segment in virtualized environment. The virtual switch of the present invention may be characterized by a virtual encrypted port comprising a packet decision maker for receiving packets associated with the virtual encrypted port from the controller thereof; a security information unit coupled to the virtual encrypted port comprising a packet extractor for extracting security information parameters from the packets and a packet comparator for comparing the security information parameters extracted thereof against a predefined list of security information parameters; and a security unit comprising an encryption and decryption module for encrypting and decrypting the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof, wherein the packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path.
In accordance with yet another aspect, the present invention provides a method of establishing secured communication within a network segment in virtualized environment.
The method of the present invention may be characterized by the steps of receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof; detecting, by a controller, a port event and a type of port associated thereof; receiving, at a virtual encrypted port, packets associated with the virtual encrypted port from the controller; extracting, at a security information unit, security information parameters from the packets and comparing the security information parameters extracted thereof against a predefined list of security information parameters; encrypting and decrypting, at a security unit, the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by the tenant; and routing the packets encrypted and decrypted thereof to a virtual machine via a packet processing path.
Preferably, the step of receiving, at a tenant security parameter databased, tenant security parameters includes configuring the encryption and decryption algorithm by the tenant. It is an objective of the present invention to provide a system, a virtual switch and a method to establish secured communication within a network segment of virtualized environment that allows the tenant to define or set encryption and decryption for the data packets using, for example, tenant-specific password that advantageously is not easily sniffed or perceived by the host of the network or hijackers.
The foregoing and other objects, features, aspects and advantages of the present invention will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
A more complete appreciation of the invention and many of the attendant advantages thereof will be readily appreciated as the same becomes better understood by reference to the following detailed description when considered in connection with the accompanying drawings, wherein:
Figure 1 is a schematic diagram depicting a system for establishing secured communication within a network segment in virtualized environment according to one embodiment of the present invention;
Figure 2 is a schematic diagram of a virtual encrypted port (VEPort) of the system in Figure 1 according to one embodiment of the present invention;
Figure 3 is a schematic diagram of a security information unit of the system in Figure 1 according to one embodiment of the present invention;
Figure 4 is a schematic diagram of a security unit of the system in Figure 1 according to one embodiment of the present invention;
Figure 5 is a flow diagram depicting the overall flow of a method of establishing secured communication within a network segment in virtualized environment according to one embodiment of the present invention;
Figure 6 is a flow diagram of the step of receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof in Figure 5 according to one embodiment of the present invention;
Figure 7 is a flow diagram of the step of detecting, by a controller, a port event and a type of port associated thereof in Figure 5 according to one embodiment of the present invention;
Figure 8 is a flow diagram of the step of encrypting, at a security unit, the packets transmitted by the security information unit based on an encryption algorithm provisioned by the tenant in Figure 5 according to one embodiment of the present invention; and
Figure 9 is a flow diagram of the step of decrypting, at a security unit, the packets transmitted by the security information unit based on a decryption algorithm provisioned by the tenant in Figure 5 according to one embodiment of the present invention.
It is noted that the drawings may not be to scale. The drawings are intended to depict only typical aspects of the invention, and therefore should not be considered as limiting the scope of the invention. In the drawings, like numberings represent like elements between the drawings.
DETAILED DESCRIPTION OF THE INVENTION
According to one preferred embodiment, the present invention provides a system, a virtual switch and a method for establishing secured communication within a network segment in virtualized environment. The present invention allows a tenant to define, set and create a personalized encryption and decryption method (e.g. algorithm) and a security inclusion list. The security inclusion list has a series of policy rules. This series of policy rules can be used to determine packets to be encrypted or decrypted.
The tenant preferably provisions the personalized encryption and decryption method and the security inclusion list into a controller 100 which is also adapted to receive packets. The controller 100 is coupled to a virtual switch 200 over a standard Secure Sockets Layer (SSL) channel, exchanging messages in a format such as JavaScript Object Notation (JSON), as schematically shown in Figure 1 of the accompanying drawings. The virtual switch 200 can be configured for processing the packets it receives from the controller 100 thereof.
The virtual switch 200 of the present invention comprises a virtual encrypted port 201 (known as "VEPort"), a security information unit 202 and a security unit 203. The security information unit 202 and the security unit 203 are connected directly to the VEPort 201. The VEPort 201 is a new type of port that is deployed within the virtual switch 200 itself. The VEPort 201 is preferably linked to a main daemon process of Open vSwitch (OVS) which is vswitch, a user space program. OVS is used to bridge up virtual machines (VMs) running on the node within one host. The vswitch is further connected to a database server of OVS which is ovsdb-server. A VEPort datapath, which is a kernel module, on the other hand performs platform-dependent packet forwarding. The VEPort datapath comprises a basic kernel defined structure called sk_buff which is used for packets. The structure sk_buff keeps information of a packet, including pointers (i.e. the head, end, data and tail pointers) into the packet and variables that describe the packet.
The VEPort 201 preferably comprises a packet decision maker 201a. It can be configured to receive the packets that are being associated with the VEPort 201 thereof. The association of the received packets with the VEPort 201 shall be verified at the controller 100. Any packet which has no association with the VEPort 201, or has received no verification by the controller 100 for the same, shall never be allowed to proceed any further. Figure 2 illustrates the VEPort 201 of the present invention which receives, processes and transmits the packets via the packet decision maker 201a deployed therein.
The security information unit 202 comprises a packet extractor 202a and a packet comparator 202b. The packet extractor 202a can be configured for extracting security information parameters from the packets which are transmitted by the packet decision maker 201a of the VEPort 201. The security information parameters include, but are not limited to, a source Internet Protocol (IP) address, a source port, a destination IP address and a destination port. The packet comparator 202b positioned after the packet extractor 202a can be configured for comparing the security information parameters extracted by the packet extractor 202a against a predefined list of security information parameters. This predefined list of security information parameters is stored in a security database of the security information unit 202 that is linked to a tenant security parameter database deployed at the controller 100. The tenant security parameter database may receive and store tenant security parameters and the security inclusion list comprising policy rules as provisioned by the tenant.
The security information unit 202 preferably transmits the packets to the security unit 203 if the security information parameters extracted from the packets match with the predefined list of security information parameters. Figure 3 illustrates the arrangement of the packet extractor 202a and the packet comparator 202b as well as the security database within the security information unit 202.
The security unit 203 comprises an encryption and decryption module containing an encryption and decryption algorithm. The security unit 203 can be configured for encrypting and decrypting the packets transmitted by the security information unit 202 based on the encryption and decryption algorithm that is provisioned by a tenant of the network segment at an initialization stage. The packets encrypted and decrypted by the security unit 203 are further allowed to be routed to a VM set thereof via a normal packet processing path. Figure 4 illustrates an encryption module having its encryption algorithm and a decryption module having its decryption algorithm deployed at the security unit 203.
According to the security unit 203 of the present invention, the encryption and decryption are based upon IP address and port. For instance, an IP address or port can be a wildcard like 192.168.10.* or a range such as 102.168.10.2 - 192.168.10.50. It is preferred that an encryption and decryption algorithm utilized in the present invention is a symmetric cipher which includes, but is not limited to, triple data encryption standard (Triple-DES), advanced encryption standard (AES), Blowfish and a tenant-specific password.
Essentially, when a new VM is launched, the controller 100 shall detect port add events. The controller 100 shall hence send a transact command to port tables in a vswitch database. The vswitch daemon shall monitor the port tables. If there is a change in a security column of the port tables, the vswitch daemon will be triggered to send an OVS_DP_CMD_SET netlink message with security information parameters to the VEPort datapath. The VEPort datapath will further initialize the security unit 203 for performing encryption and decryption. When packets are received via ovs_vport_receive, a check or verification shall be conducted against the security inclusion list of the tenant security parameter database. At the verification stage, if the source IP address and the source port match the security inclusion list, then a call will be made to the security unit 203 to decrypt the packets prior to passing them down to a normal or ordinary packet processing path. Conversely, when packets are received via ovs_vport_send, the same check or verification shall be conducted against the security inclusion list of the tenant security parameter database. At the verification stage, if the source IP address and the source port match the security inclusion list, then a call will be made to the security unit 203 to encrypt the packets prior to passing them down to a normal or ordinary packet processing path.
Figure 5 depicts the detailed method of establishing secured communication within a network segment in virtualized environment. The method comprises a number of steps including the step of receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof (see 300); the step of detecting, by the controller 100, a port event and a type of port associated thereof (see 301); the step of receiving, at the VEPort 201, packets associated with the VEPort 201 from the controller 100 (see 302); the step of extracting, at the security information unit 202, security information parameters from the packets and comparing the security information parameters extracted thereof against a predefined list of security information parameters (see 303); the step of encrypting and decrypting, at the security unit 203, the packets transmitted by the security information unit 202 based on an encryption and decryption algorithm provisioned by the tenant (see 304); and the step of routing the packets encrypted and decrypted thereof to a VM via a packet processing path.
The step 300 preferably revolves around receipt or provisioning of tenant security parameters and the security inclusion list into the controller 100. According to Figure 6, the tenant is allowed to set or define its own encryption algorithm alongside a password, making data or packet traffic that is traversing within the network segment encrypted with a tenant-specific password. Subsequently, the tenant enters a security inclusion list and a security exclusion list. These lists preferably contain policy rules to determine which packets are to be encrypted or decrypted based on their IP addresses and ports. Finally, the tenant provisions its encryption and decryption algorithm and the security inclusion list (and the security exclusion list) into the tenant security parameter database located at the controller 100. It is preferred that the step 300 includes configuring the encryption and decryption algorithm by the tenant.
The step 301 deals with detection of new port events and provisioning of security parameters into the VEPort datapath. As shown in Figure 7, the controller 100 shall detect any port add events. Once detected, the controller 100 will check the type of the port to determine and confirm whether the port is associated with, or itself is, a VEPort. If the port is not a VEPort, the flow will be aborted. Otherwise, the controller 100 shall send a transact command to port tables in the vswitch database. The vswitch daemon shall monitor the port tables. If there is a change in a security column of the port tables, the vswitch daemon will be triggered to send an OVS_DP_CMD_SET netlink message with security information parameters to the VEPort datapath. The VEPort datapath will further initialize the security unit 203 for performing encryption and decryption. The security information parameters are stored in the security database accordingly.
At the step 304, the security unit 203 encrypts and decrypts the packets transmitted by the security information unit 202 based on the provisioned encryption and decryption algorithm. All packets received from the structure sk_buff will be observed for obtaining packet information therefrom. With reference to Figure 8, when packets are received via ovs_vport_send, a check or verification shall be conducted against the security inclusion list of the tenant security parameter database. At the verification stage, if the source IP address and the source port match the security inclusion list stored in the tenant security parameter database, which is linked to the security database of the security information unit 202 storing the predefined list of security information parameters, then a call will be made to the security unit 203 to encrypt the packets prior to passing them down to a normal or ordinary packet processing path.
If the source IP address and the source port do not match the security inclusion list, then the packets shall be forwarded as is. With reference to Figure 9, when packets are received via ovs_vport_receive, a check or verification shall be conducted against the security inclusion list of the tenant security parameter database. At the verification stage, if the source IP address and the source port match the security inclusion list stored in the tenant security parameter database which is linked to the security database of the security information unit 202 storing the predefined list of security information parameters, then a call will be made to the security unit 203 to decrypt the packets prior to passing down to a normal or ordinary packet processing path. If the source IP address and the source port do not match the security inclusion list, then the packets shall be forwarded as is.
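The datapath check of Figures 8 and 9 and the wildcard/range matching of the inclusion list, as an added example written for this page rather than code from the patent or from Open vSwitch: a user-space Go stand-in for the kernel VEPort datapath. It assumes AES-GCM as the tenant-provisioned symmetric cipher, a key hashed from the tenant password, and the names Rule, Matches, NewSecurityUnit and Process, none of which appear in the patent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"net"
	"strings"
)

// Rule is one policy rule of the security inclusion list: a source IP pattern, either
// a wildcard ("192.168.10.*") or a range ("192.168.10.2-192.168.10.50"), and a source
// port, where 0 matches any port. The field names are assumptions for this example.
type Rule struct {
	SrcIP   string
	SrcPort int
}

// matchIP reports whether an IPv4 address falls under a wildcard or range pattern.
func matchIP(pattern, addr string) bool {
	ip := net.ParseIP(addr).To4()
	if ip == nil {
		return false
	}
	if lo, hi, ok := strings.Cut(pattern, "-"); ok { // range "a.b.c.d - e.f.g.h", inclusive
		loIP, hiIP := net.ParseIP(strings.TrimSpace(lo)).To4(), net.ParseIP(strings.TrimSpace(hi)).To4()
		return loIP != nil && hiIP != nil && bytes.Compare(ip, loIP) >= 0 && bytes.Compare(ip, hiIP) <= 0
	}
	want := strings.Split(pattern, ".") // wildcard: "*" matches any value of that octet
	for i, got := range strings.Split(ip.String(), ".") {
		if i >= len(want) || (want[i] != "*" && want[i] != got) {
			return false
		}
	}
	return true
}

// Matches is the packet comparator: the source IP and source port must fit some rule.
func Matches(list []Rule, srcIP string, srcPort int) bool {
	for _, r := range list {
		if matchIP(r.SrcIP, srcIP) && (r.SrcPort == 0 || r.SrcPort == srcPort) {
			return true
		}
	}
	return false
}

// NewSecurityUnit builds the tenant's symmetric cipher (AES-GCM) from its password;
// SHA-256 stands in for a proper password KDF in this example.
func NewSecurityUnit(tenantPassword string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(tenantPassword))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Process is the check run at both hooks: a packet whose source IP and port match the
// inclusion list is encrypted on ovs_vport_send (send=true) or decrypted on
// ovs_vport_receive (send=false); any other packet is forwarded as is. The three
// packet arguments stand in for the fields the datapath reads from sk_buff.
func Process(list []Rule, su cipher.AEAD, srcIP string, srcPort int, payload []byte, send bool) ([]byte, error) {
	if !Matches(list, srcIP, srcPort) {
		return payload, nil // not covered by the policy rules: forward as is
	}
	n := su.NonceSize()
	if send {
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return su.Seal(nonce, nonce, payload, nil), nil // wire format: nonce || ciphertext || tag
	}
	if len(payload) < n {
		return nil, errors.New("payload shorter than nonce")
	}
	return su.Open(nil, payload[:n], payload[n:], nil) // fails on a truncated or tampered packet
}
```

A packet that fails authentication on the receive path is returned with an error rather than being passed down the ordinary processing path, which is the failure case the inclusion-list check alone does not cover.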
The terms "a" and "an," as used herein, are defined as one or more than one. The term "plurality," as used herein, is defined as two or more than two. The term "another," as used herein, is defined as at least a second or more. The terms "including" and/or "having," as used herein, are defined as comprising (i.e., open language).
While this invention has been particularly shown and described with reference to the exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention as defined by the appended claims.

Claims

1. A system for establishing secured communication within a network segment in virtualized environment, comprising:
a controller (100) for receiving packets; and
a virtual switch (200) coupled to the controller (100) for processing the packets transmitted thereof,
characterized in that,
the virtual switch (200) comprising
a virtual encrypted port (201) comprising a packet decision maker (201a) for receiving the packets associated with the virtual encrypted port (201) from the controller (100) thereof;
a security information unit (202) coupled to the virtual encrypted port (201) comprising a packet extractor (202a) for extracting security information parameters from the packets and a packet comparator (202b) for comparing the security information parameters extracted thereof against a predefined list of security information parameters; and
a security unit (203) comprising an encryption and decryption module for encrypting and decrypting the packets transmitted by the security information unit (202) based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof, wherein the packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path.
2. The system according to Claim 1, wherein the security information unit (202) transmits the packets to the security unit (203) if the security information parameters extracted from the packets match with the predefined list of security information parameters.
3. The system according to Claim 1, wherein the security information parameters include a source Internet Protocol, IP, address, a source port, a destination IP address and a destination port.
4. The system according to Claim 1, wherein the predefined list of security information parameters is stored in a security database of the security information unit (202) that is linked to a tenant security parameter database deployed at the controller (100) thereof.
5. The system according to Claim 4, wherein the tenant security parameter database receives and stores tenant security parameters and a security inclusion list comprising policy rules provisioned by the tenant.
6. The system according to Claim 1, wherein the encryption and decryption algorithm is a symmetric cipher including triple data encryption standard, Triple-DES, advanced encryption standard, AES, Blowfish and tenant-specific password.
7. A virtual switch (200) connected to a controller (100) for establishing secured communication within a network segment in virtualized environment, characterized in that, the virtual switch (200) comprising:
a virtual encrypted port (201) comprising a packet decision maker (201a) for receiving packets associated with the virtual encrypted port (201) from the controller (100) thereof;
a security information unit (202) coupled to the virtual encrypted port (201) comprising a packet extractor (202a) for extracting security information parameters from the packets and a packet comparator (202b) for comparing the security information parameters extracted thereof against a predefined list of security information parameters; and
a security unit (203) comprising an encryption and decryption module for encrypting and decrypting the packets transmitted by the security information unit (202) based on an encryption and decryption algorithm provisioned by a tenant of the network segment thereof, wherein the packets encrypted and decrypted thereof are routed to a virtual machine via a packet processing path.
8. A method of establishing secured communication within a network segment in virtualized environment, characterized in that, the method comprising the steps of:
receiving, at a tenant security parameter database, tenant security parameters and a security inclusion list comprising policy rules from a tenant of the network segment thereof (300);
detecting, by a controller (100), a port event and a type of port associated thereof (301);
receiving, at a virtual encrypted port (201), packets associated with the virtual encrypted port from the controller (100) (302);
extracting, at a security information unit, security information parameters from the packets and comparing the security information parameters extracted thereof against a predefined list of security information parameters (303);
encrypting and decrypting, at a security unit (203), the packets transmitted by the security information unit based on an encryption and decryption algorithm provisioned by the tenant (304); and
routing the packets encrypted and decrypted thereof to a virtual machine via a packet processing path.
9. The method according to Claim 8, wherein the step of receiving, at a tenant security parameter database, tenant security parameters includes configuring the encryption and decryption algorithm by the tenant.
PCT/MY2019/050075 2018-10-15 2019-10-15 System, virtual switch and method for establishing secured communication within network segment in virtualized environment WO2020080930A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2018001744 2018-10-15

Publications (1)

Publication Number Publication Date
WO2020080930A1 true WO2020080930A1 (en) 2020-04-23


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 19873095; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 19873095; Country of ref document: EP; Kind code of ref document: A1