Field
Embodiments of the present invention generally relate to data networking and more particularly to securing access to a dynamic virtualized network that is overlaid on a physical network.
Description of the Related Art
A virtualized network is a data network that is overlaid on the top of another network, such as a physical network. Network elements in the overlaid network are connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. For example, a virtualized network is a combination of hardware and software network resources that is a single administrative entity.
One example of a virtualized network is Virtual eXtensible Local Area Network (VXLAN), where VXLAN is a layer 2 overlay over a layer 3 physical network. Each VXLAN overlay network is known as a VXLAN segment and is identified by a unique 24-bit segment ID called a VXLAN Network Identifier (VNI). Virtual machines with the same VNI are allowed to communicate with each other over the corresponding VXLAN segment. In a VXLAN segment, virtual machines are uniquely identified by the combination of Media Access Control (MAC) addresses and the VNI of that segment. A Virtual Tunnel Endpoint (VTEP) encapsulates data entering the VXLAN segment with the VNI and de-encapsulates the data traffic leaving the VXLAN segment.
In addition, VXLAN uses multicast to transport virtual machine originated traffic such as unknown destination MAC packets, broadcasts, multicast or non-Internet Protocol (IP) traffic. Multicast is also used for endpoint discovery by the VTEPs. Physical switches further use multicast snooping to build a map of the physical ports to multicast addresses in use by the end clients.
The model used for VXLAN overlay network virtualization as well as other virtualization models (e.g., Network Virtualization using Generic Routing Encapsulation (NVGRE), Stateless Transport Tunneling (STT), Overlay Transport Virtualization (OTV), etc.) use tunneling and encapsulation. In addition, these models use IP Multicast for learning new network addresses in each virtual segment. This is called conversational learning as this attempts to mimic the behavior of a traditional Ethernet network so that the instantiation of a virtualized network does not require any changes to the host stacks. For example, traditional Ethernet Network Interface Controller (NIC) drivers, Transport Control Protocol (TCP)/IP stacks, etc., continue to work and the deployment of a virtualized network is transparent to hosts and applications.
The challenge with these conversational learning models is that they rely upon relatively insecure methods of joining a virtualized segment and there are no mechanisms in place that prevents source address spoofing. For example, a rogue node in a multi-tenant cloud you can join any tenant network, bypassing every firewall, and security appliance they have in their data path.