Software-defined networking (SDN) often uses network controllers to configure logical networks throughout a data center, such as a software-defined data center (SDDC). In a logical network, one or more virtual machines (VMs) or other virtualized computing instances (e.g., containers such as Docker containers, data compute nodes, isolated user space instances, etc.) and one or more virtual switches may be implemented by a virtualization layer (e.g., a hypervisor) running on host machines, which are physical computing devices. The host machines may be connected to a physical network via physical network interfaces (PNICs). Each VM may include one or more virtual network interfaces (VNICs) for exchanging traffic with other entities on the logical network. The VNICs may behave similarly to PNICs. Each VNIC may connect to a virtual port of a virtual switch to exchange traffic of the associated VM on the logical network. In particular, the VNIC of a VM may be responsible for exchanging packets between the VM and the hypervisor implementing the VM. The hypervisor implementing the VM may further exchange packets with hypervisors (and corresponding VMs) running on other host machines via the PNIC of its host machine.
Networks may be vulnerable to side-channel attacks. Side-channel attacks are attacks based on side-channel information, which may be retrieved even from encryption-protected communication channels. Side-channel information is information gained from the physical implementation of a system, rather than from theoretical weaknesses in the encryption algorithms (as exploited by, for example, a brute-force attack). Side-channel information may include timing information (e.g., the timing of the traffic), power consumption, electromagnetic emissions, sound, etc. Hackers may collect and analyze side-channel information and exploit it to break or circumvent the security system without breaking the encryption.
In the context of network security, the traffic pattern, the traffic timing, the size of the (encrypted) packets, etc., may be sensitive data that could be used by hackers. Side-channel information leakage may leave an encrypted system vulnerable to side-channel attacks. For example, a hacker may simply sniff the traffic on a wire without attempting to decrypt it. Network traffic in an SDDC may be vulnerable to side-channel attacks when the underlying physical network is insecure and easily accessible to hackers. Thus, even if the communications within the data center network are encrypted, hackers may still be able to use side-channel attacks to collect sensitive information within the data center. Securing data and network transmissions on local area networks, encryption, and protection of sensitive data, including side-channel data, continue to be important considerations for network operators.
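As an added illustration (not part of the original text), the following Python models the leakage described above and one standard mitigation: encryption hides message content but not message lengths or counts, so a passive observer on the wire can still match a flow against known traffic patterns; padding every message up to a fixed bucket size and sending dummy messages so that every flow has the same count (constant-volume cover traffic) removes that signal. The two application profiles, their message sizes, and the AEAD overhead constant are constructed assumptions, not values from the text.

```python
"""Traffic-analysis side channel on encrypted flows, with a padding mitigation.

Constructed example: two application exchanges ("login" and "fetch") whose
plaintext message sizes differ. An on-path observer sees only ciphertext
lengths, which an AEAD cipher preserves up to a constant overhead, and can
therefore still tell the exchanges apart without decrypting anything.
"""
from __future__ import annotations

# Assumed per-message overhead: 12-byte nonce + 16-byte authentication tag.
AEAD_OVERHEAD = 28

# Constructed plaintext message sizes (bytes) for two application exchanges.
PROFILES = {
    "login": [64, 220, 48, 1300],
    "fetch": [80, 1400, 1400, 1400, 300],
}


def pad_to_bucket(size: int, bucket: int) -> int:
    """Round a plaintext size up to the next multiple of bucket (at least one bucket)."""
    return max(1, -(-size // bucket)) * bucket


def ciphertext_lengths(sizes: list[int], bucket: int | None = None) -> list[int]:
    """Lengths an observer sees on the wire for each message of a flow.

    With bucket padding, every plaintext is padded to a multiple of `bucket`
    before encryption; without it the ciphertext length tracks the plaintext.
    """
    out = []
    for s in sizes:
        padded = s if bucket is None else pad_to_bucket(s, bucket)
        out.append(padded + AEAD_OVERHEAD)
    return out


def wire_signature(sizes: list[int], bucket: int | None = None,
                   fixed_count: int | None = None) -> list[int]:
    """Everything a passive observer learns about a flow: its ciphertext lengths.

    fixed_count adds dummy messages so that every flow carries exactly that
    many messages. Dummies are one bucket long, so bucket padding is required
    for them to be indistinguishable from real messages.
    """
    lengths = ciphertext_lengths(sizes, bucket)
    if fixed_count is not None:
        if bucket is None:
            raise ValueError("cover traffic needs bucket padding so dummies look real")
        if len(lengths) > fixed_count:
            raise ValueError("flow exceeds the fixed message count")
        lengths += [bucket + AEAD_OVERHEAD] * (fixed_count - len(lengths))
    return lengths


def infer(observed: list[int], bucket: int | None = None,
          fixed_count: int | None = None) -> list[str]:
    """Observer's inference: which known profiles match the observed lengths exactly.

    A single name means the flow is identified; several names mean the
    mitigation has made the flows ambiguous to the observer.
    """
    return sorted(name for name, sizes in PROFILES.items()
                  if wire_signature(sizes, bucket, fixed_count) == observed)


def distinguishable(a: str, b: str, bucket: int | None = None,
                    fixed_count: int | None = None) -> bool:
    """True if an observer can tell profile a from profile b on the wire."""
    return (wire_signature(PROFILES[a], bucket, fixed_count)
            != wire_signature(PROFILES[b], bucket, fixed_count))


if __name__ == "__main__":
    for bucket, count in [(None, None), (256, None), (1500, 5)]:
        seen = wire_signature(PROFILES["login"], bucket, count)
        print(f"bucket={bucket} cover={count}: wire={seen} -> {infer(seen, bucket, count)}")
```

Running the block shows that with no padding the observed login flow matches only "login"; a small bucket (256 bytes) blurs individual sizes but the sequence shape still identifies the flow; padding to a 1500-byte bucket plus a fixed count of five messages makes both profiles produce identical wire signatures. Inter-arrival timing leaks in the same way and is handled by the same idea (sending at fixed intervals), at the cost of bandwidth and latency that the operator must budget for.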