Network Virtualization and Security

The Linux Plumbers 2014 Network Virtualization and Security track is focusing on the design and implementation of virtualization and security in the networking stack. Network virtualization is undoubtedly an exciting and disruptive technology that is becoming pervasive in the data center; however, it could easily become a security and privacy nightmare. We need to address these issues as a community. This is important not just for the success of virtualization or cloud, but, I believe, is paramount to the future of the Internet itself!

Areas of interest are:

  • Network virtualization performance - how do we get virtual performance == native performance (with security requirements addressed)?
  • Hardware switching offload API
  • Packet level security for data centers - how can we get to encrypting all packets in flight?
  • Hardware offload and network virtualization - how to offload checksum, LSO/GRO, and encryption to the hardware?
  • Group Based Policy Abstraction - how to translate abstract security policies into specific ACLs with appropriate performance?
  • Packet inspection and network virtualization - how to provide a scalable first line of defense at a host with VMs?
  • Scalability, isolation, and protocol mechanisms - how do we scale and allow extensibility to address future threats?
  • DoS and network virtualization - how do we defend the network against internally generated DoS attacks?
  • Application level security - how do we establish trust with userspace apps to access sensitive data?
  • Configuration security - how can we prevent kernel or device configuration (willful or inadvertent) from circumventing security measures?
  • Exfiltration control - how to prevent data loss after a breach?

Talks

The structure will be short introductions to an issue or topic followed by a discussion with the audience. A hard limit of 3 slides per presentation is enforced to ensure focus and allocate enough time for discussions.

Attendees

  • Confirmed
    • Alexei Starovoitov
    • Thomas Graf
    • Tom Herbert
    • Vincent JARDIN (DPDK expert and stack)
    • Jesse Gross
    • Deep Debroy (Cisco Systems)
    • Rony Efraim (Mellanox)
    • Or Gerlitz (Mellanox)
    • Hannes Frederic Sowa (Red Hat)
    • Steffen Klassert (secunet)
    • … Add yourself …
  • Desirable
    • Kernel network hackers
    • OVS guys
    • Geneve and VXLAN authors
    • Network driver authors and maintainers
    • Switch abstraction guys
    • Software datapath folks

Talk Proposals

  • Network virtualization performance / Vincent: backgrounder, virtio, vSwitch for VM2VM
    • Abstract: …
  • Packet level security for data centers / Vincent: backgrounder, multitenant/netns, VXLAN + IPsec
    • Abstract: …
  • Integrated Network Virtualization / Tom Herbert - integrating virtualization into the stack
  • Generic UDP Encapsulation / Tom Herbert - implementing a scalable and extensible encapsulation protocol
  • does packet format matter? (Alexei Starovoitov, Plumgrid)
    • (ideas for solving ever growing need of new meta data in the cloud and live discussion)
  • vxlan + encryption (Alexei Starovoitov, Plumgrid)
    • example packet format, lessons learned in implementation
  • tenant security in the cloud, policy enforcement (Alexei Starovoitov, Plumgrid)
    • example packet format, performance and hw offload
  • Stateful services for OVS (Thomas Graf, Noiro / Jesse Gross? Justin?)
    • progress, opens, performance, discussion
  • Demystifying group based policy and OpFlex (Thomas Graf, Noiro)
  • Geneve: Generic Network Virtualization Encapsulation (Jesse Gross)
  • OVS userspace tunneling (Pravin Shelar)
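Several of the proposals above are about the encapsulation headers themselves (VXLAN, Geneve, GUE; "does packet format matter?", "example packet format"). As an added example, not code from any speaker or project listed on this page, here is a small Python encoder/decoder for the VXLAN header (RFC 7348) and the Geneve header (draft-gross-geneve in 2014, later RFC 8926), with the checks a receiving tunnel endpoint should make: version, bounds on the option block, and dropping packets that carry a critical option of an unknown class. The option class 0x0102, the tenant-ID option and the inner payload are constructed for the example and not assigned anywhere.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

VXLAN_UDP_PORT = 4789     # IANA-assigned UDP ports
GENEVE_UDP_PORT = 6081
ETHERTYPE_TEB = 0x6558    # Geneve protocol type for an inner Ethernet frame
VXLAN_I_FLAG = 0x08       # "VNI present" flag, must be set


class EncapError(ValueError):
    """Raised for a malformed or unacceptable encapsulation header."""


def vxlan_encode(vni: int, payload: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 24-bit reserved, 24-bit VNI, 8-bit reserved."""
    if not 0 <= vni < (1 << 24):
        raise EncapError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8) + payload


def vxlan_decode(frame: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner frame); reserved bits are ignored, a clear I flag is rejected."""
    if len(frame) < 8:
        raise EncapError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", frame[:8])
    if not flags & VXLAN_I_FLAG:
        raise EncapError("VXLAN I flag not set")
    return vni_field >> 8, frame[8:]


@dataclass
class GeneveOption:
    opt_class: int   # 16-bit option class
    opt_type: int    # 8-bit type; the high bit marks the option as critical
    data: bytes      # multiple of 4 bytes, at most 124 bytes

    @property
    def critical(self) -> bool:
        return bool(self.opt_type & 0x80)


@dataclass
class GeneveHeader:
    vni: int
    protocol_type: int = ETHERTYPE_TEB
    oam: bool = False
    options: List[GeneveOption] = field(default_factory=list)


def geneve_encode(hdr: GeneveHeader, payload: bytes) -> bytes:
    """Build the base header (Ver|OptLen|O|C|Rsvd, ProtocolType, VNI|Rsvd) plus TLV options."""
    if not 0 <= hdr.vni < (1 << 24):
        raise EncapError("VNI must fit in 24 bits")
    opts = b""
    for o in hdr.options:
        if len(o.data) % 4 or len(o.data) > 124:
            raise EncapError("option data must be a multiple of 4 bytes, at most 124")
        # option header: class(16) type(8) R(3)+length(5, in 4-byte words, excluding this header)
        opts += struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
    opt_words = len(opts) // 4
    if opt_words > 63:
        raise EncapError("option block exceeds 63 words")
    critical = any(o.critical for o in hdr.options)
    first16 = (opt_words << 8) | (int(hdr.oam) << 7) | (int(critical) << 6)  # Ver = 0
    return struct.pack("!HHI", first16, hdr.protocol_type, hdr.vni << 8) + opts + payload


def geneve_decode(frame: bytes) -> Tuple[GeneveHeader, bytes]:
    """Parse a Geneve header with bounds checks on the option block; returns (header, inner)."""
    if len(frame) < 8:
        raise EncapError("truncated Geneve base header")
    first16, proto, vni_field = struct.unpack("!HHI", frame[:8])
    if first16 >> 14 != 0:
        raise EncapError("unsupported Geneve version %d" % (first16 >> 14))
    end = 8 + ((first16 >> 8) & 0x3F) * 4
    if len(frame) < end:
        raise EncapError("option block runs past end of packet")
    options, off = [], 8
    while off < end:
        if end - off < 4:
            raise EncapError("option header does not fit in option block")
        cls, typ, len_field = struct.unpack("!HBB", frame[off:off + 4])
        off += 4
        data_len = (len_field & 0x1F) * 4
        if off + data_len > end:
            raise EncapError("option data runs past option block")
        options.append(GeneveOption(cls, typ, frame[off:off + data_len]))
        off += data_len
    return GeneveHeader(vni_field >> 8, proto, bool(first16 & 0x80), options), frame[end:]


def geneve_accept(frame: bytes, known_classes: set) -> Tuple[GeneveHeader, bytes]:
    """Decode and apply the receiver rule: a critical option of an unknown class means drop."""
    hdr, inner = geneve_decode(frame)
    for o in hdr.options:
        if o.critical and o.opt_class not in known_classes:
            raise EncapError("unknown critical option class 0x%04x" % o.opt_class)
    return hdr, inner


if __name__ == "__main__":
    inner = b"\x00" * 14 + b"inner-frame"                         # constructed payload
    tenant_opt = GeneveOption(0x0102, 0x80, b"\x00\x00\x00\x2a")  # hypothetical critical option
    wire = geneve_encode(GeneveHeader(vni=100, options=[tenant_opt]), inner)
    print(vxlan_encode(0x1234, inner)[:8].hex(), wire[:16].hex())
    print(geneve_accept(wire, {0x0102})[0])
```

The bounds checks matter because the option length fields are attacker-controlled on any tunnel that accepts packets from outside the host; a decoder that trusts OptLen or an option's length word is exactly the kind of first-line-of-defense bug the "packet inspection" item above asks about.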

Schedule

  • We are currently collecting talk proposals; the schedule will be announced after final selection
  • This microconference needs to be scheduled at a different time than Network Switch Devices, as many people will want to attend both.

Discussion notes

  • TBD

Contact

Proposal added by therbert@google.com, Thomas Graf tgraf@suug.ch

2014/network_virtualization_security.txt · Last modified: 2014/09/29 15:05 by 73.162.13.212
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported