
Issues in Network virtualization

ITICT205A Virtualisation Assignment

Compiled by Saeed Ur Rahman


693484761

Contents
What is network virtualization?..............................................................................1
Issues in network virtualization.............................................................................2
Issues faced by Infrastructure operators.........................................................3
Issues faced by Services providers..................................................................4
Security benefits of network virtualization............................................................5
Security Issues in network virtualization...............................................................5
Types of attacks in a virtualized network environment.......................................6
Attacks in Virtual Networks............................................................................. 6
Attacks in Network Infrastructure....................................................................6
Attacks to the Users........................................................................................ 6
Challenges in a virtualized network.......................................................................7
Defence mechanism for the challenges in virtual networks..................................7
Confidential Packet Forwarding..........................................................................8
Capabilities-Based Virtual Network Instance......................................................9
Conclusion............................................................................................................. 9
References........................................................................................................... 10

What is network virtualization?


Network virtualization allows administrators to consolidate multiple networks,
divide a single network into many, or create software-only networks between
virtual machines. The objective of virtual networks is to improve speed,
automation and network management. Virtual networks also bind separate
physical switches into one virtual switch, which saves space and reduces power
and cabling costs.

Figure 1 Binding of physical network to virtual network (The FP7 4WARD Project, 2008)

Virtual machines support applications that often require network connectivity
(routing and switching) to other virtual machines and to the internet. The first
networking device a Virtual Machine (VM) is connected to is the virtual switch
on the hypervisor, or Virtual Machine Monitor (VMM). Virtualizing the network
means virtualizing the entire set of layer 2 to layer 7 services seen by the
virtual machine, together with all the network configuration necessary to deploy
the application's network architecture.

The purpose of virtualizing networks is to take all the network services, features
and configurations used to provision the application's virtual network (i.e. VLANs,
VRFs, firewall rules, load balancer pools and VIPs, routing, isolation,
multi-tenancy, etc.), decouple them from the physical network and shift them up
into the virtualized software layer (Hedlund and Profile, 2013).
SAEED UR RAHMAN

Virtualized networking reconstructs the layer 2 to layer 7 network services
necessary to deploy the application's virtual network at the same software
virtualization layer that hosts the application's virtual machines. Virtualized
network software recreates logical switches and logical routers (layer 2 to
layer 3) and logical load balancers and logical firewalls (layer 4 to layer 7),
assembled in any arbitrary topology, thereby presenting the virtual compute with
a complete layer 2 to layer 7 virtual network topology.

Figure 2 virtual network VS physical network (Anon, 2014)

Network virtualization is an overlay-based approach that lets a network
administrator in an enterprise datacentre program and provision the network
on demand, without physical access to the switches or routers. It allows a
network to be provisioned in a few seconds. Some other benefits of network
virtualization are (Dhawan, 2014):

Easier and cheaper network management.
Reduced time to provision.
Avoids limitations of current network topologies.
Allows for policy-based access.
Analytics and easier troubleshooting.

Issues in network virtualization

Although virtualizing networks enhances performance, manageability and security,
among other benefits, there are technical issues with virtualizing networks. We
discuss some of the issues and challenges, namely isolation, elasticity and
programmability, encountered with virtual networks by two kinds of entity
(Advanced Network Virtualization: Definition, Benefits, Applications, and
Technical Challenges, 2011):

Infrastructure operators
Service providers

Issues faced by Infrastructure operators

Infrastructure operators have faced many issues with network virtualization.
Some of the major issues are mentioned below:

Isolation of virtual networks
Isolation of virtual networks is an essential feature that provides logically
independent resources designated for each service. It eliminates interference
and mutual impact between virtual networks co-existing over a common physical
infrastructure; the interference includes both performance and security aspects.
Isolation has been studied by means of logical division (VLANs), time division
based on time slots, and wavelength division. To establish highly scalable
isolation for virtual networks, new approaches are recommended:

Enabling performance and security isolation on resource-scarce edge devices: an
augmented machine architecture and enhanced resource-separation technology
suitable for access-network devices, so that resources can be separated securely
on relatively low-performance edge devices.
Substrate technologies to enable stringent isolation: new resource isolation
technologies that complement existing physical-layer isolation technologies (for
example VLAN, time slot and wavelength division) should be established.
Scalability of the number of slices: scalability in terms of the number of
resource-isolated slices, and of the number of slice setups and releases per
unit interval, should be established.

Elasticity
Elasticity is a key feature for optimizing the resources required in response to
service demand, efficiently and rapidly. It is necessary to specify protocols for
real-time and highly scalable resource provisioning.

Enable instant allocation of resources: resource provisioning technology should
be established that responds very rapidly, from the service demand down to the
relevant network equipment.
Scalability for resource control: intelligent resource control should be designed
to manage multiple elementary resources originating from different physical
sources simultaneously, arrange the requested resources from them, and complete
provisioning of the requested slice on demand.

Programmability
Programmability of virtualization-enabled network equipment serves to sustain
optimal network performance in accordance with service requests and to foster
technological innovation in network equipment towards new services and
applications.

Operation and management for system-level network programmability: to apply
programmability to network infrastructures, an integrated design process
consisting of the platform technologies should be established. This cyclic loop
should be repeated, ranging from key technology research, design and development
of devices and systems for the entire operation and management, consideration and
management of core intellectual property, installation into the infrastructure,
auditing of the operation, and assessment of the isolation against interference
among the relevant technologies.
Candidate technologies for programmability: multi-core and hetero-core processors
are the latest candidates for virtualization-enabled network equipment.
Multi-core is the definite trend in processor technology; the issue is how to
reap the rewards of its parallel processing for network-specific tasks.
Intelligent operation for optimized parallel processing is another challenge.

Issues faced by Services providers

Some technical issues faced by service providers, and proposed mitigation
techniques, are as follows:

Isolation
Verification of achieved performance, as a benchmark, is essential to confirm
that performance isolation works and that the agreed performance is guaranteed.
At present, performance benchmarking and SLAs are available mainly for a single
network. Further work for virtualized network environments should be studied,
such as performance analysis at the boundary between infrastructure operators and
service providers, and SLA issues in the case of federated networks.

Development of performance benchmarking and SLAs: performance analysis technology
should be developed to discover performance bottlenecks in a network or in a
node. This technology contributes to clarifying the responsibilities of the
infrastructure operators and the service providers involved.

Elasticity
Elasticity is significant: it discovers the resources and functional components
to be reserved for service composition, discovers the composed service itself,
and configures the service automatically. The technology contributes to
maintaining service integrity and sustainability against both internal causes
(e.g., service modifications and feature changes) and external causes (e.g.,
network condition changes, resource availability changes, and user request
changes).

Optimal resource assignment: the technology selects the most appropriate
resources and functional components among multiple candidates, changes the
selection when the situation changes, and optimizes the resources to be assigned.
It includes identification and discovery of the resources and functional
components required to meet the given SLA, and maximization of the objective
performance index specific to the service.
Consistent and sustainable provisioning: the technology includes rapid
identification and discovery of the required resources and functional
components, swift composition of services, and the corresponding synchronization
and inheritance of service and node status. It aims to achieve service
consistency and sustainability against either internal or external causes.
Programmability
Programmability is indispensable for providing multi-dimensional services with
fine-grained control. Programmability refers to many aspects, such as the
functional components, the telecommunication systems hosting those components,
and the composed services. It gives service providers and users sufficient
flexibility, without physical constraints, to develop innovative services and to
customize or optimize them by enhancing the service components in a short period.

Dynamic service composition: service composition technology should be
established that discovers the resources and functional components needed to
meet the identified service requirements, reserves them on demand, and composes
them into the required service.
Controllability and manageability: technology should be established whose API
controls the configuration of the distributed resources and functional components
when the target service is composed or the assumed network condition changes, and
maintains the target service level agreement (SLA) by keeping the configuration
optimal.

Security benefits of network virtualization

Virtualizing networks brings many benefits to an organization or corporate
enterprise. Among them, security is one of the most important and a major
concern in the IT industry. Virtualizing networks enhances security in several
ways, including:

Centralized storage in a virtualized network mitigates data loss if an end-user
device is compromised.
When virtual machines and applications are isolated, only one application and one
virtual machine is affected by an attack.
If a virtual machine is infected or compromised, it can be rolled back to a prior
state that existed before the attack.
The hardware reductions that come with virtualization improve physical security,
since there are fewer devices.
System and network administration access control, as well as separation of
duties, can be improved: certain individuals may be assigned to control only VMs
within the internal network, while others deal only with VMs in the DMZ.
Virtual switches don't perform the dynamic trunking necessary to conduct
inter-switch link tagging attacks. They also drop double-encapsulated packets, so
double encapsulation attacks aren't effective. Virtual switches also don't allow
packets to leave their assigned broadcast domain, which eliminates the multicast
brute force attacks that rely on overloading a switch into broadcasting packets
to other VLAN domains.
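The last point above describes three checks a virtual switch applies at ingress: it never negotiates a trunk, it discards frames carrying a second 802.1Q tag, and it floods only within the port's own broadcast domain. The following is an added illustration written for this page, not code from the assignment or from any hypervisor product: a small Python model of such an access-port vSwitch with an 802.1Q frame parser, run over constructed frames. Port names, VLAN numbers and the frames themselves are invented for the demonstration.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an IEEE 802.1Q VLAN tag


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, walking any stack of 802.1Q tags.

    Returns the MACs, the list of VLAN IDs found (outermost first),
    the final EtherType and the payload that follows it.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vlans = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != ETH_P_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        offset += 4
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


class VirtualSwitch:
    """Minimal access-port vSwitch: one static VLAN per port, no dynamic trunking."""

    def __init__(self, port_vlan: dict):
        self.port_vlan = dict(port_vlan)  # port name -> its single assigned VLAN

    def ingress(self, port: str, frame: bytes):
        info = parse_frame(frame)
        assigned = self.port_vlan[port]
        # Rule 1: a frame carrying more than one 802.1Q tag is discarded
        # outright, so a nested tag can never be unwrapped into another VLAN.
        if len(info["vlans"]) > 1:
            return "drop", "double-encapsulated frame"
        # Rule 2: a tagged frame may only claim the VLAN the port is assigned to;
        # there is no DTP-style negotiation that could turn the port into a trunk.
        if info["vlans"] and info["vlans"][0] != assigned:
            return "drop", f"tag {info['vlans'][0]} not permitted on {port} (VLAN {assigned})"
        # Rule 3: flood only to ports in the same broadcast domain.
        egress = sorted(p for p, v in self.port_vlan.items() if v == assigned and p != port)
        return "forward", egress


def build_frame(dst: bytes, src: bytes, vids, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: optional stack of 802.1Q tags, then EtherType and payload."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample topology: vm1 and vm2 share VLAN 10, vm3 sits in VLAN 20.
SWITCH = VirtualSwitch({"vm1": 10, "vm2": 10, "vm3": 20})
BCAST = b"\xff" * 6
VM1_MAC = bytes.fromhex("020000000001")


def demo() -> dict:
    """Run four constructed frames from vm1 through the ingress checks."""
    untagged = build_frame(BCAST, VM1_MAC, [])
    tagged_ok = build_frame(BCAST, VM1_MAC, [10])
    wrong_vlan = build_frame(BCAST, VM1_MAC, [20])
    double = build_frame(BCAST, VM1_MAC, [10, 20])
    return {
        "untagged": SWITCH.ingress("vm1", untagged),
        "tagged_ok": SWITCH.ingress("vm1", tagged_ok),
        "wrong_vlan": SWITCH.ingress("vm1", wrong_vlan),
        "double": SWITCH.ingress("vm1", double),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The broadcast from vm1 reaches only vm2, never vm3 in VLAN 20, and both the double-tagged frame and the frame claiming a foreign VLAN are dropped before any forwarding decision is made.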

Security Issues in network virtualization

Network security is a critically important challenge to address when adopting
network virtualization. The programmable functionality of virtual networks and
the provision of a shared, hosted network infrastructure create new security
vulnerabilities, and each entity in the architecture is operated by a different
management unit. A study at the University of Massachusetts, Amherst, MA, USA,
identifies virtual network vulnerabilities and illustrates possible attack
scenarios (Natrajan and Wolf, 2012). Some of the possible attacks are mentioned
below:

Types of attacks in a virtualized network environment

Attacks in Virtual Networks
Virtualized networks can be targeted by attacks generated from the underlying
network infrastructure, from co-hosted virtual networks, or from users connected
to the virtual network. The possible attack scenarios, after making some
assumptions about the attacker, are as follows:

Network infrastructure attack on a virtual network: to gain control over network
congestion and retain the assigned network access, the network infrastructure
could create protocol-specific interference by injecting forged packets to
disrupt a legitimate connection.
Virtual network attack on a co-hosted virtual network: an attacker could take
advantage of the shared infrastructure platform by leasing a portion of its
resources to assess the vulnerabilities and functionality of co-hosted VNs. The
vulnerable virtual network could be a competing virtual network running a
specific service. Once the attacking virtual network is instantiated, it takes
advantage of its placement and launches a cross-virtual-network side-channel
attack to steal information from the vulnerable virtual network.
User attacks on virtual networks: the router migration functionality introduced
by VMware's vMotion facilitates live router migration. While the virtual network
state is being migrated, an attacker sniffing the network traffic can launch a
man-in-the-middle attack to eavesdrop on the contents of the virtual network and
any other confidential data available.

Attacks in Network Infrastructure

The network infrastructure is vulnerable to attacks originating from the hosted
virtual networks or the users associated with them. After making some
assumptions about the attacker's capabilities, the following attacks are
perceived:

User attack on network infrastructure: an attacker could inject a data packet
that exploits a code vulnerability in the hosted virtual network and modifies
the operation of the packet processor, leading to a denial-of-service attack.
Virtual network attack on network infrastructure: an attacker wishing to
reproduce some hosted VN service could manipulate the configuration of the
network infrastructure by extracting confidential information and eavesdropping
on the hosted virtual network's traffic. An example is a live video streaming
service that is eavesdropped on, reproduced and redirected to a set of
unauthorized users.

Attacks to the Users

Numerous network security issues and related defence mechanisms have been
proposed to protect end systems. The following are attacks originating from an
infected virtual network or network infrastructure, after making assumptions
about the attacker's capabilities:

Network infrastructure attack on a user: an attacker can choose to drop packets
within a particular time slot in an infected network infrastructure, thereby
forcing senders to reduce their sending rate because they perceive congestion.
The attacker can selectively drop queued packets, exploiting the congestion
control protocol at the senders. Neither the virtual network nor the sender is
aware of the malicious activity taking place in the network infrastructure.
Virtual network attack on users: an attacker can intentionally sniff end-user
network traffic. This could impose further financial constraints on the user by
raising false alarms.

Challenges in a virtualized network

Although virtualization of IT infrastructure provides many benefits, security
enhancement among them, it has also introduced new and unique challenges
compared to traditional network infrastructure. Some of the challenges that need
to be considered are mentioned below:

Efficient packet processing: an efficient packet processing methodology should be
introduced with a certain level of data transparency between the virtual network
and the network infrastructure. Biased management practices, monitoring of
confidential information, or launching of hidden attacks, as mentioned earlier,
are possible scenarios in a virtualized network. Therefore, a mechanism to
process packets securely without exposing the input data is required. A proposed
functionality known as Confidential Packet Forwarding, which uses a protocol
called EncrIP, may be used to mitigate this issue (Natarajan, 2012).
Global connectivity: end-to-end network connectivity needs to be set up, so the
virtual network service should partner with multiple infrastructure providers
with varying levels of agreements and requirements.
Forwarding rate: the high data-rate forwarding requirements of routers impose a
significant challenge when security mechanisms introduce extra processing. Most
services require a certain level of Quality of Service, such as low latency with
reliable packet processing. To meet such demands, the computational complexity
introduced by newer security mechanisms must not compromise the forwarding data
rate.

Defence mechanism for the challenges in virtual networks

A secure network system should provide fundamental principles such as
confidentiality, integrity and resource isolation of data and information. The
proposed defence mechanisms for these principles are as follows:

Confidentiality: considering the possible vulnerabilities in a virtualized
environment mentioned earlier, the virtual network does not need to expose the
data packet when it is processed by the network infrastructure. Encryption
techniques are effective for ensuring the confidentiality of data traffic
processed by third-party network infrastructure. The challenge is to identify a
mechanism that can support processing of the encrypted input data. The
processing technique should include the following functionality:
An efficient encryption process that encrypts all incoming data under a low
latency requirement.
An encryption process that supports all processing features required by the
hosted virtual network.

Integrity: data integrity protects data from being tampered with or modified
without appropriate authorization. From the attack scenarios mentioned earlier,
it is evident that both virtual networks and network infrastructure are prone to
hidden attacks. By implementing the following defence mechanisms, data integrity
can be achieved:
Modify the network interface card to support better detection capabilities using
processor extensions, and provide inherent assurance of a trusted, accountable
platform.
Introduce a monitoring system with a detection mechanism that identifies
malicious activity and discards it, and a recovery module that resets the
working state of the infrastructure when it is attacked or compromised.
Implement virtual network monitoring that ensures the protocol processing
function in the infrastructure is carried out as specified, and that any
manipulation or modification of network traffic is detected.

Resource isolation: the provisioning of network and physical resource isolation
by the hosting network infrastructure is a major security concern in virtualized
networks. To eliminate these concerns, the following mitigation techniques are
proposed:
Use a network processor that provides the required resource isolation to the
virtual network segment.
Use a network processor that introduces processor scheduling across hardware
threads to ensure isolation and weighted fair access.
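The integrity items above (a detection mechanism that spots manipulated traffic, a recovery trigger, and monitoring that confirms the infrastructure forwarded what it was given) can be made concrete with a reconciliation monitor. The block below is an added example for this page, not code from the assignment or from the cited papers: it fingerprints packets observed at the ingress and egress of an untrusted infrastructure segment, reports drops, modifications and injections, computes per-flow loss so that the selective dropping described in the attack section stands out against ordinary congestion loss, and returns the verdict a recovery module would act on. The packet records, addresses and the 20% loss threshold are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict


def fingerprint(pkt: dict) -> str:
    """Hash only the fields the infrastructure must leave untouched.

    TTL and checksum are deliberately excluded: legitimate forwarding changes
    them, so including them would flag every packet as modified.
    """
    head = f"{pkt['src']}|{pkt['dst']}|{pkt['id']}|".encode()
    return hashlib.sha256(head + pkt["payload"]).hexdigest()


def reconcile(ingress: list, egress: list) -> dict:
    """Compare packets seen entering the segment with those seen leaving it."""
    ing = {p["id"]: p for p in ingress}
    eg = {p["id"]: p for p in egress}
    return {
        "dropped": sorted(i for i in ing if i not in eg),
        "modified": sorted(i for i in ing if i in eg
                           and fingerprint(ing[i]) != fingerprint(eg[i])),
        "injected": sorted(i for i in eg if i not in ing),
    }


def per_flow_loss(ingress: list, egress: list) -> dict:
    """Loss ratio per (src, dst) flow; selective dropping shows up as one
    flow losing far more than its neighbours on the same segment."""
    delivered = {p["id"] for p in egress}
    sent, lost = defaultdict(int), defaultdict(int)
    for p in ingress:
        flow = (p["src"], p["dst"])
        sent[flow] += 1
        if p["id"] not in delivered:
            lost[flow] += 1
    return {flow: lost[flow] / sent[flow] for flow in sent}


def verdict(report: dict, loss: dict, loss_threshold: float = 0.2) -> str:
    """Decide whether the recovery module should reset the infrastructure."""
    if report["modified"] or report["injected"]:
        return "compromised: traffic altered, reset infrastructure state"
    if any(ratio > loss_threshold for ratio in loss.values()):
        return "suspect: selective packet dropping"
    return "ok"


def _pkt(pid, src, dst, payload):
    return {"id": pid, "src": src, "dst": dst, "payload": payload}


# Constructed sample: two flows cross an untrusted infrastructure segment.
INGRESS = [
    _pkt(1, "10.0.0.1", "10.0.1.1", b"flow-a-1"),
    _pkt(2, "10.0.0.1", "10.0.1.1", b"flow-a-2"),
    _pkt(3, "10.0.0.1", "10.0.1.1", b"flow-a-3"),
    _pkt(4, "10.0.0.1", "10.0.1.1", b"flow-a-4"),
    _pkt(5, "10.0.0.2", "10.0.1.2", b"flow-b-1"),
    _pkt(6, "10.0.0.2", "10.0.1.2", b"flow-b-2"),
]
# Constructed egress observations: packet 3 never arrives, packet 5's payload
# was altered in transit, and packet 99 was never sent by any tenant.
EGRESS = [
    _pkt(1, "10.0.0.1", "10.0.1.1", b"flow-a-1"),
    _pkt(2, "10.0.0.1", "10.0.1.1", b"flow-a-2"),
    _pkt(4, "10.0.0.1", "10.0.1.1", b"flow-a-4"),
    _pkt(5, "10.0.0.2", "10.0.1.2", b"TAMPERED"),
    _pkt(6, "10.0.0.2", "10.0.1.2", b"flow-b-2"),
    _pkt(99, "10.0.0.9", "10.0.1.9", b"injected"),
]


def demo() -> dict:
    report = reconcile(INGRESS, EGRESS)
    loss = per_flow_loss(INGRESS, EGRESS)
    return {"report": report, "loss": loss, "verdict": verdict(report, loss)}


if __name__ == "__main__":
    print(demo())
```

Keying the comparison on a packet identifier rather than on position makes reordering harmless, and excluding mutable header fields from the fingerprint is what separates "the infrastructure forwarded as specified" from "the infrastructure changed the bytes".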


Confidential Packet Forwarding

Encrypted IP (EncrIP) is a protocol that uses probabilistic encryption in a
prefix-preserving manner to hide source and destination information while still
permitting packet forwarding using longest prefix match. Using EncrIP, network
infrastructure providers can forward packets without gaining insight into the
internal operation of virtual networks. EncrIP can be implemented using only a
few MB of data on gateways at the edge of the virtual network (Natrajan and
Wolf, 2012). Forwarding in the virtual network itself can be performed without
overhead. The success probability of a statistical inference attack, trying to
identify which packets belong to the same source-destination pair, is less than
0.001%. Therefore, EncrIP can be assumed to present an effective solution for
providing privacy in virtualized networks (Natrajan and Wolf, 2012).

Figure 3 Packet forwarding: Encrypted vs normal

When a virtual network is used to connect multiple subnetworks (e.g., corporate
campuses), the traffic sent via the network infrastructure can be seen by the
network infrastructure provider. Introducing a gateway that encrypts network
addresses means the infrastructure provider can no longer determine which
end-system is communicating with which other end-system. The presented approach
achieves this privacy more efficiently than IPsec and other approaches, and does
not require any additional headers.
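The property that makes the two passages above work is that an encryption of addresses which preserves shared prefixes also preserves the result of longest-prefix-match forwarding, so an infrastructure router can forward on ciphertext addresses using a table whose prefixes were encrypted under the same key. The following is an added example for this page and is not EncrIP or any code from Natrajan and Wolf: it uses the simpler deterministic prefix-preserving construction (each ciphertext bit is the plaintext bit XORed with a keyed pseudo-random bit derived from the preceding plaintext bits, in the style of Crypto-PAn) and shows that plaintext and encrypted forwarding pick the same next hop. The key and routing table are constructed for the demonstration. Because this scheme is deterministic, the same address always encrypts to the same ciphertext, so an observer can still link packets of the same source-destination pair; that linkability is exactly what EncrIP's probabilistic encryption is designed to remove.

```python
import hashlib
import hmac
import ipaddress


def _prf_bit(key: bytes, prefix_bits: str) -> int:
    """Keyed pseudo-random bit that depends only on the already-processed prefix."""
    digest = hmac.new(key, prefix_bits.encode(), hashlib.sha256).digest()
    return digest[0] & 1


def encrypt_address(key: bytes, addr: str) -> str:
    """Deterministic prefix-preserving encryption of an IPv4 address.

    Bit i of the output is bit i of the input XOR PRF(bits 0..i-1), so two
    addresses sharing k leading bits produce ciphertexts sharing exactly k.
    """
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = [str(int(b) ^ _prf_bit(key, bits[:i])) for i, b in enumerate(bits)]
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def _mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def encrypt_table(key: bytes, table: list) -> list:
    """Encrypt each route prefix; bits beyond the prefix length are masked off."""
    enc = []
    for net, plen, next_hop in table:
        enet = int(ipaddress.IPv4Address(encrypt_address(key, net))) & _mask(plen)
        enc.append((str(ipaddress.IPv4Address(enet)), plen, next_hop))
    return enc


def longest_prefix_match(table: list, dst: str):
    """Plain LPM lookup; works unchanged on plaintext or encrypted tables."""
    d = int(ipaddress.IPv4Address(dst))
    best = None
    for net, plen, next_hop in table:
        n = int(ipaddress.IPv4Address(net))
        if (d & _mask(plen)) == (n & _mask(plen)) and (best is None or plen > best[1]):
            best = (net, plen, next_hop)
    return best[2] if best else None


def shared_prefix_length(a: str, b: str) -> int:
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def forwarding_agrees(key: bytes, table: list, destinations: list) -> bool:
    """The infrastructure, holding only the encrypted table and encrypted
    destinations, must reach the same next hop as the plaintext lookup."""
    enc_table = encrypt_table(key, table)
    return all(longest_prefix_match(table, d)
               == longest_prefix_match(enc_table, encrypt_address(key, d))
               for d in destinations)


# Constructed demo key and routing table (gateway side holds KEY, infrastructure does not).
KEY = b"constructed-demo-key-not-for-real-use"
ROUTES = [
    ("0.0.0.0", 0, "default"),
    ("10.0.0.0", 8, "hop-a"),
    ("10.1.0.0", 16, "hop-b"),
    ("192.168.0.0", 16, "hop-c"),
]
DESTS = ["10.1.2.3", "10.9.9.9", "192.168.7.7", "8.8.8.8"]


if __name__ == "__main__":
    for d in DESTS:
        print(d, "->", encrypt_address(KEY, d), "via", longest_prefix_match(ROUTES, d))
    print("encrypted forwarding agrees:", forwarding_agrees(KEY, ROUTES, DESTS))
```

The router code path is unchanged: the only difference between the plaintext and confidential deployments is which table and which destination field it is handed, which is the "no additional headers" point made above.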

Capabilities-Based Virtual Network Instance

Capabilities-based networks present a fundamental shift in the security design
of network architectures. Instead of permitting packets to flow from any source
to any destination, routers deny forwarding by default. For a successful
transmission, packets need to identify themselves and their permission to the
router. A major challenge for a high-performance implementation of such a
network is an efficient design of the credentials carried in the packet and of
the verification procedure on the router. Recent proposals for capabilities-based
networks have provided some ideas on this fundamental shift in the design
philosophy of networks, moving from the internet's on-by-default principle to an
off-by-default assumption (Natrajan and Wolf, 2012). In an off-by-default
network, a connection needs to be explicitly authorized to reach an end-system,
rather than being allowed to connect to it by default.
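The off-by-default model above reduces, on the router, to a fast check of a credential carried in the packet. The block below is an added example for this page, not code from the assignment or from any capabilities-based network proposal: an authorizing entity issues a capability that binds a (source, destination) pair to an expiry time with an HMAC, and a router forwards only packets whose capability verifies, denying everything else. The single authority key shared with the verifying router, the 16-byte truncated tag and the packet layout are simplifications assumed for the demonstration; real proposals derive per-router, per-path credentials.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 carried in the packet (demo choice)
CAP_LEN = 8 + TAG_LEN  # 64-bit expiry followed by the tag


def _capability_tag(authority_key: bytes, src: str, dst: str, expires_at: int) -> bytes:
    msg = f"{src}|{dst}|{expires_at}".encode()
    return hmac.new(authority_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def issue_capability(authority_key: bytes, src: str, dst: str, expires_at: int) -> bytes:
    """Authorizing entity grants src permission to reach dst until expires_at."""
    return struct.pack("!Q", expires_at) + _capability_tag(authority_key, src, dst, expires_at)


def router_forward(authority_key: bytes, packet: dict, now: int) -> str:
    """Off-by-default router: every path to 'forward' requires a valid credential."""
    cap = packet.get("capability")
    if cap is None or len(cap) != CAP_LEN:
        return "deny: no capability"
    (expires_at,) = struct.unpack("!Q", cap[:8])
    if now >= expires_at:
        return "deny: expired"
    # Recompute the tag over the packet's own src/dst so a capability issued
    # for one pair cannot be replayed on a different destination.
    expected = _capability_tag(authority_key, packet["src"], packet["dst"], expires_at)
    if not hmac.compare_digest(expected, cap[8:]):  # constant-time comparison
        return "deny: bad capability"
    return "forward"


# Constructed demo key, endpoints and clock values.
AUTHORITY_KEY = b"constructed-demo-authority-key"
SRC, DST, OTHER = "10.0.0.5", "10.0.1.9", "10.0.1.77"
CAP = issue_capability(AUTHORITY_KEY, SRC, DST, expires_at=2000)


def demo() -> dict:
    """Exercise the router with authorized, unauthorized, replayed and stale packets."""
    return {
        "authorized": router_forward(AUTHORITY_KEY, {"src": SRC, "dst": DST, "capability": CAP}, now=1000),
        "no_capability": router_forward(AUTHORITY_KEY, {"src": SRC, "dst": DST}, now=1000),
        "replayed_to_other_dst": router_forward(AUTHORITY_KEY, {"src": SRC, "dst": OTHER, "capability": CAP}, now=1000),
        "expired": router_forward(AUTHORITY_KEY, {"src": SRC, "dst": DST, "capability": CAP}, now=3000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {result}")
```

Note that the router performs one HMAC per packet and no state lookup, which is the kind of cheap verification the passage says a high-performance implementation needs; the cost moves to the authorizing entity that decides who may talk to whom.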

Conclusion
Virtualization of network infrastructure is among the major developments in the
IT industry. Network virtualization provides cost, manageability, scalability and
flexibility benefits, along with security and network performance enhancements.
However, it has also given rise to some new and unique security and performance
issues that need to be studied, and appropriate countermeasures need to be
considered before a virtualized network is implemented.


References
Advanced Network Virtualization: Definition, Benefits, Applications, and Technical Challenges. (2011). 1st ed. [ebook] Network Virtualization Study Group, pp. 16-21. Available at: https://nvlab.nakao-lab.org/nv-study-group-white-paper.v1.0.pdf [Accessed 8 Nov. 2014].
Anon, (2014). [image] Available at: http://blog.ipspace.net/2011/10/vxlan-termination-on-physical-devices.html [Accessed 8 Nov. 2014].
Benefits of virtualizing. (2014). 1st ed. [ebook] Cisco. Available at: http://docs.media.bitpipe.com/io_10x/io_104158/item_519976/Cisco_sServerVirt_IO%23104158_E-Guide_030712.pdf [Accessed 8 Nov. 2014].
Chowdhury, N. M. M. K. and Boutaba, R. (2010). A survey of network virtualization. Computer Networks 54.
Computerweekly.com, (2014). VMware: five biggest challenges of server virtualisation. [online] Available at: http://www.computerweekly.com/feature/VMware-five-biggest-challenges-of-server-virtualisation [Accessed 7 Nov. 2014].
Dhawan, A. (2014). Benefits of Network Virtualization to Enterprise Customers. [online] Insights.wired.com. Available at: http://insights.wired.com/profiles/blogs/benefits-of-network-virtualization-to-enterprise-customers#axzz3IT3EBvQI [Accessed 8 Nov. 2014].
Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. Proceedings of the 41st annual ACM symposium on Symposium on theory of computing - STOC '09.
Hedlund, B. and Profile, A. (2013). What is Network Virtualization? [online] BRAD HEDLUND. Available at: http://bradhedlund.com/2013/05/28/what-is-network-virtualization/ [Accessed 7 Nov. 2014].
Mekouar, L., Iraqi, Y. and Boutaba, R. (2010). Incorporating Trust in Network Virtualization. 2010 10th IEEE International Conference on Computer and Information Technology.
Mizrak, A., Cheng, Y., Marzullo, K. and Savage, S. (2006). Detecting and isolating malicious routers. IEEE Transactions on Dependable and Secure Computing 3.
Natarajan, S. (2012). Security Issues in Network Virtualization for the Future Internet. [online] Scholarworks.umass.edu. Available at: http://scholarworks.umass.edu/cgi/viewcontent.cgi?article=1655&context=open_access_dissertations [Accessed 8 Nov. 2014].
Natrajan, S. and Wolf, T. (2012). Security Issues in Network Virtualization for the Future Internet. 1st ed. [ebook] Amherst, MA, USA: Department of Electrical and Computer Engineering, University of Massachusetts. Available at: http://www.ecs.umass.edu/ece/wolf/pubs/icnc2012.pdf [Accessed 8 Nov. 2014].
Routeviews.org, (2003). Route Views Project Page. [online] Available at: http://www.routeviews.org/ [Accessed 8 Nov. 2014].
Tariq, M., Motiwala, M., Feamster, N. and Ammar, M. (2009). Detecting network neutrality violations with causal inference. Proceedings of the 5th international conference on Emerging networking experiments and technologies - CoNEXT '09.
The FP7 4WARD Project, (2008). WP3 - Network Virtualization. [image] Available at: http://www.4ward-project.eu/index.php?s=overview&c=WP3 [Accessed 8 Nov. 2014].
