Marian Marinov, profile picture
Uploaded byMarian Marinov
PDF, PPTX3,885 views

Secure LXC Networking

This document discusses secure LXC networking using various methods like MACVLAN, VETH, VLAN, and OpenVSwitch. It provides code samples for generating MAC addresses in Bash, PLPGSQL, and Python. Bridging with Linux bridge and OpenVSwitch is also covered. The document emphasizes securing network traffic within and between containers by limiting traffic to assigned IP/MAC addresses and enforcing rules with OpenFlow.

Embed presentation

Download as PDF, PPTX
Secure LXC networking Marian HackMan Marinov <mm@1h.com> CEO of 1H Ltd. CTO of GetClouder.com
Who am I? ➢ System Administrator since 1998 ➢ CEO of 1H Ltd. ➢ CTO of GetClouder Ltd. ➢ Head of DevOps for Siteground.com ➢ Organizer of OpenFest, BG Perl workshops and others ➢ This year I helped with the organization of YAPC europe and EuroBSDcon in Sofia ➢ In my spare time I teach Linux System Administration and Network Security courses in Sofia University ➢ For the past year I'm playing mainly with containers!
We don't really need networking...
MAC addresses ➢ Keep a central DB with all MAC addresses to prevent collisions ➢ Use a reliable way to generate MAC addresses ➢ Keep in mind: ➢local or global ➢unicast or multicast
generate MAC address in bash function gen_mac() { mac_vars=(0 1 2 3 4 5 6 7 8 9 a b c d e f) mac_base='52:00:01:' ret='' for i in {1..6}; do n=$RANDOM let 'n %= 16' ret="${ret}${mac_vars[$n]}" if [ $i -eq 2 ] || [ $i -eq 4 ]; then ret="${ret}:" fi done echo "${mac_base}${ret}" }
generate mac address in PLPGSQL CREATE OR REPLACE FUNCTION generate_mac() RETURNS text LANGUAGE plpgsql AS $$DECLARE mac TEXT; a CHAR; count INTEGER; BEGIN mac='52:00:01:'; FOR count IN 1..6 LOOP SELECT substring('0123456789abcdef' FROM (random()*16)::int + 1 FOR 1) INTO a; -- This fixes an issue, where the above SELECT returns NULL or empty string -- If for some reason we concatenate with a NULL string, the result will be NULL string WHILE a IS NULL OR a = '' LOOP SELECT substring('0123456789abcdef' FROM (random()*16)::int + 1 FOR 1) INTO a; END LOOP; mac = mac || a; IF count = 2 OR count = 4 THEN mac = mac || ':'; END IF; END LOOP; RETURN mac; END;$$;
generate MAC address in Python #/usr/bin/python import random mac = [random.choice(range(256)) for i in range(6)] mac[0] |= 0x02 mac[0] &= 0xfe print ':'.join('%02x' % m for m in mac)
Types of LXC networking ➢none ➢empty ➢macvlan ➢macvtap (did not have time to test it) ➢veth (linux or ovs bridge) ➢vlan ➢physical ➢VPN device(haven't tried that either)
None lxc.network.type = none lxc.network.hwaddr = 00:16:3a:61:45:a6 lxc.network.flags = up
Empty lxc.network.type = empty lxc.network.hwaddr = 00:16:3a:61:45:a6 lxc.network.flags = up
VETH lxc.network.type = veth lxc.network.veth.pair = vethc3070 lxc.network.flags = up lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
VETH lxc.network.veth.pair = vethc3070 11: vethD6YPJ1: <BROADCAST,MULTICAST,PROMISC,UP,LOWE R_UP> mtu 1500 qdisc pfifo_fast master lxcbr0 state UP qlen 1000 link/ether f2:0:32:02:55:2f brd ff:ff:ff:ff:ff:ff valid_lft forever preferred_lft forever
MACVLAN lxc.network.type = macvlan lxc.network.macvlan.mode = bridge lxc.network.flags = up lxc.network.link = lxcbr1 lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
MACVLAN ➢ If you want to manually setup the networking ip link add link PARENT [NAME] type macvlan [address MAC] ➢ Auto generated MAC adresses # ip link add link eth0 lxc0 type macvlan ➢ Manually assigned # ip link add link eth0 lxc1 type macvlan address f0:de:f1:81:0a:2a ➢ Additional parameter: mode ➢ macvlan mode { private | vepa | bridge | passthru }
MACVLAN ➢ private (filter all incoming packets) ➢ bridge (all packets on the same iface can be seen from all vlans) ➢ pasthru (requires enabled STP) ➢ VEPA (Virtual Ethernet Port Aggregator)
MACVLAN ➢ Edge Virtual Bridging EVB ➢ Top-of-Rack (ToR) ➢ End-of-Row (EoR) ➢ Virtual Ethernet Bridge (VEB) ➢ Linux bridge ➢ OpenVswitch ➢ Virtual Ethernet Port Aggregator (VEPA) ➢ used for EVB ➢ VEPA 802.1Qab - HP, IBM, Brocade, Juniper ➢ Standard mode ➢ Multi-channel VEPA (Q-in-Q) ➢ VN-Tag 802.1Qbh - Cisco
VLAN lxc.network.type = vlan lxc.network.vlan.id = 10 lxc.network.flags = up lxc.network.link = eth0 lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
VLAN # vconfig add eth0 10 # ip link add link eth0 vlan10 type vlan id 10 # ip link show vlan10 10: vlan10@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT link/ether f0:de:f1:81:0a:2a brd ff:ff:ff:ff:ff:ff
Physical lxc.network.type = phys lxc.network.flags = up lxc.network.link = eth2 lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
Bridging :) ➢Linux Bridge ➢ setup with brctl ➢ setup with ip route ➢OpenVswitch (OVS) ➢ setup with its tools
Bridging :) ➢What is OpenVswitch ➢multilayer virtual switch ➢Why OpenVswitch ➢ greater flexibility ➢more control over the traffic ➢ native VXLAN support
Bridging :) # brctl show bridge name bridge id STP enabled interfaces # brctl addbr br0 # brctl show bridge name bridge id STP enabled interfaces br0 8000.000000000000 no
Bridging :) # brctl addif br0 eth0 # brctl show bridge name bridge id STP interfaces br0 8000.f0def1810a2a no eth0 adding a veth device # brctl addif br0 vethc3070 adding a vlan # brctl addif br0 eth0.4
Bridging :) # ip link add name lxcbr0 type bridge # ip link set dev lxcbr0 up # ip link show lxcbr0 7: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT link/ether fe:d8:b2:55:ce:5b brd ff:ff:ff:ff:ff:ff # ip link set dev eth0 promisc on # ip link set dev eth0 up # ip link set dev eth0 master bridge_name # ip link set dev eth0 nomaster
Securing all of these ➢Do not allow traffic out of the container with MAC address that was not assigned to the container ➢Do not allow traffic out of the container with IP address that was not assigned to the container ➢Do not allow multicast traffic to go to container which is not part of the multicast group ➢Actually if possible allow network traffic only to its gateway :)
Securing all of these ➢Do not use NAT for connecting your containers ➢NAT is susceptible to DoS. By spoofing many connections from one container can block the connectivity of the whole machine!
Broadcasts... ➢It depends on your network design ➢ Generally limit the broadcast destinations that a container can reach ➢ If possible use source routing to route the traffic directly to where it is supposed to go
OpenVswitch security ➢ Implement OpenFlow rules to enforce the previous rules ➢ For each container hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=150 dl_type=0x0800 in_port=$input_port nw_dst=$container_gw actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=100 dl_type=0x0800 in_port=$input_port nw_dst=$container_network actions=drop hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac nw_src=$container_ip dl_type=0x0806 priority=50 actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac dl_type=0x0800 nw_src=$container_ip priority=25 actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=20 dl_type=0x0800 dl_src=$container_mac nw_dst=$container_ip actions=output:$input_port hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port priority=5 actions=drop ➢ For each additional IP on the container hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_type=0x0800 dl_src=$container_mac nw_src=$additional_ip priority=10 actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac nw_src=$additional_ip dl_type=0x0806 priority=50 actions=NORMAL
OpenVswitch security ➢ OpenVswitch networking DOES NOT go trough the normal linux networking so you CAN NOT use ipatables/ebtables to limit the traffic ➢ Even if you use net_cls it still DON'T WORK
TThhaannkk yyoouu!! QQuueessttiioonnss?? Marian Marinov <mm@1h.com> http://getclouder.com Jabber: hackman@jabber.org IRC: irc.freenode.net HackMan ICQ: 7556201 GitHub: http://github.com/hackman

More Related Content

PPTX
Bsides final
byCollyn Hartley
 
PDF
OVS-NFV Tutorial
byOpen Networking Perú (Opennetsoft)
 
PDF
OpenStack networking
bySim Janghoon
 
PPTX
Networking in linux
byVarnnit Jain
 
PDF
Understanding Open vSwitch
byYongKi Kim
 
PDF
Docker-OVS
bysnrism
 
PPTX
Using metasploit
byCyberRad
 
PPTX
Network Sniffing
bybudi rahardjo
 
Bsides final
byCollyn Hartley
 
OVS-NFV Tutorial
byOpen Networking Perú (Opennetsoft)
 
OpenStack networking
bySim Janghoon
 
Networking in linux
byVarnnit Jain
 
Understanding Open vSwitch
byYongKi Kim
 
Docker-OVS
bysnrism
 
Using metasploit
byCyberRad
 
Network Sniffing
bybudi rahardjo
 

What's hot

PDF
SDNDS.TW Mininet
byNCTU
 
PDF
Docker Networking
byWeaveworks
 
PDF
debugging openstack neutron /w openvswitch
by어형 이
 
PDF
Hack The Box Nest 10.10.10.178
byAbhichai L.
 
PDF
Mininet Basics
byEueung Mulyana
 
PDF
OpenVPN
byEmil CHERICHEȘ
 
PDF
Reverse engineering Swisscom's Centro Grande Modem
byCyber Security Alliance
 
DOCX
CAN in linux
byJabez Winston
 
PDF
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
byidsecconf
 
PDF
Killing any security product … using a Mimikatz undocumented feature
byCyber Security Alliance
 
PDF
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
byBlueHat Security Conference
 
PPT
Laboratory exercise - Network security - Penetration testing
byseastorm44
 
PDF
Velocity 2011 - Our first DDoS attack
byCosimo Streppone
 
PPTX
Mininet demo
byMomina Masood
 
PDF
SSH Tunneling Recipes
byOSOCO
 
PDF
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
byRedspin, Inc.
 
PDF
Apache httpd reverse proxy and Tomcat
byJean-Frederic Clere
 
PDF
Weave Networking on Docker
byStylight
 
PDF
Mininet introduction
byVipin Gupta
 
PPTX
ZeroMQ: Super Sockets - by J2 Labs
byJames Dennis
 
SDNDS.TW Mininet
byNCTU
 
Docker Networking
byWeaveworks
 
debugging openstack neutron /w openvswitch
by어형 이
 
Hack The Box Nest 10.10.10.178
byAbhichai L.
 
Mininet Basics
byEueung Mulyana
 
OpenVPN
byEmil CHERICHEȘ
 
Reverse engineering Swisscom's Centro Grande Modem
byCyber Security Alliance
 
CAN in linux
byJabez Winston
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
byidsecconf
 
Killing any security product … using a Mimikatz undocumented feature
byCyber Security Alliance
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
byBlueHat Security Conference
 
Laboratory exercise - Network security - Penetration testing
byseastorm44
 
Velocity 2011 - Our first DDoS attack
byCosimo Streppone
 
Mininet demo
byMomina Masood
 
SSH Tunneling Recipes
byOSOCO
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
byRedspin, Inc.
 
Apache httpd reverse proxy and Tomcat
byJean-Frederic Clere
 
Weave Networking on Docker
byStylight
 
Mininet introduction
byVipin Gupta
 
ZeroMQ: Super Sockets - by J2 Labs
byJames Dennis
 

Viewers also liked

PDF
Docker Multihost Networking
byNicola Kabar
 
PDF
Chris Swan at Container.Camp: Docker networking
byCohesive Networks
 
PDF
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
PPTX
Docker Networking
byKingston Smiler
 
PPTX
Docker networking Tutorial 101
byLorisPack Project
 
PDF
Scaling Docker with Kubernetes
byCarlos Sanchez
 
PDF
Kubernetes architecture
byJanakiram MSV
 
PDF
Kubernetes Basics
byEueung Mulyana
 
PDF
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
byBrian Grant
 
PPTX
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
byDocker, Inc.
 
PDF
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup
byStefan Schimanski
 
PDF
Kubernetes Networking
byCJ Cullen
 
PDF
Docker Networking Deep Dive
byDocker, Inc.
 
PPTX
Docker networking basics & coupling with Software Defined Networks
byAdrien Blind
 
PPTX
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
byDocker, Inc.
 
PPTX
Docker Networking: Control plane and Data plane
byDocker, Inc.
 
PDF
An Introduction to Kubernetes
byImesh Gunaratne
 
Docker Multihost Networking
byNicola Kabar
 
Chris Swan at Container.Camp: Docker networking
byCohesive Networks
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
Docker Networking
byKingston Smiler
 
Docker networking Tutorial 101
byLorisPack Project
 
Scaling Docker with Kubernetes
byCarlos Sanchez
 
Kubernetes architecture
byJanakiram MSV
 
Kubernetes Basics
byEueung Mulyana
 
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
byBrian Grant
 
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
byDocker, Inc.
 
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup
byStefan Schimanski
 
Kubernetes Networking
byCJ Cullen
 
Docker Networking Deep Dive
byDocker, Inc.
 
Docker networking basics & coupling with Software Defined Networks
byAdrien Blind
 
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
byDocker, Inc.
 
Docker Networking: Control plane and Data plane
byDocker, Inc.
 
An Introduction to Kubernetes
byImesh Gunaratne
 

Similar to Secure LXC Networking

PPT
Chapter 1 Switch Network Device (1).ppt
bydesalewminale
 
PDF
Linux Networking Explained
byThomas Graf
 
ODP
Securing the network for VMs or Containers
byMarian Marinov
 
ODP
Integrating Linux routing with FusionCLI™
byStephen Hemminger
 
PPTX
Openstack openswitch basics
bynshah061
 
PPTX
Thebasicintroductionofopenvswitch
byRamses Ramirez
 
PDF
CCNA Training in Bangalore | Best Networking course in Bangalore
byTIB Academy
 
PDF
Xb30330.xb30350 management guide
byDanilo Eduardo Miranda
 
PDF
CCIE R&S Real Lab H1 Config
byCCIERNSTRICKS.COM
 
PDF
CCIE R&S Real Lab H3 Config
byCCIERNSTRICKS.COM
 
PDF
CCIE R&S Real Lab H2 Config
byCCIERNSTRICKS.COM
 
PDF
CCIE R&S Real Lab Workbbok 2018 updated
byCCIERNSTRICKS.COM
 
PDF
CCIE R&S Real TS-1 Config
byCCIERNSTRICKS.COM
 
PPTX
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
byAbdelkhalik Mosa
 
PPT
Training Day Slides
byadam_merritt
 
PDF
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byvelosonando62
 
PDF
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byahmedendrise81
 
PDF
2024欧洲杯最好的投注软件-2024欧洲杯最好的投注软件网址-2024欧洲杯最好的投注软件|【​网址​🎉ac123.net🎉​】
byakrooshsaleem36
 
PDF
2024欧洲杯平台-2024欧洲杯平台网址-2024欧洲杯平台|【​网址​🎉ac123.net🎉​】
bytalhaaslan625
 
PDF
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
byfoismail170
 
Chapter 1 Switch Network Device (1).ppt
bydesalewminale
 
Linux Networking Explained
byThomas Graf
 
Securing the network for VMs or Containers
byMarian Marinov
 
Integrating Linux routing with FusionCLI™
byStephen Hemminger
 
Openstack openswitch basics
bynshah061
 
Thebasicintroductionofopenvswitch
byRamses Ramirez
 
CCNA Training in Bangalore | Best Networking course in Bangalore
byTIB Academy
 
Xb30330.xb30350 management guide
byDanilo Eduardo Miranda
 
CCIE R&S Real Lab H1 Config
byCCIERNSTRICKS.COM
 
CCIE R&S Real Lab H3 Config
byCCIERNSTRICKS.COM
 
CCIE R&S Real Lab H2 Config
byCCIERNSTRICKS.COM
 
CCIE R&S Real Lab Workbbok 2018 updated
byCCIERNSTRICKS.COM
 
CCIE R&S Real TS-1 Config
byCCIERNSTRICKS.COM
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
byAbdelkhalik Mosa
 
Training Day Slides
byadam_merritt
 
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byvelosonando62
 
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byahmedendrise81
 
2024欧洲杯最好的投注软件-2024欧洲杯最好的投注软件网址-2024欧洲杯最好的投注软件|【​网址​🎉ac123.net🎉​】
byakrooshsaleem36
 
2024欧洲杯平台-2024欧洲杯平台网址-2024欧洲杯平台|【​网址​🎉ac123.net🎉​】
bytalhaaslan625
 
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
byfoismail170
 

More from Marian Marinov

PDF
How to start and then move forward in IT
byMarian Marinov
 
PDF
Thinking about highly-available systems and their setup
byMarian Marinov
 
PDF
Understanding your memory usage under Linux
byMarian Marinov
 
PDF
How to implement PassKeys in your application
byMarian Marinov
 
PDF
Dev.bg DevOps March 2024 Monitoring & Logging
byMarian Marinov
 
PDF
Basic presentation of cryptography mechanisms
byMarian Marinov
 
PDF
Microservices: Benefits, drawbacks and are they for me?
byMarian Marinov
 
PDF
Introduction and replication to DragonflyDB
byMarian Marinov
 
PDF
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
byMarian Marinov
 
PDF
How to successfully migrate to DevOps .pdf
byMarian Marinov
 
PDF
How to survive in the work from home era
byMarian Marinov
 
PDF
Managing sysadmins
byMarian Marinov
 
PDF
Improve your storage with bcachefs
byMarian Marinov
 
PDF
Control your service resources with systemd
byMarian Marinov
 
PDF
Comparison of-foss-distributed-storage
byMarian Marinov
 
PDF
Защо и как да обогатяваме знанията си?
byMarian Marinov
 
PDF
Securing your MySQL server
byMarian Marinov
 
PDF
Sysadmin vs. dev ops
byMarian Marinov
 
PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
PDF
Challenges with high density networks
byMarian Marinov
 
How to start and then move forward in IT
byMarian Marinov
 
Thinking about highly-available systems and their setup
byMarian Marinov
 
Understanding your memory usage under Linux
byMarian Marinov
 
How to implement PassKeys in your application
byMarian Marinov
 
Dev.bg DevOps March 2024 Monitoring & Logging
byMarian Marinov
 
Basic presentation of cryptography mechanisms
byMarian Marinov
 
Microservices: Benefits, drawbacks and are they for me?
byMarian Marinov
 
Introduction and replication to DragonflyDB
byMarian Marinov
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
byMarian Marinov
 
How to successfully migrate to DevOps .pdf
byMarian Marinov
 
How to survive in the work from home era
byMarian Marinov
 
Managing sysadmins
byMarian Marinov
 
Improve your storage with bcachefs
byMarian Marinov
 
Control your service resources with systemd
byMarian Marinov
 
Comparison of-foss-distributed-storage
byMarian Marinov
 
Защо и как да обогатяваме знанията си?
byMarian Marinov
 
Securing your MySQL server
byMarian Marinov
 
Sysadmin vs. dev ops
byMarian Marinov
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
Challenges with high density networks
byMarian Marinov
 

Recently uploaded

PPTX
SPECIAL STSAINS USED IN HISTOPATHOLOGY.pptx
byKISMAT ALI
 
PDF
Application of Information and Communication Technology Content.pdf
byKhalil Khan Marwat
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
byNguyen Thanh Tu Collection
 
PDF
Pharmaceutical Organic Chemistry Unit 5 Cycloalkanes
bySandeshSul
 
PPTX
LEARNING PART 2.SHILPA HOTAKAR PSYCHOLOGY NOTES pptx
bySHILPA HOTAKAR
 
PDF
‘You can do anything, but not everything’: Using UCC’s Service Principles to ...
byCONUL Conference
 
PPTX
ENGLISH 3-Q3-W7.pptx 2025-2026..................................................
byWindyDizonMiranda
 
PPTX
GRADE-1-Q3-MATH-WEEK-6.pptx_202633333333
byKennethGraceAngeles1
 
PDF
Homebound (2025): A Critical Analysis of Social Realism, Systemic Apathy, and...
bykrutivyas2005
 
PPTX
No Storage Needed! Odoo Cross-Docking
byCeline George
 
PPTX
English 8 Q3 Wk8.pptx opinion editorial article( Writing , Revising, Editing...
byjacquelyncastre03
 
PPTX
Mixing Pharmaceutical Engineering .pptxx
byShraddha Bandgar
 
PDF
THE NORF (National Open Research Forum), Strategy and Roadmap for Persistent ...
byCONUL Conference
 
PDF
Enhancing Accessibility and Inclusivity: The TU Dublin Leaving Certificate St...
byCONUL Conference
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING Unit 1.pdf
byA R SIVANESH M.E., (Ph.D)
 
PPTX
CHAPTER NO. 09 HCP BY GG LABORATORY CLINICAL TEST
byGanu Gavade
 
PDF
Visualising Library Insights: Power BI Dashboard for Data-Driven Decision Mak...
byCONUL Conference
 
PPTX
How to Create a Search Panel in Odoo 18
byCeline George
 
PPTX
Structure Editorial Grade 8 Lesson (Opinion Editorial)
byJessaMaeCabangon1
 
PDF
Digital Transformation, AI, and ML in Pharma R&D and Manufacturing Workflows ...
byAjaz Hussain
 
SPECIAL STSAINS USED IN HISTOPATHOLOGY.pptx
byKISMAT ALI
 
Application of Information and Communication Technology Content.pdf
byKhalil Khan Marwat
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
byNguyen Thanh Tu Collection
 
Pharmaceutical Organic Chemistry Unit 5 Cycloalkanes
bySandeshSul
 
LEARNING PART 2.SHILPA HOTAKAR PSYCHOLOGY NOTES pptx
bySHILPA HOTAKAR
 
‘You can do anything, but not everything’: Using UCC’s Service Principles to ...
byCONUL Conference
 
ENGLISH 3-Q3-W7.pptx 2025-2026..................................................
byWindyDizonMiranda
 
GRADE-1-Q3-MATH-WEEK-6.pptx_202633333333
byKennethGraceAngeles1
 
Homebound (2025): A Critical Analysis of Social Realism, Systemic Apathy, and...
bykrutivyas2005
 
No Storage Needed! Odoo Cross-Docking
byCeline George
 
English 8 Q3 Wk8.pptx opinion editorial article( Writing , Revising, Editing...
byjacquelyncastre03
 
Mixing Pharmaceutical Engineering .pptxx
byShraddha Bandgar
 
THE NORF (National Open Research Forum), Strategy and Roadmap for Persistent ...
byCONUL Conference
 
Enhancing Accessibility and Inclusivity: The TU Dublin Leaving Certificate St...
byCONUL Conference
 
PROBLEM SLOVING AND PYTHON PROGRAMMING Unit 1.pdf
byA R SIVANESH M.E., (Ph.D)
 
CHAPTER NO. 09 HCP BY GG LABORATORY CLINICAL TEST
byGanu Gavade
 
Visualising Library Insights: Power BI Dashboard for Data-Driven Decision Mak...
byCONUL Conference
 
How to Create a Search Panel in Odoo 18
byCeline George
 
Structure Editorial Grade 8 Lesson (Opinion Editorial)
byJessaMaeCabangon1
 
Digital Transformation, AI, and ML in Pharma R&D and Manufacturing Workflows ...
byAjaz Hussain
 

Secure LXC Networking

  • 1.
    Secure LXC networking Marian HackMan Marinov <mm@1h.com> CEO of 1H Ltd. CTO of GetClouder.com
  • 2.
    Who am I? ➢ System Administrator since 1998 ➢ CEO of 1H Ltd. ➢ CTO of GetClouder Ltd. ➢ Head of DevOps for Siteground.com ➢ Organizer of OpenFest, BG Perl workshops and others ➢ This year I helped with the organization of YAPC europe and EuroBSDcon in Sofia ➢ In my spare time I teach Linux System Administration and Network Security courses in Sofia University ➢ For the past year I'm playing mainly with containers!
  • 3.
    We don't reallyneed networking...
  • 4.
    MAC addresses ➢Keep a central DB with all MAC addresses to prevent collisions ➢ Use a reliable way to generate MAC addresses ➢ Keep in mind: ➢local or global ➢unicast or multicast
  • 5.
    generate MAC addressin bash function gen_mac() { mac_vars=(0 1 2 3 4 5 6 7 8 9 a b c d e f) mac_base='52:00:01:' ret='' for i in {1..6}; do n=$RANDOM let 'n %= 16' ret="${ret}${mac_vars[$n]}" if [ $i -eq 2 ] || [ $i -eq 4 ]; then ret="${ret}:" fi done echo "${mac_base}${ret}" }
  • 6.
    generate mac addressin PLPGSQL CREATE OR REPLACE FUNCTION generate_mac() RETURNS text LANGUAGE plpgsql AS $$DECLARE mac TEXT; a CHAR; count INTEGER; BEGIN mac='52:00:01:'; FOR count IN 1..6 LOOP SELECT substring('0123456789abcdef' FROM (random()*16)::int + 1 FOR 1) INTO a; -- This fixes an issue, where the above SELECT returns NULL or empty string -- If for some reason we concatenate with a NULL string, the result will be NULL string WHILE a IS NULL OR a = '' LOOP SELECT substring('0123456789abcdef' FROM (random()*16)::int + 1 FOR 1) INTO a; END LOOP; mac = mac || a; IF count = 2 OR count = 4 THEN mac = mac || ':'; END IF; END LOOP; RETURN mac; END;$$;
  • 7.
    generate MAC addressin Python #/usr/bin/python import random mac = [random.choice(range(256)) for i in range(6)] mac[0] |= 0x02 mac[0] &= 0xfe print ':'.join('%02x' % m for m in mac)
  • 8.
    Types of LXCnetworking ➢none ➢empty ➢macvlan ➢macvtap (did not have time to test it) ➢veth (linux or ovs bridge) ➢vlan ➢physical ➢VPN device(haven't tried that either)
  • 9.
    None lxc.network.type =none lxc.network.hwaddr = 00:16:3a:61:45:a6 lxc.network.flags = up
  • 10.
    Empty lxc.network.type =empty lxc.network.hwaddr = 00:16:3a:61:45:a6 lxc.network.flags = up
  • 11.
    VETH lxc.network.type =veth lxc.network.veth.pair = vethc3070 lxc.network.flags = up lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
  • 12.
    VETH lxc.network.veth.pair =vethc3070 11: vethD6YPJ1: <BROADCAST,MULTICAST,PROMISC,UP,LOWE R_UP> mtu 1500 qdisc pfifo_fast master lxcbr0 state UP qlen 1000 link/ether f2:0:32:02:55:2f brd ff:ff:ff:ff:ff:ff valid_lft forever preferred_lft forever
  • 13.
    MACVLAN lxc.network.type =macvlan lxc.network.macvlan.mode = bridge lxc.network.flags = up lxc.network.link = lxcbr1 lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
  • 14.
    MACVLAN ➢ Ifyou want to manually setup the networking ip link add link PARENT [NAME] type macvlan [address MAC] ➢ Auto generated MAC adresses # ip link add link eth0 lxc0 type macvlan ➢ Manually assigned # ip link add link eth0 lxc1 type macvlan address f0:de:f1:81:0a:2a ➢ Additional parameter: mode ➢ macvlan mode { private | vepa | bridge | passthru }
  • 15.
    MACVLAN ➢ private(filter all incoming packets) ➢ bridge (all packets on the same iface can be seen from all vlans) ➢ pasthru (requires enabled STP) ➢ VEPA (Virtual Ethernet Port Aggregator)
  • 16.
    MACVLAN ➢ EdgeVirtual Bridging EVB ➢ Top-of-Rack (ToR) ➢ End-of-Row (EoR) ➢ Virtual Ethernet Bridge (VEB) ➢ Linux bridge ➢ OpenVswitch ➢ Virtual Ethernet Port Aggregator (VEPA) ➢ used for EVB ➢ VEPA 802.1Qab - HP, IBM, Brocade, Juniper ➢ Standard mode ➢ Multi-channel VEPA (Q-in-Q) ➢ VN-Tag 802.1Qbh - Cisco
  • 17.
    VLAN lxc.network.type =vlan lxc.network.vlan.id = 10 lxc.network.flags = up lxc.network.link = eth0 lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
  • 18.
    VLAN # vconfigadd eth0 10 # ip link add link eth0 vlan10 type vlan id 10 # ip link show vlan10 10: vlan10@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT link/ether f0:de:f1:81:0a:2a brd ff:ff:ff:ff:ff:ff
  • 19.
    Physical lxc.network.type =phys lxc.network.flags = up lxc.network.link = eth2 lxc.network.name = eth0 lxc.network.ipv4 = X.X.X.X/24 lxc.network.ipv4.gateway = X.X.X.1 lxc.network.hwaddr = 00:16:3e:28:73:b3
  • 20.
    Bridging :) ➢LinuxBridge ➢ setup with brctl ➢ setup with ip route ➢OpenVswitch (OVS) ➢ setup with its tools
  • 21.
    Bridging :) ➢Whatis OpenVswitch ➢multilayer virtual switch ➢Why OpenVswitch ➢ greater flexibility ➢more control over the traffic ➢ native VXLAN support
  • 22.
    Bridging :) #brctl show bridge name bridge id STP enabled interfaces # brctl addbr br0 # brctl show bridge name bridge id STP enabled interfaces br0 8000.000000000000 no
  • 23.
    Bridging :) #brctl addif br0 eth0 # brctl show bridge name bridge id STP interfaces br0 8000.f0def1810a2a no eth0 adding a veth device # brctl addif br0 vethc3070 adding a vlan # brctl addif br0 eth0.4
  • 24.
    Bridging :) #ip link add name lxcbr0 type bridge # ip link set dev lxcbr0 up # ip link show lxcbr0 7: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT link/ether fe:d8:b2:55:ce:5b brd ff:ff:ff:ff:ff:ff # ip link set dev eth0 promisc on # ip link set dev eth0 up # ip link set dev eth0 master bridge_name # ip link set dev eth0 nomaster
  • 25.
    Securing all ofthese ➢Do not allow traffic out of the container with MAC address that was not assigned to the container ➢Do not allow traffic out of the container with IP address that was not assigned to the container ➢Do not allow multicast traffic to go to container which is not part of the multicast group ➢Actually if possible allow network traffic only to its gateway :)
  • 26.
    Securing all ofthese ➢Do not use NAT for connecting your containers ➢NAT is susceptible to DoS. By spoofing many connections from one container can block the connectivity of the whole machine!
  • 27.
    Broadcasts... ➢It dependson your network design ➢ Generally limit the broadcast destinations that a container can reach ➢ If possible use source routing to route the traffic directly to where it is supposed to go
  • 28.
    OpenVswitch security ➢Implement OpenFlow rules to enforce the previous rules ➢ For each container hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=150 dl_type=0x0800 in_port=$input_port nw_dst=$container_gw actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=100 dl_type=0x0800 in_port=$input_port nw_dst=$container_network actions=drop hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac nw_src=$container_ip dl_type=0x0806 priority=50 actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac dl_type=0x0800 nw_src=$container_ip priority=25 actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,priority=20 dl_type=0x0800 dl_src=$container_mac nw_dst=$container_ip actions=output:$input_port hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port priority=5 actions=drop ➢ For each additional IP on the container hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_type=0x0800 dl_src=$container_mac nw_src=$additional_ip priority=10 actions=NORMAL hard_timeout=0,idle_timeout=0,cookie=$cookie,in_port=$input_port dl_src=$container_mac nw_src=$additional_ip dl_type=0x0806 priority=50 actions=NORMAL
  • 29.
    OpenVswitch security ➢OpenVswitch networking DOES NOT go trough the normal linux networking so you CAN NOT use ipatables/ebtables to limit the traffic ➢ Even if you use net_cls it still DON'T WORK
  • 30.
    TThhaannkk yyoouu!! QQuueessttiioonnss?? Marian Marinov <mm@1h.com> http://getclouder.com Jabber: hackman@jabber.org IRC: irc.freenode.net HackMan ICQ: 7556201 GitHub: http://github.com/hackman