[libvirt] Libvirt and IPSec (was: What about Trusted Virtual Domains???)

Paolo Smiraglia paolo.smiraglia at polito.it
Wed Apr 6 13:10:59 UTC 2011


Hi to everyone! First of all, sorry for the thread subject change.

Due to the several issues of the Libvirt implementation of the Trusted 
Virtual Domains (TVD), I decided to approach the topic in a modular manner.

I think that the first step should be to define the IPSec support or, 
more generally, the secure tunnel support for Libvirt. I see the 
implementation divided into two steps:

    1. define a new driver called 'sectunnel' which describes a generic
       secure tunnel that will be established using several
       technologies (for now using only ipsec)

    2. modify the existing 'network' driver by adding the possibility to
       specify, in the virtual network definition, the 'sectunnel' that
       the network has to use

As an example, you can see below a possible XML definition of a 
network which uses a secure tunnel and the corresponding 'sectunnel' XML 
definition:

     NETWORK DEFINITION
     ==================
     <network>
         <name>sec-net</name>
         <uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
         <bridge name='virbr0' />
         <domain name='example' />
         ...
         <sectunnel name='sec-tun' /> <!-- specify the 'sectunnel' to use -->
     </network>

     SECTUNNEL DEFINITION
     ====================
     <sectunnel type='ipsec'>
         <name>sec-tun</name>
         <uuid>8b7fd1b0-4463-43b7-8b6e-8006344aeb66</uuid>

         <!-- Security Association definitions -->

         <sa>
             <!-- specify the 'secret' which contains the pre-shared key -->
             <secret uuid='...' />
         </sa>

         <!-- Security Policy definitions -->

         <sp>
             <src_range address='10.0.0.1' prefixlen='30' port='5000' />
             <dst_range address='10.0.0.2' prefixlen='30' port='5000' />
             <upperspec protocol='any' />

             <policy direction='out' action='ipsec'>
                 <rule protocol='esp' mode='tunnel' level='require'>
                     <src address='192.168.0.1' port='55055' />
                     <dst address='192.168.0.2' port='55055' />
                 </rule>
             </policy>
         </sp>

         <sp>
             <src_range address='10.0.0.2' prefixlen='30' port='5000' />
             <dst_range address='10.0.0.1' prefixlen='30' port='5000' />
             <upperspec protocol='any' />
             <policy direction='in' action='ipsec'>
                 <rule protocol='esp' mode='tunnel' level='require'>
                     <src address='192.168.0.2' port='55055' />
                     <dst address='192.168.0.1' port='55055' />
                 </rule>
             </policy>
         </sp>
     </sectunnel>

As you can see in the 'sectunnel' XML definition, I use a 'secret' 
element. This element is a Libvirt secret [1] and it stores the 
pre-shared key used by IPSec to establish the Security Associations 
(SA). Obviously this feature requires defining a new usage category in 
the 'secret' driver definition.

Another possible way to establish the SA is to use X.509 
certificates. For this purpose, I think that the certificates already 
used by Libvirt to set up SSL/TLS remote connections might be used.

That's all! :-)

What do you think about this possible IPSec implementation?

Thanks in advance for the replies!

Best regards,

    PAOLO



LINK LIST
---------
[1] http://libvirt.org/formatsecret.html


-- 
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Mobile: +39 (333) 527 3593
Email: paolo.smiraglia at polito.it
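
Added example, not part of the original message or of libvirt: a consistency check for the 'sectunnel' XML proposed above, reporting a missing pre-shared-key secret and any security policy that lacks a mirrored policy in the opposite direction. The function name, the placeholder secret uuid and the rule that any level other than 'require' is a finding are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the proposed 'sectunnel' layout; the secret uuid is a
# placeholder and the matching 'in' policy is deliberately left out.
SAMPLE = """
<sectunnel type='ipsec'>
  <name>sec-tun</name>
  <sa><secret uuid='00000000-0000-0000-0000-000000000000'/></sa>
  <sp>
    <src_range address='10.0.0.1' prefixlen='30' port='5000'/>
    <dst_range address='10.0.0.2' prefixlen='30' port='5000'/>
    <upperspec protocol='any'/>
    <policy direction='out' action='ipsec'>
      <rule protocol='esp' mode='tunnel' level='require'>
        <src address='192.168.0.1' port='55055'/>
        <dst address='192.168.0.2' port='55055'/>
      </rule>
    </policy>
  </sp>
</sectunnel>
"""

def _key(elem):
    """Hashable view of an element's attributes (address, prefixlen, port)."""
    return tuple(sorted(elem.attrib.items()))

def check_sectunnel(xml_text):
    """Return a list of findings for one proposed <sectunnel> document."""
    root, findings, seen = ET.fromstring(xml_text), [], {}
    secret = root.find("sa/secret")
    if secret is None or not secret.get("uuid"):
        findings.append("no <secret uuid=...> for the pre-shared key")
    for sp in root.findall("sp"):
        policy, rule = sp.find("policy"), sp.find("policy/rule")
        parts = [sp.find("src_range"), sp.find("dst_range"),
                 sp.find("policy/rule/src"), sp.find("policy/rule/dst")]
        if rule is None or any(p is None for p in parts):
            findings.append("incomplete <sp> element")
            continue
        if rule.get("level") != "require":  # assumption: only 'require' is acceptable
            findings.append("rule level is not 'require'")
        # Traffic selector and tunnel endpoints, grouped by policy direction.
        seen.setdefault(policy.get("direction"), set()).add(tuple(map(_key, parts)))
    for direction, other in (("out", "in"), ("in", "out")):
        for s_sel, d_sel, s_end, d_end in seen.get(direction, ()):
            if (d_sel, s_sel, d_end, s_end) not in seen.get(other, ()):
                findings.append(f"'{direction}' policy has no mirrored '{other}' policy")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sectunnel(SAMPLE)))
```
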
