According to Wikipedia, network virtualization is the process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Which of the following is not true about virtual networks?
A. Layer 2 networks may suffer flooding and denial of service attacks.
B. VLANs are subject to conflict of VLAN IDs in a multi-tenant data center.
C. VXLAN employs the MAC-over-IP mechanism that decreases the attack surface.
D. VXLAN endpoints joining one or more multicast groups may hijack MAC addresses.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. VXLAN employs the MAC-over-IP mechanism that decreases the attack surface.
VLANs are limited to 4094 IDs, which cannot meet the requirements of data centers or cloud computing, where networks are commonly isolated per tenant. For example, Azure or AWS have far more customers than 4094.
VXLAN Problem Statement
VXLAN (RFC 7348) is designed to solve this problem. The VXLAN problem statement highlights the following issues:
- Limitations Imposed by Spanning Tree and VLAN Ranges
- Multi-tenant Environments
- Inadequate Table Sizes at ToR (Top-of-Rack) Switch
It also reads: “VXLAN (Virtual eXtensible Local Area Network) addresses the above requirements of the Layer 2 and Layer 3 data center network infrastructure in the presence of VMs in a multi-tenant environment.”
VXLAN as Overlay Network
VXLAN encapsulates the traditional Ethernet (VLAN) frame inside a UDP/IP packet, i.e., MAC-over-IP, to support communication between spine switches and leaf switches over a routed network. The leaf-spine architecture is a two-layer network topology composed of leaf switches and spine switches.
Overlay and Underlay Networks
Underlay networks, also called physical networks, are where traditional routing protocols run. The underlay network is the physical infrastructure on which the overlay network is built; it is the underlying network responsible for delivering packets across the network.
- Underlay Protocols: BGP, OSPF, IS-IS, EIGRP
An overlay network is a virtual network routed on top of the underlay network infrastructure; routing decisions are made in software.
- Overlay Protocols: VXLAN, NVGRE, GRE, OTV, OMP, mVPN
Overlay networking is a method of using software to create layers of network abstraction that can be used to run multiple separate, discrete virtualized network layers on top of the physical network, often providing new applications or security benefits.
VXLAN is a MAC-over-IP overlay network that inherits both Layer 2 and Layer 3 attack vectors, so it extends the attack surface of Layer 2 networks.
Traditionally, Layer 2 networks can only be attacked from ‘within’ by rogue end points — either:
- by having inappropriate access to a LAN and snooping on traffic,
- by injecting spoofed packets to ‘take over’ another MAC address, or
- by flooding and causing denial of service.
A MAC-over-IP mechanism for delivering Layer 2 traffic significantly extends this attack surface. This can happen by rogues injecting themselves into the network:
- by subscribing to one or more multicast groups that carry broadcast traffic for VXLAN segments and also
- by sourcing MAC-over-UDP frames into the transport network to inject spurious traffic, possibly to hijack MAC addresses.
This document does not incorporate specific measures against such attacks, relying instead on other traditional mechanisms layered on top of IP. This section, instead, sketches out some possible approaches to security in the VXLAN environment.
- Traditional Layer 2 attacks by rogue end points can be mitigated by limiting the management and administrative scope of who deploys and manages VMs/gateways in a VXLAN environment. In addition, such administrative measures may be augmented by schemes like 802.1X for admission control of individual end points. Also, the use of the UDP-based encapsulation of VXLAN enables configuration and use of the 5-tuple-based ACL (Access Control List) functionality in physical switches.
- Tunneled traffic over the IP network can be secured with traditional security mechanisms like IPsec that authenticate and optionally encrypt VXLAN traffic. This will, of course, need to be coupled with an authentication infrastructure for authorized end points to obtain and distribute credentials.
- VXLAN overlay networks are designated and operated over the existing LAN infrastructure. To ensure that VXLAN end points and their VTEPs are authorized on the LAN, it is recommended that a VLAN be designated for VXLAN traffic and the servers/VTEPs send VXLAN traffic over this VLAN to provide a measure of security.
- In addition, VXLAN requires proper mapping of VNIs and VM membership in these overlay networks. It is expected that this mapping be done and communicated to the management entity on the VTEP and the gateways using existing secure methods.
Source: RFC 7348
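As an added example (not code from the post or from RFC 7348), the following Python builds a constructed VXLAN-in-UDP/IP frame, parses the fields a VTEP or switch would inspect, and applies the two mitigations the RFC sketches: a 5-tuple ACL on the VTEP source address and a VNI-membership check. The authorized-VTEP allowlist, the VNI membership table and all addresses are assumptions.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN port (RFC 7348)
VNI_VALID_FLAG = 0x08           # "I" bit in the VXLAN flags byte: VNI is valid

AUTHORIZED_VTEPS = {"10.0.0.11", "10.0.0.12"}                 # constructed allowlist
VNI_MEMBERSHIP = {5001: {"10.0.0.11"}, 5002: {"10.0.0.11", "10.0.0.12"}}  # constructed VNI -> VTEPs

def build_vxlan_frame(src_ip, dst_ip, vni, inner_src_mac, inner_dst_mac):
    """Constructed test input: outer Ethernet/IPv4/UDP + VXLAN header + inner Ethernet (no payload, zero checksums)."""
    inner = bytes.fromhex(inner_dst_mac) + bytes.fromhex(inner_src_mac) + b"\x08\x00"
    vxlan = bytes([VNI_VALID_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(vxlan) + len(inner), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    outer_eth = b"\x00\x00\x5e\x00\x53\x02" + b"\x00\x00\x5e\x00\x53\x01" + b"\x08\x00"
    return outer_eth + ip + udp + vxlan + inner

def parse_vxlan_frame(frame):
    """Decode the outer 5-tuple, VXLAN flags/VNI and inner source MAC (the fields an ACL needs)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer EtherType is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("outer protocol is not UDP")
    udp = ip[ihl:]
    dport = struct.unpack("!H", udp[2:4])[0]
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP dst port %d is not VXLAN" % dport)
    vx = udp[8:]                                   # 8-byte VXLAN header, then inner Ethernet
    return {
        "src_ip": str(IPv4Address(ip[12:16])),
        "vni_valid": bool(vx[0] & VNI_VALID_FLAG),
        "vni": int.from_bytes(vx[4:7], "big"),
        "inner_src_mac": vx[14:20].hex(":"),
    }

def check_vxlan_policy(frame):
    """Drop frames from unauthorized VTEPs or from VTEPs not mapped to the VNI before the inner MAC is learned."""
    f = parse_vxlan_frame(frame)
    if f["src_ip"] not in AUTHORIZED_VTEPS:
        return "drop: source %s is not an authorized VTEP" % f["src_ip"]
    if not f["vni_valid"]:
        return "drop: VNI flag not set"
    if f["src_ip"] not in VNI_MEMBERSHIP.get(f["vni"], set()):
        return "drop: VTEP %s is not a member of VNI %d" % (f["src_ip"], f["vni"])
    return "accept"
```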
- Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks (RFC 7348)
- Virtual Extensible LAN (Wikipedia)
- What is VXLAN? (Juniper)
- Underlay Network and Overlay Network
- A Network Engineer’s Perspective of Virtual Extensible LAN (VXLAN)
- What do TOR, EOR and MOR mean?
- Popular ToR and ToR Switch in Data Center Architectures
- VxLAN | Part 1 – How VxLAN Works (YouTube)
- VXLAN Introduction (YouTube)
- Fundamentals of SD-WAN
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.