Security analysis of network virtualization implemented with open virtual network (OVN)

Abstract

Network Virtualization (NV) refers to abstracting network resources that were traditionally delivered in hardware to software. NV can combine multiple physical networks into one virtual, software-based network, or it can divide one physical network into separate, independent virtual networks. Network virtualization allows the creation of multiple independent virtual network instances on top of a single physical substrate. This is made possible by instantiating one or more virtual routers on physical devices and establishing virtual links between these routers, forming topologies that are not limited by the structure of the physical network. In addition to the ability to create different topological structures, virtual networks are also not bound by other characteristics of the physical network, such as its protocol stack. One of such Network Virtualization mechanism is known as Open Virtual Network (OVN) which is a series of daemons which can convert CMS originated virtual network configuration into physical flow rules. OVN uses Open vSwitch for its switching fabric and uses tunnels to provide the logical/physical separation and Geneve protocol for encapsulation mechanism and allows the binding of physical network elements to their logical counterparts. In the following we discuss about Open Virtual Network, its architecture, its working mechanism and try to map the security mechanisms, configuration methodologies and evidence collection mechanisms against our required security properties.