
Page 1: Garrett Drown Tianyi Xing Group #4 CSE548 – Advanced Computer Network Security

VIRTUAL TRUSTED DOMAIN

Garrett Drown

Tianyi Xing

Group #4

CSE548 – Advanced Computer Network Security

Page 2

Virtual Trusted Domains

What are Virtual Trusted Domains?

A virtual trusted domain (VTD) is a collection of machines, regardless of physical boundaries, that trust one another.

Page 3

Project Goal

Create and manage virtual trusted domains for virtual machines through the use of a NetFPGA.

Provide the virtual machines with reliable, secure, and fast connections to others in their virtual trusted domain.

Page 4

What is NetFPGA?

A low-cost platform, primarily designed as a tool for teaching networking hardware and router design.

Page 5

Technical Details

Roadmap of project:

By midterm:
- Research how to program NetFPGAs.
- Research and design an implementation for Virtual Trusted Domains on a NetFPGA.
- Research Path Splicing, which implements similar features that we would like to use in our project.
- Set up the environment and begin coding our program, which creates and manages Virtual Trusted Domains on a NetFPGA.
- Find and (if time permits) set up an existing similar solution (if there is one) for VTDs as a basis for our work.

By final:
- Modify the existing solution which can, or potentially can, implement the VTD.
- Deploy the program and set up a test-bed on a NetFPGA.
- Test and debug.
- Complete the final documents.

Page 6

Design of VTD for NetFPGA

Our idea: Have the controller maintain and utilize a database which contains the list of approved computers, their domain, and security level.

The packet header will be modified to include the user's trust level and the VTD he wishes to communicate with.

Page 7

Virtual Trusted Model

Two fields:

Domain
○ This domain field is used for indicating the domain that a group of VMs belong to.
○ Machines in the same domain are able to talk with each other.

Trust Level
○ Trust level indicates the trust relationship among different machines in the same domain.

Page 8

System Setup

Hardware
○ Pre-built NetFPGA server
○ Dell rack server (XenServer)

Software
○ CentOS 5
○ NetFPGA base package
○ OpenFlow switch
○ NOX controller

Page 9

Network Structure

[Diagram: Cloudserver1 and Cloudserver2 host VM1, VM2, VM3 and VM4. The VMs connect through a NetFPGA-based OpenFlow switch to the NOX controller, which is backed by a database. Each VM in the diagram is labelled with a (domain, trust level) pair: (6,3), (6,3), (6,2) and (0,3).]

Page 10

How to Implement the VTD field?

Domain/Trust Level

Page 11

Details of the VTD Field

Domain Field: 10 bits, so it can support up to 1024 domains in the system.

Trust Level (TL): 2 bits, so it has 4 trust levels (from 0 to 3). We defined 3 as the highest trust level.

Layout of the VTD field:

Domain Field | Trust Level
10 bits      | 2 bits

Page 12

Working Flow (cont.)

VM1 (6,3) initiates traffic to VM2 (6,2). The OpenFlow switch receives the packet from VM1. There is no entry in the flow table, so the packet is sent to the NOX controller.

Page 13

Working Flow

The NOX controller checks the domain and TL found in the packet and compares them with the destination's entry in the database. If they are not in the same domain, the packet is dropped.

If src and dst are in the same domain, then check the trust level.

If TL(src) ≥ TL(dst), traffic is forwarded; otherwise, traffic is disallowed.
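The field layout from page 11 and the controller decision from pages 12 and 13, worked through as an added Python example (this is not code from the slides or from the group's NOX module). It packs the 12-bit VTD field as 10 bits of domain followed by 2 bits of trust level, looks the destination up in a constructed controller database, and models the switch caching each decision as a flow-table entry. The host names, the database rows for VM3 and VM4, and placing the field in the low 12 bits of a 16-bit header word are assumptions; VM1 = (6,3) and VM2 = (6,2) come from page 12.

```python
# Added example, not code from the original slides: packs the 12-bit VTD field
# (10-bit domain + 2-bit trust level) and replays the controller decision the
# slides describe. Host names, the database rows for VM3/VM4, and the header
# placement are constructed assumptions; VM1 (6,3) and VM2 (6,2) come from slide 12.

DOMAIN_BITS = 10
TL_BITS = 2
MAX_DOMAIN = (1 << DOMAIN_BITS) - 1   # 1023, i.e. 1024 domains
MAX_TL = (1 << TL_BITS) - 1           # 3, the highest trust level


def encode_vtd(domain: int, tl: int) -> int:
    """Pack (domain, trust level) into the 12-bit field: domain in the high 10 bits."""
    if not 0 <= domain <= MAX_DOMAIN:
        raise ValueError(f"domain {domain} outside 0..{MAX_DOMAIN}")
    if not 0 <= tl <= MAX_TL:
        raise ValueError(f"trust level {tl} outside 0..{MAX_TL}")
    return (domain << TL_BITS) | tl


def decode_vtd(field: int) -> tuple[int, int]:
    """Split a 12-bit field back into (domain, trust level)."""
    if not 0 <= field < (1 << (DOMAIN_BITS + TL_BITS)):
        raise ValueError("VTD field must be 12 bits")
    return field >> TL_BITS, field & MAX_TL


def vtd_to_header_bytes(field: int) -> bytes:
    """Assumed carrier: the field occupies the low 12 bits of a 16-bit header word."""
    return field.to_bytes(2, "big")


def vtd_from_header_bytes(word: bytes) -> int:
    """Recover the 12-bit field from the assumed 16-bit header word."""
    return int.from_bytes(word, "big") & 0x0FFF


# Controller database (constructed): approved host -> (domain, trust level).
VTD_DB = {
    "VM1": (6, 3),   # from slide 12
    "VM2": (6, 2),   # from slide 12
    "VM3": (6, 3),   # constructed
    "VM4": (0, 3),   # constructed
}


def controller_decision(src_vtd: int, dst_host: str) -> str:
    """Packet-in handling: same domain required, then TL(src) >= TL(dst)."""
    if dst_host not in VTD_DB:
        return "drop: destination not approved"
    src_domain, src_tl = decode_vtd(src_vtd)
    dst_domain, dst_tl = VTD_DB[dst_host]
    if src_domain != dst_domain:
        return "drop: different domain"
    if src_tl < dst_tl:
        return "drop: insufficient trust level"
    return "forward"


class OpenFlowSwitch:
    """Minimal model of the data path: an unknown flow goes to the controller
    once, and the returned decision is installed as a flow-table entry."""

    def __init__(self, controller):
        self.controller = controller
        self.flow_table = {}
        self.packet_ins = 0

    def handle_packet(self, src_host: str, dst_host: str, header: bytes) -> str:
        vtd = vtd_from_header_bytes(header)
        key = (src_host, dst_host, vtd)
        if key not in self.flow_table:
            self.packet_ins += 1          # packet-in to the NOX controller
            self.flow_table[key] = self.controller(vtd, dst_host)
        return self.flow_table[key]


if __name__ == "__main__":
    sw = OpenFlowSwitch(controller_decision)
    hdr = vtd_to_header_bytes(encode_vtd(6, 3))
    print(sw.handle_packet("VM1", "VM2", hdr))   # forward (TL 3 >= TL 2)
    print(sw.handle_packet("VM1", "VM2", hdr))   # forward, served from the flow table
    print(sw.handle_packet("VM2", "VM1", vtd_to_header_bytes(encode_vtd(6, 2))))  # drop: insufficient trust level
    print(sw.handle_packet("VM1", "VM4", hdr))   # drop: different domain
    print(sw.packet_ins)                         # 3
```

Two points the run makes visible that the slides state only implicitly: the rule is one-directional, so VM2 (6,2) cannot open traffic towards VM1 (6,3) even though VM1 can reach VM2, and because the switch keys its flow entry on the VTD value carried in the packet, the controller's check is only as trustworthy as the path that sets that field, which is why the slides place it under the controller's database rather than under the sender's control.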

Page 14

Conclusion

We designed a virtual trusted domain concept for cloud systems.

We deployed an innovative platform (OpenFlow over NetFPGA).

We successfully implemented our VTD concept in a real cloud system.

Page 15

Questions?