[openstack-dev] Secure live VM migration in cloud (openstack)

Naveed Ahmad 12msccsnahmad at seecs.edu.pk
Mon Aug 26 18:10:07 UTC 2013


Respected Joshua Harlow,

Thanks for the reply.

Based on a literature survey, I found that the following techniques are used for
secure live migration of VMs.

1. RSA with the SSL protocol for authentication and encryption.
As you mentioned earlier, the same problem exists in RSA-based authentication: we
have to add the public keys of all other hypervisors.

At Black Hat 2013, security researchers found a vulnerability in SSL, so it can be
broken in a very short time.
Please check
http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

2. SSH is used for a secure tunnel before live VM migration.

Authentication is not discussed; only a secure tunnel is used to achieve
confidentiality.

3. OpenStack uses libvirtd with KVM to provide secure VM migration between
the src and dst machines.
SSL is used for the encrypted channel and SASL is used for authentication.

So I am interested in implementing authentication levels in live VM migration:

1. No authentication
2. Certificate based
3. Smart card based authentication

Similarly, SSL provides a secure channel, but after that a separate VLAN is
used for VM migration traffic. If we use IPsec then we can achieve the same
goal at the network layer to hide all communication of VM migration.

Regards
Naveed

On Mon, Aug 26, 2013 at 2:44 AM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:

>  Arg, hit send too quick.
>
>  *likely these problems would require some managed migration "thing" that
> would temporarily open the network access, issue temporary auth keys and
> then initiate the migration between the 2 hypervisors. Is this in your
> scope, to make this thing??
>
>
> Sent from my really tiny device...
>
> On Aug 25, 2013, at 2:42 PM, "Joshua Harlow" <harlowja at yahoo-inc.com>
> wrote:
>
>   Hi,
>
>  I think it's a good idea, can u describe more what would be different,
> would there be a new auth and live migration mechanism?
>
>  I think one of the problems at least yahoo has is that live migration
> requires all ssh keys to be on all hypervisors since hypervisors (libvirtd)
> open up the connection to the hypervisor to be migrated to. This is
> obviously bad, as any hacker if they can get out of a vm now can start
> issuing these migration requests. Also at yahoo we don't allow hypervisors
> to communicate openly to each other, this is protected at the network
> level. Would u be working on solutions to these problems (likely involving
>
> Sent from my really tiny device...
>
> On Aug 25, 2013, at 6:33 AM, "Naveed Ahmad" <12msccsnahmad at seecs.edu.pk>
> wrote:
>
>
>  Thanks for replying, Joshua.
>
>  VM migration is the process used to migrate a VM from one physical server
> to another physical server for many reasons, like system maintenance,
> hardware failure.
>
>  The VM is an important element in the cloud as well, so we do the same in the cloud.
> The xen/kvm hypervisors used in OpenStack don't provide security in this
> process. I studied a few papers on it which are related to VM migration in the DC
> instead of the cloud. I have also seen a book on OpenStack security in which it is
> described that xen/kvm could not provide security but libvirt can be used
> with xen/kvm to secure this process.
>
>  Currently libvirt provides SSL for confidentiality of data between
> source and destination, and SASL for authentication. I want to add other
> authentication mechanisms to it, and in the end it would be added to the
> Dashboard of OpenStack so that administrators can use it easily. Access control
> is also part of this thesis.
>
>  Maybe you got my idea, Mr. Joshua Harlow; now please comment on it. Is
> it good or not? Your comment will help me to choose a good topic in cloud
> security.
>
>
>  Regards
>
> On Sun, Aug 25, 2013 at 4:17 AM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:
>
>> Is there any write up of what u want to do or is that not defined yet?
>>
>> If u can write up some information I think that would help others provide
>> feedback as well as help everyone (including yourself) see the goal to be
>> accomplished. It's hard to tell what the desired outcome is otherwise,
>> secure vm migration could mean a lot of things :)
>>
>> Sent from my really tiny device...
>>
>> On Aug 24, 2013, at 12:26 PM, "Naveed Ahmad" <12msccsnahmad at seecs.edu.pk>
>> wrote:
>>
>> > Hi all,
>> >
>> > I am doing a thesis in the cloud computing security domain. I selected to
>> > secure the VM migration process in OpenStack.
>> > Please let me know about this idea. I have done some initial work on
>> > it. I need comments from you people, which will be helpful for me.
>> >
>> > Thanks and Regards
>> >
>> > _______________________________________________
>> > OpenStack-dev mailing list
>> > OpenStack-dev at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
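
As an added illustration (not part of the original thread and not OpenStack or libvirt code), the sketch below classifies the authentication level of the libvirtd remote listeners that a migration connects to, along the levels discussed in this thread (none, certificate, certificate plus SASL). It assumes the libvirtd.conf key names and defaults given in libvirt's documentation and that libvirtd is started in listening mode; the sample configurations and the host name are constructed.

```python
# Added example: audit libvirtd.conf text for listener authentication level.
# Assumed defaults (from libvirt's libvirtd.conf documentation).
DEFAULTS = {"listen_tls": "1", "listen_tcp": "0", "auth_tcp": "sasl",
            "auth_tls": "none", "tls_no_verify_certificate": "0"}

def parse_conf(text):
    """Read 'key = value' lines; '#' starts a comment; scalar quotes are stripped."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip():
            conf[key.strip()] = value.strip().strip('"')
    return conf

def listener_auth_levels(text):
    """Return {transport: level} for every listener the configuration enables."""
    c = parse_conf(text)
    levels = {}
    if c["listen_tcp"] == "1":
        # Plain TCP: either wide open, or SASL with no TLS underneath.
        levels["tcp"] = "none" if c["auth_tcp"] == "none" else "sasl-without-tls"
    if c["listen_tls"] == "1":
        if c["tls_no_verify_certificate"] == "1":
            levels["tls"] = "encrypted-unauthenticated"
        elif c["auth_tls"] == "sasl":
            levels["tls"] = "certificate+sasl"
        elif "tls_allowed_dn_list" in c:
            levels["tls"] = "certificate-dn-allowlist"
        else:
            # Every host holding a certificate from the CA may connect,
            # i.e. each hypervisor trusts all the others.
            levels["tls"] = "any-ca-signed-certificate"
    return levels

# Constructed sample configurations.
WEAK = 'listen_tls = 0\nlisten_tcp = 1\nauth_tcp = "none"\n'
DN_ONLY = 'listen_tls = 1\ntls_allowed_dn_list = ["CN=hv01.example.test"]\n'
HARDENED = DN_ONLY + 'auth_tls = "sasl"  # SASL on top of client certificates\n'

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("dn-only", DN_ONLY), ("hardened", HARDENED)):
        print(name, listener_auth_levels(sample))
```
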