VDE: Virtual Distributed Ethernet

Renzo Davoli∗, Department of Computer Science, University of Bologna, Italy. Email: [email protected]

Abstract

The idea of VDE is very effective but straightforward: it is simple and can be applied in a great many configurations to provide several services. It is a sort of Swiss army knife of emulated networks. It can be used as a general Virtual Private Network as well as a support technology for mobility, a tool for network testing, a general reconfigurable overlay network, a layer for implementing privacy-preserving technologies, and many others. A prototype VDE has been implemented and released as Free Software under the GPL licence [11].

1 Introduction

The acronym VDE is self-explaining: it is a Virtual network because it is built completely in software, it is Distributed as parts of the same network can run on different physical (real) computers, and it is an Ethernet as the entire virtual software structure is able to forward, dispatch and route plain Ethernet packets.

The main features of VDE are the following:

• VDE is Ethernet compliant.
• VDE is general: it is a virtual infrastructure that gives connectivity to several kinds of software components: emulators/virtual machines, real operating systems and other connectivity tools.
• VDE is distributed.
• VDE does not specifically need administration privileges to run.

Virtual Ethernet network facilities have been implemented as a complementary feature of some emulation or virtual machine software (e.g. [17], [14, 15], [22]). This feature permits the concurrent execution and communication of several virtual or emulated machines through an emulated network. These tools however fail in generality and distribution: in generality, as they are tailored to one single kind of virtual or emulated machine; in distribution, as everything (emulated machines and the network itself) must reside and run on the same real computer.

It is possible to create a completely virtual/emulated networking space by using VDE together with virtual machines on a set of real (hardware-based, physical) computers connected by a real network. This second layer of virtuality has also been named Virtual Square [12]. Square has here the double meaning of squared (i.e. raised to the second power) and of a virtual place where machines and humans can meet.

The remainder of the paper is organized as follows. Section 2 presents the structure and the component entities of a VDE; Section 3 explains some examples of VDE applications. A section about Related Work and a section with final remarks and future work complete the paper.

∗ This work was partially supported by the WebMinds FIRB project of the Italian Ministry of University, Research and Education.

2 Structure of VDE

VDE has the same structure as a modern Ethernet network. The main components, in fact, are vde switches and vde cables.

• A vde switch is the virtual counterpart of a physical Ethernet switch (or hub). A switch has several ports where users can plug in computers, routers and other Ethernet-compliant equipment.
• It is also possible to interconnect two different switches by using a so-called cross-cable, plugging it from a port of one switch to a port of the other. VDE has the virtual counterpart of the crossed cable: a vde cable. It is a software tool able to interconnect two vde switches.

With VDE it is also possible to integrate real computers in the emulated network. When a real computer is connected to a VDE, a virtual interface (based on tuntap) is visible from the host. This virtual interface appears exactly as if it were a hardware interface and behaves as a physical Ethernet interface. This operation however changes the network behaviour of the host computer and thus needs administrative privileges to be completed.

Figure 1. A simple application of VDE. [Diagram: two panels, "Virtual Once World" and "Virtual Square World". Left: a Debian/i386 computer running Application 1 (Mozilla) and Application 2 (ssh), and a Mandrake computer, each with an eth0 attached to an Ethernet switch. Right: on a single Computer A, QEMU running Debian/i386 and User-Mode Linux running Mandrake, each with a virtual eth0 attached to a VDE_SWITCH.]

Currently VDE supports User-Mode Linux virtual machines, Qemu, Bochs and MPS.

• User-Mode Linux [14, 15] is a project that realizes a complete system virtualization through system call trapping. It has been released as a set of patches for the Linux kernel that define a new virtual "um" hardware architecture. A kernel for the "um" architecture is just an executable for the host computer that includes the I/O virtualization routines as well as the kernel itself. It runs at user level. It does not require specific kernel support in the host machine, but there is a patch named skas mode for the 2.4 version of Linux that increases UML security and performance (it reduces the number of threads and keeps the address space of the emulated kernel inaccessible to the emulated tasks). The support for skas mode should be included in vanilla Linux 2.6.

• Qemu [10]. Quoting its author's web site: Qemu is a FAST! processor emulator using dynamic translation to achieve good emulation speed. Qemu is able to run just as a processor emulator or as a complete system virtualizer. It is possible to run executables compiled for different processor architectures in a Linux environment, or to start a virtual machine and boot an entire operating system. It runs on a number of different hardware architectures; it is currently able to run i386, ppc, arm and sparc executables and provides virtual machines emulating i386 and ppc based architectures. This project is very active: new ports and features are announced on a daily basis. It runs completely at user level and virtualizes the processor architecture completely.

• Bochs [19] is a historical virtual machine. It runs on several host architectures (supported host OS: Linux, MacOS 9/X, Windows), where it is able to create a complete system virtualization of an i386 architecture. It relies on standard emulation techniques, thus it is quite slow when compared to modern virtual machines. It runs completely at user level and virtualizes the processor architecture completely.

• MPS and uMPS (micro MPS) [21] have been designed for educational purposes. Like Qemu and Bochs, MPS is a complete virtual system of a MIPS-based computer (user level, complete processor virtualization). It is a workbench for computer science students to run their experimental operating systems in a realistic, consistent virtual computer while stripping off unnecessary complexities.

A vde switch operates as a real switch: it is a fast bridge able to manage the dynamic association between hardware (MAC) addresses and ports. The switch learns from the headers of the packets exchanged on the network the mapping between each MAC address and the corresponding port. As a real switch, a vde switch implements the network traffic separation that leads to a higher aggregate bandwidth. The vde switch also implements ageing of the MAC-to-port mapping, to allow a graceful convergence to a new configuration when the topology changes. When two switches are interconnected by a vde cable, the switching algorithm forwards through the cable only the packets that have source and destination on opposite sides, as well as broadcast packets and packets sent to destinations not yet known. There is an option for the vde switch to use it as a hub. This latter option can be useful for debugging,
to plug in a network traffic analyzer, or for educational purposes, e.g. to show the security threats that can be mounted on hub-based networks.

Vde cables are composed of three software components:

• Two vde plugs, one at each end of the cable. A vde plug is a program that has been designed to be connected to a vde switch; it converts all the traffic to a standard stream connection.
• An interconnection tool, able to bidirectionally connect the streams of two vde plugs.

An interconnection tool can be a double pipe, i.e. a bidirectional extension of the standard Unix pipe used to interconnect commands. It is also possible to connect switches running on different host computers by the joint use of a double pipe and a standard remote execution tool like rsh (not secure) or ssh. Netcat is another well known program that can be used as an interconnection tool.

There is also a Slirp tool for VDE. Slirp is a tool by Danny Gasparovski dating back to 1995. At that time Internet providers offered two different kinds of contract: a cheap remote terminal connection and an expensive PPP/SLIP service. Slirp was able to convert a terminal line into PPP/SLIP access for client applications. Slirp runs completely at user level: whenever a client application tries to open a new network connection, slirp catches the connect request. Slirp performs the connect on behalf of the internal application and then forwards all the packets. From the point of view of the Internet (and of the host computer operating system) it is as if all the connections were initiated by slirp itself. It supports TCP on IPv4; an extension to IPv6 is under development. The VDE slirp tool also has a DHCP server, so that a VDE network with slirp behaves as an IPv4 masqueraded network.

3 Detailed examples: applications of VDE

As stated in the abstract, VDE can have several applications. In this section we go through some examples and analyze which classes of common problems can be solved by using VDE.

Figure 1 shows the simplest usage of a VDE: one or several local virtual machines can be interconnected by the virtual network. In the example, the ssh client running as an application on the Debian Linux O.S. in the Qemu virtual machine can open a session to the Mandrake Linux machine running as a User-Mode Linux virtual machine. It is possible to run several vde switches on the same computer: each vde switch has a Unix socket as its identifier and as the channel used to communicate with the switch. It is also possible for several users to join the same virtual network; conversely, a single user can keep different virtual networks running. Permission to access a specific network is granted or revoked by setting the permissions of the access socket (as if it were a standard Unix file). This network structure can be used in computer science education: students can run their virtual machines as administrators and test services using other virtual machines [13]. This configuration has no impact on the overall network security, as the virtual network and the real network are not interconnected. As a consequence it can be used to test malicious software in a confined environment. This configuration can be completely set up by ordinary users of the host computer.

Figure 2. A VDE routed to the host. [Diagram: as Figure 1, but the VDE_SWITCH is also attached to a tap0 interface of Computer A, where standard Linux IP routing, firewalling, DHCP etc. apply; creating tap0 needs root privileges.]

The second example (see Fig. 2) is a slight variation of the first. The virtual network infrastructure is connected to the host operating system through the tuntap support. The host computer is then logically connected to the VDE as if it had a physical interface on a real Ethernet. All the methods used for routing, bridging, firewalling, packet filtering and shaping can be applied to this configuration. It is possible to configure the host just as a packet forwarder (packet routing), or as an IPv4 NAT/masquerading [6] firewall with DHCP support [16], or as an IPv6 router with network autoconfiguration [9]. All the tools that can be installed on a real boundary machine of an internal network, like DNS forwarders, service proxies, mail agents etc., can be installed on the host machine. The VDE is interconnected to the Internet (or the external network) as if it were a standard real Ethernet. Obviously all the installation and management of the network tools and virtual interfaces on the host operating system need administration privileges (root access). This configuration can be used to connect virtual machines to a real network, putting in place all the security structures needed. It is possible to test network install or upgrade procedures for operating systems or applications and debug them with no need of real hardware reboots. Disk images or Copy-On-Write techniques can be used to return to a previous checkpoint of the emulated system status in case of failures.

Figure 3. A VDE with remote clients. [Diagram: User-Mode Linux running Mandrake on Computer A and QEMU running Debian/i386 on Computer B, each attached to a local VDE_SWITCH; the two switches are joined across the Internet by a vde cable (two VDE_PLUGs), the counterpart of a crossed cable between two Ethernet switches.]

Figure 3 shows the usage of a vde cable. This is similar to the first example: the network topology is perceived in the same manner by the users of the two virtual machines. A user of the Debian Linux system running on the Qemu emulator opens a connection to the User-Mode Linux Mandrake system. The two virtual machines operate as if they were on the same Ethernet local area network. With this configuration it is possible to run distributed system emulations on a cluster of workstations, or to join and test the services running on a remote virtual network using a local virtual machine. A vde cable can also be established between two vde switches running on the same host computer. This configuration can be used to interconnect clusters of virtual computers and reduce the load on a single switch (if the pattern of traffic is consistent with the virtual topology). It can also be used to test the reliability of applications in case of network partitioning: in fact, starting and stopping the vde cable simulates a network partition. It is simple to create interconnection tools for the vde cable able to simulate packet dropping, delays and other network behaviours that are very useful for tests.

The scenario depicted in Figure 4 is the same as Fig. 3, but with the interconnection to the host operating system and therefore the possibility of routing virtual network traffic to the Internet. This network configuration has been used at the School of Computer Science in Bologna to teach Operating System administration.

Each student can run her virtual machine on a workstation in the computer laboratory as well as on her own personal computer or laptop and, through a single switch connected to the Internet, she uses her virtual machine as if it were a real computer on the network. It is also possible to keep a virtual machine running at the Department and then to join the virtual network from home to test the services provided, as well as to practice remote administration. A class of students can manage a virtual network as if they were
real system administrators of a cluster of computers, each one providing different services (DNS, Mail, Web, NTP, News etc.). We give students a direct Internet connection for their virtual machines, with packet filtering for security and confidentiality.

Figure 4. A VDE with remote clients routed to the Internet. [Diagram: as Figure 3, with the VDE_SWITCH on Computer A also attached to a tap0 interface and the host OS routing traffic to the Internet; needs root privileges on Computer A.]

Remote connection openings and closings are logged for security: it is possible to find the mapping between the real IP address on the Internet of the remote computer and the set of virtual IPv4 and IPv6 addresses used, and the mapping between IP addresses (virtual and real) and the username that was authenticated to allow the connection.

Figure 5. A VDE used as a general tunneling tool. [Diagram: no virtual machines. Computer A and Computer B each run a VDE_SWITCH attached to a local tap0 (root privileges needed); the switches are joined across the Internet by a vde cable (VDE_PLUGs). Computer A does host OS routing to the Internet; Computer B has its default route on tap0 and runs Application 2, an IMAP mail client.]

The example shown in Fig. 5 does not make use of virtual machines: VDE is used here as a general tunneling tool for real computers. There are two vde switches running on two different computers. Both vde switches are connected to a local tap interface. Computer A has been configured to be a network router/firewall as in the previous examples. Computer B has its default route through its tap interface, toward the IP address of the tap interface of Computer A. (A fixed route to Computer A on eth0, or a policy routing definition, is needed so that the interconnection tool of the vde cable does not itself use the default route.) In this way all the applications on Computer B use VDE instead of the real network, regardless of the protocol used. This configuration has a number of possible usages.

• VPN: the user has her own connectivity. If the connectivity tool is encrypted (e.g. ssh), all the network traffic is encrypted.

• Mobility: the user can terminate a vde cable and start a new one. Nothing changes in the virtual network; if the two actions are not simultaneous some packets may get dropped, but the data-link network topology does not change. It has the same effect as moving a crossed cable between two real switches. There is no need for IP reconfiguration and transport-level connections (e.g. TCP) do not drop. The new vde cable can pass through a real network interface with a different IP address, because it is connected to a different local area network, or even use a completely different interface, maybe based on a different technology. For example the traffic can be moved from a cabled Ethernet to 802.11, to a serial PPP link or to a GPRS/UMTS mobile service. These intra- or inter-technology hand-offs do not affect the virtual network topology, thus the user experiences only a difference in performance, not in connectivity. The vde switch software allows the temporary presence of several cables between a pair of switches by setting a specific option. This can lead to duplicate packets, but avoids the temporary disconnections during hand-offs.

• Privacy: it is possible to change the real IP address and, if the virtual network has several distributed switches, it is also possible to change the IP address of the corresponding host. This makes the pattern of traffic less trackable by external spying software. It is possible to use dynamically changing addresses as in [8] or as proposed in [7].

• Unsupported protocol or family of protocols in the real infrastructure. With VDE it is possible to use protocols that are unsupported on the physical network in use. This is the case, for example, of the use of IPv6 with a provider that does not support that family of protocols, or of the use of non-routable LAN protocols between geographically distributed systems.

Several vde cables for several remote tunnel services can work at the same time. Computer A can be seen as a tunnel broker [1] just by using VDE.

The last example of this set (see Fig. 6) has a single difference from the one shown in Fig. 4: the use of slirpvde instead of the tuntap interface. Slirpvde runs with user permissions, thus root access is not needed to interface the virtual network to the real network at Computer A. All the network connections originated by applications inside the virtual network with a destination outside are regenerated by the slirpvde program, as if they were all genuine connections initiated by slirpvde itself. All the internal nodes (virtual or real computers) are then interconnected to the Internet as if they were on a NAT/masqueraded LAN. All client applications work normally; there is currently no support for servers through port forwarding. In any case it would be an indirect support: servers would appear on the Internet as hosted by the computer running slirpvde (Computer A in the figure) at a specified port, and slirp would have to forward the requests to an internal node. Slirp currently supports IPv4 only.

4 Related Work

Several tools exist that are able to cover part of the features of VDE. The Point-to-Point Tunneling Protocol (PPTP) [4] and the Layer 2 Tunneling Protocol (L2TP) [2] are both data-link tunneling protocols. Both emulate a point-to-point connection able to run PPP. PPTP has internal security features, while L2TP needs IPsec to create secure channels. These protocols and tools have not been designed for distributed networks but just as point-to-point connections for VPNs. There are many examples of tools for IP tunneling like OpenVPN [23], Zebedee [24] and IPsec [3], e.g. the FreeS/WAN [5] implementation. These tools are tailored to IP and thus less general with respect to VDE. Virtual Tunnel (VTun) [18] and Virtual Private Ethernet (VPE) [20] have more similarities with VDE: in fact VTun and VPE can create data-link, Ethernet-compliant tunnels. All the tools listed here are interfaced to the tuntap kernel driver and thus always need root access for their installation. Moreover, they have been designed for real operating systems and do not interface virtual machines.
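The switching behaviour attributed to the vde switch in Section 2 (MAC learning, ageing, hub mode, and the rule that only traffic bound for the other side crosses a vde cable) and the network partition obtained in Section 3 by stopping the cable can be made concrete with a small model. The following is an added example written for this edition, not code from the VDE project: a learning switch in plain Python with two instances joined by a simulated cable. Station names, MAC addresses, port numbers and the 300-second ageing limit are assumptions; what it shows is why a hub (or a freshly aged-out entry) exposes unicast traffic to a third port while a learning switch does not.

```python
"""Added example (not code from the VDE project): a model of the
learning-switch behaviour described for vde_switch.  MAC addresses,
port numbers and the ageing limit are assumed values."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Switch:
    name: str
    hub_mode: bool = False
    age_limit: int = 300                       # seconds a learned MAC stays valid (assumed)
    table: dict = field(default_factory=dict)  # MAC -> (port, time last seen)
    ports: dict = field(default_factory=dict)  # port -> callable(port, frame, now)

    def plug(self, port, handler):
        self.ports[port] = handler

    def unplug(self, port):
        # Like moving a cable on a real switch: forget what was learned on that port.
        self.ports.pop(port, None)
        self.table = {m: v for m, v in self.table.items() if v[0] != port}

    def age_out(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.age_limit:
                del self.table[mac]

    def receive(self, in_port, frame, now):
        self.age_out(now)
        self.table[frame.src] = (in_port, now)          # learn source MAC on ingress port
        entry = self.table.get(frame.dst)
        if self.hub_mode or frame.dst == BROADCAST or entry is None:
            outs = [p for p in self.ports if p != in_port]   # flood to every other port
        else:
            outs = [entry[0]] if entry[0] != in_port else [] # forward to the learned port only
        for p in outs:
            self.ports[p](p, frame, now)


H1, H2, H3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def run_scenario():
    """Return, per step, the sorted names of the stations that saw the frame."""
    a, b = Switch("A"), Switch("B")
    inbox = {"h1": [], "h2": [], "sniffer": [], "h3": []}

    def station(name):
        return lambda port, fr, now: inbox[name].append(fr.payload)

    a.plug(1, station("h1")); a.plug(2, station("h2")); a.plug(3, station("sniffer"))
    b.plug(1, station("h3"))
    # the vde cable: port 9 of A is wired to port 9 of B and vice versa
    a.plug(9, lambda p, fr, now: b.receive(9, fr, now))
    b.plug(9, lambda p, fr, now: a.receive(9, fr, now))

    def send(sw, port, src, dst, payload, now):
        for v in inbox.values():
            v.clear()
        sw.receive(port, Frame(src, dst, payload), now)
        return sorted(n for n, v in inbox.items() if v)

    seen = {}
    seen["unknown dst is flooded"] = send(a, 1, H1, H2, "hello", 0)
    seen["reply reaches only h1"] = send(a, 2, H2, H1, "hi", 1)
    seen["learned unicast is isolated"] = send(a, 1, H1, H2, "secret", 2)
    a.hub_mode = True
    seen["hub mode exposes unicast"] = send(a, 1, H1, H2, "secret", 3)
    a.hub_mode = False
    seen["remote dst flooded over cable"] = send(a, 1, H1, H3, "ping", 4)
    seen["cable-side reply"] = send(b, 1, H3, H1, "pong", 5)
    seen["remote unicast uses cable only"] = send(a, 1, H1, H3, "ping2", 6)
    a.unplug(9); b.unplug(9)                 # stop the cable: a network partition
    seen["partition: h3 unreachable"] = send(a, 1, H1, H3, "lost", 7)
    seen["aged entry is flooded again"] = send(a, 1, H1, H2, "late", 7 + 301)
    return seen


if __name__ == "__main__":
    for step, who in run_scenario().items():
        print(f"{step:32s} -> {who}")
```

Two points for a practitioner follow from the trace. The "sniffer" station sees the unicast "secret" only in hub mode or right after the MAC table has aged out, which is the threat the paper suggests demonstrating on hub-based networks, and it is also the window in which a real switch floods. Across the cable, the model does not need a special rule: once B's station has spoken, A learns it on the cable port, so later unicast to it takes the cable only, and unplugging the cable partitions the two sides exactly as Section 3 describes. A second cable between the same pair of switches is deliberately not modelled; with no loop detection (see Section 5) flooding would recirculate forever.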

Figure 6. A VDE with remote clients and slirpvde. [Diagram: as Figure 4, but on Computer A the VDE_SWITCH is attached to SLIRPVDE, which presents the VDE as a NAT (masqueraded) subnet, instead of to a tap0 interface.]
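The masquerading that Sections 2 and 3 describe for slirp and slirpvde (connections from inside the VDE re-originated from the host's own address, replies mapped back, no servers without port forwarding) is the behaviour of a connection-tracking NAT. The following added example models it; it is not slirpvde's code, and the addresses (RFC 5737 documentation ranges) and ports are constructed. It shows why two internal hosts using the same source port never collide, and why an unsolicited inbound connection, or a reply from the wrong peer, is simply dropped.

```python
"""Added example (not slirpvde's code): a model of the IPv4 masquerading
that slirpvde performs for a VDE.  Addresses and ports are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """Just the TCP/IP fields the translation needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}    # public port -> (in_ip, in_port, dst_ip, dst_port)

    def outbound(self, seg: Segment) -> Segment:
        """Re-originate an internal connection from the public address."""
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        port = self.outbound_map.get(key)
        if port is None:
            # one fresh public port per internal connection, so two internal
            # hosts using the same ephemeral port never collide
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return Segment(self.public_ip, port, seg.dst_ip, seg.dst_port)

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Map a reply back to the internal host; drop anything unsolicited."""
        key = self.inbound_map.get(seg.dst_port)
        if key is None or (seg.src_ip, seg.src_port) != (key[2], key[3]):
            return None          # no matching outbound connection: not forwarded
        return Segment(seg.src_ip, seg.src_port, key[0], key[1])


PUBLIC = "198.51.100.7"          # the host running slirpvde, as seen from outside
WEB = ("203.0.113.10", 80)       # some external server (constructed)


def demo():
    nat = Masquerader(PUBLIC)
    # two internal hosts happen to pick the same ephemeral source port
    a_out = nat.outbound(Segment("10.0.2.15", 5001, *WEB))
    b_out = nat.outbound(Segment("10.0.2.16", 5001, *WEB))
    # the server answers the public address on the translated ports
    a_back = nat.inbound(Segment(*WEB, PUBLIC, a_out.src_port))
    b_back = nat.inbound(Segment(*WEB, PUBLIC, b_out.src_port))
    # someone on the Internet tries to reach an ssh server inside the VDE
    probe = nat.inbound(Segment("192.0.2.50", 51000, PUBLIC, 22))
    # a packet for a mapped port, but from a peer the mapping was not made for
    spoof = nat.inbound(Segment("192.0.2.50", 80, PUBLIC, a_out.src_port))
    return {"a_out": a_out, "b_out": b_out, "a_back": a_back,
            "b_back": b_back, "probe": probe, "spoof": spoof}


if __name__ == "__main__":
    for name, seg in demo().items():
        print(f"{name:7s} {seg}")
```

The `probe` case is the paper's "no support for servers" limitation seen from the outside: with nothing in the table for port 22, the host running slirpvde never hands the connection to an internal node, so the virtual network is reachable only for connections it opened itself. Port forwarding, as the paper notes, would have to add such table entries by hand.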

5 Conclusions and future work

VDE is a multipurpose tool able to give a simple and generalized solution for a wide area of applications. The VDE project is not complete; several other features are being designed or are under development. The vde switch does not currently support loop detection and management. Real Ethernet networks implement the Spanning Tree Protocol; a different approach is under study in order to avoid unproductive network traffic. The vde switch currently does not manage multicast (all multicast packets are processed as broadcast). A better implementation, able to deal also with IPv6 multicasting methods, is under development. A tool named Ale4NET (application level for networking) has already been implemented and is now available in alpha version. Ale4NET is a network-only virtual machine: with a simple configuration, one or several applications on the host computer can use virtual networks instead of the real host machine network, while running on the real processor and using the real operating system services of the host computer.

6 Acknowledgements

The code for the vde switch is based on the User-Mode Linux networking tool by Yon Uriarte and Jeff Dike. I wish to thank Dr. Nicola Mezzetti for his useful suggestions for the related work section.

References

[1] RFC 3053: IPv6 Tunnel Broker. IETF, 2001.
[2] W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter. RFC 2661: Layer Two Tunneling Protocol "L2TP". IETF, 1999.
[3] S. Kent, R. Atkinson. RFC 2401: Security Architecture for the Internet Protocol. IETF, 1998.
[4] K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, G. Zorn. Point-to-Point Tunneling Protocol (PPTP). Internet draft, IETF, July 1997.
[5] J. Gilmore, H. Daniel, M. Richardson, R. G. Briggs, H. Redelmeier, C. Schmeing, S. Sgro, J. Ioannidis, A. D. Keromytis, H. Spencer, S. Harris. FreeS/WAN project web site.
[6] K. Egevang, P. Francis. RFC 1631: The IP Network Address Translator (NAT). IETF, 1994.
[7] M. T., R. Davoli. User untraceability in next-generation Internet: a proposal. In IASTED, editor, Proceedings of Communication and Computer Networks 2002 (CCN 2002), pages 177-182, November 2002.
[8] T. Narten, R. Draves. RFC 3041: Privacy Extensions for Stateless Address Autoconfiguration in IPv6. IETF, 2001.
[9] S. Thomson, T. Narten. RFC 2462: IPv6 Stateless Address Autoconfiguration. IETF, 1998.
[10] F. Bellard. QEMU project home page. http://fabrice.bellard.free.fr/qemu/
[11] R. Davoli. VDE project home page. http://vde.sourceforge.net
[12] R. Davoli. Virtual Square home page. http://www.virtualsquare.org/
[13] R. Davoli. Teaching operating systems administration with User Mode Linux. In Proceedings of the 9th Annual Conference on Innovation and Technology in Computer Science Education (ITiCSE 2004), Leeds, UK. ACM, June 2004.
[14] J. Dike. User-mode Linux. In Proc. of the 2001 Ottawa Linux Symposium (OLS), Ottawa, 2001.
[15] J. Dike. Making Linux safe for virtual machines. In Proc. of the 2002 Ottawa Linux Symposium (OLS), Ottawa, 2002.
[16] R. Droms. RFC 2131: Dynamic Host Configuration Protocol. IETF, 1997.
[17] Microsoft (formerly Connectix). Virtual PC (proprietary product). http://www.microsoft.com/windowsxp/virtualpc/
[18] M. Krasnyansky. Virtual Tunnel: VTun (web site). http://vtun.sourceforge.net
[19] K. Lawton. Bochs project home page. http://bochs.sourceforge.net
[20] M. A. Lehmann. Virtual Private Ethernet (VPE) web site. http://savannah.gnu.org/projects/gvpe
[21] M. Morsiani, R. Davoli. Learning operating system structure and implementation through the MPS computer system simulator. In Proceedings of the 30th SIGCSE Technical Symposium on Computer Science Education, pages 63-67, New Orleans, 1999.
[22] VMware Inc. http://www.vmware.com/
[23] J. Yonan. OpenVPN project web site. http://openvpn.sourceforge.net
[24] Zebedee web site. http://www.winton.org.uk/zebedee/