VXLAN Security or Injection, and protection

This talk is about the VXLAN encapsulation protocol and the problems that arise when it is not protected. The talk uses Scapy examples, as well as modifications to existing tools, to present attack scenarios: spoofed Layer 3 IP packets being decapsulated into Layer 2 switched VLAN frames, and the resulting problems.

VXLAN is an encapsulation protocol that is becoming more popular with cloud deployments. This talk is a reminder that VXLAN encapsulation by itself has no security features (no authentication or integrity protection of the outer packet), so networks must be protected by other means. The seriousness is underlined with examples of injection and firewall circumvention, including packet injection code examples with data and numbers from real-life experiments. I have done various experiments to allow injections, scanning and firewall openings using VXLAN-encapsulated packets.

Additionally, we have modified hping3, Suricata and other tools to allow their use in VXLAN scenarios.

An older version of this talk, shown at BornHack 2018, can be seen at https://github.com/kramse/security-courses/tree/master/presentations/network/vxlan-bornhack-2018

A version will also be shown at the RIPE77 conference with RIPE NCC.

New to be added in the TR19 version:

* more detection mechanisms, covering how to discover, actively or passively, whether VXLAN is used in your networks
* blueprints for "secure deployment" of VXLAN across the internet
* further tool modifications, both to existing tools and to new tools being developed
* statistics and experiences from more networks
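
As an added illustration of the passive detection point above (example code written for this page, not the speaker's tooling), the following parses the 8-byte VXLAN header and inner Ethernet header from a UDP/4789 payload and flags VXLAN traffic arriving from any outer source IP outside an assumed allow-list of trusted VTEP networks. The sample datagram and the `10.0.0.0/24` VTEP range are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

VXLAN_PORT = 4789      # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_FLAG_I = 0x08    # "I" bit: the VNI field is valid
ETH_HDR_LEN = 14

def parse_vxlan(udp_payload):
    """Parse the VXLAN header (flags, 24-bit VNI) and the inner Ethernet header.
    Raises ValueError if the payload is too short or the I flag is unset."""
    if len(udp_payload) < 8 + ETH_HDR_LEN:
        raise ValueError("too short for VXLAN header + inner Ethernet")
    flags, vni_and_reserved = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", udp_payload[8:8 + ETH_HDR_LEN])
    def mac(raw):
        return ":".join(f"{b:02x}" for b in raw)
    return {"vni": vni_and_reserved >> 8, "flags": flags, "inner_dst": mac(dst_mac),
            "inner_src": mac(src_mac), "ethertype": ethertype}

def classify(outer_src_ip, udp_dport, udp_payload, trusted_vteps):
    """Passive check for one observed UDP datagram.
    trusted_vteps: CIDR strings for the VTEPs allowed to send VXLAN (assumed policy).
    Returns "not-vxlan", "malformed", "untrusted-vtep" or "ok"."""
    if udp_dport != VXLAN_PORT:
        return "not-vxlan"
    try:
        parse_vxlan(udp_payload)
    except ValueError:
        return "malformed"
    src = ip_address(outer_src_ip)
    if not any(src in ip_network(net) for net in trusted_vteps):
        return "untrusted-vtep"   # outer source is not a known VTEP: investigate
    return "ok"

def sample_vxlan_payload(vni, flags=VXLAN_FLAG_I):
    """Constructed test datagram: VXLAN header + minimal inner Ethernet/ARP frame."""
    header = struct.pack("!B3xI", flags, vni << 8)          # VNI occupies the top 24 bits
    inner = struct.pack("!6s6sH", b"\xff" * 6, bytes.fromhex("0200c0a80105"), 0x0806)
    return header + inner + b"\x00" * 28                    # ARP body zero-filled

if __name__ == "__main__":
    trusted = ["10.0.0.0/24"]
    for ip in ("10.0.0.7", "203.0.113.9"):
        print(ip, classify(ip, VXLAN_PORT, sample_vxlan_payload(5001), trusted))
```

In a real deployment the same check would be fed from a packet capture or a Suricata/Zeek-style sensor, and the "untrusted-vtep" verdict is the signal that spoofed outer packets could be reaching a VTEP for decapsulation.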

About the Speaker