Secure network virtualisation with user-centric clouds Fernando M. V. Ramos Assistant Professor


Presentation Transcript


  1. Secure network virtualisation with user-centric clouds. Fernando M. V. Ramos, Assistant Professor

  2. Claim #1: You use cloud services every day

  3. Claim #2: With a good probability, on 28 February 2017 your favourite app stopped working for a few hours

  4. The Internet, 28 February 2017

  5. An isolated example?

  6. Guess what? It can get worse

  7. A good explanation for the problem

  8. Our proposed solution: User-centric clouds

  9. High-level view: user-centric cloud

  10. Motivation for user-centric clouds

  11. Scalability Scale out the infrastructure to accommodate growth

  12. Performance Bring the infrastructure closer to the customers

  13. Security More options to secure your infrastructure

  14. Dependability

  15. Dependability Cloud replication for fault-tolerance

  16. Secure network virtualisation with user-centric clouds

  17. Virtualisation has revolutionized computing
     • Completely changed the way resources are managed
     • Is this true for networking?
     • Many virtualisation primitives (VLAN, NAT, MPLS, etc.) but no network virtualisation per se
     • Result:
        • Network provisioning is slow
        • Mobility is limited
        • …

  18. Game changer: Software-Defined Networking [figure: traditional networking vs. SDN]
     • SDN
        • decoupling of networking planes
        • logical centralisation of control
        • network-wide visibility & direct control

  19. Result: network virtualisation
     • VMware NSX [Koponen2014]: a production-level, cloud-scale network virtualisation platform (Source: VMware)

  20. Characteristics of existing platforms
     • Provider-centric
        • Single operator, single provider
     • Networking services: traditional
        • Full virtualisation of topology, addressing and service models
        • Traditional services: flat L2, L3 routing, ACL filtering

  21. Our goal
     • User-centric
        • Public clouds + private datacenters
     • Networking services: traditional + security & dependability
        • Full virtualisation of topology, addressing and service models
        • Traditional services (flat L2, L3 routing, ACL filtering) + security & dependability of virtual resources

  22. Our solution: Sirius

  23. High-level view: user-centric cloud [figure: three user virtual networks, U-vNet 1, U-vNet 2 and U-vNet 3, managed by Sirius]

  24. Main challenges

  25. Main challenges
     #1 How to offer full network virtualisation across multiple cloud infrastructures?
     #2 How to guarantee isolation between virtual networks?
     #3 How to embed the user virtual network into the substrate infrastructure?
        • Taking into account the available resources and the user’s requirements (including security and dependability)

  26. Challenge #1: Full network virtualisation across clouds

  27. Sirius system architecture [figure: the U-vNets of User 1 … User N are managed by a U-Cloud Orchestrator, a Network Hypervisor and an SDN controller; VMs and containers on each cloud's hypervisors attach to OvS switches; clouds (Cloud provider 1, Cloud provider 2, private cloud) are joined through gateways over GRE tunnels and secure tunnels; the public cloud VM managers and the private datacenter VM manager are under user-centric management]

  28. Inter- and intra-cloud connections

  29. Challenge #2: Isolation between virtual networks

  30. Main isolation techniques
     • Tunneling
     • Edge-based address translation
     • ARP handling
     • Flow table isolation

  31. Edge-based address translation
     • Tenants’ hosts are uniquely identified
        • hostID = (vSwitchID, vPort)
     • Edge address translation
        • We have network-wide visibility and control
        • At the edge the host MAC is translated to an ephemeral MAC (eMAC) based on the hostID
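The translation step in Python, as an added example that is not code from the talk or from Sirius. The 48-bit eMAC layout (tenant id and hostID packed behind the locally-administered bit), the EdgeSwitch class and the dict-based frames are this example's own assumptions; it also assumes, in line with the ARP emulation on the next slide, that hosts already address their peers by eMAC, so only the source MAC is rewritten on ingress and the destination MAC on egress.

```python
"""Edge-based address translation (added example; not the Sirius code).

hostID = (vSwitchID, vPort) identifies a tenant host. At the edge switch the
host's real MAC is replaced by an ephemeral MAC (eMAC) derived from the
tenant and the hostID, so tenants whose hosts carry the same MAC never
collide in the substrate. The eMAC layout is an assumption of this example:
byte 0 = 0x02 (locally administered, unicast), bytes 1-2 = tenant id,
bytes 3-4 = vSwitchID, byte 5 = vPort.
"""

LOCAL_ADMIN_UNICAST = 0x02


def emac_from_host_id(tenant_id, vswitch_id, vport):
    """Pack tenant id and hostID into a locally-administered unicast MAC."""
    if not (0 <= tenant_id < 2 ** 16 and 0 <= vswitch_id < 2 ** 16 and 0 <= vport < 2 ** 8):
        raise ValueError("hostID field out of range for this eMAC layout")
    raw = (bytes([LOCAL_ADMIN_UNICAST]) + tenant_id.to_bytes(2, "big")
           + vswitch_id.to_bytes(2, "big") + bytes([vport]))
    return ":".join(f"{b:02x}" for b in raw)


def host_id_from_emac(emac):
    """Inverse of emac_from_host_id: returns (tenant_id, vswitch_id, vport)."""
    raw = bytes.fromhex(emac.replace(":", ""))
    if len(raw) != 6 or raw[0] != LOCAL_ADMIN_UNICAST:
        raise ValueError(f"{emac} is not an eMAC of this layout")
    return int.from_bytes(raw[1:3], "big"), int.from_bytes(raw[3:5], "big"), raw[5]


class EdgeSwitch:
    """Translation state of one virtual switch; frames are plain dicts."""

    def __init__(self, vswitch_id, tenant_of_port):
        self.vswitch_id = vswitch_id
        self.tenant_of_port = tenant_of_port  # vPort -> tenant id, pushed by the controller
        self.host_mac = {}                    # vPort -> real MAC of the attached host

    def attach(self, vport, mac):
        """Record the host's real MAC and return the eMAC the substrate will see."""
        self.host_mac[vport] = mac
        return emac_from_host_id(self.tenant_of_port[vport], self.vswitch_id, vport)

    def ingress(self, vport, frame):
        """Host -> substrate: rewrite the source MAC to the host's eMAC.
        The destination is already an eMAC (ARP emulation answers with eMACs)."""
        tenant = self.tenant_of_port[vport]
        return dict(frame, src=emac_from_host_id(tenant, self.vswitch_id, vport))

    def egress(self, frame):
        """Substrate -> host: restore the real destination MAC, or drop (None)
        when the frame is for another switch or crosses a tenant boundary."""
        src_tenant, _, _ = host_id_from_emac(frame["src"])
        dst_tenant, vsw, vport = host_id_from_emac(frame["dst"])
        if vsw != self.vswitch_id or src_tenant != dst_tenant:
            return None
        if self.tenant_of_port.get(vport) != dst_tenant or vport not in self.host_mac:
            return None
        return vport, dict(frame, dst=self.host_mac[vport])


def demo():
    """Constructed scenario: two tenants on switch 7 attach hosts with the same real MAC."""
    sw = EdgeSwitch(7, {1: 1, 2: 2, 3: 1})
    e1 = sw.attach(1, "aa:bb:cc:00:00:01")   # tenant 1
    e2 = sw.attach(2, "aa:bb:cc:00:00:01")   # tenant 2, colliding MAC
    e3 = sw.attach(3, "aa:bb:cc:00:00:03")   # tenant 1, second host
    same_tenant = sw.egress(sw.ingress(1, {"src": "aa:bb:cc:00:00:01", "dst": e3}))
    cross_tenant = sw.egress(sw.ingress(1, {"src": "aa:bb:cc:00:00:01", "dst": e2}))
    return {"emacs": (e1, e2, e3), "same_tenant": same_tenant, "cross_tenant": cross_tenant}


if __name__ == "__main__":
    print(demo())
```

Because the eMAC is derived from the tenant and the hostID rather than from the host's own MAC, the two colliding hosts get distinct substrate addresses, and the egress check can refuse a frame whose source and destination eMACs decode to different tenants without any per-flow state.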

  32. Other isolation techniques
     • ARP handling
        • We emulate ARP functionality as we want unmodified hosts to use our platform
     • Flow table isolation
        • Each tenant has a quota of forwarding table space per switch
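Both techniques on this slide rely on the controller's network-wide view, so one small model of the network hypervisor can show them together. This is an added example, not code from the talk or from Sirius: the NetworkHypervisor class, its host directory, the eMAC strings and the quota policy (a fixed number of entries per tenant per switch) are all constructed for illustration.

```python
"""ARP emulation and per-tenant flow-table quotas (added example; not Sirius code).

The network hypervisor knows which tenant host owns each IP and which eMAC it
carries, so it can answer ARP on the hosts' behalf instead of flooding (the
hosts stay unmodified) and police how many forwarding entries each tenant
holds per switch. Names and policy below are this example's own.
"""


class NetworkHypervisor:
    def __init__(self, quota_per_switch):
        self.quota = quota_per_switch  # max flow entries per (switch, tenant)
        self.hosts = {}                # (tenant, ip) -> eMAC; tenants may reuse IPs
        self.flows = {}                # (switch, tenant) -> set of installed rule ids

    def register_host(self, tenant, ip, emac):
        self.hosts[(tenant, ip)] = emac

    def handle_arp_request(self, tenant, target_ip):
        """Reply with the eMAC of the requesting tenant's own host for target_ip;
        None means the request is dropped rather than flooded."""
        return self.hosts.get((tenant, target_ip))

    def install_flow(self, switch, tenant, rule_id):
        """Admit a flow entry only while the tenant is under its quota on that
        switch; other tenants' quotas on the same switch are unaffected."""
        used = self.flows.setdefault((switch, tenant), set())
        if rule_id in used:
            return True           # re-install of an existing entry is idempotent
        if len(used) >= self.quota:
            return False          # quota exhausted: reject, never evict others
        used.add(rule_id)
        return True

    def remove_flow(self, switch, tenant, rule_id):
        self.flows.get((switch, tenant), set()).discard(rule_id)

    def usage(self, switch, tenant):
        return len(self.flows.get((switch, tenant), ()))


def demo():
    """Constructed scenario: two tenants both use 10.0.0.2; quota of 2 rules."""
    nh = NetworkHypervisor(quota_per_switch=2)
    nh.register_host(1, "10.0.0.2", "02:00:01:00:07:01")
    nh.register_host(2, "10.0.0.2", "02:00:02:00:07:02")
    arp = (nh.handle_arp_request(1, "10.0.0.2"),
           nh.handle_arp_request(2, "10.0.0.2"),
           nh.handle_arp_request(1, "10.0.0.9"))   # unknown host: no reply
    installs = [nh.install_flow("s1", 1, f"t1-rule{i}") for i in range(3)]
    other = nh.install_flow("s1", 2, "t2-rule0")     # tenant 2 is not starved
    nh.remove_flow("s1", 1, "t1-rule0")
    after_free = nh.install_flow("s1", 1, "t1-rule2")
    return {"arp": arp, "installs": installs, "other_tenant": other,
            "after_free": after_free, "usage": nh.usage("s1", 1)}


if __name__ == "__main__":
    print(demo())
```

The ARP reply is keyed by (tenant, IP), so overlapping address spaces resolve to each tenant's own host, and a tenant that fills its quota on a switch is refused further entries while a second tenant on the same switch still gets its installs accepted.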

  33. Challenge #3: Secure Virtual Network Embedding

  34. Virtual Network Embedding

  35. Secure Virtual Network Embedding
     • VNE: mapping each virtual network to specific nodes and links in the substrate network
     • The VNE problem is traditionally formulated with the objective of maximising network provider revenue, by minimising the cost of embedding VN requests
     • We include security into the VNE problem
        • To enable user-defined security

  36. User-defined security

  37. Our solution: We formulate the SecVNE problem and solve it as a Mixed Integer Linear Program (MILP). The novelty of the approach is in considering comprehensive security aspects over a user-centric cloud model

  38. SecVNE problem. Given a virtual network G_V with the requested resources and corresponding security requirements, and the substrate network G_S with the resources to serve incoming Virtual Network Requests, can G_V be mapped to G_S with the minimum use of resources while satisfying the following constraints?
     • Each virtual link is mapped to the substrate network meeting the bandwidth and security constraints, namely related to confidentiality, integrity and availability;
     • Each virtual node is mapped to the substrate network meeting the CPU capacity and security constraints, namely with regard to trusted executions and availability;
     • Each virtual node is mapped to a substrate node located in a cloud that covers its trust domain requirements.

  39. MILP formulation: objective function. Minimise the sum of all computing costs + the sum of all communication costs + the overall number of hops of the substrate paths for the virtual links

  40. MILP formulation: constraints
     • Typical
        • Link mapping for working traffic
        • Node and link capacity constraints
     • Security constraints
        • Node + link + cloud
     • Availability constraints
        • Link mapping for backup traffic
        • Virtual node mapping
        • Nodes and links disjointness
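To make the problem statement, the objective and the constraints of slides 38 to 40 concrete, here is an added worked example that is not code from the talk or from Sirius. Instead of a MILP solver it enumerates node mappings exhaustively, which is exact on a four-node substrate and lets the objective and each constraint be read directly. The substrate, the request, the cost units per cloud and the trust-domain table are constructed for this example; availability (backup paths and disjointness) is left out, and the greedy sharing of residual bandwidth between virtual links in request order is a simplification of the joint MILP.

```python
"""Exhaustive solver for a tiny SecVNE instance (added example; not Sirius code).

Sirius solves SecVNE as a MILP. Here brute-force search over node mappings
stands in for the solver so the objective (computing cost + communication
cost + hop count) and the node, link and cloud constraints can be watched
on concrete data. All values below are constructed for this example.
"""
from itertools import permutations

# Substrate nodes: name -> (CPU capacity, security level, cloud)
S_NODES = {"s1": (10, 2, "priv"), "s2": (8, 1, "pubA"),
           "s3": (6, 3, "pubB"), "s4": (10, 1, "pubA")}
# Substrate links (undirected): (u, v) -> (bandwidth, security level)
S_LINKS = {("s1", "s2"): (10, 1), ("s2", "s3"): (10, 1), ("s3", "s4"): (10, 3),
           ("s1", "s4"): (5, 1), ("s1", "s3"): (4, 3)}
CPU_COST = {"priv": 1, "pubA": 2, "pubB": 3}   # cost per CPU unit in each cloud
LINK_COST = 1                                   # cost per bandwidth unit per hop
# Trust domain -> clouds allowed to host a virtual node with that requirement
TRUST = {"any": {"priv", "pubA", "pubB"}, "eu-only": {"priv", "pubB"}, "own": {"priv"}}


def node_ok(vnode, snode, v_nodes):
    """CPU capacity, node security level and trust-domain constraints."""
    cpu, sec, domain = v_nodes[vnode]
    cap, level, cloud = S_NODES[snode]
    return cap >= cpu and level >= sec and cloud in TRUST[domain]


def link_key(u, v):
    return (u, v) if (u, v) in S_LINKS else (v, u)


def fewest_hops(src, dst, residual, bw, sec):
    """BFS over substrate links that still have `bw` spare and a security
    level >= `sec`; returns the node path or None if no such path exists."""
    adj = {}
    for (u, v), (_, level) in S_LINKS.items():
        if residual[(u, v)] >= bw and level >= sec:
            adj.setdefault(u, []).append(v)
            adj.setdefault(v, []).append(u)
    prev, queue = {src: None}, [src]
    while queue:
        n = queue.pop(0)
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in adj.get(n, []):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None


def embed(v_nodes, v_links):
    """Return (cost, node mapping, link paths) of the cheapest feasible
    embedding, or None when the request has to be rejected."""
    best = None
    for chosen in permutations(S_NODES, len(v_nodes)):   # one substrate node per virtual node
        mapping = dict(zip(v_nodes, chosen))
        if not all(node_ok(vn, sn, v_nodes) for vn, sn in mapping.items()):
            continue
        residual = {k: cap for k, (cap, _) in S_LINKS.items()}
        paths, hops, comm = {}, 0, 0
        for (a, b), (bw, sec) in v_links.items():          # greedy, in request order
            path = fewest_hops(mapping[a], mapping[b], residual, bw, sec)
            if path is None:
                break                                      # bandwidth or link security violated
            for u, v in zip(path, path[1:]):
                residual[link_key(u, v)] -= bw
            paths[(a, b)] = path
            hops += len(path) - 1
            comm += bw * LINK_COST * (len(path) - 1)
        else:
            comp = sum(v_nodes[vn][0] * CPU_COST[S_NODES[sn][2]] for vn, sn in mapping.items())
            cost = comp + comm + hops                       # objective of slide 39
            if best is None or cost < best[0]:
                best = (cost, mapping, paths)
    return best


# Constructed request: node -> (CPU demand, security requirement, trust domain)
V_NODES = {"a": (4, 2, "own"), "b": (3, 1, "any"), "c": (2, 3, "eu-only")}
# Virtual links: (a, b) -> (bandwidth demand, link security requirement)
V_LINKS = {("a", "b"): (3, 2), ("b", "c"): (2, 1)}

if __name__ == "__main__":
    print(embed(V_NODES, V_LINKS))
    # A request whose two nodes both insist on the private cloud cannot be served
    print(embed({"x": (1, 1, "own"), "y": (1, 1, "own")}, {}))
```

In the constructed instance the link security requirement of (a, b) rules out every level-1 substrate link, so the solver has to route that virtual link over the two-hop path through s3 and to place b on s4 rather than on the otherwise cheaper s2; the second request shows the acceptance-ratio effect from slide 41, where a stricter trust domain leaves no feasible mapping at all.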

  41. Main results
     • SecVNE performance without security requirements is similar to traditional algorithms
     • A richer set of features (namely, security and availability) decreases the acceptance ratio, increases the revenue, and increases cost
     • Key finding: by increasing the price of security services by a modest value, a u-centric cloud provider attains a profit

  42. Sirius in action

  43. Sirius in action

  44. Sirius in action

  45. Sirius in action

  46. Conclusions

  47. Conclusions
     • User-centric clouds offer several advantages over provider-centric clouds
        • Scalability, performance, security, dependability
     • Our platform Sirius extends network virtualization with security & dependability, by:
        • adopting a user-centric paradigm approach
        • leveraging from a multi-cloud substrate
        • following an SDN-based approach
        • enabling user-defined security & dependability

  48. Future

  49. Sirius.next()
     • Short-term
        • Improving SecVNE scalability: efficient heuristics
        • Virtual network migration: transparently, across clouds
     • Medium- to long-term
        • Programmable user-centric virtual networks
        • User-centric virtual network functions

  50. Thanks: Bruno Nunes, Alysson Bessani, José Soares, Rui Miguel, André Mantas, João Paulino, Nuno Neves, Luis Ferrolho, Diogo Pinto, Eric Vial, Túlio Ribeiro, Max Alaluna