1 / 34

VIOLIN : A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu

VIOLIN : A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu Lab FRIENDS (For Research In Emerging Network and Distributed Services) Department of Computer Sciences Center for Education and Research in Information Assurance and Security (CERIAS)

tmcnamee
Download Presentation

VIOLIN : A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. VIOLIN: A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu Lab FRIENDS (For Research In Emerging Network and Distributed Services) Department of Computer Sciences Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University

  2. The Team • Lab FRIENDS • Xuxian Jiang (Ph.D. student) • Paul Ruth (Ph.D. student) • Dongyan Xu (faculty) • Supported in part by NSF Middleware Initiative (NMI)

  3. Outline • Motivations and goals • Architecture of VIOLIN • Applications of VIOLIN • Network system emulation • Scientific computing • Honeyfarm (network attack aggregation) • On-going work

  4. Motivations • Formation of wide-area sharedcyber-infrastructure • Multiple domains • Heterogeneous platforms • Large number of users • Need for mutually isolated distributed environments • Customized system administration and configuration • Consistent and binary-compatible runtime support • Un-trusted or malfunctioning applications • Known vulnerabilities in SETI@Home, KaZaa, and Condor • Un-trusted network traffic control

  5. Potential Applications • Multi-institutional collaboratories • Large-scale distributed emulations • Cyber-systems • Real-world systems • Parallel/distributed scientific applications • Philanthropic (volunteer) computing services • Content distribution networks

  6. VM (Virtual Machine): a Solution? • Achieves single node isolation (SODA*) • Administration • Resource • Runtime services/libraries • Fault/attack impact • However, does not achieve network isolation • VMs addressable from/to any Internet hosts • Cannot control traffic volume between VMs • Cannot have overlapping address spaces * X. Jiang, D. Xu, “SODA: Service-on-Demand Architecture for Service Hosting Utility Platforms”, IEEE HPDC-12, 2003.

  7. VIOLIN: Proposed Solution • VIOLIN: A VN (Virtual Network) for VMs * • Independent IP address space • Invisible from Internet and vice versa • Un-tamperable topology and traffic control • Value-added network services (e.g., IP multicast) • Binary and IP compatible runtime environment * X. Jiang, D. Xu, “VIOLIN: Virtual Internetworking on OverLay INfrastructure”, Springer LNCS Vol. 3358 (ISPA 2004). *D. Xu, X. Jiang, “Towards an Integrated Multimedia Service Hosting Overlay”, ACM Multimedia 2004.

  8. Internet VIOLIN: the Big Picture Two mutually Isolated VIOLINs VM N M I N M I N M I NMI-based Grid infrastructure N M I N M I N M I N M I Physical infrastructure

  9. Key Ideas in VIOLIN • One level of indirection between VIOLIN and real Internet • “All problems in Computer Science can be solved by another level of indirection ” – Butler Lampson • A middleware-level underlay network serving as “intelligent carrier” of a VIOLIN • Traffic tunneling • Topology control • Traffic volume control • Traffic encryption • Network service virtualization

  10. App1 App2 Guest OS Guest OS … VIOLIN daemon Existing NMI Middleware Host OS VIOLIN Architecture VMs Physical host

  11. App1 App1 Guest OS Guest OS Virtual NIC Virtual NIC VIOLIN daemon VIOLIN daemon Host OS Host OS VIOLIN Architecture Between two VIOLIN nodes (VMs) 196.128.1.2 196.128.1.3 Message (e.g.,MPI) TCP, UDP, … IP Ethernet frame via UDP tunneling planetlab6.csail.mit.edu planetlab6.millennium.berkeley.edu

  12. VIOLIN Network Performance TCP throughput measurement on PlanetLab planetlab6.csail.mit.edu→planetlab6.millennium.berkeley.edu

  13. VIOLIN Network Performance ICMP latency measurement on PlanetLab planetlab6.csail.mit.edu→planetlab6.millennium.berkeley.edu

  14. Application I: Network System Emulation • vBET: an education toolkit for network emulation * • “Create your own IP network ” on a shared platform • IP address space and network topology • Routers, switches, firewalls, end-hosts, links • Real-world network software (OSPF, BGP…) • Strict confinement (network security experiments) • Flexible configuration • Not constrained by device/port availability • No manual cable re-wiring or hardware setup * X. Jiang, D. Xu, “vBET: a VM-Based Emulation Testbed”, ACM SIGCOMM Workshop on Models, Methods, and Tools for Reproducible Network Research (ACM MoMeTools), 2003

  15. vBET GUI

  16. Sample Emulation: OSPF Routing

  17. Emulation of OSPF Routing Demo video clip:

  18. Sample Emulation: Critical Server Protection

  19. Screenshot: Distributed Firewall

  20. Sample Emulation: Chord P2P Network

  21. Screenshot

  22. Sample Emulation: Internet Worms A worm playground Virtual Physical A shared infrastructure (e.g. PlanetLab) *X. Jiang, D. Xu, H. J. Wang, E. H. Spafford, “Virtual Playgrounds for Worm Behavior Investigation”, 8th International Symposium on Recent Advances in Intrusion Detection (RAID’05), 2005.

  23. Application II: Scientific Computing* • Virtual clusters leveraging idle CPU cycles • Long running parallel/distributed jobs • Complicated communication patterns between nodes (different from SETI@Home, Condor) • Runtime adaptation • Resource re-allocation • Migration/re-location • Scale adjustment *P. Ruth,X. Jiang, D. Xu, S. Goasguen, “Towards Virtual Distributed Environments in a Shared Infrastructure”, IEEE Computer, May 2005.

  24. Experiment Setup Two mutually isolated virtual clusters VM VS VS Physical Cluster (ITaP) Physical Switch

  25. VIOLIN vs. Physical Hosts (running HPL benchmark) • Physical host: dual processor 1.2 GHz Athlon, 1GBmemory • VM: running one per host, ≤512MB memory

  26. Multiple VIOLINs Sharing Physical Hosts(running HPL benchmark) • Aggregate performance remains stable (up to 16 VIOLINs) • In this example, 16 VIOLINs exhaust memory

  27. 5MB/s 6MB/s 6MB/s 6 4 3 0 5MB/s 6MB/s 3MB/s 6MB/s 5MB/s 1 5 2 7 4MB/s 7MB/s VM Communication Pattern 7MB/s

  28. Application III: Honeyfarm • Collapsar: a network attack aggregation center * • Achieving two (seemingly) conflicting goals • Distributed honeypot presence • Centralized honeypot operation • Key ideas • Leveraging unused IP addresses in each network • Diverting corresponding traffic to a “detention” center (transparently), by VIOLIN • Creating VM-based honeypots in the center * X. Jiang, D. Xu, “Collapsar: a VM-Based Architecture for Network Attack Detention Center”, 13th USENIX Security Symposium (Security’04), 2004.

  29. Collapsar Architecture Collapsar Architecture Production Network Attacker Redirector Production Network Redirector Redirector Front-End Production Network VM-based Honeypot Collapsar Center Management Station Correlation Engine

  30. Real-Time Worm Alert * X. Jiang, D. Xu, R. Eigenmann, “Protection Mechanisms for Application Service Hosting Platforms”, IEEE/ACM CCGrid’04, 2004.

  31. Log Correlation: Stepping Stone Log Correlation: Stepping Stone iii.jjj.kkk.11 compromised a honeypot & installed a rootkit, which contained an ssh backdoor xx.yyy.zzz.3 connected to the ssh backdoor using the same passwd

  32. Log Correlation: Network Scanning Log Correlation: Network Scanning

  33. On-going Work • VIOLIN-based virtual distributed environments on shared cyber-infrastructure • Self-management (making them smart entities) • Missing role of VIOLIN administrator • Automatic customization and bootstrapping • Enforcement of application-specific policies • Self-provisioning (application-driven) • Resource scaling • Scale adaptation • Topology evolution

  34. Thank you. For more information: Email:dxu@cs.purdue.edu URL:http://www.cs.purdue.edu/~dxu Google: “Purdue SODA Friends”

More Related