FI technologies on cloud computing
and trusty networking
Dr. Yu-Huang Chu (朱煜煌) [email protected]
Chunghwa Telecommunication Labs. 99/8/26
Outline
- Cloud Computing Introduction
- Future Internet
- Future Internet Technologies on Cloud Computing
- Trusty Network
Cloud: Computing + Virtualization (figure)
- Computing (Hadoop): servers attached over L2 Ethernet (802.1Q) via Ethernet switches
- Virtualization (Microsoft, VMware, KVM, Xen, Trend Micro): servers attached over L2 Ethernet with IEEE DCB (802.1Qbb, 802.1Qaz) and FCoE via Ethernet switches
3 Cloud Service Models
Cloud Infrastructure as a Service (IaaS), or cloud infrastructure services
- Rent and control processors, storage, data center space or network equipment (e.g., Amazon Elastic Compute Cloud (EC2), Simple Storage Service (S3))
Cloud Platform as a Service (PaaS), or cloud platform services
- Rent programming languages and tools supported by the provider (e.g., Java, Python, .NET, IBM Pangoo, Gigaspace, IBM Azure, Hadoop)
Cloud Software as a Service (SaaS)
- Use the provider's applications over a network (e.g., web-based email, CRM, ERP software)
To be considered "cloud", they must be deployed on top of cloud infrastructure (hypervisor)
Service Model Architectures (figure)
- IaaS architecture: cloud infrastructure with the IaaS layer on top (storage, VM (Virtual Machine))
- PaaS architecture: cloud infrastructure with PaaS on top, or PaaS layered on IaaS (e.g., IBM Pangoo, Gigaspace, IBM Azure, Hadoop)
- SaaS architecture: cloud infrastructure with SaaS on top, or SaaS layered on PaaS, or SaaS on PaaS on IaaS
4 Cloud Deployment Models
- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for a specific community
- Public cloud: sold to the public, mega-scale infrastructure
- Hybrid cloud
Trend of Cloud (figure)
- Private Cloud Evolution: Silo'd -> Grid (virtual, shared services, dynamic, standardized appliances) -> Private Cloud, with private IaaS and private PaaS hosting App1, App2, App3 (self-service, policy-based resource management, chargeback, capacity planning) -> Hybrid
- Public Cloud Evolution: Public Clouds (IaaS, PaaS, SaaS) -> Virtual Private Cloud -> Hybrid (federation with public clouds, interoperability, inter-cloud, cloud bursting)
Core Principles/Challenges of Cloud Computing
- Security, scalability, availability, performance, cost-effectiveness
- Acquire resources on demand
- Release resources when no longer needed (green)
- Pay for what you use (flexible billing)
Future Network vs Future Internet
- ITU-T, ISO: NGN -> Future Network
- ISO: Future Network, "The Network of the Future, not limited to the Internet"
- NSF, FP7: Current Internet -> Future Internet
- NICT: NGN -> NWGN
Why FN (ITU-T SG13)
The Future Internet (Network), which is anticipated to provide futuristic functionalities beyond the limitations of the current network including the Internet, is getting global attention in the field of communication networks and services.
We see growing concerns about the following aspects of current networks, including IP-based networks:
- Scalability, ubiquity, security, robustness, mobility, heterogeneity, Quality of Service (QoS), re-configurability, context-awareness, manageability, data-centricity, network virtualization, economics, etc.
These topics will be the requirements for the Future Internet, which will meet future services and overcome the deficiencies of the current IP-based network.
Source: Future Internet Standardization (Eun Kyoung PAIK, KT) 2008.8 Future Internet Summer Camp 2008/ Asia Future Internet Summer School
Future Internet Technologies on Cloud Computing
- VM mobility
- Energy saving
- Network devices convergence
- Security
OpenFlow applied to VM mobility
Ref: A demonstration of virtual machine mobility in an OpenFlow network (SIGCOMM 2008)
- Stanford University demo of VM mobility using OpenFlow (SIGCOMM 2008)
- VM mobility: devices and VMs are allowed to keep their original IP addresses, maintaining all existing connections.
LISP
LISP (Locator/ID Separation Protocol) separates a node's identifier from its locators, overcoming the following problems:
- Mobility management
- Multi-homing
- Security and privacy
- Traffic engineering
- Scalable routing
Data Center Energy Saving
Increasing utilization in the data center
- Concentrating servers and network devices
- Low-utilization servers can be aggregated into designated physical servers
- Unused servers and network devices can be detached from the active data center and have their power supply shut down
Network (devices) convergence
- OpenFlow can easily change the data path for energy saving purposes
OpenFlow applied to energy saving (figure): VMs spread across a low-utilization data center network are consolidated; the emptied servers enter power saving mode, the OpenFlow controller shuts down the unused devices, and the result is a high-utilization data center network
Data Center Network Devices Convergence
- Diverse network devices: firewall, SLB, switch, etc.
- The functions of firewall, SLB and switch could be emulated on a single OpenFlow switch
- The control plane of firewall, SLB and switch is moved to the OpenFlow controller or a cloud server
Benefit
- Simplify the data center network architecture
- Reduce the number of data center network devices
Data Center Network Architecture (figure)
Current: Internet -> Core Router -> two tiers of SW x2, SLB and FW -> servers
One OpenFlow switch can take the role of each device through its flow table:
- circuit switch: if "ingress port" == 1, send to port 2; if "ingress port" == 3, send to port 6
- Ethernet switch: if "Ether dst" == X, send to port 2; if "Ether dst" == Z, send to port 6
- IP router: if "IP dst" == X, send to port 2; if "IP dst" == Z, send to port 6
- Firewall: if "dst port" == X, send to port 2; if "dst port" == Z, drop
Converged Transport Infrastructure (figure): Internet -> Core Router -> Controller; firewall, SLB and switch become software applications that can reside on the controller or on a remote (cloud) server
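The flow-table rules above, as an added example that is not part of the slides: one priority-ordered table in which the firewall, router, Ethernet-switch and circuit-switch roles are distinguished only by the header fields each rule matches. The field names follow OpenFlow 1.0 (in_port, dl_dst, nw_dst, tp_dst); the concrete addresses and ports standing in for "X" and "Z" are constructed for the example.

```python
# Added example (not from the slides): a minimal OpenFlow-style flow table in
# which one switch plays circuit switch, Ethernet switch, IP router and
# firewall, depending only on which header fields each rule matches.
def match(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(f) == v for f, v in rule["match"].items())

def lookup(table, pkt):
    """Highest-priority matching rule wins; a packet matching nothing is sent
    to the controller (packet-in), which is how NOX learns of new flows."""
    for rule in sorted(table, key=lambda r: -r["priority"]):
        if match(rule, pkt):
            return rule["action"]
    return "controller"

# Constructed table: "X" is the web service 10.1.1.1 / TCP 80 behind switch
# port 2 and "Z" is telnet (TCP 23), which the firewall role must never forward.
TABLE = [
    # firewall role (layer-4 match) outranks every forwarding rule below it
    {"priority": 40, "match": {"tp_dst": 23}, "action": "drop"},
    {"priority": 40, "match": {"tp_dst": 80}, "action": "output:2"},
    # IP router role (layer-3 match)
    {"priority": 30, "match": {"nw_dst": "10.1.1.1"}, "action": "output:2"},
    {"priority": 30, "match": {"nw_dst": "10.1.1.2"}, "action": "output:6"},
    # Ethernet switch role (layer-2 match)
    {"priority": 20, "match": {"dl_dst": "00:00:00:00:00:0a"}, "action": "output:2"},
    {"priority": 20, "match": {"dl_dst": "00:00:00:00:00:0b"}, "action": "output:6"},
    # circuit switch role (physical ingress port only)
    {"priority": 10, "match": {"in_port": 1}, "action": "output:2"},
    {"priority": 10, "match": {"in_port": 3}, "action": "output:6"},
]

def forward(pkt):
    """Look the packet up in the converged table and return the action."""
    return lookup(TABLE, pkt)

if __name__ == "__main__":
    # telnet to the web server is dropped by the firewall role even though the
    # router and circuit-switch rules would have forwarded it to port 2
    print(forward({"in_port": 1, "nw_dst": "10.1.1.1", "tp_dst": 23}))  # drop
    print(forward({"in_port": 1, "nw_dst": "10.1.1.1", "tp_dst": 80}))  # output:2
    print(forward({"in_port": 3, "dl_dst": "00:00:00:00:00:0b"}))       # output:6
    print(forward({"in_port": 5}))                                        # controller
```

The priority ordering is the point: a converged switch only behaves as a firewall if the layer-4 drop rules outrank the forwarding rules that would otherwise match the same packet.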
Internet/VPN Service/Network on Demand (figure): Cloud Portal, CRM, NOX and a cloud server (virtualized Windows, Linux and Mac OS on x86) connected through an OpenFlow switch, with FlowVisor virtualization and ACS
1. The user subscribes at the Cloud Service Portal
2. The Cloud Service Portal submits the request and informs CRM and NOX
3. CRM provisions the server and VM; NOX rewrites the flow table of the OpenFlow switch
4. On-demand service delivery (within 15 minutes)
How to Provide a Trusty Network
- The access switch can behave like a security guard in front of a trusty network
- Only specific users (i.e. specific packet patterns) can pass through
- The server farm is protected
- The network between the server farm and the user becomes a trusty network
Trusty Network Implementation (Example) (figure): an OpenFlow switch, directed by the OpenFlow controller, behaves as a security guard between hosts and the server farm; trusted users or traffic enter the trusted network, untrusted users or traffic are kept out
Trusty Network
- OpenFlow: policy-based management
- LISP: user ID identified
- Virtualization: end-to-end security
Figure: the Trusted Network Controller (NOX with virtualized Linux/Windows/Mac OS servers on x86 and ACS) fronts the server farm behind a firewall with policy-based security; the current Internet is the untrusted network, carrying hacker activity, router man-in-the-middle attacks, signaling weaknesses, viruses, spam and DDoS
DDoS Defender based on OpenFlow
DDoS defender
- The OpenFlow switch could block DDoS attack traffic
- The OpenFlow controller (NOX) uses the flow-fetcher API to get and monitor per-flow statistics
Two stages of the DDoS defender algorithm
- First stage: detects the flow volume every 5 seconds.
- Second stage: detects the flow volume of suspected flows every second.
DDoS Defender Algorithm (Example) (flowchart)
1. Parameter setting
2. Detect all the flows on the OpenFlow switch (every 5 sec)
3. Packets over threshold (3000)? No: return to step 2. Yes: continue
4. Inspect the volume of suspected flows per second
5. Packets over 800/sec? No: set a timeout, reset the status and inspect again. Yes: continue
6. Detected 5 times? No: return to step 4. Yes: Drop/Stop
DDoS Defender Experimental (figure)
- Topology: Controller - Switch - Switch; the attackers (Adtech AX/4000, 10.0.0.1~10.0.0.100) send IP packets to the server/receiver 10.1.1.1 from 100 different source IPs
- Detect attack, send rule: Dst_IP = 10.1.1.1, Action: drop
Equipment:
- OpenFlow Switch
- NOX Controller (PC)
- Spirent Adtech AX/4000
- Two Switches
DDoS Defender Testing Result
After 10 seconds, packets will be dropped
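The two-stage algorithm and the experiment above, as an added example that is not the slides' own controller code: a NOX-style application that polls per-flow packet counters every 5 seconds (threshold 3000), then inspects suspected flows once per second (800 packets/sec, 5 detections) before issuing the drop rule. Summing per-flow counters by destination IP is an assumption made here so that the 100-source flood collapses into the single rule Dst_IP = 10.1.1.1; the replayed traffic and timing are constructed.

```python
# Added example (not from the slides): NOX-style two-stage DDoS defender fed by
# per-flow packet counters; summing counters by destination IP is an assumption.
from collections import defaultdict
VOLUME_THRESHOLD = 3000   # stage 1: packets seen in one 5-second poll
RATE_THRESHOLD = 800      # stage 2: packets per second for a suspected flow
DETECT_TIMES = 5          # stage 2: hits needed before the drop rule is sent
TIMEOUT = 10              # quiet seconds before a suspected flow is reset

class DDoSDefender:
    def __init__(self):
        self.suspected = {}   # dst_ip -> {"hits": n, "timeout": t}
        self.rules = []       # drop rules pushed to the OpenFlow switch

    def stage1(self, flow_counters):
        """Every 5 s: sum per-flow counts by destination; above the threshold -> suspected."""
        by_dst = defaultdict(int)
        for (_src, dst), pkts in flow_counters.items():
            by_dst[dst] += pkts
        for dst, pkts in by_dst.items():
            if pkts > VOLUME_THRESHOLD:
                self.suspected.setdefault(dst, {"hits": 0, "timeout": TIMEOUT})
        return sorted(self.suspected)

    def stage2(self, rate_per_sec):
        """Every 1 s: DETECT_TIMES hits above RATE_THRESHOLD -> drop rule; quiet
        seconds count down the timeout, and on expiry the status is reset."""
        for dst, state in list(self.suspected.items()):
            if rate_per_sec.get(dst, 0) > RATE_THRESHOLD:
                state["hits"] += 1
                if state["hits"] >= DETECT_TIMES:
                    self.rules.append({"nw_dst": dst, "action": "drop"})
                    del self.suspected[dst]
            else:
                state["timeout"] -= 1
                if state["timeout"] <= 0:
                    del self.suspected[dst]   # inspected again if it reappears
        return list(self.rules)

def simulate_experiment(sources=100, pkt_per_src_per_sec=40):
    """Constructed replay of the slide's test (10.0.0.1-100 flooding 10.1.1.1);
    returns (seconds elapsed, drop rule or None if the flood was not confirmed)."""
    d = DDoSDefender()
    elapsed = 5   # the first stage-1 poll completes after 5 seconds
    poll = {(f"10.0.0.{i}", "10.1.1.1"): pkt_per_src_per_sec * 5 for i in range(1, sources + 1)}
    if not d.stage1(poll):
        return elapsed, None
    while not d.rules and d.suspected:
        elapsed += 1
        d.stage2({"10.1.1.1": pkt_per_src_per_sec * sources})
    return elapsed, (d.rules[0] if d.rules else None)
```

With the default flood the rule is issued at 10 seconds (one 5-second poll plus five 1-second detections), matching the measured result; a flow that crosses the 5-second threshold but stays under 800 packets/sec times out and is released without a rule.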
Reference
- New Cloud Networking Enabled by "ProgrammableFlow", NEC Technical Journal, No. 2 (June 2010)
- David Erickson, Glen Gibb, Brandon Heller, Jad Naous, David Underhill, Guido Appenzeller, Guru Parulkar, Nick McKeown, et al. A demonstration of virtual machine mobility in an OpenFlow network. In Proceedings of ACM SIGCOMM (Demo), page 513, Seattle, WA, August 2008.