FI technologies on cloud computing and trusty networking
Dr. Yu-Huang Chu (朱煜煌), yhchu@cht.com.tw
Chunghwa Telecommunication Labs.
99/8/26 (ROC calendar, i.e. 2010/8/26)
Outlines
- Cloud Computing Introduction
- Future Internet
- Future Internet Technologies on Cloud Computing
- Trusty Network
- Inter-Cloud Standard
Cloud: Computing + Virtualization
- Computing: Hadoop
- Virtualization: Microsoft, VMware, KVM, Xen, Trend Micro
[Figure: two servers connected through L2 Ethernet switches. Left: plain L2 Ethernet (802.1Q). Right: L2 Ethernet with IEEE DCB (802.1Qbb, 802.1Qaz) and FCoE.]
3 Cloud Service Models
- Cloud Infrastructure as a Service (IaaS), or cloud infrastructure services: rent and control processors, storage, data center space or network equipment (e.g., Amazon Elastic Compute Cloud (EC2), Simple Storage Service (S3))
- Cloud Platform as a Service (PaaS), or cloud platform services: rent programming languages and tools supported by the provider (e.g., Java, Python, .NET, IBM Pangoo, GigaSpaces, Microsoft Azure, Hadoop)
- Cloud Software as a Service (SaaS): use the provider's applications over a network (e.g., web-based email, CRM and ERP software)
To be considered cloud, they must be deployed on top of cloud infrastructure (a hypervisor).
Service Model Architectures
[Figure: layered stacks. SaaS architectures: SaaS directly on cloud infrastructure, SaaS on PaaS on cloud infrastructure, or SaaS on PaaS on IaaS on cloud infrastructure. PaaS architectures (IBM Pangoo, GigaSpaces, Microsoft Azure, Hadoop): PaaS on cloud infrastructure, or PaaS on IaaS on cloud infrastructure. IaaS architectures: IaaS on cloud infrastructure, offering storage and VMs (virtual machines), pay by usage, on-demand provisioning and flexible billing.]
4 Cloud Deployment Models
- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for a specific community
- Public cloud: sold to the public, mega-scale infrastructure
- Hybrid cloud: composition of two or more clouds
Trend of Cloud
[Figure: public cloud evolution (SaaS / PaaS / IaaS) alongside private cloud evolution, meeting in a hybrid / virtual private cloud.]
- Private cloud evolution (now): siloed -> grid -> private cloud -> hybrid; at each stage applications (App1, App2, App3) sit on a private PaaS on a private IaaS
- Properties gained along the way: virtual, shared services, dynamic, standardized appliances, self-service, policy-based resource management, chargeback, capacity planning
- Hybrid stage: federation with public clouds, interoperability, inter-cloud, cloud bursting
Core Principles/Challenges of Cloud Computing
- Security
- Scalability
- Availability
- Performance
- Cost-effective: acquire resources on demand, release resources when no longer needed (green), pay for what you use (flexible billing)
Source: Amazon CTO Werner Vogels
Challenges/issues of Cloud
Future Network vs Future Internet
- ITU-T, ISO: NGN -> Future Network
- ISO: Future Network is the network of the future, not limited to the Internet
- NSF, FP7: current Internet -> Future Internet
- NICT: NGN -> NWGN (New Generation Network)
Why FN (ITU-T SG13)
"The Future Internet (Network), which is anticipated to provide futuristic functionalities beyond the limitations of the current network including the Internet, is getting global attention in the field of communication networks and services. We see growing concerns about the following aspects of the current network, including IP-based networks: scalability, ubiquity, security, robustness, mobility, heterogeneity, Quality of Service (QoS), reconfigurability, context-awareness, manageability, data-centric, network virtualization, economics, etc. These topics will be the requirements for the Future Internet, which will meet future services and overcome the deficiencies of the current IP-based network."
Source: Future Internet Standardization (Eun Kyoung PAIK, KT), 2008.8, Future Internet Summer Camp 2008 / Asia Future Internet Summer School
Future Internet Technologies on Cloud Computing
- VM mobility
- Energy saving
- Network devices convergence
- Security
OpenFlow applied to VM mobility
- Stanford University demonstrated VM mobility using OpenFlow (SIGCOMM 2008)
- VM mobility: devices and VMs are allowed to keep their original IP addresses, maintaining all existing connections
Ref: A demonstration of virtual machine mobility in an OpenFlow network
LISP
- LISP (Locator/ID Separation Protocol) separates node identifiers from their locators
- Overcomes the following problems: mobility management, multi-homing, security and privacy, traffic engineering, scalable routing, WAN VM mobility
Data Center Energy Saving
- Increase utilization in the data center by concentrating servers and network devices
- Low-utilization servers can be aggregated onto designated physical servers
- Unused servers and network devices can be detached from the active data center and have their power supply shut down
- Network (devices) convergence: OpenFlow can easily change the data path for energy-saving purposes
Ref: New Cloud Networking Enabled by ProgrammableFlow
OpenFlow applied to energy saving
[Figure: a data center network under an OpenFlow controller, before and after consolidation. Before: VMs spread over several low-utilization servers. After: VMs consolidated onto high-utilization servers; the emptied servers enter power-saving mode or are shut down, and the OpenFlow switch is reprogrammed to steer traffic to the remaining servers.]
Data Center Network Devices Convergence
- Diverse network devices: firewall, SLB (server load balancer), switch, etc.
- The functions of firewall, SLB and switch could be emulated on a single OpenFlow switch
- The control plane of the firewall, SLB and switch is moved to the OpenFlow controller or a cloud server
- Benefit: simplifies the data center network architecture and reduces the number of data center network devices
Data Center Network Architecture
[Figure: conventional tiered design. Internet -> redundant core routers -> firewalls -> pairs of aggregation switches (SW x2) -> server load balancers (SLB) -> access switches -> server racks.]
Network Device Emulation
Device behaviour written as OpenFlow switch flow-table rules:
Circuit switch:   If ingress port == 1, send to port 2 / If ingress port == 3, send to port 6
Ethernet switch:  If Ether dst == X, send to port 2 / If Ether dst == Z, send to port 6
IP router:        If IP dst == X, send to port 2 / If IP dst == Z, send to port 6
Firewall:         If dst port == X, send to port 2 / If dst port == Z, drop
Converged Transport Infrastructure
[Figure: Internet -> core router -> a single OpenFlow switch that takes over the roles of firewall, SLB and switch -> servers. The firewall, SLB and switch control software runs as applications on the controller or on a remote server (cloud).]
Service/Network on Demand
1. The user subscribes through the Cloud Service Portal
2. The Cloud Service Portal submits the request and informs CRM and NOX (the OpenFlow controller)
3. CRM provisions the server and VM; NOX rewrites the flow table of the OpenFlow switch
4. On-demand service delivery (within 15 minutes)
[Figure: Cloud Portal, CRM and NOX at the top; virtualized x86 cloud servers (Windows, Linux and Mac OS guests, with an ACS application and FlowVisor) reached from the Internet/VPN through the OpenFlow switch; numbered arrows follow steps 1 to 4.]
How to Provide a Trusty Network
- The access switch can behave like a security guard in front of a trusty network
- Only specific users (i.e., specific packet patterns) can pass through
- The server farm is protected
- The network between the server farm and the user becomes a trusty network
- End-to-end virtualization
Trusty Network Implementation (Example)
[Figure: host 1 (trusted user or traffic) and host 2 (untrusted user or traffic) both connect to an OpenFlow switch in front of the trusted network and server farm; the OpenFlow controller programs the switch to pass host 1 and block host 2. The OpenFlow switch behaves as a security guard.]
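The slides above describe the same mechanism three times: the "Network Device Emulation" table of flow rules for a circuit switch, Ethernet switch, IP router and firewall; NOX rewriting the flow table in the service-on-demand procedure; and the access switch acting as a default-deny security guard. The following is an added example, not code from the slides or from NOX/OpenFlow, that models an OpenFlow-style flow table in Python and expresses all of those as rule sets. The packet field names (in_port, eth_dst, nw_dst, nw_src, tp_dst), the helper names, and the concrete MAC addresses, IPs and ports standing in for the slide's X and Z placeholders are this example's assumptions.

```python
"""OpenFlow-style flow table emulating the devices of the "Network Device
Emulation" slide and the default-drop "security guard" access switch.

Added example, not the slides' code. Field names, helper names and the
concrete addresses are assumptions chosen for illustration.
"""

DROP = "drop"


def output(port):
    """Action string for 'send to port N' (assumed format)."""
    return f"output:{port}"


class FlowTable:
    """Priority-ordered match/action table with a table-miss default.

    A packet is a dict of header fields; an entry matches when every field it
    names has the same value in the packet (fields it omits are wildcards).
    """

    def __init__(self, default=DROP):
        self.entries = []        # list of (priority, match_dict, action)
        self.default = default   # table-miss action; DROP means default-deny

    def add(self, match, action, priority=100):
        self.entries.append((priority, dict(match), action))
        # highest priority first; sort is stable, so insertion order breaks ties
        self.entries.sort(key=lambda entry: -entry[0])
        return self

    def lookup(self, packet):
        for _priority, match, action in self.entries:
            if all(packet.get(field) == value for field, value in match.items()):
                return action
        return self.default


# The four devices from the slide, each as a two-rule table.
def circuit_switch():
    return FlowTable().add({"in_port": 1}, output(2)).add({"in_port": 3}, output(6))


def ethernet_switch(mac_x="02:00:00:00:00:0a", mac_z="02:00:00:00:00:0b"):
    return FlowTable().add({"eth_dst": mac_x}, output(2)).add({"eth_dst": mac_z}, output(6))


def ip_router(ip_x="10.1.1.1", ip_z="10.1.1.2"):
    return FlowTable().add({"nw_dst": ip_x}, output(2)).add({"nw_dst": ip_z}, output(6))


def firewall(port_x=80, port_z=23):
    return FlowTable().add({"tp_dst": port_x}, output(2)).add({"tp_dst": port_z}, DROP)


def security_guard(trusted_patterns, server_port=2):
    """Access switch as security guard: only packets matching one of the
    trusted patterns are forwarded toward the server farm; everything else
    hits the table-miss DROP, so the network behind the switch only ever
    sees trusted traffic."""
    table = FlowTable(default=DROP)
    for pattern in trusted_patterns:
        table.add(pattern, output(server_port))
    return table


def converged(trusted_patterns):
    """One OpenFlow switch doing firewall and forwarding work at once:
    a higher-priority drop for a blocked service wins over the trusted
    forwarding rule, and unmatched traffic still falls through to DROP."""
    table = security_guard(trusted_patterns)
    table.add({"tp_dst": 23}, DROP, priority=200)   # telnet never passes, even from a trusted host
    return table
```

Priority is what makes the converged table safe: the drop rule for the blocked service is installed above the trusted-host allow rule, so a trusted source cannot reach that service either, and the table-miss default stays DROP so a mistake in the allow list fails closed rather than open.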
Trusty Network
- OpenFlow: policy-based management
- LISP: user ID identified
- Virtualization: end to end
- Security: policy-based security
[Figure: left, the current Internet (untrusted network) with viruses, spam, hackers, man-in-the-middle attacks, signaling weaknesses and DDoS reaching the server farm through a router and firewall; right, the trusted network where a controller running the ACS and NOX applications fronts the virtualized x86 server farm.]
DDoS Defender based on OpenFlow
- An OpenFlow switch could block DDoS attack traffic
- The OpenFlow controller (NOX) uses the flow-fetcher API to get and monitor per-flow statistics
- Two stages of the DDoS defender algorithm: the first stage detects the flow volume every 5 seconds; the second stage detects the flow volume every 1 second
DDoS Defender Algorithm (Example)
Flowchart:
1. Parameter setting (thresholds and timeout)
2. Detect all the flows on the OpenFlow switch (every 5 sec)
3. Packets over threshold (3000)? No -> back to step 2. Yes -> inspect the volume of the suspected flows per second
4. Packets over 800/sec? No -> timeout: reset the status and inspect again (back to step 2). Yes -> count one detection
5. Detected 5 times? No -> back to step 4. Yes -> drop/stop the flow
DDoS Defender Experiment
Equipment: OpenFlow switch, NOX controller (PC), Spirent Adtech AX/4000, two switches
[Figure: attackers/sender (Adtech AX/4000) -> switch -> OpenFlow switch -> switch -> server/receiver 10.1.1.1, with the controller attached to the OpenFlow switch.]
- Sender: sends IP packets to 10.1.1.1 from 100 different source IPs, 10.0.0.1~10.0.0.100
- Controller: detects the attack and sends the rule "Dst_IP = 10.1.1.1, Action: drop" to the switch
DDoS Defender Testing Result
After 10 seconds, packets will be dropped. This matches the algorithm: one 5-second first-stage window to mark the flow as suspected, then five consecutive 1-second second-stage checks over 800 packets/sec before the drop rule is installed.
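To make the two-stage algorithm and the 10-second result concrete, here is an added example in Python that simulates the experiment offline. It is not the slides' NOX code: an in-memory stand-in for the switch's per-flow packet counters replaces the flow-fetcher API, time advances in whole seconds, and the class/function names (FlowCounters, DDoSDefender, run_experiment), the traffic rates and the benign second flow to 10.1.1.2 are this example's assumptions. Flows are keyed by destination IP because the rule the slides install is "Dst_IP = 10.1.1.1, Action: drop".

```python
"""Two-stage OpenFlow DDoS defender from the slides, simulated offline.

Added example, not the slides' code. Counters, clock, names and traffic
rates are assumptions; thresholds are the ones on the slides.
"""
from collections import defaultdict

STAGE1_PERIOD = 5        # slide: detect all flows every 5 seconds
STAGE1_THRESHOLD = 3000  # slide: over 3000 packets in a 5 s window -> suspected
STAGE2_THRESHOLD = 800   # slide: suspected flow over 800 packets/sec
STAGE2_HITS = 5          # slide: "detect 5 times" before dropping


class FlowCounters:
    """Stand-in for the switch's cumulative per-flow packet counters."""

    def __init__(self):
        self.packets = defaultdict(int)

    def add(self, dst, count):
        self.packets[dst] += count

    def snapshot(self):
        return dict(self.packets)


class DDoSDefender:
    def __init__(self):
        self.stage1_last = {}   # counter value at the last 5 s poll, per dst
        self.stage2_last = {}   # counter value at the last 1 s poll, suspects only
        self.suspects = {}      # dst -> consecutive seconds over STAGE2_THRESHOLD
        self.blocked = set()    # dsts with a drop rule installed
        self.flow_mods = []     # rules "sent" to the switch

    def tick(self, now, counters):
        """Called once per second with the switch's current counters."""
        snap = counters.snapshot()
        # Stage 2: per-second inspection of the suspected flows.
        for dst in list(self.suspects):
            total = snap.get(dst, 0)
            per_second = total - self.stage2_last.get(dst, 0)
            self.stage2_last[dst] = total
            if per_second > STAGE2_THRESHOLD:
                self.suspects[dst] += 1
                if self.suspects[dst] >= STAGE2_HITS:
                    self.block(dst)
            else:
                # timeout: rate fell back under threshold, reset the status;
                # the 5 s poll will pick the flow up again if it resumes
                del self.suspects[dst]
                del self.stage2_last[dst]
        # Stage 1: every 5 s, look at the volume of all flows on the switch.
        if now % STAGE1_PERIOD == 0:
            for dst, total in snap.items():
                window = total - self.stage1_last.get(dst, 0)
                self.stage1_last[dst] = total
                if (window > STAGE1_THRESHOLD
                        and dst not in self.suspects
                        and dst not in self.blocked):
                    self.suspects[dst] = 0
                    self.stage2_last[dst] = total

    def block(self, dst):
        self.blocked.add(dst)
        self.suspects.pop(dst, None)
        self.stage2_last.pop(dst, None)
        self.flow_mods.append({"match": {"nw_dst": dst}, "action": "drop"})


def run_experiment(seconds=15, sources=100, pps_per_source=10,
                   benign_pps=50, attack_seconds=None):
    """Replays the slide's test: 100 source IPs flood 10.1.1.1 while a benign
    flow to 10.1.1.2 runs alongside. attack_seconds limits the flood to the
    first N seconds (None = whole run). Returns (second the drop rule was
    installed or None, blocked dsts, attack packets dropped by the switch,
    flow mods sent to the switch)."""
    attackers = [f"10.0.0.{i}" for i in range(1, sources + 1)]  # 10.0.0.1~10.0.0.100
    counters = FlowCounters()
    defender = DDoSDefender()
    dropped = 0
    blocked_at = None
    for now in range(1, seconds + 1):
        attacking = attack_seconds is None or now <= attack_seconds
        for _src in attackers:
            if not attacking:
                break
            if "10.1.1.1" in defender.blocked:
                dropped += pps_per_source       # the switch drops per the installed rule
            else:
                counters.add("10.1.1.1", pps_per_source)
        counters.add("10.1.1.2", benign_pps)    # constructed benign traffic, never blocked
        defender.tick(now, counters)
        if blocked_at is None and "10.1.1.1" in defender.blocked:
            blocked_at = now
    return blocked_at, sorted(defender.blocked), dropped, defender.flow_mods
```

With the default rates (100 sources at 10 packets/sec each, 1000 packets/sec in total) the flow crosses 3000 packets at the first 5-second poll, is then seen over 800 packets/sec for seconds 6 through 10, and the drop rule for 10.1.1.1 is installed at second 10, while the benign flow to 10.1.1.2 is untouched. A flood that stops before five second-stage hits falls through the timeout path and is never blocked, which is the trade-off of this design: it tolerates short bursts at the price of a guaranteed 10 seconds of attack traffic before mitigation.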
Multiple Standards and Associations
Source: [9]
Specific Intercloud Projects
Questions?
References
- New Cloud Networking Enabled by ProgrammableFlow. NEC Technical Journal, No. 2 (June 2010).
- David Erickson, Glen Gibb, Brandon Heller, Jad Naous, David Underhill, Guido Appenzeller, Guru Parulkar, Nick McKeown, et al. A demonstration of virtual machine mobility in an OpenFlow network. In Proceedings of ACM SIGCOMM (Demo), page 513, Seattle, WA, August 2008.