TOChain:一种高性能虚拟网络安全服务功能链

doi:10.13190/j.jbupt.2017-134

北京邮电大学学报 ›› 2018, Vol. 41 ›› Issue (1): 70-80.doi: 10.13190/j.jbupt.2017-134

TOChain:一种高性能虚拟网络安全服务功能链

唐宏伟^1,2,3,4, 冯圣中^1,2,3, 赵晓芳^1,3,4

1. 中国科学院深圳先进技术研究院, 深圳 518055;
2. 中国科学院大学深圳先进技术学院, 深圳 518055;
3. 中国科学院大学, 北京 100049;
4. 中国科学院计算技术研究所, 北京 100190

收稿日期:2017-07-05 出版日期:2018-02-28 发布日期:2018-01-04
作者简介:唐宏伟(1984-),男,高级工程师,博士生,E-mail:tanghongwei@ict.ac.cn;冯圣中(1968-),男,研究员,博士生导师.

TOChain: a High-Performance SFC for Virtual Network Security

TANG Hong-wei^1,2,3,4, FENG Sheng-zhong^1,2,3, ZHAO Xiao-fang^1,3,4

1. Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences, Shenzhen 518055, China;
2. Shenzhen College of Advanced Technology, University of Chinese Academy of Sciences, Shenzhen 518055, China;
3. University of Chinese Academy of Sciences, Beijing 100049, China;
4. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China

Received:2017-07-05 Online:2018-02-28 Published:2018-01-04

摘要/Abstract

摘要： 为了优化基于网络功能虚拟化（NFV）的安全服务功能链（NS-SFC）的性能，提出了基于TCP Offloading的虚拟网络安全服务功能链（SFC）——TOChain，解决了重复收发网络包的问题；提出了面向吞吐率保证的强同步周期性CPU调度算法，在虚拟网络功能（VNF）与用户虚拟机混合部署的场景下实现网络吞吐率性能保证与调度公平性.基于KVM虚拟化平台实现了原型系统，并对由防火墙、入侵防御系统和应用层防火墙3种VNF构成的NS-SFC进行了不同负载下的性能测试.结果显示，与传统SFC相比，TOChain能够以较低的CPU资源占用率达到更高、更稳定的网络性能；在轻度和中度网络流量负载下，采用强同步周期性调度算法都能够达到与所设定的吞吐率极为接近的网络性能，即便是在重度负载下，也能实现用户虚拟机间的调度公平性.

关键词: 网络功能虚拟化, 服务功能链, 网络安全, 吞吐率保证, 处理器调度

Abstract: Performance problem is a big challenge for network function virtualization (NFV) based security service function chain (NS-SFC). To solve this problem, a TCP offloading based SFC for virtual network security, called TOChain was proposed, which avoids reduplicative packet processing over TCP/IP stack and virtual network interfaces. And furthermore, a throughput guarantee oriented strongly synchronized periodical CPU scheduling algorithm for TOChain was presented. Finally, the prototype based on KVM and the performance of the prototype with three types of virtualized network function (VNF), including iptables, Snort and FreeWAF was developed and evaluated. It is shown that TOChain achieves a significantly higher performance with a lower CPU utilization compared to the NFV based traditional SFC architecture. With strongly synchronized periodical algorithm, the network performance achieved is very close to the configured throughput under the light and medium traffic load. Moreover, even under the heavy load, it also ensure fairness between virtual machines.

Key words: network function virtualization, service function chain, network security, throughput guarantee, central processing unit scheduling

中图分类号:

TN911.22

唐宏伟, 冯圣中, 赵晓芳. TOChain:一种高性能虚拟网络安全服务功能链[J]. 北京邮电大学学报, 2018, 41(1): 70-80.

TANG Hong-wei, FENG Sheng-zhong, ZHAO Xiao-fang. TOChain: a High-Performance SFC for Virtual Network Security[J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2018, 41(1): 70-80.

参考文献

[1] Bonafiglia R, Cerrato I, Ciaccia F, et al. Assessing the performance of virtualization technologies for NFV:a preliminary benchmarking[C]//Proc of 4^th European Workshop on Software Defined Networks. Bilbao:IEEE, 2015:67-72.
[2] Mauricio L A F, Rubinstein M G, Duarte O C M B. Proposing and evaluating the performance of a firewall implemented as a virtualized network function[C]//Proc of 7^th Int Conf on the Network of the Future (NOF). Buzios:IEEE, 2016:1-3.
[3] Deng Juan, Hu Hongxin, Li Hongda, et al. VNGuard:an NFV/SDN combination framework for provisioning and managing virtual firewalls[C]//Proc of Network Function Virtualization and Software Defined Network. San Francisco:IEEE, 2015:107-114.
[4] Li Hongda, Deng Juan, Hu Hongxin, et al. On the safety and efficiency of virtual firewall elasticity control[C]//Proc of the 22^nd ACM Symp on Access Control Models and Technologies. Indianapolis:Association for Computing Machinery, 2017:129-131.
[5] Jakaria A H M, Yang Wei, Rashidi B, et al. VFence:a defense against distributed denial of service attacks using network function virtualization[C]//Proc of Computer Software and Applications Conf. Atlanta:IEEE, 2016:431-436.
[6] Rashidi B, Fung C. CoFence:a collaborative DDoS defence using network function virtualization[C]//Proc of Int Conf on Network and Service Management. Montreal:IEEE, 2016:160-166.
[7] Fung C J, Mccormick B. VGuard:a distributed denial of service attack mitigation method using network function virtualization[C]//Proc of Int Conf on Network and Service Management. Barcelona:IEEE, 2015:64-70.
[8] Cao Lianjie, Sharma P, Fahmy S, et al. NFV-VITAL:a framework for characterizing the performance of virtual network functions[C]//Proc of Network Function Virtualization and Software Defined Network. San Francisco:IEEE, 2015:93-99.
[9] Asawa M. NFV:a dynamic, multi-layer resource optimization challenge[EB/OL]. Ann Arbor:University of Michigan, 2016[2017-03-24]. http://eecs. umich. edu/eecs/about/articles/2016/Celebrating-a-Leader-In-Control-Systems/presentations/asawa. pdf.
[10] Ge Xiongzi, Liu Yi, Du D H C, et al. OpenANFV:accelerating network function virtualization with a consolidated framework in OpenStack[C]//Proc of ACM Conf on SIGCOMM. Chicago:ACM, 2015:353-354.
[11] Blendin J, Ruckert J, Leymann N, et al. Software-defined network service chaining[C]//Proc of Third European Workshop on Software Defined Networks. London:IEEE, 2014:139-140.
[12] 楼亮. 基于snort的入侵检测系统的分析和改进[D]. 上海:上海交通大学, 2007.
[13] Hu Yang, Song Mingcong, Chen Huixiang, et al. Towards efficient server architecture for virtualized network function deployment:implications and implementations[C]//Proc of IEEE/ACM 49^th Int Symp on Microarchitecture. Taipei:IEEE, 2016:1-12.
[14] Stezenbach D, Tutschku K, Fiedler M. A performance evaluation metric for NFV elements on multiple timescales[C]//Proc of the 2013 Global Communications Conference. Atlanta:IEEE, 2013.
[15] Hoban A, Czesnowicz P, Mooney S, et al. A path to line-rate-capable NFV deployments with Intel architecture and the OpenStack Kilo release[EB/OL]. USA:Intel Corporation, 2015[2017-02-21]. https://networkbuilders.intel.com/docs/kilo-a-path-to-line-rate-capable-nfv-deployments-with-intel-architecture-and-the-openstack-kilo-release.pdf.
[16] Jardin V. High performance NFV infrastructure (NFVI):DPDK host applications with neutron/OpenStack and VNF acceleration[EB/OL]. Dusselforf:ELC Europe, 2014[2017-02-22]. http://events.linuxfoundation.jp/sites/events/files/slides/Openstack-v4_0.pdf.
[17] Roseboro R. Using hardware to improve NFV performance[EB/OL]. Sunnyvale:Mellanox Technologies, 2015[2017-03-10]. http://www.mellanox.com/related-docs/whitepapers/WP_heavyreading-NFV-performance.pdf.
[18] Kim T, Kim S, Lee K, et al. A QoS assured network service chaining algorithm in network function virtualization architecture[C]//Proc of IEEE/ACM Int Symp on Cluster, Cloud and Grid Computing. Shenzhen:IEEE, 2015:1221-1224.
[19] Riera J F, Escalona E, Batalle J, et al. Virtual network function scheduling:concept and challenges[C]//Proc of Int Conf on Smart Communications in Network Technologies. Vilanova i la Geltru:IEEE, 2014:1-5.
[20] Long Q, Assi C, Shaban K. Delay-aware scheduling and resource optimization with network function virtualization[J]. IEEE Transactions on Communications, 2016, 64(9):3746-3758.
[21] Zhang Qixia, Xiao Yikai, Liu Fangming, et al. Joint optimization of chain placement and request scheduling for network function virtualization[C]//Proc of 37^th IEEE Int Conf on Distributed Computing Systems. Atlanta:IEEE, 2017:731-741.

TOChain:一种高性能虚拟网络安全服务功能链

TOChain: a High-Performance SFC for Virtual Network Security

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	孔紫璇李航向万陈亚文郑伟. 用户动态接入下的多播业务链部署和调整方法[J]. 北京邮电大学学报, 2022, 45(6): 55-61.
[2]	石子成, 李新, 唐颖, 黄善国. 基于全光模式匹配的光包过滤系统[J]. 北京邮电大学学报, 2022, 45(3): 96-101.
[3]	贾雨宁, 魏翼飞, 周军华. 基于SDN与NFV的服务功能链编排算法[J]. 北京邮电大学学报, 2022, 45(2): 85-90.
[4]	杨宏宇, 袁海航, 张良. 一种基于主机重要度的网络主机节点风险评估方法[J]. 北京邮电大学学报, 2022, 45(2): 16-21.
[5]	张天魁, 王筱斐, 杨立伟, 杨鼎成. 移动网络SFC部署与计算资源分配联合算法[J]. 北京邮电大学学报, 2021, 44(1): 7-13.
[6]	岳毅, 程渤. 面向终端用户的轻量级网络功能虚拟化服务编排环境[J]. 北京邮电大学学报, 2019, 42(4): 24-31.
[7]	唐伦, 赵培培, 赵国繁, 陈前斌. 基于QoS保障的服务功能链动态部署算法[J]. 北京邮电大学学报, 2018, 41(6): 90-96.
[8]	易芝玲, 崔春风, 韩双锋, 潘成康, 陈亚迷. 5G蜂窝物联网关键技术分析[J]. 北京邮电大学学报, 2018, 41(5): 20-25.
[9]	李旭, 鲍京京, 刘颖. 编队通信安全中的黑洞问题[J]. 北京邮电大学学报, 2016, 39(1): 12-17.
[10]	白媛, 王倩, 贾其兰, 张会兵. 一种高效安全的EPS AKA协议[J]. 北京邮电大学学报, 2015, 38(s1): 10-14.
[11]	刘胜利, 彭飞, 武东英, 邹睿, 肖达. CHoney:一个面向Cisco路由器攻击捕获的新型蜜罐[J]. 北京邮电大学学报, 2015, 38(5): 47-53.
[12]	刘敬, 谷利泽, 钮心忻, 杨义先, 李忠献. 基于神经网络和遗传算法的网络安全事件分析方法[J]. 北京邮电大学学报, 2015, 38(2): 50-54.
[13]	付钰, 陈永强, 吴晓平, 宋衍. 基于随机博弈模型的网络攻防策略选取[J]. 北京邮电大学学报, 2014, 37(s1): 35-39.
[14]	陈永强, 吴晓平, 付钰, 宋衍. 基于随机博弈与网络熵的网络安全性评估[J]. 北京邮电大学学报, 2014, 37(s1): 92-96.
[15]	钟尚勤徐国胜姚文斌杨义先. 基于主机安全组划分的网络安全性分析 [J]. 北京邮电大学学报, 2012, 35(1): 19-23.