TOChain: a High-Performance SFC for Virtual Network Security

doi:10.13190/j.jbupt.2017-134

JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM ›› 2018, Vol. 41 ›› Issue (1): 70-80.doi: 10.13190/j.jbupt.2017-134

• Papers • Previous Articles Next Articles

TOChain: a High-Performance SFC for Virtual Network Security

TANG Hong-wei^1,2,3,4, FENG Sheng-zhong^1,2,3, ZHAO Xiao-fang^1,3,4

1. Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences, Shenzhen 518055, China;
2. Shenzhen College of Advanced Technology, University of Chinese Academy of Sciences, Shenzhen 518055, China;
3. University of Chinese Academy of Sciences, Beijing 100049, China;
4. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China

Received:2017-07-05 Online:2018-02-28 Published:2018-01-04

Abstract

Abstract: Performance problem is a big challenge for network function virtualization (NFV) based security service function chain (NS-SFC). To solve this problem, a TCP offloading based SFC for virtual network security, called TOChain was proposed, which avoids reduplicative packet processing over TCP/IP stack and virtual network interfaces. And furthermore, a throughput guarantee oriented strongly synchronized periodical CPU scheduling algorithm for TOChain was presented. Finally, the prototype based on KVM and the performance of the prototype with three types of virtualized network function (VNF), including iptables, Snort and FreeWAF was developed and evaluated. It is shown that TOChain achieves a significantly higher performance with a lower CPU utilization compared to the NFV based traditional SFC architecture. With strongly synchronized periodical algorithm, the network performance achieved is very close to the configured throughput under the light and medium traffic load. Moreover, even under the heavy load, it also ensure fairness between virtual machines.

Key words: network function virtualization, service function chain, network security, throughput guarantee, central processing unit scheduling

CLC Number:

TN911.22

TANG Hong-wei, FENG Sheng-zhong, ZHAO Xiao-fang. TOChain: a High-Performance SFC for Virtual Network Security[J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2018, 41(1): 70-80.

References

[1] Bonafiglia R, Cerrato I, Ciaccia F, et al. Assessing the performance of virtualization technologies for NFV:a preliminary benchmarking[C]//Proc of 4^th European Workshop on Software Defined Networks. Bilbao:IEEE, 2015:67-72.
[2] Mauricio L A F, Rubinstein M G, Duarte O C M B. Proposing and evaluating the performance of a firewall implemented as a virtualized network function[C]//Proc of 7^th Int Conf on the Network of the Future (NOF). Buzios:IEEE, 2016:1-3.
[3] Deng Juan, Hu Hongxin, Li Hongda, et al. VNGuard:an NFV/SDN combination framework for provisioning and managing virtual firewalls[C]//Proc of Network Function Virtualization and Software Defined Network. San Francisco:IEEE, 2015:107-114.
[4] Li Hongda, Deng Juan, Hu Hongxin, et al. On the safety and efficiency of virtual firewall elasticity control[C]//Proc of the 22^nd ACM Symp on Access Control Models and Technologies. Indianapolis:Association for Computing Machinery, 2017:129-131.
[5] Jakaria A H M, Yang Wei, Rashidi B, et al. VFence:a defense against distributed denial of service attacks using network function virtualization[C]//Proc of Computer Software and Applications Conf. Atlanta:IEEE, 2016:431-436.
[6] Rashidi B, Fung C. CoFence:a collaborative DDoS defence using network function virtualization[C]//Proc of Int Conf on Network and Service Management. Montreal:IEEE, 2016:160-166.
[7] Fung C J, Mccormick B. VGuard:a distributed denial of service attack mitigation method using network function virtualization[C]//Proc of Int Conf on Network and Service Management. Barcelona:IEEE, 2015:64-70.
[8] Cao Lianjie, Sharma P, Fahmy S, et al. NFV-VITAL:a framework for characterizing the performance of virtual network functions[C]//Proc of Network Function Virtualization and Software Defined Network. San Francisco:IEEE, 2015:93-99.
[9] Asawa M. NFV:a dynamic, multi-layer resource optimization challenge[EB/OL]. Ann Arbor:University of Michigan, 2016[2017-03-24]. http://eecs. umich. edu/eecs/about/articles/2016/Celebrating-a-Leader-In-Control-Systems/presentations/asawa. pdf.
[10] Ge Xiongzi, Liu Yi, Du D H C, et al. OpenANFV:accelerating network function virtualization with a consolidated framework in OpenStack[C]//Proc of ACM Conf on SIGCOMM. Chicago:ACM, 2015:353-354.
[11] Blendin J, Ruckert J, Leymann N, et al. Software-defined network service chaining[C]//Proc of Third European Workshop on Software Defined Networks. London:IEEE, 2014:139-140.
[12] 楼亮. 基于snort的入侵检测系统的分析和改进[D]. 上海:上海交通大学, 2007.
[13] Hu Yang, Song Mingcong, Chen Huixiang, et al. Towards efficient server architecture for virtualized network function deployment:implications and implementations[C]//Proc of IEEE/ACM 49^th Int Symp on Microarchitecture. Taipei:IEEE, 2016:1-12.
[14] Stezenbach D, Tutschku K, Fiedler M. A performance evaluation metric for NFV elements on multiple timescales[C]//Proc of the 2013 Global Communications Conference. Atlanta:IEEE, 2013.
[15] Hoban A, Czesnowicz P, Mooney S, et al. A path to line-rate-capable NFV deployments with Intel architecture and the OpenStack Kilo release[EB/OL]. USA:Intel Corporation, 2015[2017-02-21]. https://networkbuilders.intel.com/docs/kilo-a-path-to-line-rate-capable-nfv-deployments-with-intel-architecture-and-the-openstack-kilo-release.pdf.
[16] Jardin V. High performance NFV infrastructure (NFVI):DPDK host applications with neutron/OpenStack and VNF acceleration[EB/OL]. Dusselforf:ELC Europe, 2014[2017-02-22]. http://events.linuxfoundation.jp/sites/events/files/slides/Openstack-v4_0.pdf.
[17] Roseboro R. Using hardware to improve NFV performance[EB/OL]. Sunnyvale:Mellanox Technologies, 2015[2017-03-10]. http://www.mellanox.com/related-docs/whitepapers/WP_heavyreading-NFV-performance.pdf.
[18] Kim T, Kim S, Lee K, et al. A QoS assured network service chaining algorithm in network function virtualization architecture[C]//Proc of IEEE/ACM Int Symp on Cluster, Cloud and Grid Computing. Shenzhen:IEEE, 2015:1221-1224.
[19] Riera J F, Escalona E, Batalle J, et al. Virtual network function scheduling:concept and challenges[C]//Proc of Int Conf on Smart Communications in Network Technologies. Vilanova i la Geltru:IEEE, 2014:1-5.
[20] Long Q, Assi C, Shaban K. Delay-aware scheduling and resource optimization with network function virtualization[J]. IEEE Transactions on Communications, 2016, 64(9):3746-3758.
[21] Zhang Qixia, Xiao Yikai, Liu Fangming, et al. Joint optimization of chain placement and request scheduling for network function virtualization[C]//Proc of 37^th IEEE Int Conf on Distributed Computing Systems. Atlanta:IEEE, 2017:731-741.

TOChain: a High-Performance SFC for Virtual Network Security

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	. Multicast Service Chain Deployment and Adjustment Method under User Dynamic Access [J]. Journal of Beijing University of Posts and Telecommunications, 2022, 45(6): 55-61.
[2]	SHI Zicheng, LI Xin, TANG Ying, HUANG Shanguo. Optical Packet Filtering System Based on All-Optical Pattern Matching [J]. Journal of Beijing University of Posts and Telecommunications, 2022, 45(3): 96-101.
[3]	LI Hang, WEN Xiangming, KONG Zixuan, XIANG Wan, WANG Luhan. Service Function Chain Embedding for Network Slicing with Diversified Requirements [J]. Journal of Beijing University of Posts and Telecommunications, 2022, 45(2): 9-15.
[4]	JIA Yuning, WEI Yifei, ZHOU Junhua. Service Function Chain Orchestrating Algorithm Based on SDN and NFV [J]. Journal of Beijing University of Posts and Telecommunications, 2022, 45(2): 85-90.
[5]	YANG Hongyu, YUAN Haihang, ZHANG Liang. A Risk Assessment Method of Network Host Node with Host Importance [J]. Journal of Beijing University of Posts and Telecommunications, 2022, 45(2): 16-21.
[6]	ZHANG Tian-kui, WANG Xiao-fei, YANG Li-wei, YANG Ding-cheng. A SFC Deployment and Computation Resource Allocation Joint Algorithm in Mobile Networks [J]. Journal of Beijing University of Posts and Telecommunications, 2021, 44(1): 7-13.
[7]	YUE Yi, CHENG Bo. Lightweight Network Services Orchestration Environment Based on NFV for End Users [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2019, 42(4): 24-31.
[8]	TANG Lun, ZHAO Pei-pei, ZHAO Guo-fan, CHEN Qian-bin. Dynamic Deployment Algorithm for Service Function Chaining with QoS Guarantee [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2018, 41(6): 90-96.
[9]	YI Zhi-ling, CUI Chun-feng, HAN Shuang-feng, PAN Cheng-kang, CHEN Ya-mi. Analysis of Key Technologies of 5G-Oriented Cellular Internet of Things [J]. Journal of Beijing University of Posts and Telecommunications, 2018, 41(5): 20-25.
[10]	LI Xu, BAO Jing-jing, LIU Ying. Formation Security: Black Hole Problem [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2016, 39(1): 12-17.
[11]	BAI Yuan, WANG Qian, JIA Qi-lan, ZHANG Hui-bing. An Efficient and Secured AKA for EPS Networks [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2015, 38(s1): 10-14.
[12]	LIU Jing, GU Li-ze, Niu Xin-xin, YANG Yi-xian, LI Zhong-xian. Network Security Events Analyze Method Based on Neural Networks and Genetic Algorithm [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2015, 38(2): 50-54.
[13]	FU Yu, CHEN Yong-qiang, WU Xiao-ping, SONG Yan. Network Attack-Defense Strategies Selection Based on Stochastic Game Model [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2014, 37(s1): 35-39.
[14]	CHEN Yong-qiang, WU Xiao-ping, FU Yu, SONG Yan. Network Security Evaluation Based on Stochastic Game and Network Entropy [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2014, 37(s1): 92-96.
[15]	. Network Security Analysis Based on Host-Security-Group [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2012, 35(1): 19-23.