Um Mecanismo para Isolamento Seguro de Redes Virtuais Usando a Abordagem Híbrida Xen e OpenFlow
Abstract
Secure virtual networks must provide privacy and avoid denial of service attacks. In this paper, we propose a mechanism which securely isolates virtual networks based on the paradigm of data and control plane separation. The proposal is deployed over XenFlow, a hybrid network virtualization tool that uses both Xen and OpenFlow. The proposed mechanism associates an OpenFlow control application with a labeling scheme for each virtual network of Xen virtual machines. In the plane separation paradigm, packets of each virtual network are forwarded directly in data plane, and the proposal ensures traffic isolation with resource reservation for each virtual network. The experiments evaluate two attackers' models: one that tries to exhaust the resources of virtual networks and other that attempts to eavesdrop on communications from other virtual networks. The results show that the proposal completely blocks the action of both attackers' model. Results reveal the effectiveness for traffic isolation, even on adverse situations, where virtual networks share the same IP address space or broadcast packets.References
Barabash, K., Cohen, R., Hadas, D., Jain, V., Recio, R., and Rochwerger, B. (2011). A case for overlays in dcn virtualization. In Proceedings of the 3rd Workshop on Data Center-Converged and Virtual Ethernet Switching, pages 30-37. ITCP.
Bari, M., Boutaba, R., Esteves, R., Granville, L., Podlesny, M., Rabbani, M., Zhang, Q., and Zhani, M. (2013). Data center network virtualization: A survey. Communications Surveys Tutorials, IEEE, 15(2):909-928.
Egi, N., Greenhalgh, A., Handley, M., Hoerdt, M., Mathy, L., and Schooley, T. (2007). Evaluating Xen for router virtualization. In Computer Communications and Networks, 2007. ICCCN 2007. Proceedings of 16th International Conference on, pages 1256-1261. IEEE.
Feamster, N., Gao, L., and Rexford, J. (2007). How to lease the Internet in your spare time. ACM SIGCOMM Computer Communication Review, 37(1):61-64.
Fernandes, N. and Duarte, O. (2010). XNetMon: Uma arquitetura com segurança para redes virtuais. Anais do X Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 339-352.
Fernandes, N., Moreira, M., Moraes, I., Ferraz, L., Couto, R., Carvalho, H., Campista, M., Costa, L., and Duarte, O. (2010). Virtual networks: Isolation, performance, and trends. Annals of Telecommunications, pages 1-17.
Fernandes, N. C. and Duarte, O. C. M. B. (2011). Provendo isolamento e qualidade de serviço em redes virtuais. In XXIX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos - SBRC'2011.
Figueiredo, U., Lobato, A., Mattos, D. M. F., Ferraz, L. H. G., and Duarte, O. C. M. B. (2013). AnÂálise de desempenho de mecanismos de encaminhamento de pacotes em redes virtuais. In Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos 2013 - XVIII Workshop de Gerência e Operação de Redes e Serviços (WGRS).
Greenberg, A., Hamilton, J. R., Jain, N., Kandula, S., Kim, C., Lahiri, P., Maltz, D. A., Patel, P., and Sengupta, S. (2009). Vl2: a scalable and flexible data center network. In Proceedings of the ACM SIGCOMM 2009, SIGCOMM '09, pages 51-62, New York, NY, USA. ACM.
Hao, F., Lakshman, T. V., Mukherjee, S., and Song, H. (2010). Secure cloud computing with a virtualized network infrastructure. In Proceedings of the 2nd USENIX conference on Hot topics in cloud computing, HotCloud'10, Berkeley, CA, USA. USENIX Association.
Huang, M. (2005). Vnet: Planetlab virtualized network access. Technical report, Tech. Rep. PDN-05-029, PlanetLab Consortium.
Mattos, D. M. F. and Duarte, O. C. M. B. (2012). QFlow: Um sistema com garantia de isolamento e oferta de qualidade de serviço para redes virtualizadas. In XXX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos - SBRC'2012.
Mattos, D. M. F., Fernandes, N. C., and Duarte, O. C. M. B. (2011). XenFlow: Um sistema de processamento de fluxos robusto e eficiente para migração em redes virtuais. In XXIX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos - SBRC'2011.
McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., and Turner, J. (2008). OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38(2):69-74.
Mudigonda, J., Yalagandula, P., Mogul, J., Stiekes, B., and Pouffary, Y. (2011). Netlord: a scalable multi-tenant network architecture for virtualized datacenters. In Proceedings of the ACM SIGCOMM 2011, SIGCOMM '11, pages 62-73, Toronto, Ontario, Canada. ACM.
Nakagawa, Y., Hyoudou, K., and Shimizu, T. (2012). A management method of ip multicast in overlay networks using openflow. In Proceedings of the first workshop on Hot topics in software defined networks, HotSDN '12, pages 91-96, Helsinki, Finland. ACM.
Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and Ghanwani, A. (2011). Routing Bridges (RBridges): Base Protocol Specification. RFC 6325 (Proposed Standard). Updated by RFCs 6327, 6439.
Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., and Shenker, S. (2009). Extending networking into the virtualization layer. Proc. HotNets.
Pisa, P., Fernandes, N., Carvalho, H., Moreira, M., Campista, M., Costa, L., and Duarte, O. (2010). OpenFlow and Xen-based virtual network migration. In Pont, A., Pujolle, G., and Raghavan, S., editors, Communications: Wireless in Developing Countries and Networks of the Future, volume 327 of IFIP Advances in Information and Communication Technology, pages 170-181. Springer Boston.
Sridharan, M., Duda, K., Ganga, I., Greenberg, A., Lin, G., Pearson, M., and Thaler, P. (2013). NVGRE: Network Virtualization using Generic Routing Encapsulation. NVGRE.
Wang, Y., Keller, E., Biskeborn, B., van der Merwe, J., and Rexford, J. (2008). Virtual routers on the move: live router migration as a network-management primitive. ACM SIGCOMM Computer Communication Review, 38(4):231-242.
Bari, M., Boutaba, R., Esteves, R., Granville, L., Podlesny, M., Rabbani, M., Zhang, Q., and Zhani, M. (2013). Data center network virtualization: A survey. Communications Surveys Tutorials, IEEE, 15(2):909-928.
Egi, N., Greenhalgh, A., Handley, M., Hoerdt, M., Mathy, L., and Schooley, T. (2007). Evaluating Xen for router virtualization. In Computer Communications and Networks, 2007. ICCCN 2007. Proceedings of 16th International Conference on, pages 1256-1261. IEEE.
Feamster, N., Gao, L., and Rexford, J. (2007). How to lease the Internet in your spare time. ACM SIGCOMM Computer Communication Review, 37(1):61-64.
Fernandes, N. and Duarte, O. (2010). XNetMon: Uma arquitetura com segurança para redes virtuais. Anais do X Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 339-352.
Fernandes, N., Moreira, M., Moraes, I., Ferraz, L., Couto, R., Carvalho, H., Campista, M., Costa, L., and Duarte, O. (2010). Virtual networks: Isolation, performance, and trends. Annals of Telecommunications, pages 1-17.
Fernandes, N. C. and Duarte, O. C. M. B. (2011). Provendo isolamento e qualidade de serviço em redes virtuais. In XXIX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos - SBRC'2011.
Figueiredo, U., Lobato, A., Mattos, D. M. F., Ferraz, L. H. G., and Duarte, O. C. M. B. (2013). AnÂálise de desempenho de mecanismos de encaminhamento de pacotes em redes virtuais. In Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos 2013 - XVIII Workshop de Gerência e Operação de Redes e Serviços (WGRS).
Greenberg, A., Hamilton, J. R., Jain, N., Kandula, S., Kim, C., Lahiri, P., Maltz, D. A., Patel, P., and Sengupta, S. (2009). Vl2: a scalable and flexible data center network. In Proceedings of the ACM SIGCOMM 2009, SIGCOMM '09, pages 51-62, New York, NY, USA. ACM.
Hao, F., Lakshman, T. V., Mukherjee, S., and Song, H. (2010). Secure cloud computing with a virtualized network infrastructure. In Proceedings of the 2nd USENIX conference on Hot topics in cloud computing, HotCloud'10, Berkeley, CA, USA. USENIX Association.
Huang, M. (2005). Vnet: Planetlab virtualized network access. Technical report, Tech. Rep. PDN-05-029, PlanetLab Consortium.
Mattos, D. M. F. and Duarte, O. C. M. B. (2012). QFlow: Um sistema com garantia de isolamento e oferta de qualidade de serviço para redes virtualizadas. In XXX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos - SBRC'2012.
Mattos, D. M. F., Fernandes, N. C., and Duarte, O. C. M. B. (2011). XenFlow: Um sistema de processamento de fluxos robusto e eficiente para migração em redes virtuais. In XXIX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos - SBRC'2011.
McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., and Turner, J. (2008). OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38(2):69-74.
Mudigonda, J., Yalagandula, P., Mogul, J., Stiekes, B., and Pouffary, Y. (2011). Netlord: a scalable multi-tenant network architecture for virtualized datacenters. In Proceedings of the ACM SIGCOMM 2011, SIGCOMM '11, pages 62-73, Toronto, Ontario, Canada. ACM.
Nakagawa, Y., Hyoudou, K., and Shimizu, T. (2012). A management method of ip multicast in overlay networks using openflow. In Proceedings of the first workshop on Hot topics in software defined networks, HotSDN '12, pages 91-96, Helsinki, Finland. ACM.
Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and Ghanwani, A. (2011). Routing Bridges (RBridges): Base Protocol Specification. RFC 6325 (Proposed Standard). Updated by RFCs 6327, 6439.
Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., and Shenker, S. (2009). Extending networking into the virtualization layer. Proc. HotNets.
Pisa, P., Fernandes, N., Carvalho, H., Moreira, M., Campista, M., Costa, L., and Duarte, O. (2010). OpenFlow and Xen-based virtual network migration. In Pont, A., Pujolle, G., and Raghavan, S., editors, Communications: Wireless in Developing Countries and Networks of the Future, volume 327 of IFIP Advances in Information and Communication Technology, pages 170-181. Springer Boston.
Sridharan, M., Duda, K., Ganga, I., Greenberg, A., Lin, G., Pearson, M., and Thaler, P. (2013). NVGRE: Network Virtualization using Generic Routing Encapsulation. NVGRE.
Wang, Y., Keller, E., Biskeborn, B., van der Merwe, J., and Rexford, J. (2008). Virtual routers on the move: live router migration as a network-management primitive. ACM SIGCOMM Computer Communication Review, 38(4):231-242.
Published
2013-11-11
How to Cite
MATTOS, Diogo Menezes Ferrazani; FERRAZ, Lyno Henrique Gonçalves; DUARTE, Otto Carlos Muniz Bandeira.
Um Mecanismo para Isolamento Seguro de Redes Virtuais Usando a Abordagem Híbrida Xen e OpenFlow. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 13. , 2013, Manaus.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2013
.
p. 128-141.
DOI: https://doi.org/10.5753/sbseg.2013.19541.
