
Research on Network Bandwidth Isolation Techniques for Cloud Computing Data Centers

Published: 2018-05-31 10:09

Topic: cloud computing + data center network; Source: National University of Defense Technology (国防科学技术大学), doctoral dissertation, 2012


[Abstract]: The goal of cloud computing is to free enterprises that need computing, storage and network capacity from expensive equipment procurement, tedious application deployment and complex system management, so that they can devote more effort to business software development and solution innovation. Cloud computing lets users pay on demand and lets their applications grow processing capacity on demand, which reduces up-front investment risk. However, this open service model places tenants with different backgrounds in the same data center and brings potential security threats: a tenant can, for example, deploy malicious applications and launch attacks that cause chaos inside the data center. Cloud providers therefore need not only to design scalable data center architectures that meet rapidly growing application demand but, more importantly, to provide effective performance isolation mechanisms that guarantee tenants do not interfere with each other's performance.

The resources of a cloud data center consist mainly of computing, storage and network resources. Computing and storage resources are currently partitioned per virtual machine by hypervisor mechanisms such as Xen and Hyper-V, so they are reasonably well isolated. How tenants share the network, however, is not effectively controlled, so network bandwidth isolation is not provided. VLANs, for example, provide reachability or traffic isolation but no bandwidth quotas, and hence no bandwidth isolation. Without an effective bandwidth isolation mechanism, current cloud data center networks face at least the following risks. First, per-flow bandwidth allocation invites selfish and malicious behaviour, such as opening many parallel flows to take more bandwidth or to launch traffic attacks. Second, many new parallel computing patterns, such as search and MapReduce, introduce highly synchronized many-to-one communication, which easily leads to TCP congestion collapse in low-latency, small-buffer data center networks. Third, many existing applications are built on non-responsive protocols; allowing them to migrate into the data center inevitably interferes with other applications' performance, while forbidding migration forfeits potential revenue or forces the applications to be rewritten.

To address these problems, this dissertation studies how to achieve network-layer bandwidth isolation between tenants in a cloud data center network. The main contributions are the following three.

First, from the perspective of defending the data center network against topology probing, the dissertation explores whether a tenant can use end-to-end methods to infer the logical routing topology of the data center network, and proposes a progressive probing algorithm based on the coarse-grained loss characteristics of UDP flows. Whether a tenant using only normal traffic can infer the routing topology between its virtual machines was previously unknown. Traditional end-to-end topology inference performs statistical clustering on packet-level, fine-grained loss or delay characteristics and derives a maximum-likelihood estimate of the logical routing topology. Applying these techniques directly raises two problems: they assume probe packets always experience fine-grained loss and delay along the route, which does not always hold in high-bandwidth, low-latency networks; and packet-level statistical analysis incurs enormous storage and computation overhead at high bandwidth, so it scales poorly. Through further study and extensive experiments, the dissertation shows that by decomposing the routing topology into probing trees rooted at receiving virtual machines, inducing congestion according to specific strategies, and probing progressively using multi-dimensional flow-level coarse-grained loss characteristics, a very accurate logical routing topology can be obtained, with a single probe completing within a few milliseconds. A tenant can exploit this topology for selfish or malicious behaviour. Bandwidth isolation mechanisms must therefore keep network load as low as possible and implement fine-grained congestion control.

Second, from the perspective of defending the data center network against traffic attacks, the dissertation explores the possibility of and the necessary conditions for low-rate denial-of-service attacks in data center networks, covering both non-responsive and responsive flows and in particular the conditions for targeted attacks that exploit the routing topology, and proposes a theoretical analysis model. Although there has been some qualitative discussion of traffic attacks on data center networks, the conditions for and consequences of such attacks lacked quantitative analysis. Through a theoretical model and extensive experiments, the dissertation shows that the low-latency, small-buffer nature of data center networks allows a tenant first to aggregate multiple synchronized flows into a low-rate denial-of-service attack, and second to use the routing topology to place the target at the network edge or inside the network. The model and experimental results show that an attack lasting only a few milliseconds can reduce the throughput of a target TCP flow to a very low level. Bandwidth isolation in data center networks must therefore suppress concurrent flows as far as possible when available bandwidth is insufficient, and take into account where congestion may occur when applying congestion control.

Finally, to address the shortcomings of current bandwidth isolation techniques while also defending against topology probing and traffic attacks, the dissertation proposes a bandwidth isolation mechanism for data center networks: a unified logical channel that allocates bandwidth uniformly to both responsive and non-responsive flows, together with an RTT-based receiver-side congestion control mechanism. Existing reservation-based bandwidth allocation achieves good isolation but is complex to implement and under-utilizes resources; existing dynamic allocation makes full use of resources but only addresses bandwidth fairness on network edge links and lacks both suppression of concurrent flows and fine-grained congestion control. The dissertation proposes using the unified logical channel to enforce fine-grained, on-demand dynamic bandwidth allocation that guarantees fair bandwidth sharing between flows, and a receiver-enhanced fine-grained congestion control algorithm that handles congestion on both edge and internal links, determines the number of concurrent flows admitted into the network from its current congestion level, and preserves fair bandwidth allocation as far as possible while avoiding congestion. Experimental results show that the mechanism effectively prevents users from intentionally or unintentionally taking other users' bandwidth, resists low-rate denial-of-service attacks from the user side, and guarantees bandwidth isolation in the data center network.
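The following is an added toy simulation (not code from the dissertation) of the defensive mechanism described in the last contribution: a receiver-enforced "unified logical channel" that polices every admitted flow, responsive or not, to an equal share of a rate budget, and an RTT-driven receiver control that shrinks that budget and the number of concurrently admitted flows when queueing delay at an internal bottleneck rises. The link rates, the AIMD sender model, the 1.5x RTT back-off threshold, the minimum per-flow rate and the round-robin admission are all constructed assumptions chosen to make the behaviour visible; the dissertation's actual algorithm and parameters are not on this page.

```python
"""Toy slot-based simulation of receiver-enforced bandwidth isolation.

Constructed example: a shared edge link of LINK_CAPACITY is fed by one
non-responsive (fixed-rate, UDP-like) flow and several responsive (AIMD,
TCP-like) flows.  Without isolation the fixed-rate sender takes almost all
of the link.  With the logical channel, each admitted flow is policed to
an equal share of a rate budget, and the budget and the number of
concurrently admitted flows are driven by the measured RTT so that an
internal (core) bottleneck is respected as well as the edge link.
All numbers and policy constants below are assumptions for illustration.
"""
from dataclasses import dataclass

LINK_CAPACITY = 100.0   # edge link rate per slot (constructed)
MIN_RATE = 10.0         # do not admit a flow below this share (assumed policy)
RTT_THRESHOLD = 1.5     # RTT ratio above which the receiver backs off (assumed)
RECOVER_STEP = 5.0      # additive budget increase per uncongested slot (assumed)


@dataclass
class Flow:
    name: str
    responsive: bool     # True: AIMD sender; False: fixed-rate sender
    demand: float        # rate the sender wants per slot
    cwnd: float = 1.0    # congestion window (responsive senders only)
    delivered: float = 0.0

    def offered(self) -> float:
        return min(self.demand, self.cwnd) if self.responsive else self.demand

    def react(self, loss: bool) -> None:
        if self.responsive:  # AIMD: halve on loss, grow by one otherwise
            self.cwnd = max(1.0, self.cwnd / 2) if loss else self.cwnd + 1


def run_unisolated(flows, slots):
    """No isolation: FIFO bottleneck, drops proportional to what each flow offers."""
    for _ in range(slots):
        total = sum(f.offered() for f in flows)
        factor = min(1.0, LINK_CAPACITY / total)  # fraction surviving the bottleneck
        for f in flows:
            f.delivered += f.offered() * factor
            f.react(factor < 1.0)                # every sender sees the shared loss
    return {f.name: f.delivered for f in flows}


def run_isolated(flows, slots, core_capacity):
    """Unified logical channel plus RTT-driven receiver control.

    Returns the per-flow delivered volume and the worst RTT ratio observed
    at the internal bottleneck (1.0 means no queueing delay).
    """
    budget = LINK_CAPACITY   # total rate the receiver is willing to admit
    backlog = 0.0            # queued data at the internal bottleneck
    max_rtt_ratio = 1.0
    n = len(flows)
    for slot in range(slots):
        # suppress concurrency when the budget cannot give each flow MIN_RATE
        k = min(n, max(1, int(budget // MIN_RATE)))
        rotated = flows[slot % n:] + flows[:slot % n]  # round-robin admission
        admitted = rotated[:k]
        share = budget / k
        sent = 0.0
        for f in admitted:
            offered = f.offered()
            allowed = min(offered, share)   # policing: excess is dropped at the channel
            f.delivered += allowed
            sent += allowed
            f.react(offered > share)        # responsive senders settle at their share
        backlog = max(0.0, backlog + sent - core_capacity)
        rtt_ratio = 1.0 + backlog / core_capacity  # queueing delay relative to base RTT
        max_rtt_ratio = max(max_rtt_ratio, rtt_ratio)
        if rtt_ratio > RTT_THRESHOLD:
            budget = max(MIN_RATE, budget / 2)          # multiplicative decrease
        else:
            budget = min(LINK_CAPACITY, budget + RECOVER_STEP)
    return {f.name: f.delivered for f in flows}, max_rtt_ratio


def make_flows():
    """Constructed workload: one 90-unit fixed-rate flow and three AIMD flows."""
    return [Flow("udp-fixed", False, 90.0)] + [Flow(f"tcp-{i}", True, 50.0) for i in range(3)]


if __name__ == "__main__":
    print("no isolation:", run_unisolated(make_flows(), 200))
    print("isolated, no core bottleneck:", run_isolated(make_flows(), 200, LINK_CAPACITY))
    print("isolated, core bottleneck 60:", run_isolated(make_flows(), 200, 60.0))
```

Running the three scenarios shows the point of the abstract: without the channel the fixed-rate sender keeps about 90 of the 100 units while each AIMD flow gets a few units; with the channel every flow is capped at its 25-unit share and the AIMD flows converge to it; and when the core link is narrower than the edge link the receiver's RTT signal halves the budget and, once the budget falls below 40 units, admits fewer than four flows at a time rather than letting all of them queue.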
[Degree-granting institution]: National University of Defense Technology (国防科学技术大学)
[Degree]: Doctor
[Year awarded]: 2012
[Classification]: TP308;TP393.08




Page link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1959246.html

