VIOLIN: A Network Virtualization Middleware - PowerPoint PPT Presentation

VIOLIN: A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu Lab FRIENDS (For Research In Emerging Network and Distributed Services) – PowerPoint PPT presentation

Slides: 35
Provided by: csPurdue
Transcript and Presenter's Notes



1
  • VIOLIN: A Network Virtualization Middleware for Virtual Networked Computing
  • Dongyan Xu
  • Lab FRIENDS (For Research In Emerging Network and Distributed Services)
  • Department of Computer Sciences
  • Center for Education and Research in Information Assurance and Security (CERIAS)
  • Purdue University

2
The Team
  • Lab FRIENDS
    • Xuxian Jiang (Ph.D. student)
    • Paul Ruth (Ph.D. student)
    • Dongyan Xu (faculty)
  • Supported in part by NSF Middleware Initiative (NMI)

3
Outline
  • Motivations and goals
  • Architecture of VIOLIN
  • Applications of VIOLIN
    • Network system emulation
    • Scientific computing
    • Honeyfarm (network attack aggregation)
  • On-going work

4
Motivations
  • Formation of wide-area shared cyber-infrastructure
    • Multiple domains
    • Heterogeneous platforms
    • Large number of users
  • Need for mutually isolated distributed environments
    • Customized system administration and configuration
    • Consistent and binary-compatible runtime support
    • Un-trusted or malfunctioning applications
      • Known vulnerabilities in SETI@Home, KaZaa, and Condor
    • Un-trusted network traffic control

5
Potential Applications
  • Multi-institutional collaboratories
  • Large-scale distributed emulations
    • Cyber-systems
    • Real-world systems
  • Parallel/distributed scientific applications
  • Philanthropic (volunteer) computing services
  • Content distribution networks

6
VM (Virtual Machine): a Solution?
  • Achieves single node isolation (SODA)
    • Administration
    • Resource
    • Runtime services/libraries
    • Fault/attack impact
  • However, does not achieve network isolation
    • VMs addressable from/to any Internet hosts
    • Cannot control traffic volume between VMs
    • Cannot have overlapping address spaces

X. Jiang, D. Xu, SODA: Service-on-Demand Architecture for Service Hosting Utility Platforms, IEEE HPDC-12, 2003.
7
VIOLIN: Proposed Solution
  • VIOLIN: A VN (Virtual Network) for VMs
    • Independent IP address space
    • Invisible from Internet and vice versa
    • Un-tamperable topology and traffic control
    • Value-added network services (e.g., IP multicast)
    • Binary and IP compatible runtime environment

X. Jiang, D. Xu, VIOLIN: Virtual Internetworking on OverLay INfrastructure, Springer LNCS Vol. 3358 (ISPA 2004).
D. Xu, X. Jiang, Towards an Integrated Multimedia Service Hosting Overlay, ACM Multimedia 2004.
8
VIOLIN: the Big Picture
[Figure: two mutually isolated VIOLINs, each a set of VMs, running on an NMI-based Grid infrastructure that sits on top of the physical infrastructure]
9
Key Ideas in VIOLIN
  • One level of indirection between VIOLIN and real Internet
    • "All problems in Computer Science can be solved by another level of indirection" (Butler Lampson)
  • A middleware-level underlay network serving as intelligent carrier of a VIOLIN
    • Traffic tunneling
    • Topology control
    • Traffic volume control
    • Traffic encryption
    • Network service virtualization

10
VIOLIN Architecture
[Figure: VMs hosted on a physical host]
11
VIOLIN Architecture
[Figure: protocol stack between two VIOLIN nodes (VMs) with virtual addresses 196.128.1.2 and 196.128.1.3: application message (e.g., MPI) over TCP/UDP over IP, carried as Ethernet frames via UDP tunneling between the physical hosts planetlab6.csail.mit.edu and planetlab6.millennium.berkeley.edu]
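The tunneling shown in this figure, as an added example that is not VIOLIN's own code: each VM's Ethernet frame travels inside a UDP payload tagged with the id of the VIOLIN it belongs to, and a per-host virtual switch delivers it only to a VM port of that same VIOLIN, which is what lets two VIOLINs reuse the same 196.128.1.0/24 addresses that a plain VM setup could not overlap. The 4-byte id header, the MAC values and the VirtualSwitch class are assumptions for illustration, not the project's format.

```python
import socket
import struct
TUNNEL_HDR = struct.Struct("!I")   # assumed tunnel format: 4-byte VIOLIN id + raw frame

def ipv4_packet(src: str, dst: str, data: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + data

def ethernet_frame(dst_mac: bytes, src_mac: bytes, packet: bytes) -> bytes:
    return dst_mac + src_mac + b"\x08\x00" + packet   # EtherType 0x0800 = IPv4

def encapsulate(violin_id: int, frame: bytes) -> bytes:
    """Payload of the UDP datagram exchanged between two physical hosts."""
    return TUNNEL_HDR.pack(violin_id) + frame

def decapsulate(datagram: bytes):
    (violin_id,) = TUNNEL_HDR.unpack_from(datagram)
    return violin_id, datagram[TUNNEL_HDR.size:]

class VirtualSwitch:
    """Per-host underlay switch: a frame reaches only a VM port of the same
    VIOLIN, so two VIOLINs may reuse identical MAC and IP addresses."""
    def __init__(self):
        self.ports = {}   # (violin_id, mac) -> IP packets delivered to that VM

    def attach(self, violin_id: int, mac: bytes):
        self.ports[(violin_id, mac)] = []

    def receive(self, datagram: bytes) -> bool:
        violin_id, frame = decapsulate(datagram)
        port = self.ports.get((violin_id, frame[:6]))
        if port is None:
            return False  # no such VM in that VIOLIN on this host: drop it
        port.append(frame[14:])
        return True

def demo():
    """Two mutually isolated VIOLINs sharing the 196.128.1.0/24 space on one host."""
    sw = VirtualSwitch()
    mac2, mac3 = b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x03"
    for vid in (1, 2):                     # cloned VMs: same MACs and IPs in both
        sw.attach(vid, mac2)
        sw.attach(vid, mac3)
    pkt = ipv4_packet("196.128.1.2", "196.128.1.3", b"MPI hello")
    delivered = sw.receive(encapsulate(1, ethernet_frame(mac3, mac2, pkt)))
    stray = sw.receive(encapsulate(9, ethernet_frame(mac3, mac2, pkt)))  # unknown VIOLIN
    return delivered, stray, len(sw.ports[(1, mac3)]), len(sw.ports[(2, mac3)])
```

Running demo() shows the frame landing on 196.128.1.3 of VIOLIN 1 only, while the identically addressed VM in VIOLIN 2 sees nothing and a datagram tagged with an id that has no VM on the host is dropped.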
12
VIOLIN Network Performance
TCP throughput measurement on PlanetLab: planetlab6.csail.mit.edu -> planetlab6.millennium.berkeley.edu
13
VIOLIN Network Performance
ICMP latency measurement on PlanetLab: planetlab6.csail.mit.edu -> planetlab6.millennium.berkeley.edu

14
Application I: Network System Emulation
  • vBET: an education toolkit for network emulation
  • Create your own IP network on a shared platform
    • IP address space and network topology
    • Routers, switches, firewalls, end-hosts, links
    • Real-world network software (OSPF, BGP)
  • Strict confinement (network security experiments)
  • Flexible configuration
    • Not constrained by device/port availability
    • No manual cable re-wiring or hardware setup

X. Jiang, D. Xu, vBET: a VM-Based Emulation Testbed, ACM SIGCOMM Workshop on Models, Methods, and Tools for Reproducible Network Research (ACM MoMeTools), 2003.
15
vBET GUI
16
Sample Emulation: OSPF Routing
17
Emulation of OSPF Routing
Demo video clip
18
Sample Emulation: Critical Server Protection
19
Screenshot: Distributed Firewall
20
Sample Emulation: Chord P2P Network
21
Screenshot
22
Sample Emulation: Internet Worms
[Figure: a worm playground, a virtual network running on top of a shared physical infrastructure (e.g. PlanetLab)]

X. Jiang, D. Xu, H. J. Wang, E. H. Spafford, Virtual Playgrounds for Worm Behavior Investigation, 8th International Symposium on Recent Advances in Intrusion Detection (RAID05), 2005.
23
Application II: Scientific Computing
  • Virtual clusters leveraging idle CPU cycles
    • Long running parallel/distributed jobs
    • Complicated communication patterns between nodes (different from SETI@Home, Condor)
  • Runtime adaptation
    • Resource re-allocation
    • Migration/re-location
    • Scale adjustment

P. Ruth, X. Jiang, D. Xu, S. Goasguen, Towards Virtual Distributed Environments in a Shared Infrastructure, IEEE Computer, May 2005.
24
Experiment Setup
[Figure: two mutually isolated virtual clusters of VMs, each behind its own virtual switch (VS), on the ITaP physical cluster connected by a physical switch]
25
VIOLIN vs. Physical Hosts (running HPL benchmark)
  • Physical host: dual processor 1.2 GHz Athlon, 1GB memory
  • VM: running one per host, 512MB memory

26
Multiple VIOLINs Sharing Physical Hosts (running HPL benchmark)
  • Aggregate performance remains stable (up to 16 VIOLINs)
  • In this example, 16 VIOLINs exhaust memory

27
VM Communication Pattern
[Figure: communication pattern between VMs; link labelled 7MB/s]
28
Application III: Honeyfarm
  • Collapsar: a network attack aggregation center
  • Achieving two (seemingly) conflicting goals
    • Distributed honeypot presence
    • Centralized honeypot operation
  • Key ideas
    • Leveraging unused IP addresses in each network
    • Diverting corresponding traffic to a detention center (transparently), by VIOLIN
    • Creating VM-based honeypots in the center

X. Jiang, D. Xu, Collapsar: a VM-Based Architecture for Network Attack Detention Center, 13th USENIX Security Symposium (Security04), 2004.
29
Collapsar Architecture
[Figure: redirectors placed in several production networks forward an attacker's traffic to the front-end of the Collapsar center, which hosts the VM-based honeypots, a correlation engine and a management station]
30
Real-Time Worm Alert
X. Jiang, D. Xu, R. Eigenmann, Protection Mechanisms for Application Service Hosting Platforms, IEEE/ACM CCGrid04, 2004.
31
Log Correlation: Stepping Stone
  • iii.jjj.kkk.11 compromised a honeypot and installed a rootkit, which contained an ssh backdoor
  • xx.yyy.zzz.3 connected to the ssh backdoor using the same passwd
32
Log Correlation: Network Scanning
33
On-going Work
  • VIOLIN-based virtual distributed environments on shared cyber-infrastructure
  • Self-management (making them smart entities)
    • Missing role of VIOLIN administrator
    • Automatic customization and bootstrapping
    • Enforcement of application-specific policies
  • Self-provisioning (application-driven)
    • Resource scaling
    • Scale adaptation
    • Topology evolution

34
Thank you.
For more information: Email dxu@cs.purdue.edu, URL http://www.cs.purdue.edu/dxu, or Google "Purdue SODA Friends"