Currently, different kinds of security devices are deployed in cloud datacenter environments, and tenants may choose their desired security services, such as firewall and IDS (intrusion detection system). At the same time, tenants in cloud computing datacenters are dynamic and have different requirements. Therefore, security device deployment in cloud datacenters is very complex and may lead to inefficient resource utilization. In this paper, we study this problem in a software-defined network (SDN) based multi-tenant cloud datacenter environment. We propose a load-adaptive traffic steering and packet forwarding scheme called LTSS to solve the problem. Our scheme combines an SDN controller with a TagOper plug-in to determine the traffic paths with the minimum load for tenants, and allows tenants to get their desired security services in SDN-based datacenter networks. We also build a prototype system for LTSS to verify its functionality and evaluate the performance of our design.
The work is supported by the National Natural Science Foundation of China under Grant Nos. 61572137 and 61728202, and Shanghai Innovation Action Project under Grant No. 16DZ1100200.
Corresponding author: Zhi-Hui Lu
About author: Xue-Kai Du got his Master's degree in computer science at the School of Computer Science, Fudan University, Shanghai, in 2016. His research interests are cloud computing, virtualized network and software-defined network.
Xue-Kai Du, Zhi-Hui Lu, Qiang Duan, Jie Wu, Cheng-Rong Wu. LTSS: Load-Adaptive Traffic Steering and Forwarding for Security Services in Multi-Tenant Cloud Datacenters [J]. Journal of Computer Science and Technology, 2017, V32(6): 1265-1278
Copyright 2010 by Journal of Computer Science and Technology