Authenticated Setup of Virtual Links with Quality-of-Service Guarantees
Roland Bless, Martin Röhricht, Christoph Werle
Institute of Telematics, Karlsruhe Institute of Technology (KIT)
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association, www.kit.edu
Slide 2: Motivation
- Network Virtualization is an enabling technology
  - Easier deployment of global networks and services
  - Homogeneity across provider domain boundaries
  - Parallel operation of different network architectures: deploy novel network architectures and end-to-end services without requiring Internet-wide consensus
- Increased flexibility
  - On-demand creation and modification of virtual network topology and resources, esp. nodes and links
  - Resource migration as a traffic engineering mechanism
- More efficient use of resources (exploit statistical multiplexing gain)

R. Bless, "Authenticated Setup of Virtual Links w/ QoS guarantees", Institute of Telematics, Department of Informatics, ICCCN 2011, Maui, Hawaii, http://telematics.tm.kit.edu/
Slide 3: Network Virtualization
- Virtual Network (VNet): a set of (virtual) nodes directly connected by (virtual) links, realized on top of a set of physical resources (the "substrate")
- "Naked" topology at layer 3: no assumptions about the network protocols or architecture running inside the VNet, i.e., not necessarily IP
- May use various substrate techniques to create virtual links, e.g., IP tunnels, MPLS, Ethernet VLANs, ...
- We assume an IP-based substrate
- Partitioning or aggregation of resources is possible
Slide 4: Network Virtualization Business Model
[Figure: roles Virtual Network Operator (VNO) and Virtual Network Provider (VNP) above a Virtual Network that is built from the substrate networks of Infrastructure Providers A, B and C; the setup of virtual links therefore crosses infrastructure provider boundaries.]
Slide 5: Setup of Virtual Links with QoS
- Isolation and QoS guarantees are required, so resources need to be reserved along a substrate path
- Combine resource reservation with virtual link setup

[Figure: virtual node architecture. A substrate node hosts the virtual nodes VM 1 and VM 2, each with virtual interfaces VIf 1 and VIf 2; a virtual link multiplexing / QoS layer maps them onto the physical interfaces PhyIf 1, PhyIf 2 and PhyIf 3, with a control plane / management component on top. Physical links lead to Infrastructure Providers InP 1 and InP 2 (A, B); QoS signaling runs along the substrate path.]
Slide 6: Approach
- Use the existing QoS resource reservation protocol of the NSIS framework: QoS NSLP
- Need an interoperable solution for link setup across provider (InP) domains
- Add an information object, the VLSP object, for the setup of virtual links
- Add a security object: authentication and integrity protection for NSLP messages (HMAC)

[Figure: NSIS protocol stack. NSIS Signaling Layer (NSLP) with QoS NSLP, VLSP object and Session Authorization, over the General Internet Signaling Transport (GIST, NTLP), over TLS (pre-shared key) on TCP, or UDP/SCTP, optionally IPsec, over IPv4/IPv6.]
Slide 7: Step by Step Example
[Figure: Router A hosts VM 1 and Router C hosts VM 2; Router B sits between them and only does IP forwarding. All three run NSIS. On A and C the VM's eth0 is attached to bridge br0 together with the tunnel interface (tun AC on A, tun CA on C); the EGRE (Ethernet over GRE) tunnel between them is the virtual link between VM 1 and VM 2.]
1. Router A sends RESERVE + VLSP object + SessionAuth object
2. Router B ignores the VLSP object and performs admission control
3. Router B forwards RESERVE + VLSP object + SessionAuth object to Router C
4. Router C sets up its end of the virtual link
5. Router C sends RESPONSE
6. Router B reserves resources
7. Router B forwards the RESPONSE
8. Router A sets up its end of the virtual link
- The figure shows a unidirectional resource reservation (VM 1 to VM 2); a bidirectional reservation is possible
Slide 8: Detailed Message Sequence with GIST
[Sequence diagram: Router A, Router B, Router X]
- Router A sends a RESERVE
- A to B: GIST 3-way handshake (GIST Query, GIST Response, GIST Confirm) installs GIST state; then GIST Data[RESERVE + VLSP object]
- Router B: 1. perform resource admission control, 2. pre-reserve resources, 3. forward RESERVE
- B to X: GIST 3-way handshake (Query, Response, Confirm) installs GIST state; then GIST Data[RESERVE + VLSP object]
- Router X: perform resource admission control, 1. reserve resources, 2. install virtual link
- X to B: GIST Data[RESPONSE + VLSP object]
- Router B: 1. reserve resources, 2. forward RESPONSE
- B to A: GIST Data[RESPONSE + VLSP object]
- Router A: 1. commit resources, 2. install virtual link
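The exchange above, as an added toy model that is not code from the nsis-ka implementation this talk evaluates: one unidirectional RESERVE/RESPONSE pass over A, B, C with a VLSP object and a Session Authorization object, where every hop checks the HMAC and does admission control, but only the two endpoints act on the VLSP object (the responder on RESERVE, the initiator on RESPONSE). The object field names, the JSON encoding, HMAC-SHA256, the domain-wide pre-shared key and the gretap commands are assumptions made for the example; the real objects are binary NSLP TLVs (80 and 104 bytes on the wire per the slides), and the addresses are borrowed from the testbed slide, not measured.

```python
"""Added example (not the authors' nsis-ka code): toy RESERVE/RESPONSE pass with a
VLSP object and a Session Authorization object carrying an HMAC. Field names,
encoding, key handling and the tunnel commands are assumptions for illustration."""
import hashlib
import hmac
import json

PSK = b"assumed-domain-wide-pre-shared-key"  # assumption: every NSIS node on the path holds it


def session_auth(msg: dict, key: bytes) -> str:
    """HMAC over all objects except SESSION_AUTH itself (stands in for the HMAC-based
    authentication data of the RFC 5981 Session Authorization object)."""
    body = {k: v for k, v in msg.items() if k != "SESSION_AUTH"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def authentic(msg: dict, key: bytes = PSK) -> bool:
    """Constant-time check of the SESSION_AUTH object against a recomputed HMAC."""
    return hmac.compare_digest(session_auth(msg, key), msg.get("SESSION_AUTH", ""))


def gretap_commands(vlsp: dict, local_ip: str, remote_ip: str) -> list:
    """Assumed local action for the VLSP object: Ethernet-over-GRE tunnel end attached to a bridge."""
    tun, key = vlsp["tunnel_name"], vlsp["vlink_id"]
    return [f"ip link add {tun} type gretap local {local_ip} remote {remote_ip} key {key}",
            f"ip link set {tun} master {vlsp['bridge']}",
            f"ip link set {tun} up"]


class Node:
    def __init__(self, name: str, ip: str, free_mbps: int):
        self.name, self.ip, self.free, self.actions = name, ip, free_mbps, []

    def on_reserve(self, msg: dict) -> str:
        """Authenticate, then admission control on every hop; only the responder installs its tunnel end now."""
        if not authentic(msg):
            return "AUTH_FAIL"
        bw = msg["QSPEC"]["bandwidth_mbps"]
        if self.free < bw:
            return "ADMISSION_FAIL"
        self.free -= bw
        self.actions.append("pre-reserve")
        vlsp = msg["VLSP"]
        if self.ip == vlsp["responder_ip"]:
            self.actions += gretap_commands(vlsp, self.ip, vlsp["initiator_ip"])
        return "OK"

    def on_response(self, msg: dict) -> str:
        """Commit; the initiator installs its tunnel end only once the RESPONSE confirms the whole path."""
        if not authentic(msg):
            return "AUTH_FAIL"
        self.actions.append("commit")
        vlsp = msg["VLSP"]
        if self.ip == vlsp["initiator_ip"]:
            self.actions += gretap_commands(vlsp, self.ip, vlsp["responder_ip"])
        return "OK"


def setup_vlink(path: list, bandwidth_mbps: int, vlsp: dict, key: bytes = PSK):
    """Drive RESERVE downstream and RESPONSE upstream; returns (status, actions per node)."""
    reserve = {"type": "RESERVE", "SESSION_ID": 1,
               "QSPEC": {"bandwidth_mbps": bandwidth_mbps}, "VLSP": vlsp}
    reserve["SESSION_AUTH"] = session_auth(reserve, key)
    for node in path:
        status = node.on_reserve(reserve)
        if status != "OK":
            return status, {n.name: n.actions for n in path}
    response = {"type": "RESPONSE", "SESSION_ID": 1, "status": "OK", "VLSP": vlsp}
    response["SESSION_AUTH"] = session_auth(response, key)  # responder signs with the same PSK
    for node in reversed(path):
        status = node.on_response(response)
        if status != "OK":
            return status, {n.name: n.actions for n in path}
    return "OK", {n.name: n.actions for n in path}


def demo(key: bytes = PSK, bandwidth_mbps: int = 100):
    """Three-hop version of the testbed (constructed: addresses taken from the slide, capacities invented)."""
    path = [Node("A", "172.1.2.1", 1000), Node("B", "172.2.3.2", 1000), Node("C", "172.3.4.4", 1000)]
    vlsp = {"vlink_id": 1, "tunnel_name": "tunAC", "bridge": "br0",
            "initiator_ip": "172.1.2.1", "responder_ip": "172.3.4.4"}
    return setup_vlink(path, bandwidth_mbps, vlsp, key)


if __name__ == "__main__":
    print(demo())                        # OK; A and C hold gretap commands, B only pre-reserve/commit
    print(demo(key=b"wrong-key")[0])     # AUTH_FAIL at the first hop, no state changed anywhere
    print(demo(bandwidth_mbps=5000)[0])  # ADMISSION_FAIL
```

The point of checking the HMAC before admission control is that a forged or modified RESERVE must not consume a pre-reservation on any hop; changing a single object after signing (for example the tunnel endpoints in the VLSP object) fails verification at the first node. A real deployment would key the HMAC per session or per domain rather than with one key for the whole path, and would carry a key identifier in the object.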
Slide 9: Evaluation Setup
- Question: how long does it take to set up a virtual link, incl. QoS guarantees?
- Used the freely available NSIS implementation (C++), http://nsis-ka.org/ (the evaluation code is available)
- Linux, KVM-based VMs, Xeon X3430 quad-core @ 2.4 GHz, GRE tunnel

[Figure: testbed of four nodes tb1 to tb4, each running NSIS. tb1 is the VLSP client and hosts VM 1, tb2 and tb3 are routers, tb4 hosts VM 2. Links: tb1 eth0 172.1.2.1 to tb2 eth0 172.1.2.2; tb2 eth1 172.2.3.2 to tb3 eth0 172.2.3.3; tb3 eth1 172.3.4.3 to tb4 eth0 172.3.4.4. VLink 1 is an Ethernet over GRE tunnel with interfaces tun12 and tun21, each bridged via br0 to the local VM's eth0.]
Slide 10: Measurement Methodology
- Measurement points in the code
- tcpdump packet capture on all nodes tb1 to tb4

[Sequence diagram: on each hop tb1 to tb2, tb2 to tb3 and tb3 to tb4: GIST Query, GIST Response, GIST Confirm, then RESERVE. tb4 executes the script for GRE tunnel setup and sends RESPONSE, which is forwarded tb3 to tb2 to tb1; tb1 then executes the script for GRE tunnel setup.]
Slide 11: Total Duration
[Plot: total setup duration, broken down into script execution on tb1, script execution on tb4, and signaling. Round-trip time tb1 to tb4: 0.7 ms.]
- An external program triggers the virtual link setup
- Includes inter-process communication
- Script execution for the virtual link setup dominates
Slide 12: Pure NSIS Signaling
[Plot: components of the signaling time: 3-way GIST handshake, initial RESERVE processing, intermediate node processing.]
- Intermediate node processing < 1 ms
Slide 13: Teardown Duration
- Link teardown takes much longer than setup, presumably due to "still in use" checks
- Teardown is not as critical as setup
Slide 14: Signaling Authentication Overhead
- Measured internally
- Measured on the wire
- Script execution for the virtual link setup was subtracted
- No significant overhead when security is used
Slide 15: Authentication Overhead
- Additional Session Authorization object [RFC 5981]
- Protects RESERVE and RESPONSE messages
- Adds 104 bytes to the message (the VLSP object adds 80 bytes)
- HMAC calculation is negligible
Slide 16: Conclusion and Summary
- Combining QoS reservation and virtual link setup is useful and efficient
- Extending an existing NSIS signaling protocol was easy
- The additional VLSP object is ignored by intermediate nodes, which nevertheless perform the QoS resource reservation
- Local link setup within the nodes is much more costly than the pure signaling and admission control processes
- Securing the signaling is important and can be done without significant overhead
- Current work: extend the approach to node setup
Slide 17: Thank you!