容器化安全服务功能链低延迟优化编排研究

doi:10.3969/j.issn.1671-1122.2020.07.002

信息网络安全 ›› 2020, Vol. 20 ›› Issue (7): 11-18.doi: 10.3969/j.issn.1671-1122.2020.07.002

容器化安全服务功能链低延迟优化编排研究

徐玉伟(), 赵宝康, 时向泉, 苏金树

国防科技大学计算机学院,长沙 410073

收稿日期:2020-04-30 出版日期:2020-07-10 发布日期:2020-08-13
通讯作者: 徐玉伟 E-mail:xuyuwei13@nudt.edu.cn
作者简介:徐玉伟（1995—）,男,安徽,博士研究生,主要研究方向为网络空间安全|赵宝康（1981—）,男,湖北,副教授,博士,主要研究方向为软件定义网络、天地一体化网络、网络空间安全|时向泉（1972—）,男,天津,副研究员,博士,主要研究方向为云计算数据中心网络、软件定义网络、网络空间安全|苏金树（1962—）,男,福建,教授,博士,主要研究方向为计算机网络、网络空间安全、高性能路由器
基金资助:
国家自然科学基金(61972412)

Low-latency Optimal Orchestration of Containerized Security Service Function Chain

XU Yuwei(), ZHAO Baokang, SHI Xiangquan, SU Jinshu

College of Computer, National University of Defense Technology, Changsha 410073, China

Received:2020-04-30 Online:2020-07-10 Published:2020-08-13
Contact: Yuwei XU E-mail:xuyuwei13@nudt.edu.cn

摘要/Abstract

摘要：

云计算的发展带来了安全服务虚拟化的需求,基于NFV/SDN技术构建服务功能链是解决数据中心虚拟化安全服务需求的重要途径。容器化已成为安全服务功能链编排的最新发展趋势。传统安全服务功能链编排算法通常针对虚拟机架构,在轻量级、延迟、灵活性等方面无法满足要求,没有充分发挥容器化NFV平台的性能优势。文章构建了容器化NFV平台的编排模型,分析了安全服务功能链网络延迟优化目标,研究了扁平网络拓扑下的近似局部最优性质。文章设计了一种延迟优化放置（LOP）算法,采用分阶段决策方式处理每个安全服务功能链请求,并在每个阶段采用选择可容纳连续VNF数最多的物理主机的方式,最小化每个安全服务功能链的跨主机延迟。仿真实验与对比分析表明,与最大化资源利用率的MINI算法相比,文章所提出的LOP算法可以实现降低延迟的优化目标,减少放置安全服务功能链的资源消耗。

关键词: 云安全, 容器网络, 服务功能链, 延迟优化

Abstract:

The development of cloud computing brings the need for security services virtualization. Building SFC (service function chain) based on NFV/SDN technology is an important way to meet the need of virtualized security services in data centers. Containerization has become the latest development trend of security SFC orchestration. Traditional security SFC orchestration algorithms are usually on the virtual machine architectures, which can not meet requirements in lightweight, latency, flexibility, etc., and have not fully utilized the performance advantages of containerized NFV platform. This paper constructs a containerized NFV platform orchestration model, analyzes the network latency optimization goal of security SFC, and studies the approximate local optimization property under flat network topology. This paper proposes a latency optimal placement (LOP) algorithm, which uses multi-stage decision to handle each security SFC request, and in each stage, a physical host that can hold the maximum number of consecutive VNFs is selected to minimize the cross host latency of each security SFC. Simulation experiments and comparative analysis show that, compared with MINI algorithm that maximizes resource utilization, the LOP algorithm proposed in this paper can achieve the optimization goal of reducing latency, and can reduce the resource consumption of placing the security SFC.

Key words: cloud security, container network, service function chain, latency optimization

中图分类号:

TP309

徐玉伟, 赵宝康, 时向泉, 苏金树. 容器化安全服务功能链低延迟优化编排研究[J]. 信息网络安全, 2020, 20(7): 11-18.

XU Yuwei, ZHAO Baokang, SHI Xiangquan, SU Jinshu. Low-latency Optimal Orchestration of Containerized Security Service Function Chain[J]. Netinfo Security, 2020, 20(7): 11-18.

图/表 7

图1

图2

表1

图3

图4

图5

图6

参考文献 23

[1]	PHAM C, TRAN N H, REN S, et al. Traffic-Aware and Energy-Efficient VNF Placement for Service Chaining: Joint Sampling and Matching Approach[J]. IEEE Transactions on Services Computing, 2020,13(1):172-185.
[2]	LAGHRISSI A, TALEB T. A Survey on the Placement of Virtual Resources and Virtual Network Functions[J]. IEEE Communications Surveys & Tutorials, 2019,21(2):1409-1434.
[3]	MECHTRI M, GHRIBI C, SOUALAH O, et al. NFV Orchestration Framework Addressing SFC Challenges[J]. IEEE Communications Magazine, 2017,55(6):16-23.
[4]	CHEN Zhuo, FENG Gang, LIU Bei, et al. Service Function Chain Migration Reconfiguration Strategy for Delay Optimization in Operator Networks[J]. Acta Electronica Sinica, 2018,46(9):2229-2237.
	陈卓, 冯钢, 刘蓓, 等. 运营商网络中面向时延优化的服务功能链迁移重配置策略[J]. 电子学报, 2018,46(9):2229-2237.
[5]	SOENEN T, VAN ROSSEM S, TAVERNIER W, et al. Insights from SONATA: Implementing and Integrating a Microservice-based NFV Service Platform with a DevOps Methodology[EB/OL]. , 2020-3-19.
[6]	HUANG Qiang, LI Ning. 5G Edge Computing Evolution[J]. Designing Techniques of Posts and Telecommunications, 2018(11):68-73.
	黄强, 李宁. 5G边缘计算演进[J]. 邮电设计技术, 2018(11):68-73.
[7]	BEN JEMAA F, PUJOLLE G, PARIENTE M. QoS-Aware VNF Placement Optimization in Edge-Central Carrier Cloud Architecture[C]// IEEE. 2016 IEEE Global Communications Conference, December 4-8, 2016, Washington, DC, USA. NJ: IEEE, 2016: 1-7.
[8]	VIZARRETA P, CONDOLUCI M, MACHUCA C M, et al. QoS-Driven Function Placement Reducing Expenditures in NFV Deployments[C]// IEEE. 2017 IEEE International Conference on Communications (ICC), May 21-25, 2017, Paris, France. NJ: IEEE, 2017: 1-7.
[9]	LIU Junjie, LU Wei, ZHOU Fen, et al. On Dynamic Service Function Chain Deployment and Readjustment[J]. IEEE Transactions on Network and Service Management, 2017,14(3):543-553.
[10]	BAUMGARTNER A, REDDY V S, BAUSCHERT T. Mobile Core Network Virtualization: A Model for Combined Virtual Core Network Function Placement and Topology Optimization[C]// IEEE. The 2015 1st IEEE Conference on Network Softwarization (NetSoft), April 13-17, 2015, London, UK. NJ: IEEE, 2015:1-9.
[11]	LIU Caixia, LU Ganqiang, TANG Hongbo, et al. Adaptive Deployment Method for Virtualized Network Function Based on Viterbi Algorithm[J]. Journal of Electronics and Information Technology, 2016,38(11):2922-2930.
	刘彩霞, 卢干强, 汤红波, 等. 一种基于Viterbi算法的虚拟网络功能自适应部署方法[J]. 电子与信息学报, 2016,38(11):2922-2930.
[12]	RIGGIO R, BRADAI A, RASHEED T, et al. Virtual Network Functions Orchestration in Wireless Networks[C]// IEEE. 2015 11th International Conference on Network and Service Management (CNSM), November 9-13, 2015, Barcelona, Spain. NJ: IEEE, 2015: 108-116.
[13]	SUN Quanying, LU Ping, LU Wei, et al. Forecast-Assisted NFV Service Chain Deployment Based on Affiliation-Aware vNF Placement[C]// IEEE. 2016 IEEE Global Communications Conference (GLOBECOM), December 4-8, 2016, Washington, DC, USA. NJ: IEEE, 2016: 1-6.
[14]	BHAMARE D, SAMAKA M, ERBAD A, et al. Optimal Virtual Network Function Placement in Multi-cloud Service Function Chaining Architecture[J]. Computer Communications, 2017,102:1-16.
[15]	CHEN Zhiqi, ZHANG Sheng, WANG Can, et al. A Novel Algorithm for NFV Chain Placement in Edge Computing Environments[EB/OL]. https://cis.temple.edu/~wu/research/publications/Publication_files/ZChen_GLOBECOM_2018.pdf, 2020-3-19.
[16]	LEIVADEAS A, FALKNER M, LAMBADARIS L, et al. Optimal Virtualized Network Function Allocation for an SDN Enabled Cloud[J]. Computer Standards & Interfaces, 2017,54(4):266-278.
[17]	GUO Chuanxiong, YUAN Lihua, XIANG Dong, et al. Pingmesh: A Large-scale System for Data Center Network Latency Measurement and Analysis[J]. ACM SIGCOMM Computer Communication Review, 2015,45(4):139-152.
[18]	MIOTTO G, LUIZELLI M C, CORDEIRO W L da C, et al. Adaptive Placement & Chaining of Virtual Network Functions with NFV-PEAR[J]. Journal of Internet Services and Applications, 2019,10(1):1-19.
[19]	MOENS H, TURCK F D. VNF-P: A Model for Efficient Placement of Virtualized Network Functions[C]// IEEE. 10th International Conference on Network and Service Management (CNSM) and Workshop, November 17-21, 2014, Rio de Janeiro, Brazil. NJ: IEEE, 2014: 418-423.
[20]	LUIZELLI M C, da Costa Cordeiro W L, BURIOL L S, et al. A Fix-and-optimize Approach for Efficient and Large Scale Virtual Network Function Placement and Chaining[J]. Computer Communications, 2017,102:67-77. doi: 10.1016/j.comcom.2016.11.002 URL
[21]	BOUET M, LEGUAY J, CONAN V. Cost-based Placement of Virtualized Deep Packet Inspection Functions in SDN[C]// IEEE. MILCOM 2013-2013 IEEE Military Communications Conference, November 18-20, 2013, San Diego, CA, USA. NJ: IEEE, 2013: 992-997.
[22]	CAO Jiuyue, ZHANG Yan, AN Wei, et al. VNF-FG Design and VNF Placement for 5G Mobile Networks[J]. Science China Information Sciences, 2017,60(4):17-31.
[23]	MECHTRI M, GHRIBI C, ZEGHLACHE D. VNF Placement and Chaining in Distributed Cloud[C]// IEEE. 2016 IEEE 9th International Conference on Cloud Computing (CLOUD), June27-July 2, 2016, San Francisco, CA, USA. NJ: IEEE, 2016: 376-383.

符号	含义
N	NFV平台物理主机节点集合
E	主机间网络连接边集合
G_p	NFV平台的物理网络图
H	延迟矩阵
l_xy	主机x和y之间的网络延迟
S_i	单个安全SFC
Fⁱ	S_i的VNF集合
Lⁱ	S_i上VNF间的连接关系
Γ	所有安全SFC集合
l(S_i)	S_i的网络延迟
e(u, v)	VNF u和VNFv间的邻接关系逻辑函数
δ( f,n)	VNF f与主机n间的放置关系逻辑函数
c_f	VNF f所需资源请求值
C_n	主机n的资源容量

容器化安全服务功能链低延迟优化编排研究

Low-latency Optimal Orchestration of Containerized Security Service Function Chain

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 23

相关文章 15

编辑推荐

Metrics

本文评价

[1]	余小军, 吴亚飚, 张玉清. 云安全体系结构设计研究[J]. 信息网络安全, 2020, 20(9): 62-66.
[2]	刘渊, 乔巍. 云环境下基于Kubernetes集群系统的容器网络研究与优化[J]. 信息网络安全, 2020, 20(3): 36-44.
[3]	王晓, 赵军, 张建标. 基于可信软件基的虚拟机动态监控机制研究[J]. 信息网络安全, 2020, 20(2): 7-13.
[4]	张健, 高铖, 宫良一, 顾兆军. 虚拟机自省技术研究[J]. 信息网络安全, 2017, 17(9): 63-68.
[5]	王文旭, 张健, 常青, 顾兆军. 云计算虚拟化平台安全问题研究[J]. 信息网络安全, 2016, 16(9): 163-168.
[6]	卿斯汉. 关键基础设施安全防护[J]. 信息网络安全, 2015, 15(2): 1-6.
[7]	吴继康, 于徐红, 王虹. 基于第三方可信平台的混合云安全存储系统构建[J]. 信息网络安全, 2015, 26(12): 28-33.
[8]	王李乐, 李明, 汪浩, 毕圣杰. 云WAF技术系统研究[J]. 信息网络安全, 2014, 14(12): 1-6.
[9]	胡杨;胡欣. 基于可信计算的云安全研究与分析[J]. , 2013, 13(Z): 0-0.
[10]	赵继军;陈伟. 一种基于云安全模型的信息系统安全等级保护测评方法[J]. , 2013, 13(Z): 0-0.
[11]	李菊. 基于私有云安全平台的网络安全部署研究与实施[J]. , 2013, 13(8): 0-0.
[12]	张显龙. 云计算安全总体框架与关键技术研究[J]. , 2013, 13(7): 0-0.
[13]	朱圣才. 基于Windows Azure平台的虚拟化技术研究[J]. , 2013, 13(6): 0-0.
[14]	刘川意;方滨兴. T-YUN:云提供商可信性审计与验证[J]. , 2012, 12(8): 0-0.
[15]	胡春辉. 云计算安全风险与保护技术框架分析[J]. , 2012, 12(7): 0-0.