
Research On Network Bandwidth Isolation Of Data Center For Cloud Computing

Posted on: 2013-12-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Q Feng
Full Text: PDF
GTID: 1268330392473777
Subject: Computer Science and Technology

Abstract/Summary:
The goal of cloud computing is to release enterprises from expensive equipment purchases, cumbersome application deployment and systems management, and to enable them to pay more attention to business development and innovative solutions. In addition, it allows tenants to pay as they go and scale their applications on demand, lowering the risk of upfront provisioning and eliminating the need to worry about scaling problems due to business growth. However, supporting such an open service model of computing outsourcing results in the co-residence of tenants with different backgrounds in the same data center, and thus in potential security threats. For example, tenants could deploy malicious code and create chaos within the data center. Therefore, cloud service providers not only need to build a scalable data center to meet the increasing requirements of applications, but also have to develop effective schemes for performance isolation and prevent tenant traffic from disturbing each other.

Current data centers leverage hypervisor-based mechanisms, such as Xen and Hyper-V, and partition the computing and storage resources in terms of virtual machines. However, they have little control over how the underlying network is shared and provide no bandwidth isolation. For instance, VLANs can be used to achieve reachability and traffic isolation, but they do not enforce bandwidth isolation, as VLANs currently provide no quota guarantee on bandwidth. Lacking effective bandwidth isolation, today's cloud-oriented data center networks face at least the following risks. Firstly, the traditional way of allocating bandwidth is on a per-flow basis, which stimulates tenants to behave selfishly and maliciously: by initiating multiple parallel flows a tenant could occupy potentially more network bandwidth, and a tenant could also launch attacks on bottleneck links. Secondly, several novel parallel computing models, such as search and MapReduce, generate closely synchronized flows for many-to-one communication, which is likely to result in TCP congestion collapse in networks that feature low delay and shallow buffers. Finally, many existing applications are implemented on non-responsive protocols, e.g., network file systems built upon UDP. Forbidding such applications would either reduce the profit of the cloud service provider or require tenants to rewrite their applications. Once such non-responsive flows are admitted into a cloud data center, their interference with responsive flows is inevitable.

Based on the above discussion, this dissertation discusses how to share data center networks well and achieve network bandwidth isolation between tenants. The topics and associated achievements are mainly three-fold:

1. From the perspective of preventing topology detection in data center networks, this dissertation explores the feasibility of identifying the logical routing topology in an end-to-end manner, and proposes a progressive detection algorithm based on the coarse-grained loss features of UDP flows. It was not known whether tenants could detect the network routing topology of their rented VMs using only normal traffic. Traditional end-to-end topology detection technologies perform statistical clustering based on packet-level fine-grained loss or latency features, and deduce maximum-likelihood estimates of the logical routing topology. Applying such technologies directly to data center networks raises two problems: the fundamental assumption that probe packets would be marked by fine-grained loss or latency properties is not always reasonable in high-bandwidth, low-latency data center networks, and such statistical analysis methods cost a lot of computing resources and storage and scale poorly in a high-bandwidth network. Through further study and extensive experiments, we claim that accurate logical routing topology detection can be achieved by dividing the routing topology into multiple receiving-VM-rooted trees, creating congestion according to specific policies, and probing progressively based upon coarse-grained flow-level multi-dimensional loss properties; a single probe action can be accomplished within several milliseconds. Tenants could make use of such routing topologies to behave selfishly and attack maliciously. This requires mechanisms of network bandwidth isolation to keep the traffic load at a low level and achieve fine-grained congestion control.

2. From the perspective of preventing traffic attacks in data center networks, we explore the feasibility and necessary conditions of launching low-rate denial-of-service attacks using both non-responsive and responsive data flows. There have been qualitative discussions of the problem of traffic attacks inside data center networks, yet no quantitative studies of the necessary conditions for attack flows and the consequences of the attack. Through analytical models and extensive experiments, we find that the low-latency and small-buffer properties of data center networks allow tenants to aggregate multiple synchronized flows to launch a low-rate denial-of-service attack, and to designate targets at the edge or core of the network if the logical routing topology is exploited. Both models and experimental results show that millisecond-long persistent attack periods are generally enough to suppress the target TCP flows. Therefore, bandwidth isolation is essential in data center networks; the number of parallel flows admitted into the network should be controlled when the available bandwidth is insufficient, and the places where congestion would occur should be taken into account when designing congestion control schemes.

3. By combining the weaknesses of current isolation technologies with the findings from the previous studies on anti-probing and anti-attacking, we propose a solution for network bandwidth isolation in data centers, namely a united logical tunnel with which bandwidth is allocated in a united and fair way for both non-responsive and responsive flows, together with an RTT-based receiver-side congestion control mechanism. Existing reservation methods achieve good bandwidth isolation, but their implementations are more involved and the achieved bandwidth utilization is much lower. While the dynamic counterparts improve utilization, they currently focus only on the bandwidth fairness of links at the network edge and lack mechanisms for parallel-flow control and fine-grained congestion control. We thus propose a united logical tunnel to enforce fine-grained dynamic bandwidth allocation on demand and guarantee fairness among all flows, and a receiver-enhanced fine-grained congestion control algorithm that controls parallel flows according to the real-time congestion level and guarantees fairness as far as possible under the premise of avoiding congestion, considering that congestion may occur at both the edge and the core of the data center network. The experiments indicate that these proposals can effectively prevent tenants from occupying other tenants' bandwidth, intentionally or unintentionally, resist low-rate denial-of-service attacks from tenants, and guarantee bandwidth isolation in data center networks.
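The abstract's central risk is that per-flow bandwidth allocation rewards a tenant for opening many parallel flows, and its remedy is to allocate bandwidth per tenant (the "united logical tunnel") and only then among that tenant's own flows, responsive or not. The following Python model is an added example written for this page, not code from the dissertation; it computes max-min fair shares on one bottleneck link under both policies so the difference can be checked numerically. The link capacity, tenant names and flow demands are constructed sample values, and the hierarchical per-tenant split is a generic tunnel-style scheme rather than the dissertation's specific algorithm.

```python
"""Compare per-flow and per-tenant (tunnel-style) bandwidth sharing on a
single bottleneck link using max-min fair progressive filling.

Added example for this page, not the dissertation's own code. All sample
values below are constructed."""

from collections import defaultdict

# Constructed sample: one 1000 Mb/s bottleneck link shared by three tenants.
# Each flow is (tenant, flow_id, demanded_rate_mbps). Tenant B opens nine
# parallel non-responsive (UDP-like) flows; A and C have one flow each.
LINK_CAPACITY_MBPS = 1000.0
FLOWS = (
    [("A", "A-tcp-1", 1000.0)]
    + [("B", f"B-udp-{i}", 1000.0) for i in range(1, 10)]
    + [("C", "C-nfs-1", 50.0)]
)


def max_min_fair(demands, capacity):
    """Progressive filling: each entity receives min(demand, fair share);
    capacity left unused by entities that demand less than the current
    share is redistributed among the remaining ones."""
    alloc = {name: 0.0 for name in demands}
    active = set(demands)
    remaining = float(capacity)
    while active:
        share = remaining / len(active)
        satisfied = {n for n in active if demands[n] <= share}
        if not satisfied:
            # Everyone left wants more than the share: split evenly and stop.
            for n in active:
                alloc[n] = share
            break
        for n in satisfied:
            alloc[n] = demands[n]
            remaining -= demands[n]
        active -= satisfied
    return alloc


def per_flow_allocation(flows, capacity):
    """Classic per-flow fairness: every flow competes as an individual, so a
    tenant's total share grows with the number of flows it opens."""
    demands = {fid: rate for _, fid, rate in flows}
    return max_min_fair(demands, capacity)


def per_tenant_allocation(flows, capacity):
    """Tunnel-style fairness: the link is first shared between tenants, then
    each tenant's allocation is split among that tenant's own flows, so extra
    parallel flows only dilute the tenant's own share."""
    by_tenant = defaultdict(dict)
    for tenant, fid, rate in flows:
        by_tenant[tenant][fid] = rate
    tenant_demand = {t: sum(d.values()) for t, d in by_tenant.items()}
    tenant_alloc = max_min_fair(tenant_demand, capacity)
    flow_alloc = {}
    for tenant, flow_demands in by_tenant.items():
        flow_alloc.update(max_min_fair(flow_demands, tenant_alloc[tenant]))
    return flow_alloc


def tenant_totals(flows, flow_alloc):
    """Sum a per-flow allocation back up to bandwidth per tenant."""
    totals = defaultdict(float)
    for tenant, fid, _ in flows:
        totals[tenant] += flow_alloc[fid]
    return dict(totals)


if __name__ == "__main__":
    for label, policy in (("per-flow", per_flow_allocation),
                          ("per-tenant", per_tenant_allocation)):
        totals = tenant_totals(FLOWS, policy(FLOWS, LINK_CAPACITY_MBPS))
        print(label, {t: round(v, 1) for t, v in sorted(totals.items())})
```

With the constructed input, per-flow sharing gives tenant B 855 Mb/s of the 1000 Mb/s link simply because it opened nine flows, while tenant A's single TCP flow gets 95 Mb/s; per-tenant sharing gives A and B 475 Mb/s each after C's 50 Mb/s demand is satisfied, and B's nine flows divide B's 475 Mb/s among themselves. The same structure applies whether B's flows are UDP or TCP, which is the point of allocating to the tunnel rather than to the flow.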
Keywords/Search Tags: Cloud Computing, Data Center Networks, Congestion Control, Routing Topology Detection, Low-Rate Denial-of-Service Attack, Bandwidth Isolation