Conventional data center architecture
- VLANs used to ensure security
  - Scalability issue: only 4K VLAN ids are available
  - Management and control overhead
- Per-user security policy control
  - But how to enforce it?
  - At the end host? Not secure enough
  - At a middlebox? Unnecessary traffic
Numbering and addressing
- Each customer has a unique cnet id
- A VM is identified by (cnet id, IP)
- Each domain has a unique eid
- VLANs separate different customers within the same domain
- VLAN ids can be reused in different domains
Customer network integration
- A customer's private network is treated as a special domain, connected to the core domain by VPN
Central controller
- Address mapping
  - VM MAC <-> (cnet id, IP)
  - VM MAC <-> eid
  - eid <-> FE MAC list
  - (cnet id, eid) <-> VLAN id
- Policy database
  - E.g., packets from customer A are first forwarded to firewall F

Forwarding elements
- Address lookup and mapping
  - FE MAC of the destination domain
  - VLAN id
- Policy enforcement
  - By default, packets destined to a different customer are dropped
- Tunneling between FEs
  - Encapsulate the frame in another MAC header
Data forwarding
- Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf
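As an added example (not from these slides or from the paper they summarize), the following Python model puts the central controller's four address maps, its policy database, and a forwarding element's lookup, default-drop, VLAN tagging, MAC-in-MAC tunneling, and forwarding-table caching into working code; it also exercises the VM migration case raised in the discussion below. All MACs, cnet ids, eids and IP addresses are constructed sample values, the policy database is modelled only as "customer A's traffic first visits firewall F", and the version counter that invalidates FE caches after a migration is a simplification of my own, not a mechanism the slides describe.

```python
# Added example: toy model of the central controller (CC) and a forwarding
# element (FE). All identifiers below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


@dataclass(frozen=True)
class Tunneled:
    """Inner frame behind an outer FE-to-FE MAC header, tagged with the VLAN id
    of the destination domain; next_hop is the VM the receiving FE delivers to."""
    outer_src: str
    outer_dst: str
    vlan_id: int
    next_hop: str
    inner: Frame


class CentralController:
    def __init__(self) -> None:
        self.mac_to_cnet_ip: Dict[str, Tuple[str, str]] = {}   # VM MAC <-> (cnet id, IP)
        self.mac_to_eid: Dict[str, str] = {}                    # VM MAC <-> eid
        self.eid_to_fe_macs: Dict[str, List[str]] = {}          # eid <-> FE MAC list
        self.vlan_of: Dict[Tuple[str, str], int] = {}           # (cnet id, eid) <-> VLAN id
        self.firewall_of: Dict[str, str] = {}                   # policy DB: cnet id -> firewall VM MAC
        self._next_vlan: Dict[str, int] = {}                    # per-domain VLAN allocator
        self.version = 0                                        # bumped on every mapping change (assumed)

    def register_vm(self, mac: str, cnet: str, ip: str, eid: str, fe_macs: List[str]) -> int:
        """Record a VM's location and allocate a VLAN id for (cnet, eid) if it is new."""
        self.mac_to_cnet_ip[mac] = (cnet, ip)
        self.mac_to_eid[mac] = eid
        self.eid_to_fe_macs[eid] = list(fe_macs)
        key = (cnet, eid)
        if key not in self.vlan_of:
            vid = self._next_vlan.get(eid, 1)
            if vid > 4094:   # the 4K limit now applies per edge domain, not to the whole DC
                raise RuntimeError(f"domain {eid} has no free VLAN id")
            self.vlan_of[key] = vid
            self._next_vlan[eid] = vid + 1
        self.version += 1
        return self.vlan_of[key]

    def migrate_vm(self, mac: str, new_eid: str, fe_macs: List[str]) -> int:
        """VM migration keeps (cnet id, IP) and updates eid and VLAN id in the CC."""
        cnet, ip = self.mac_to_cnet_ip[mac]
        return self.register_vm(mac, cnet, ip, new_eid, fe_macs)

    def resolve(self, src_mac: str, dst_mac: str) -> Optional[Tuple[str, str, int]]:
        """Return (next-hop VM MAC, FE MAC of its domain, VLAN id), or None to drop."""
        if src_mac not in self.mac_to_cnet_ip or dst_mac not in self.mac_to_cnet_ip:
            return None
        src_cnet = self.mac_to_cnet_ip[src_mac][0]
        if src_cnet != self.mac_to_cnet_ip[dst_mac][0]:
            return None   # default policy: traffic to another customer is dropped
        next_hop = dst_mac
        fw = self.firewall_of.get(src_cnet)
        if fw is not None and fw not in (src_mac, dst_mac):
            next_hop = fw   # policy: the customer's traffic first visits its firewall
        eid = self.mac_to_eid[next_hop]
        return next_hop, self.eid_to_fe_macs[eid][0], self.vlan_of[(src_cnet, eid)]


class ForwardingElement:
    def __init__(self, mac: str, cc: CentralController) -> None:
        self.mac = mac
        self.cc = cc
        self.cache: Dict[Tuple[str, str], Optional[Tuple[str, str, int]]] = {}
        self.cache_version = cc.version

    def forward(self, frame: Frame) -> Optional[Tunneled]:
        if self.cache_version != self.cc.version:   # cached entries are stale after a migration
            self.cache.clear()
            self.cache_version = self.cc.version
        key = (frame.src_mac, frame.dst_mac)
        if key not in self.cache:
            self.cache[key] = self.cc.resolve(*key)   # cached rather than pre-installed table
        decision = self.cache[key]
        if decision is None:
            return None   # dropped at the edge
        next_hop, fe_mac, vid = decision
        return Tunneled(self.mac, fe_mac, vid, next_hop, frame)   # MAC-in-MAC to the remote FE


def demo() -> dict:
    """Constructed scenario: two edge domains, two customers sharing a private IP."""
    cc = CentralController()
    cc.register_vm("a1", "custA", "10.0.0.1", "dom1", ["fe1"])
    cc.register_vm("fwA", "custA", "10.0.0.254", "dom1", ["fe1"])
    cc.register_vm("a2", "custA", "10.0.0.2", "dom2", ["fe2"])
    cc.register_vm("b1", "custB", "10.0.0.1", "dom2", ["fe2"])   # same IP as a1, other customer
    cc.firewall_of["custA"] = "fwA"
    fe1 = ForwardingElement("fe1", cc)
    out = {
        "vlan_reuse": (cc.vlan_of[("custA", "dom1")], cc.vlan_of[("custA", "dom2")]),
        "cross_customer": fe1.forward(Frame("a1", "b1", "probe")),
        "to_firewall": fe1.forward(Frame("a1", "a2", "hello")),
        "after_firewall": fe1.forward(Frame("fwA", "a2", "hello")),
    }
    cc.migrate_vm("a2", "dom1", ["fe1"])
    out["after_migration"] = fe1.forward(Frame("fwA", "a2", "hello"))
    return out
```

Running `demo()` shows customer A getting VLAN id 1 in both domains (reuse), the cross-customer frame dropped at fe1 even though both VMs carry 10.0.0.1, the first frame detoured to the firewall's FE, and the post-migration frame tunneled to fe1 instead of fe2 only because the FE discarded its cached decision; with a purely cached table and no invalidation it would keep sending to the old domain.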
How does it solve the limitations?
- VLAN scalability
  - Partition the network into smaller edge domains, each maintaining its own VLANs
  - VLAN ids can be reused
- Per-user security
  - Security policy enforced by the FE
  - CC stores the security policies for all customers
Discussion
- Security via isolation and access control
- Consider the co-residence checks proposed in the "Get off my cloud" paper, and what defeats each here:
  - Matching Dom0 IP address: traceroute is disabled
  - Small round-trip time: every packet needs to go through an FE
  - Numerically close IP addresses: each customer has its own private IP address space
Discussion
- Cached vs. installed forwarding table
- VM migration: update the CC mapping (eid, VLAN id)
Discussion
- Pros
  - Security enforcement via isolation and access control
  - Scalable in the number of customers that VLANs can support
  - Most networking equipment is off-the-shelf
- Cons?
  - Scalability? Centralized CC?
  - Larger round-trip time within the same edge domain
  - Tunneling?