
1 VIOLIN: A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu Lab FRIENDS (For Research In Emerging Network and Distributed Services) Department of Computer Sciences Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University

2 The Team
• Lab FRIENDS
    • Xuxian Jiang (Ph.D. student)
    • Paul Ruth (Ph.D. student)
    • Dongyan Xu (faculty)
• Supported in part by NSF Middleware Initiative (NMI)

3 Outline
• Motivations and goals
• Architecture of VIOLIN
• Applications of VIOLIN
    • Network system emulation
    • Scientific computing
    • Honeyfarm (network attack aggregation)
• On-going work

4 Motivations
• Formation of wide-area shared cyber-infrastructure
    • Multiple domains
    • Heterogeneous platforms
    • Large number of users
• Need for mutually isolated distributed environments
    • Customized system administration and configuration
    • Consistent and binary-compatible runtime support
    • Un-trusted or malfunctioning applications
        • Known vulnerabilities in SETI@Home, KaZaa, and Condor
    • Un-trusted network traffic control

5 Potential Applications
• Multi-institutional collaboratories
• Large-scale distributed emulations
    • Cyber-systems
    • Real-world systems
• Parallel/distributed scientific applications
• Philanthropic (volunteer) computing services
• Content distribution networks

6 VM (Virtual Machine): a Solution?
• Achieves single-node isolation (SODA*)
    • Administration
    • Resource
    • Runtime services/libraries
    • Fault/attack impact
• However, does not achieve network isolation
    • VMs addressable from/to any Internet hosts
    • Cannot control traffic volume between VMs
    • Cannot have overlapping address spaces
* X. Jiang, D. Xu, “SODA: Service-on-Demand Architecture for Service Hosting Utility Platforms”, IEEE HPDC-12, 2003.

7 VIOLIN: Proposed Solution
• VIOLIN: a VN (Virtual Network) for VMs*
    • Independent IP address space
    • Invisible from the Internet and vice versa
    • Un-tamperable topology and traffic control
    • Value-added network services (e.g., IP multicast)
    • Binary- and IP-compatible runtime environment
* X. Jiang, D. Xu, “VIOLIN: Virtual Internetworking on OverLay INfrastructure”, Springer LNCS Vol. 3358 (ISPA 2004).
* D. Xu, X. Jiang, “Towards an Integrated Multimedia Service Hosting Overlay”, ACM Multimedia 2004.

8 VIOLIN: the Big Picture
[diagram: physical infrastructure and NMI-based Grid infrastructure spanning the Internet, hosting two mutually isolated VIOLINs made up of VMs]

9 Key Ideas in VIOLIN
• One level of indirection between a VIOLIN and the real Internet
    • “All problems in Computer Science can be solved by another level of indirection” – Butler Lampson
• A middleware-level underlay network serving as the “intelligent carrier” of a VIOLIN
    • Traffic tunneling
    • Topology control
    • Traffic volume control
    • Traffic encryption
    • Network service virtualization

10 VIOLIN Architecture
[diagram: a physical host running the Host OS with existing NMI middleware and a VIOLIN daemon; VMs on the host each run a Guest OS with an application (App 1, App 2, …)]

11 VIOLIN Architecture
[diagram: two VIOLIN nodes (VMs) hosted on planetlab6.csail.mit.edu and planetlab6.millennium.berkeley.edu, with VIOLIN addresses 196.128.1.2 and 196.128.1.3. Inside each Guest OS an application message (e.g., MPI) goes over TCP/UDP, then IP, then Ethernet through a virtual NIC; the VIOLIN daemon in the Host OS carries the Ethernet frames between the two nodes via UDP tunneling]
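As an added example (not the VIOLIN daemon's own code), the carrier role from slides 9 and 11 in Python: a guest Ethernet frame is checked against the VIOLIN's allowed topology and the destination's traffic budget, tagged with a VIOLIN id, and handed to the peer host's daemon as a UDP payload, and the receiving side refuses datagrams that belong to another VIOLIN. The tunnel header layout, the policy tables, and the MAC and host values are assumptions made for this example.

```python
# Constructed example of a VIOLIN daemon core (not the project's code): guest
# Ethernet frames travel between physical hosts inside UDP datagrams. The
# tunnel header (4-byte VIOLIN id, 2-byte frame length) and the policy
# tables below are assumptions made for this example.
import struct

HDR = struct.Struct("!IH")

def make_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Build a minimal Ethernet II frame: 14-byte header plus payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

class ViolinDaemon:
    def __init__(self, violin_id, links, budgets):
        self.violin_id = violin_id
        self.links = set(links)       # allowed (src_mac, dst_mac): topology control
        self.budgets = dict(budgets)  # bytes still allowed per dst_mac: volume control
        self.peers = {}               # dst_mac -> (physical host, UDP port) of its daemon

    def learn(self, mac, endpoint):
        """Record which physical host's daemon currently serves a VM's MAC."""
        self.peers[mac] = endpoint

    def encapsulate(self, frame):
        """Return (udp_endpoint, datagram) for an outgoing guest frame, or None
        if the link is outside the topology, the destination's traffic budget
        is exhausted, or the MAC is not a known VIOLIN node (frames never leave
        the VIOLIN for an arbitrary Internet host)."""
        if len(frame) < 14:
            return None
        dst, src = frame[:6], frame[6:12]
        if (src, dst) not in self.links:
            return None
        if self.budgets.get(dst, 0) < len(frame):
            return None
        peer = self.peers.get(dst)
        if peer is None:
            return None
        self.budgets[dst] -= len(frame)
        return peer, HDR.pack(self.violin_id, len(frame)) + frame

    def decapsulate(self, datagram):
        """Recover the guest frame; datagrams tagged with another VIOLIN's id or
        with an inconsistent length are dropped, keeping co-hosted VIOLINs isolated."""
        if len(datagram) < HDR.size:
            return None
        vid, n = HDR.unpack_from(datagram)
        if vid != self.violin_id or len(datagram) != HDR.size + n:
            return None
        return datagram[HDR.size:]
```

A real daemon would bind a UDP socket per host and read frames from the VM's virtual NIC; here the socket I/O is left out so the policy logic can be exercised offline.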

12 VIOLIN Network Performance TCP throughput measurement on PlanetLab planetlab6.csail.mit.edu → planetlab6.millennium.berkeley.edu

13 VIOLIN Network Performance ICMP latency measurement on PlanetLab planetlab6.csail.mit.edu → planetlab6.millennium.berkeley.edu

14 Application I: Network System Emulation
• vBET: an education toolkit for network emulation*
• “Create your own IP network” on a shared platform
    • IP address space and network topology
    • Routers, switches, firewalls, end-hosts, links
    • Real-world network software (OSPF, BGP, …)
• Strict confinement (network security experiments)
• Flexible configuration
    • Not constrained by device/port availability
    • No manual cable re-wiring or hardware setup
* X. Jiang, D. Xu, “vBET: a VM-Based Emulation Testbed”, ACM SIGCOMM Workshop on Models, Methods, and Tools for Reproducible Network Research (ACM MoMeTools), 2003.

15 vBET GUI

16 Sample Emulation: OSPF Routing

17 Emulation of OSPF Routing Demo video clip:

18 Sample Emulation: Critical Server Protection

19 Screenshot: Distributed Firewall

20 Sample Emulation: Chord P2P Network

21 Screenshot

22 Sample Emulation: Internet Worms
[diagram: a worm playground (virtual) built on top of a shared infrastructure such as PlanetLab (physical)]
* X. Jiang, D. Xu, H. J. Wang, E. H. Spafford, “Virtual Playgrounds for Worm Behavior Investigation”, 8th International Symposium on Recent Advances in Intrusion Detection (RAID’05), 2005.

23 Application II: Scientific Computing*
• Virtual clusters leveraging idle CPU cycles
    • Long-running parallel/distributed jobs
    • Complicated communication patterns between nodes (different from SETI@Home, Condor)
• Runtime adaptation
    • Resource re-allocation
    • Migration/re-location
    • Scale adjustment
* P. Ruth, X. Jiang, D. Xu, S. Goasguen, “Towards Virtual Distributed Environments in a Shared Infrastructure”, IEEE Computer, May 2005.

24 Experiment Setup
[diagram: a physical cluster (ITaP) with a physical switch, hosting two mutually isolated virtual clusters; labels: VM, Physical Switch, VS]

25 VIOLIN vs. Physical Hosts (running HPL benchmark)
• Physical host: dual-processor 1.2 GHz Athlon, 1 GB memory
• VM: one running per host, ≤ 512 MB memory

26 Multiple VIOLINs Sharing Physical Hosts (running HPL benchmark)
• Aggregate performance remains stable (up to 16 VIOLINs)
• In this example, 16 VIOLINs exhaust memory

27 VM Communication Pattern
[diagram: eight VMs (0 to 7) with per-link traffic rates labelled between 3 MB/s and 7 MB/s]

28 Application III: Honeyfarm
• Collapsar: a network attack aggregation center*
• Achieving two (seemingly) conflicting goals
    • Distributed honeypot presence
    • Centralized honeypot operation
• Key ideas
    • Leveraging unused IP addresses in each network
    • Diverting the corresponding traffic to a “detention” center (transparently), by VIOLIN
    • Creating VM-based honeypots in the center
* X. Jiang, D. Xu, “Collapsar: a VM-Based Architecture for Network Attack Detention Center”, 13th USENIX Security Symposium (Security’04), 2004.

29 Collapsar Architecture
[diagram: components labelled Attacker, Production Network, Redirector, Front-End, Collapsar Center, VM-based Honeypot, Correlation Engine, and Management Station]

30 Real-Time Worm Alert * X. Jiang, D. Xu, R. Eigenmann, “Protection Mechanisms for Application Service Hosting Platforms”, IEEE/ACM CCGrid’04, 2004.

31 Log Correlation: Stepping Stone
• iii.jjj.kkk.11 compromised a honeypot and installed a rootkit, which contained an ssh backdoor
• xx.yyy.zzz.3 connected to the ssh backdoor using the same password

32 Log Correlation: Network Scanning
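As an added example (not Collapsar's own code), the two correlations on slides 31 and 32 run over constructed honeypot log records: a stepping stone is flagged when a backdoor installed by one source is later used, with the same credential, by a different source, and a scanner is flagged when one source probes the same port on honeypots in several networks, which only a centralized center can observe at once. The record format, honeypot names and credential string are assumptions; the two source addresses are the anonymised ones from the slide.

```python
from collections import defaultdict

# Constructed honeypot log records (not Collapsar's real format or data):
# (timestamp, honeypot, source_ip, event, detail). The first two addresses
# are the anonymised ones from the slide; everything else is made up.
LOG = [
    (100, "hp-net1", "iii.jjj.kkk.11", "compromise", "rootkit"),
    (130, "hp-net1", "iii.jjj.kkk.11", "backdoor_install", "ssh:pw=s3cr3t"),
    (900, "hp-net1", "xx.yyy.zzz.3", "backdoor_login", "ssh:pw=s3cr3t"),
    (950, "hp-net1", "xx.yyy.zzz.3", "backdoor_login", "ssh:pw=other"),
    (600, "hp-net1", "aa.bb.cc.9", "scan", "tcp/445"),
    (601, "hp-net2", "aa.bb.cc.9", "scan", "tcp/445"),
    (603, "hp-net3", "aa.bb.cc.9", "scan", "tcp/445"),
    (610, "hp-net2", "dd.ee.ff.4", "scan", "tcp/22"),
]

def stepping_stones(log):
    """Link a backdoor installer to whoever later logs in through that backdoor
    with the same credential from a different address: a stepping stone."""
    installers = {}   # (honeypot, credential) -> ip that installed the backdoor
    found = []
    for _, hp, ip, event, detail in sorted(log):   # time order: install before use
        if event == "backdoor_install":
            installers[(hp, detail)] = ip
        elif event == "backdoor_login":
            installer = installers.get((hp, detail))
            if installer is not None and installer != ip:
                found.append((installer, ip, hp))
    return found

def scanners(log, min_honeypots=3):
    """Sources probing the same port on honeypots in at least N networks."""
    targets = defaultdict(set)
    for _, hp, ip, event, detail in log:
        if event == "scan":
            targets[(ip, detail)].add(hp)
    return sorted((ip, port, len(hps)) for (ip, port), hps in targets.items()
                  if len(hps) >= min_honeypots)
```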

33 On-going Work
• VIOLIN-based virtual distributed environments on shared cyber-infrastructure
• Self-management (making them smart entities)
    • Missing role of VIOLIN administrator
    • Automatic customization and bootstrapping
    • Enforcement of application-specific policies
• Self-provisioning (application-driven)
    • Resource scaling
    • Scale adaptation
    • Topology evolution

34 Thank you.
For more information:
Email: dxu@cs.purdue.edu
URL: http://www.cs.purdue.edu/~dxu
Google: “Purdue SODA Friends”
