DPDK Summit China 2017

Transcription

1 DPDK Summit China 2017

2 2 Practice of Network Monitoring and Security Technologies in Cloud Data Center Kai, Wang YunShan Networks

3 Data center is evolving to be cloud based and software defined

4 The monitoring and security problems in SD-CDC The logical topologies become more and more complex Difficult to quickly find and locate the network problems in the tenant business The collection of network data is inefficient Netflow/sFlow/IPFIX: Sampling, per-packet interrupt & netlink upcall Limited variety of supported fields for collected flows The analysis of overlay traffic is insufficient Unable to do flexible & find-grain traffic collection on demand Unable to distinguish duplicated traffic from multiple tenants Unable to effectively aggregate the overlay packets in tunnel capsulation and IP fragments The physical boundaries of network security disappear Zero trust for the nodes in internal network

5 The monitoring solution Management Splitting TAP Mirror Traffic Controller Switch Cloud Analyzer Physical network layer Traffic Monitoring Fabric Resource layer Exporter Traffic Analyzer vswitch Analyzer x86 Cluster Hypervisor Physical resource pool Virtual resource pool

6 The security solution Management Traffic Controller Switch Security Protection Physical network layer Traffic Cloud Fabric Resource layer Traffic vswitch Hypervisor Physical resource pool Virtual resource pool Security x86 Cluster

7 Technology evolution for virtualized networks monitoring Our solution: hypervisor based DFI (Deep Flow Inspection) Probe utilizing OvS in Hypervisor Userspace VM VM VM VM ę Overlay traffic collection Kernel module + Userspace agent + OvS action Cons: invasive deployment Stability Problems: crash, soft lockup Kernel OvS vswitchd ovsdb openvswith.ko (datapath) DFI agent dfi.ko Influence to tenant business Our solution: VM based DFI Userspace VM VM VM ę vswitch d Exporter VM ovsdb agent Deployed in VM OvS openvswith.ko DFI df i. ko Mirror overlay traffic to VM Performance bottleneck vswitchd ovsdb OvS openvswith.ko (datapath) Kernel

8 Technology evolution for virtualized networks monitoring Our current solution: DPDK based Utilizing OvS-DPDK Fully exploit the compute resource of VM Extend functions based on OvS-DPDK conntrack ACL Userspace Exporter VM Flow generation vswitchd OvS-DPDK ovsdb Packet header extraction and compression DPI dpif-netdev (datapath) pkt_dedup, pkt_slicing, pkt_mask, pkt_timestamping, flow_gen, flow_slicing, flow_pkt_hdr_extract, mod_qinq/vlan, vxlan_encap/decap, dpi,... NPB SDN More efficient, flexible, benefit for debug Kernel uio_pci_generic Used for physical networks monitoring as well

9 Further optimization for exporter NIC Multi-queue & Symmetric RSS VM template Parallelize conntrack processing Make it scalable Optimize the datapath classifier (dpcls) algorithm Tuple Space Search (TSS) HyperSplit algorithm Intel vtune Amplifier Lock, Polling & Interrupt Computer Node VM VM Open vswitch Kernel NIC Exporter VM DPDK Network APP

10 Analysis & Visualization Cluster-based analyzer Use Storm to do real-time analysis DDoS/Port Scan Abnormal connections/transactions, Abnormal login ARP/MAC/IP Spoof Loop detection Use Spark to do off-line analysis Security analysis model Use ElasiticSearch/Kibana to do search and visualization Customized statistics in different dimensions Trace back of historical events Third-party analysis tool E.g. SQUIL, SQL injection detection

11 From monitoring to security control Use the monitoring results to generate security policies Exporter Big Data Machine Learning Real-time & Off-line Overview the security problems & risks in cloud networks Analyzer Locate the problematic nodes or areas Underlay& Overlay Big-scale Support High-perf & Parallel Exporter Analyzer Flow-based Data Controller Automated Policy Operational Decision AI Controller Prevent/Protect these nodes or areas via SDN More and more complex networks Virtualized No Border Business Driven

12 Security service chain and problems Use VNF to do security detection/prevention Pros Based on VXLAN Security Service Chain Orchestration VM1 vsw/vtep Service Chain 1 vfw vips Service Chain 2 vsw/vtep VM3 Elastic and flexible Controller VM4 vsw/vtep vfw vips vsw/vtep VM5 Cons Inefficient and low-performance, hard to cover the large-scale east-west traffic VXLAN encap/decap load Poor scalability of security service chain vswitch and VNF performance bottlenecks VXLAN Networking Compute Node vswitch VM1 VM2 VM3 VM4 VM5 IPS Pool FW Pool

13 Performance optimization Use VLAN instead of VXLAN to introduce traffic to assigned security nodes Offload VXLAN encap/decap to ToR switch, save more CPU for processing table=0,priority=202,dl_vlan=2000,ip,actions=output:20 table=0,priority=102,in_port=10,dl_vlan=0xffff,ip,actions= mod_vlan_vid:2000,resubmit(,0) vsw Traffic Traction Policies Micro Segment (MS) Micro Segment (MS) Micro Segment (MS) Micro Segment (MS) Micro Segment (MS) Micro Segment (MS) Traffi c Traction Rul es Security Service Element () Security Service Element () Security Service Element () Traffi c Traction Rul es Security Service Element () Security Service Element () Security Service Element () Security Service Chain Security Service Chain MS-1 MS-2 VM VM VM VM VM VM N Overlay Underlay Virtual Layer 2 VXLAN VXLAN VXLAN VXLAN Switch (SW) Switch (SW) VM VM VM VM VM VM VM VM VM VM VM VM VM VM vsw vsw VLAN vsw vsw VLAN VM VM VM VM VM VM VM Compute Pool vsw Security Pool vsw

14 Performance optimization Single VNF/SSC has limited performance Use SDN policies based trade-off to dispatch traffic to multiple chains Based on pseudo node Linearly increase the performance E.g. VM 2-4 priority=401,table=0,dl_vlan=1000,ip,tcp, tp_src=0/0x0001,tp_dst=0/0x0001,actions =mod_vlan_vid:2000,resubmit(,0) vsw Trade-off Policies vsw ACL Policies priority=401,table=0,dl_vlan=1000,ip,tcp, tp_src=1/0x0001,tp_dst=1/0x0001,actions =mod_vlan_vid:2000,resubmit(,0) VM 1-1 priority=401,table=0,dl_vlan=1000,ip,tcp, tp_src=0/0x0001,tp_dst=1/0x0001,actions =mod_vlan_vid:3000,resubmit(,0) priority=401,table=0,dl_vlan=1000,ip,tcp, tp_src=1/0x0001,tp_dst=0/0x0001,actions =mod_vlan_vid:3000,resubmit(,0)

15 Performance optimization Use OvS-DPDK to accelerate the networking in security resource pool Use DPDK to accelerate TOPSEC VM VM Network APP Network APP DPDK Network APP DPDK Network APP Computer Node Open vswitch NIC vswitchd datapath NIC Security Node DPDK vhost-user-client Open vswitch + DPDK DPDK PMD DPDK vhost-user-client Open vswitch + DPDK DPDK PMD NIC NIC NIC NIC Security Node

16 Security cloud ISP Traffic traction via route Core Router Security Cloud SLB Cluster HA & LB SDN Switch vfw vips VNF x86 KVM Cluster, OvS-DPDK SDN Switch control Controller Security analysis and protection SQL injection attack detection DDoS situational awareness Kibana visualization Custom development LB+vFW+vIPS OpenStack

17 Thanks!! 欢迎关注 DPDK 开源社区 DPDK China Summit 2017, Shanghai