Académique Documents
Professionnel Documents
Culture Documents
net/publication/311519265
CITATION READS
1 1,970
5 authors, including:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Samia Bouzefrane on 30 November 2017.
Abstract. The gap between the deployment costs for the new services, apps and
hosting machines with the expected revenue forces the operators to think in the
virtualization concept although the heterogeneity in virtualization techniques
solutions. While this virtualization architecture came with different challenges
like instances isolation in the hardware or software layers, it anticipated many
opportunities for fast deployment and resources management. This position pa-
per lists the main challenges starting from tenants’ isolation and hardware trust-
ing for virtualization layer till the software and network mapping issues for vir-
tual instances communication under the softwarization techniques. Moreover, it
sums up the directions for this research point in terms of the vision of software
and hardware.
1 Introduction
The rest of this paper is constructed by the following sections. We first present the
general principles of virtualization in Section 2. Section 3 describes the concepts be-
hind network softwarization like SDN or NFV. Section 4 shows that virtualization
concept can be extended to the security aspect by virtualizing trusted hardware to
offer secure virtualized architecture. Before concluding in Section 6, Section 5 points
on virtualization challenges in terms of heterogeneity, isolation, security and perfor-
mance.
2 Virtualization
Full virtualization.
In full virtualization, the source code of the guest OS is not modified. So, when ex-
ecuted, the guest OS is not aware to be virtualized. Binary translation (BT) is used to
emulate a small set of instructions, i.e., privileged instructions are trapped and sensi-
tive but non-privileged instructions are detected then translated to show a fake value.
The rest of the instructions are directly executed by the host CPU. There are two
types of hypervisors that handle the full virtualization:
Type 1 corresponds to a native or standalone hypervisor that runs directly on the
bare hardware. Type 2 is a hypervisor that runs on top of the host OS (like an ordinary
application).
The full virtualization benefit is that guest OSs may run on a VMM while keeping
unmodified. But, the drawback is that the VMM must use special tricks to virtualize
the hardware for each VM, which generates an additional overhead when accessing
the hardware.
Para Virtualization.
It refers to the collaboration between the guest OS and the hypervisor to improve
the performance. This collaboration involves modifying the source code of guest OS
to call directly, using hyper calls, the hypervisor to execute privileged instructions. So
the guest OS is aware to be virtualized. The drawback of this technique is the poor
compatibility and portability of OSs.
Logical Topologies.
The emulation of logical network structure over physical one can be manipulated
either using layer 2 or layer 3 techniques for network based architectures.
For layer 2 techniques, Virtual Local Area Network (VLAN) is a standard isola-
tion technique known in the network many years ago. VLAN is a logical grouping
of several stations in the same broadcast domain (Broadcast) regardless of their
geographical location. The administration and management of VLANs are easier
than managing classical LANs, knowing that the organization is based on a logical
dependency of the director, not the physical location of stations.
For layer 3 techniques, the Virtual Private Network (VPN) is a good emulation and
it can also be emulated in Layer 2. VPN can be defined as an overlay network built
over public networks like Internet. It is generally used to connect one or more sites
using a secure tunnel either generated using layer 2 tunnel protocols like L2TP,
VPLS for MPLS technology or layer 3 tunnel protocols like IPSec.
Another logical topology structure based application is the point to point architec-
tures P2P. It is an overlay network built on top of one or more physical networks.
The majority of overlay networks are implemented at the application level. Differ-
ent implementations exist at other levels, to ensure some type of network func-
tions: like multicast routing, Service Quality.
Virtual Topologies.
The principle in virtualization is to provide the customer a point to point or multi-
point network overlay on the physical infrastructure. However the user has no real
control over the implementation of this network. With the recent emerging concepts
of communication, the using of traditional VLANs or VPNs is not coping with the
data centers. Indeed, the scalability problems are prohibitive in data centers due to the
increase in the number of virtual machines:
Virtual Extensible LAN (VXLAN) is a very close NVGRE solution and is well sup-
ported by Microsoft. It consists of encapsulating the Ethernet frames in UDP (re-
served port 4789 as shown in Figure 2). The tunnel terminates at the hypervisor and at
the host server. Besides Microsoft, including VXLAN is supported by Cisco and
VMWare. It provides the required scalability in terms of VLANs extension by in-
creasing the number of VLANs.
Fig. 2. VXLAN encapsulation through Wireshark capture.
NFV.
NFV (Network Function virtualization) was introduced to face a number of chal-
lenges in TSPs (Telecommunication Service Providers) such as the aim to build more
dynamic, flexible and service-aware networks and to reduce the CAPEX/OPEX
(CAPital EXpenditure/ OPeration EXpenditure)[10]. By using the virtualization tech-
nologies, NFV decouple the NFs (Network Functions) from the devices on which they
are traditionally run. This approach allows the consolidation of several NFs on stan-
dard server, switches and storage devices which may be located on data centers or at
End User Premises. In this way, a service would be broken down into a set of VNFs
(Virtualized Network Functions) that could be run as software on standards servers.
Therefore, these VNFs could be relocated in other networks [11, 12, 13].
SDN.
SDN (Software-Defined Networking) aims to reduce the CAPEX/OPEX costs and
to make networks more flexible by providing an open and user-controlled use of the
network’s forwarding devices (routers and switches)[14]. The main concept of SDN
is the split of the control plane (Network Operating System or controller) from the
data plane (forwarding plane) in the forwarding devices. In that way, the control
plane, which becomes a software executed on standard servers, sends instructions to
be performed by the data plane which is composed of SDN-enabled routers and
switches. This approach provides a global view of the network and simplifies its man-
agement. In addition, SDN provides programmability to share the network infrastruc-
ture between several virtual networks with different policies and allow APIs standar-
dization [1]
1. The southbound interface which is a standard one using OpenFlow protocol [17] to
execute the rules or flows actions inside the OpenFlow devices (OpeFlow-enabled
router/switch).
2. The northbound interface is dedicated between the application and the controller.
There is no standardization till now for this interface but the majority used APIs for
this communication.
Using OpenFlow, The administrator can change any network switch's rules when
necessary in a dynamic flow tables or even blocking specific types of packets with a
very granular level of control. This is especially helpful in a cloud computing multi-
tenant architecture (either VMs or Containers), because it allows the administrator to
manage traffic loads in a flexible and more efficient manner. Essentially, this allows
the administrator to use less expensive commodity switches and have more control
over network traffic flow than ever before. Figure 4 shows some OpenFlow messages
captured from Wireshark packet analyzer during our test for an SDN controller (IP:
192.168.0.155) to an OpenFlow client (OVS) (IP: 192.168.0.152) using TCP connec-
tion with the standard port: 6633.
The OpenStack [18] is one of the famous open source cloud project. It had many
nodes which are the outputs of many collaborated projects contributed in OpenStack
project.
Multi-tenant platforms must be highly secured and scalable. So, the main two issues
in such kind of platforms are:
Heterogeneity: it is one of the main open issues that required more clarification
under the virtualization concept. There are many hardware supports virtualization,
many types of hypervisors, and many types of containers based solutions. Those
together with an additional heterogeneity of different operating systems run on the
same platform. Also, the northbound interface for communicating the applications
with SDN controller not yet standardized and used only APIs for such communica-
tion. Unified communication for this interface will assure the convergence for
standardization as done for the southbound interface using OpenFlow protocol
which is secured and well defined. The convergence for heterogeneity can lead to
more flexible trusting for instances actions like creation/cloning/migration.
Isolation: isolating many virtual instances over one or many physical hosts is a
challenge in virtualization. This isolation can subject to the virtual connecting
bridges concepts using layer 2 technologies like VLANs applied on virtual switch
ports or till layer 3 based different subnets. But, the hardware isolation can provide
more performance evaluations in case of servers’ virtualization. The point of isola-
tion is still need many research work either for enhancing the hardware or software
isolations between different instances meanwhile the isolation for inter and intra
communication a cross virtual data center is a vital issue.
Security: the security of multi-tenant platforms has two concerns; hardware part
and software part. Regarding the hardware part, the TPM as explained before with
the evolutions of vTPM [24] solutions can improve the trusting for those tenants
running. While for software part, there are many assessment tools either for identi-
ties, licenses, authentications and VPNs. Moreover, the security of communication
between the hardware TPM and the virtualized ones. This is including the scala-
bility and security issues for such management for tenants especially for the mobil-
ity over different platforms.
Performance: the performance analysis either for VMs, Containers or NFVs over
virtualized infrastructure is important. The main metrics are the system, hardware
and network that affect the overall cost for the deployment and meanwhile for the
systems throughput. The work in [25] listed the main issues relevant to network
and system for instances migration controlled by classical cloud solutions, NFV
and SDN. Moreover, regarding to the performance, many research achievements
can be realized in terms of switching speed for OVSs or bridges that communicates
the virtual instances over the top of hypervisors. The whole virtualized hardware
solutions vSwitch, vCPU, vRAM, vStorage and vNIC for networking are all sub-
ject to the performance evaluation.
6 Conclusion
7 References
1. R. Jain and S. Paul;Network Virtualization and Software Defined Networking for Cloud
Computing: A Survey. In: Communications Magazine, IEEE, pp. 24-31, November 2013.
2. T. Le Vinh, S. Bouzefrane: Trusted Platforms to secure Mobile Cloud Computing. In: The
16th IEEE International Conference, pp. 1096-1103, August 2014.
3. G. J. Popek, R. P. Goldberg: Formal requirements for virtualizable third generation archi-
tectures.In: SIGOPS Operating Systems Review, ACM, 1973.
4. VMWare Inc: Introducing vmware virtual platform. Technical white paper, February
1999.
5. “Understanding Full Virtualization, Para-virtualization, and Hardware Assist”, VMWre
white paper, 2007.
6. F. Rodriguez-Haro, F. Freitag, L. Navarro, et al.: A summary of virtualization techniques.
In: The 2012 Iberoamerican Conference on Electronics Engineering and Computer
Science, pp. 267-272, 2012
7. http://lwn.net/Articles/531114/
8. http://en.wikipedia.org/wiki/Cgroups
9. https://tools.ietf.org/html/rfc5556
10. NFV White paper: "Network Functions Virtualisation, An Introduction, Benefits, Enab-
lers,Challenges & Call for Action. Issue 1", october 2013.
11. ETSI GS NFV 002 (V1.2.1): "Network Functions Virtualisation (NFV); Architectural
Framework", December 2014.
12. ETSI GS NFV 003 (V1.2.1): "Network Functions Virtualisation (NFV); Terminology for
Main Concepts in NFV", December 2014.
13. R. Mijumbi, J. Serrat, J. Gorricho, N. Bouten, F. De Turck, and R. Boutaba: Network func-
tion virtualization: State-of-the-art and research challenges. In: Communications Surveys
Tutorials, IEEE, vol. PP, no. 99, pp. 1–1, 2015.
14. F. Hu, Q. Hao, K. Bao: A Survey on Software-Defined Network (SDN) and OpenFlow:
From Concept to Implementation. In: Communications Surveys & Tutorials, IEEE, May
2014.
15. http://openvswitch.org/
16. https://www.opendaylight.org/
17. N. McKeown T. Anderson, H. Balakrishnan et al.: OpenFlow: Enabling Innovation in
Campus Network. In: SIGCOMM Computer Communication Review , ACM, March
2008.
18. https://www.openstack.org/
19. TPM main specification:
http://www.trustedcomputinggroup.org/resources/tpm_main_specification.
20. R. Perez, R. Sailer, L. van Doorn, and others: vTPM: virtualizing the trusted platform
module. In: Proc. 15th Conf. on USENIX Security Symposium, pp. 305–320, 2006.
21. P. England and J. Loeser: Para-virtualized TPM sharing. In: Trusted Computing-
Challenges and Applications, Springer, pp. 119–132, 2008.
22. F. J. Krautheim, D. S. Phatak, and A. T. Sherman: Private Virtual Infrastructure: A Model
for Trustworthy Utility Cloud Computing. In: DTIC Document, 2010 ,
23. M. Strasser and H. Stamer: A software-based trusted platform module emulator. In:
Trusted Computing-Challenges and Applications, Springer, pp. 33–47, 2008.
24. R. Perez, R. Sailer, L. van Doorn, et al. : vTPM: virtualizing the trusted platform module.
In: Proc. 15th Conf. on USENIX Security Symposium, pp. 305–320,2006.
25. H. Ibn-Khedher, E. Abd-Elrahman, and H. Afifi: Network Issues in Virtual Machine Mi-
gration. In: ISNCC, IEEE, Hamamet, Tunisia, vol. 1, pp.1-6, May 2015