ABSTRACT
Cloud virtualization is shifting towards lightweight containers, which provide isolated environments for running cloud-based services. Emerging trends such as container-based microservice architectures and hybrid cloud deployments result in higher traffic volumes between microservices, mobility of the communication endpoints, and some of the communication taking place over untrusted networks. Yet the services are typically designed on the assumption of scalable, persistent and secure connectivity. In this paper we present the SynAPTIC architecture, which enables secure and persistent connectivity between mobile containers, particularly in hybrid cloud and multi-tenant cloud networks. The solution is based on the standardized Host Identity Protocol (HIP), which tenants can deploy on top of existing cloud infrastructure independently of their cloud provider. Optional cloud-provider extensions based on Software-Defined Networking (SDN) further optimize the networking architecture. Our qualitative and quantitative evaluation shows that SynAPTIC performs better than some of the existing solutions.
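As an added illustration (not code from the paper, nor from the HIP for Linux project), the following Go program shows the HIP property the architecture relies on: a container is addressed by a Host Identity Tag (HIT) derived from its public key, the peer binds the association to that identity during the base exchange, and a later move to a new IP address is accepted only when the locator UPDATE is signed by the same identity and carries a fresh sequence number. Assumptions: Ed25519 stands in for the RSA/ECDSA suites that HIPv2 specifies; the HIT derivation keeps the ORCHIDv2 prefix but simplifies the hash input and truncation; the puzzle, Diffie-Hellman exchange, ESP setup and the reachability check of the new address that real HIP performs are omitted; all addresses and the challenge nonce are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// HostIdentity is a container's HIP Host Identity: a public key plus the private
// key proving ownership. Ed25519 stands in for HIPv2's RSA/ECDSA suites (assumption).
type HostIdentity struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// HIT derives a 128-bit Host Identity Tag: ORCHIDv2 prefix 2001:20::/28, a 4-bit hash
// nibble (1 here, illustrative) and 96 bits of SHA-256 over the public key. RFC 7343
// also hashes a context ID and fixes the truncation, so these tags are not wire-compatible.
func HIT(pub ed25519.PublicKey) net.IP {
	sum := sha256.Sum256(pub)
	return net.IP(append([]byte{0x20, 0x01, 0x00, 0x21}, sum[:12]...))
}

// Association is the responder's state for a peer: traffic is bound to the
// cryptographic identity (PeerHIT/PeerHI); PeerLocator is only where the peer is now.
type Association struct {
	PeerHIT     net.IP
	PeerHI      ed25519.PublicKey
	PeerLocator string
	Seq         uint32 // highest UPDATE sequence number accepted so far
}

// Establish models the identity check of the HIP base exchange: accept the peer
// only if its HI hashes to the claimed HIT and it signs the responder's fresh challenge.
func Establish(claimedHIT net.IP, hi ed25519.PublicKey, challenge, sig []byte, locator string) (*Association, error) {
	if !HIT(hi).Equal(claimedHIT) {
		return nil, errors.New("presented HI does not hash to the claimed HIT")
	}
	if !ed25519.Verify(hi, challenge, sig) {
		return nil, errors.New("challenge signature does not verify under the HI")
	}
	return &Association{PeerHIT: claimedHIT, PeerHI: hi, PeerLocator: locator}, nil
}

// LocatorUpdate is a simplified HIP UPDATE announcing a new locator (real HIP uses
// a LOCATOR_SET parameter and checks the new address is reachable before switching).
type LocatorUpdate struct {
	HIT     net.IP
	Locator string
	Seq     uint32
	Sig     []byte
}

// UpdateBytes is the signed encoding: fixed-size HIT and seq frame the locator.
func UpdateBytes(hit net.IP, locator string, seq uint32) []byte {
	msg := append(append([]byte{}, hit.To16()...), locator...)
	return binary.BigEndian.AppendUint32(msg, seq)
}

// SignUpdate is what the migrated container sends from its new address.
func (h *HostIdentity) SignUpdate(locator string, seq uint32) LocatorUpdate {
	hit := HIT(h.Pub)
	return LocatorUpdate{HIT: hit, Locator: locator, Seq: seq,
		Sig: ed25519.Sign(h.Priv, UpdateBytes(hit, locator, seq))}
}

// ApplyUpdate switches to the new locator only if the UPDATE is signed by the HI
// bound at establishment and its sequence number is fresh, so an on-path host can
// neither redirect the flow to itself nor replay an earlier move.
func (a *Association) ApplyUpdate(u LocatorUpdate) error {
	if u.Seq <= a.Seq {
		return errors.New("stale or replayed UPDATE sequence number")
	}
	if !u.HIT.Equal(a.PeerHIT) || !ed25519.Verify(a.PeerHI, UpdateBytes(u.HIT, u.Locator, u.Seq), u.Sig) {
		return errors.New("UPDATE is not signed by the HI bound to this association")
	}
	a.PeerLocator, a.Seq = u.Locator, u.Seq
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ctr := &HostIdentity{Pub: pub, Priv: priv} // tenant container, first in the private cloud
	nonce := []byte("constructed responder nonce") // constructed sample challenge
	assoc, err := Establish(HIT(ctr.Pub), ctr.Pub, nonce, ed25519.Sign(ctr.Priv, nonce), "10.0.1.5")
	if err != nil {
		panic(err)
	}
	err = assoc.ApplyUpdate(ctr.SignUpdate("203.0.113.7", 1)) // container migrated to the public cloud
	fmt.Println("migrate:", err, "now at", assoc.PeerLocator)
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader) // on-path host with its own key
	forged := LocatorUpdate{HIT: assoc.PeerHIT, Locator: "198.51.100.9", Seq: 2}
	forged.Sig = ed25519.Sign(rogueKey, UpdateBytes(forged.HIT, forged.Locator, forged.Seq))
	fmt.Println("hijack:", assoc.ApplyUpdate(forged), "| replay:", assoc.ApplyUpdate(ctr.SignUpdate("203.0.113.7", 1)))
}
```

Running it shows the migration to 203.0.113.7 accepted, while the rogue host's redirect (signed with a different key) and the replay of the earlier UPDATE are both rejected. This identity-to-locator binding is what the tenant deploys independently of the provider; the SDN extensions the abstract mentions optimize the networking on top of it rather than replacing this check.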