DOI: 10.1145/3229616.3229624

Offloading Security Services to the Cloud Infrastructure

Published: 07 August 2018

Abstract

Cloud applications rely on a diverse set of security services from application-layer rate-limiting to TCP SYN cookies and application firewalls. Some of these services are implemented at the infrastructure layer, on the host or in the NIC, to filter attacks closer to their source and free CPU cycles for the tenants' applications. Most security services, however, remain difficult to implement at the infrastructure layer because they are closely tied to the applications they protect.
In this paper, we propose to allow tenants to offload small filtering programs to the infrastructure. We design a mechanism to ensure fairness in resource consumption among tenants and show that, by carefully probing specific points of the infrastructure, all resource consumption can be accounted for.
We prototype our solution over the new high-performance datapath of Linux. Our preliminary experiments show that an offload to the host's CPU can bring a 4-6x performance improvement. In addition, fairness among tenants introduces an overhead of only 14% in the worst case and approximately 3% for realistic applications.

Cited By

  • (2024) A Blockchain-Based Scheme for Secure Data Offloading in Healthcare With Deep Reinforcement Learning. IEEE/ACM Transactions on Networking 32:1, pp. 65-80. DOI: 10.1109/TNET.2023.3274631. Online publication date: Feb 2024.
  • (2023) OXDP: Offloading XDP to SmartNIC for Accelerating Packet Processing. 2022 IEEE 28th International Conference on Parallel and Distributed Systems (ICPADS), pp. 754-761. DOI: 10.1109/ICPADS56603.2022.00103. Online publication date: Jan 2023.
  • (2021) A Runtime-Enabled P4 Extension to the Open vSwitch Packet Processing Pipeline. IEEE Transactions on Network and Service Management 18:3, pp. 2832-2845. DOI: 10.1109/TNSM.2021.3055900. Online publication date: Sep 2021.
  • (2018) Future Cloud Systems Design: Challenges and Research Directions. IEEE Access 6, pp. 74120-74150. DOI: 10.1109/ACCESS.2018.2883149. Online publication date: 2018.

Published In

SecSoN '18: Proceedings of the 2018 Workshop on Security in Softwarized Networks: Prospects and Challenges
August 2018
59 pages
ISBN: 9781450359122
DOI: 10.1145/3229616
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SIGCOMM '18: ACM SIGCOMM 2018 Conference
August 24, 2018
Budapest, Hungary
