

Research on Network Bandwidth Isolation Techniques for Cloud Computing Data Centers

Published: 2018-05-31 10:09

Topic keywords: cloud computing + data center network; Source: doctoral dissertation, National University of Defense Technology, 2012


[Abstract]: The goal of cloud computing is to free enterprises that need computing, storage and network services from costly equipment procurement, tedious application deployment and complex system administration, so that they can devote more effort to developing business software and innovating solutions. Cloud computing lets users pay on demand, lets their applications grow processing capacity on demand, and lowers their upfront investment risk. However, this open service model places tenants of different backgrounds in the same data center, which introduces potential security threats: a tenant can deploy malicious applications and launch attacks to cause disruption inside the data center. Cloud providers therefore not only need to design scalable data center architectures that meet rapidly growing application demand, but also, more importantly, must provide effective performance isolation mechanisms that guarantee that tenants do not interfere with one another's performance.
The resources of a cloud data center consist mainly of computing, storage and network resources. At present, hypervisor mechanisms such as Xen and Hyper-V partition computing and storage resources at the granularity of virtual machines, so these resources are reasonably well isolated. How tenants share the network, however, is not effectively controlled, so network bandwidth isolation cannot be provided. VLANs, for example, achieve reachability or traffic isolation, but they do not provide bandwidth quotas and therefore do not isolate bandwidth. Without an effective bandwidth isolation mechanism, current cloud data center networks face at least the following risks. First, per-flow bandwidth allocation invites selfish and attack behaviour, such as opening many flows in parallel to take more bandwidth or to launch traffic attacks. Second, many new parallel computing patterns, such as search and MapReduce, introduce highly synchronised many-to-one communication, which easily causes TCP congestion collapse in low-latency, small-buffer data center networks. Third, many existing applications are built on non-responsive protocols; allowing them to migrate into the data center inevitably interferes with the performance of other applications, while forbidding migration forfeits potential revenue or forces the applications to be rewritten.
To address these problems, this dissertation studies how to achieve network-layer bandwidth isolation between tenants in a cloud data center network. The main innovations and results are in the following three areas.
First, from the perspective of defending the data center network against topology probing, it investigates whether a tenant can use end-to-end methods to infer the logical routing topology of the data center network, and proposes a progressive probing algorithm based on the coarse-grained packet loss characteristics of UDP flows. Whether a tenant, using only normal traffic, can infer the network routing topology between its virtual machines was previously unknown. Traditional end-to-end topology inference techniques statistically cluster fine-grained, per-packet loss or delay characteristics and derive a maximum-likelihood estimate of the logical routing topology. Applying these techniques directly faces two problems: they assume that probe packets always experience fine-grained loss and delay along the route, which does not always hold in high-bandwidth, low-latency networks; and their per-packet statistical analysis incurs very large storage and computation overhead at high bandwidth and scales poorly. Through further study and extensive experiments, the dissertation shows that by decomposing the routing topology into probing trees rooted at the receiving virtual machine, inducing congestion according to a specific strategy, and probing progressively using the multi-dimensional, flow-level coarse-grained loss characteristics, a very accurate logical routing topology can be obtained, with a single probe completing within a few milliseconds. A tenant could use the routing topology to serve selfish or attack behaviour. This requires the bandwidth isolation mechanism to keep network load as low as possible and to implement fine-grained congestion control.
Second, from the perspective of defending the data center network against traffic attacks, it investigates the possibility of and the necessary conditions for low-rate denial-of-service attacks on data center networks, covering both non-responsive and responsive flows and in particular the conditions for precise attacks that exploit the network's routing topology, and proposes a theoretical analysis model. Although there has been some qualitative discussion of traffic attacks on current data center networks, the conditions needed to carry out such attacks and their consequences had not been analysed quantitatively. Through a theoretical model and extensive experiments, the dissertation shows that the low latency and small buffers of data center networks allow a tenant, first, to aggregate multiple synchronised flows into a low-rate denial-of-service attack and, second, to use the routing topology to choose targets at the network edge or inside the network. The model and the experimental results show that an attack burst usually needs to last only a few milliseconds to reduce the throughput of the target TCP flow to a very low level. Bandwidth isolation for data center networks must therefore suppress concurrent flows as far as possible when available bandwidth is insufficient and, when performing congestion control, take into account where congestion may occur.
Finally, to overcome the shortcomings of current bandwidth isolation techniques while also defending against topology probing and traffic attacks, the dissertation proposes a bandwidth isolation mechanism for data center networks, the unified logical channel, which allocates bandwidth uniformly to responsive and non-responsive flows, together with an RTT-based receiver-side congestion control mechanism. Existing reservation-based bandwidth allocation achieves good isolation but is complex to implement and utilises resources poorly; existing dynamic allocation uses resources fully but considers only bandwidth fairness on edge links and lacks both suppression of concurrent flows and fine-grained congestion control. The dissertation proposes using the unified logical channel to enforce fine-grained, on-demand dynamic bandwidth allocation that guarantees fair bandwidth sharing between flows, and a receiver-enhanced fine-grained congestion control algorithm that handles congestion on both edge and internal links and decides the number of concurrent flows admitted into the network from its current congestion level, preserving fairness of bandwidth allocation as far as possible while avoiding congestion. Experimental results show that the mechanism effectively prevents users from intentionally or unintentionally taking other users' bandwidth, resists low-rate denial-of-service attacks from the user side, and guarantees bandwidth isolation in the data center network.
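To make the first risk in the abstract concrete (per-flow allocation rewards a tenant that opens many parallel flows), the following added example, which is not from the dissertation and does not implement its unified logical channel, computes max-min fair shares of a constructed shared link at flow granularity and at tenant granularity. The link capacity, tenant names and flow counts are constructed values.

```python
"""Max-min fair (water-filling) allocation of one shared link, computed
at flow granularity and at tenant granularity.  Constructed example to
quantify why per-flow allocation is gameable; it is not the dissertation's
unified logical channel."""
from collections import defaultdict


def max_min_fair(capacity, demands):
    """Water-filling: an entity whose demand fits under the current fair
    level gets its demand; the leftover capacity is then re-split equally
    among the entities that are still unsatisfied."""
    alloc = {}
    remaining = capacity
    pending = dict(demands)
    while pending:
        level = remaining / len(pending)
        satisfied = {k: d for k, d in pending.items() if d <= level}
        if not satisfied:
            # Everyone left wants more than the fair level: equal split.
            for k in pending:
                alloc[k] = level
            break
        for k, d in satisfied.items():
            alloc[k] = d
            remaining -= d
            del pending[k]
    return alloc


def per_flow_share(capacity, flows):
    """flows: list of (tenant, demand). Allocate per flow (the gameable
    scheme), then report how much each tenant ends up with."""
    demands = {i: d for i, (_, d) in enumerate(flows)}
    alloc = max_min_fair(capacity, demands)
    per_tenant = defaultdict(float)
    for i, (tenant, _) in enumerate(flows):
        per_tenant[tenant] += alloc[i]
    return dict(per_tenant)


def per_tenant_share(capacity, flows):
    """Aggregate each tenant's flows into one demand and allocate per
    tenant, so opening extra flows cannot raise the tenant's share."""
    demands = defaultdict(float)
    for tenant, d in flows:
        demands[tenant] += d
    return max_min_fair(capacity, dict(demands))


# Constructed scenario: a 1000 Mbit/s link; tenant A opens 10 greedy flows,
# tenant B a single greedy flow (every flow wants the whole link).
LINK = 1000.0
FLOWS = [("A", 1000.0)] * 10 + [("B", 1000.0)]

if __name__ == "__main__":
    print("per-flow  :", per_flow_share(LINK, FLOWS))    # A ~909, B ~91
    print("per-tenant:", per_tenant_share(LINK, FLOWS))  # A 500, B 500
```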
[Degree-granting institution]: National University of Defense Technology
[Degree level]: Doctoral
[Year degree granted]: 2012
[Classification number]: TP308;TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前4條

1 丁澤柳;郭得科;申建偉;羅愛民;羅雪山;;面向云計(jì)算的數(shù)據(jù)中心網(wǎng)絡(luò)拓?fù)溲芯縖J];國防科技大學(xué)學(xué)報(bào);2011年06期

2 張禎松,趙偉;一個(gè)大型網(wǎng)絡(luò)數(shù)據(jù)中心安全解決方案[J];解放軍理工大學(xué)學(xué)報(bào)(自然科學(xué)版);2003年05期

3 李喬;鄭嘯;;云計(jì)算研究現(xiàn)狀綜述[J];計(jì)算機(jī)科學(xué);2011年04期

4 胡農(nóng)達(dá);王達(dá)偉;孫凝暉;;胖樹中的分布式動(dòng)態(tài)容錯(cuò)路由[J];計(jì)算機(jī)學(xué)報(bào);2010年10期



Article number: 1959246


Link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1959246.html
