Authenticated Setup of Virtual Links with Quality-of-Service Guarantees - PowerPoint PPT Presentation


SLIDE 1

INSTITUTE OF TELEMATICS

www.kit.edu

KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association

Authenticated Setup of Virtual Links with Quality-of-Service Guarantees

Roland Bless, Martin Röhricht, Christoph Werle Institute of Telematics, Karlsruhe Institute of Technology (KIT)

SLIDE 2

Institute of Telematics, Department of Informatics http://telematics.tm.kit.edu/

Motivation

  • Network virtualization is an enabling technology
  • Easier deployment of global networks and services
  • Homogeneity across provider domain boundaries
  • Parallel operation of different network architectures: deploy novel network architectures and E2E services without requiring Internet-wide consensus
  • Increased flexibility
  • On-demand creation and modification of virtual network topology and resources, esp. nodes and links
  • Resource migration as a traffic engineering mechanism
  • More efficient use of resources (exploit statistical multiplexing gain)

  • R. Bless "Authenticated Setup of Virtual Links w/ QoS guarantees"

ICCCN 2011, Maui, Hawaii 2

SLIDE 3

Network Virtualization

Virtual Network (VNet)
  • Set of (virtual) nodes directly connected by (virtual) links (realized on top of a set of physical resources, the "substrate")
  • "Naked" topology at layer 3
  • No assumptions about the network protocols or architecture running inside the VNet, i.e., not necessarily IP
  • May use various substrate techniques to create virtual links, e.g., IP tunnels, MPLS, Ethernet VLANs, ...
  • We assume an IP-based substrate
  • Partitioning or aggregation of resources possible


SLIDE 4

Network Virtualization Business Model

[Figure: roles in the business model: Virtual Network Operator (VNO), Virtual Network Provider (VNP), and Infrastructure Providers A, B and C; the virtual network is built by setting up virtual links over the providers' substrate networks.]

SLIDE 5

Setup of Virtual Links with QoS

  • Isolation and QoS guarantees required: need to reserve resources along a substrate path
  • Combine resource reservation with virtual link setup

[Figure: Virtual Node Architecture. Two substrate nodes, A (Infrastructure Provider InP1) and B (Infrastructure Provider InP2), are connected by a physical link. Each substrate node runs control plane management, multiplexing/QoS and QoS signaling, and hosts the virtual nodes VM1 and VM2, whose virtual interfaces VIf1/VIf2 are mapped onto the physical interfaces PhyIf1, PhyIf2 and PhyIf3; the virtual link between the virtual nodes runs over the physical link.]

SLIDE 6

Approach

  • Use the existing QoS resource reservation protocol of the NSIS framework: QoS NSLP
  • Need an interoperable solution for link setup across provider (InP) domains
  • Add an information object for the setup of virtual links
  • Add a security object: authentication (pre-shared key), integrity protection for NSLP messages (HMAC)

[Figure: NSIS protocol stack. NSIS Signaling Layer (NSLP): QoS NSLP carrying the Session Authorization and VLSP objects. NSIS Transport Layer (NTLP): General Internet Signaling Transport (GIST) over IPsec, SCTP, TCP, UDP or TLS on IPv4/IPv6.]

SLIDE 7

Step by Step Example

  • Shows a unidirectional resource reservation VM1 to VM2
  • Bidirectional reservation is possible

[Figure: Router A (hosting VM1; interfaces eth0 and br0; tunnel endpoint tunAC; NSIS), Router B (eth0, eth1; IP forwarding; NSIS) and Router C (hosting VM2; interfaces eth0 and br0; tunnel endpoint tunCA; NSIS). The virtual link is an EGRE tunnel set up by VLSP signaling.]

  • 1. RESERVE + VLSP object + SessionAuth object (Router A to Router B)
  • 2. Router B ignores the VLSP object, performs admission control
  • 3. RESERVE + VLSP object + SessionAuth object (Router B to Router C)
  • 4. Router C sets up the virtual link between VM2 and VM1
  • 5. RESPONSE (Router C to Router B)
  • 6. Router B reserves resources
  • 7. RESPONSE (Router B to Router A)
  • 8. Router A sets up the virtual link between VM1 and VM2

SLIDE 8

Detailed Message Sequence with GIST

[Figure: message sequence chart between Router A, Router B and Router X.]

  • Router A: send a RESERVE; GIST 3-way handshake (GIST Query, GIST Response, GIST Confirm) with Router B; install GIST state
  • Router A to Router B: GIST Data[RESERVE + VLSP object]
  • Router B: 1. perform resource admission control, 2. pre-reserve resources, 3. forward RESERVE; GIST 3-way handshake with Router X; install GIST state
  • Router B to Router X: GIST Data[RESERVE + VLSP object]
  • Router X: perform resource admission control; 1. reserve resources, 2. install virtual link
  • Router X to Router B: GIST Data[RESPONSE + VLSP object]
  • Router B: 1. commit resources, 2. forward RESPONSE
  • Router B to Router A: GIST Data[RESPONSE + VLSP object]
  • Router A: 1. reserve resources, 2. install virtual link

SLIDE 9

Evaluation Setup

  • How long does it take to set up a virtual link, incl. QoS guarantees?
  • Used the freely available NSIS implementation (C++), http://nsis-ka.org/ (evaluation code is available!)
  • Linux, KVM-based VM, Xeon X3430 quad-core @ 2.4 GHz, GRE tunnel

[Figure: testbed. tb1 hosts VM1 (eth0, tun12, br0), runs NSIS and the VLSP client, eth0 172.1.2.1; tb2 is an NSIS router with eth0 172.1.2.2 and eth1 172.2.3.2; tb3 is an NSIS router with eth0 172.2.3.3 and eth1 172.3.4.3; tb4 hosts VM2 (eth0, tun21, br0), runs NSIS, eth0 172.3.4.4. VLink1 is an Ethernet over GRE tunnel between VM1 and VM2.]

SLIDE 10

Measurement Methodology

  • Measurement points in the code
  • tcpdump packet capture on all nodes tb1 to tb4

[Figure: message sequence between tb1, tb2, tb3 and tb4: GIST Query, GIST Response and GIST Confirm between each pair of adjacent nodes, RESERVE forwarded hop by hop from tb1 to tb4, RESPONSE returned hop by hop; tb4 and tb1 each execute the script for GRE tunnel setup.]

SLIDE 11

Total Duration

[Chart: total virtual link setup duration, with script execution on tb4 and script execution on tb1 marked.]

  • Round-trip time tb1 to tb4: 0.7 ms
  • External program triggers virtual link setup; includes inter-process communication
  • Script execution for virtual link setup dominates

SLIDE 12

Pure NSIS Signaling

[Chart: pure NSIS signaling duration, with the 3-way GIST handshake and the initial RESERVE processing marked.]

  • Intermediate node processing < 1 ms

SLIDE 13

Teardown Duration

  • Link teardown takes much longer than setup, presumably due to "still in-use" checks
  • Teardown is not so critical (compared to setup)

SLIDE 14

Signaling Authentication Overhead

[Chart: signaling duration with and without security, measured on the wire and measured internally.]

  • Script execution for virtual link setup subtracted
  • No significant overhead if security is used

SLIDE 15

Authentication Overhead

  • Additional SessionAuthorization object [RFC5981]
  • Protects RESERVE and RESPONSE messages
  • Added 104 bytes to the message (VLSP object: 80 bytes)
  • HMAC calculation is negligible
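The following Python model is an added example, not code from the slides or from the nsis-ka implementation. It ties together the RESERVE/RESPONSE exchange of slides 7 and 8 and the SessionAuth protection described on this slide. Assumptions: one pre-shared key provisioned to every NSIS node on the path; a JSON serialisation in place of the TLV encodings of RFC 5981 and the QoS NSLP; hypothetical VLSP fields (src_vm, dst_vm, tunnel) and a single bandwidth value as the QSPEC; and a RESERVE that is forwarded unchanged, so the same HMAC verifies at each hop. Intermediate nodes ignore the VLSP object and only perform admission control and pre-reservation; the endpoints additionally install the virtual link; a message whose HMAC does not verify is dropped by the first node that checks it.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key; assumption: provisioned out of band to every NSIS node on the path.
PSK = b"constructed-example-psk"


def canonical_bytes(msg):
    """Deterministic serialisation of the message without its SessionAuth object.
    Simplification: the real object is TLV-encoded as specified in RFC 5981."""
    body = {k: v for k, v in msg.items() if k != "session_auth"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attach_session_auth(msg, key):
    """Return a copy of msg carrying a SessionAuth-style object whose
    authentication data is an HMAC-SHA1 over the rest of the message."""
    tag = hmac.new(key, canonical_bytes(msg), hashlib.sha1).hexdigest()
    return {**msg, "session_auth": {"auth_ent_id": msg["initiator"],
                                    "authentication_data": tag}}


def verify_session_auth(msg, key):
    """Recompute the HMAC and compare in constant time; a missing object fails."""
    sa = msg.get("session_auth")
    if not sa:
        return False
    expected = hmac.new(key, canonical_bytes(msg), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sa["authentication_data"])


class Node:
    """A substrate router running QoS NSLP; only the endpoints act on the VLSP object."""

    def __init__(self, name, free_mbps, key=PSK):
        self.name, self.free, self.key = name, free_mbps, key
        self.pending, self.committed, self.vlinks, self.events = {}, {}, [], []

    def on_reserve(self, msg, responder):
        if not verify_session_auth(msg, self.key):
            self.events.append("RESERVE dropped: HMAC check failed")
            return None
        bw = msg["qspec_mbps"]
        if bw > self.free:                        # admission control
            self.events.append("RESERVE rejected: insufficient bandwidth")
            return None
        self.free -= bw
        if not responder:                         # intermediate node: VLSP object ignored
            self.pending[msg["sid"]] = bw
            self.events.append("RESERVE: pre-reserved, VLSP ignored, forwarded")
            return msg                            # forwarded unchanged, so the HMAC still verifies
        self.committed[msg["sid"]] = bw           # responder: reserve and install the link
        self.vlinks.append(msg["vlsp"]["tunnel"])
        self.events.append("RESERVE: reserved, virtual link installed")
        response = {"type": "RESPONSE", "sid": msg["sid"], "initiator": self.name,
                    "status": "OK", "qspec_mbps": bw, "vlsp": msg["vlsp"]}
        return attach_session_auth(response, self.key)

    def on_response(self, msg, initiator):
        if not verify_session_auth(msg, self.key):
            self.events.append("RESPONSE dropped: HMAC check failed")
            return None
        sid, bw = msg["sid"], msg["qspec_mbps"]
        if initiator:                             # initiator reserves and installs its tunnel end
            self.free -= bw
            self.committed[sid] = bw
            self.vlinks.append(msg["vlsp"]["tunnel"])
            self.events.append("RESPONSE: reserved, virtual link installed")
        else:                                     # intermediate node commits its pre-reservation
            self.committed[sid] = self.pending.pop(sid, 0)
            self.events.append("RESPONSE: committed, forwarded")
        return msg

    def release(self, sid):
        """Give back a pre-reservation when a later hop rejected the RESERVE."""
        self.free += self.pending.pop(sid, 0)


def setup_virtual_link(path, vlsp, bw_mbps, sid="vl-1"):
    """Run RESERVE forward and RESPONSE backward along path (initiator first).
    Returns True when both endpoints have installed the virtual link."""
    initiator, *middle, responder = path
    reserve = {"type": "RESERVE", "sid": sid, "initiator": initiator.name,
               "qspec_mbps": bw_mbps, "vlsp": vlsp}
    msg = attach_session_auth(reserve, initiator.key)
    hops = middle + [responder]
    for i, node in enumerate(hops):
        msg = node.on_reserve(msg, responder=node is responder)
        if msg is None:                           # roll back pre-reservations made so far
            for earlier in hops[:i]:
                earlier.release(sid)
            return False
    for node in reversed(middle):
        msg = node.on_response(msg, initiator=False)
        if msg is None:
            return False
    return initiator.on_response(msg, initiator=True) is not None


if __name__ == "__main__":
    a, b, c = Node("RouterA", 100), Node("RouterB", 100), Node("RouterC", 50)
    vlsp = {"src_vm": "VM1", "dst_vm": "VM2", "tunnel": "tunAC"}   # constructed VLSP content
    print("setup 40 Mbit/s:", setup_virtual_link([a, b, c], vlsp, 40))
    print("setup 15 Mbit/s:", setup_virtual_link([a, b, c], vlsp, 15, sid="vl-2"))
    for node in (a, b, c):
        print(node.name, node.free, node.events)
```

Running the file prints each node's event log: the first setup succeeds at every hop, while the second is rejected by admission control at Router C, which makes Router B release the bandwidth it had pre-reserved. Changing any signed field (for example the bandwidth) after attach_session_auth, or stripping the object, makes verify_session_auth fail, so the message is dropped before any resources are touched; this is the integrity property the slide attributes to the SessionAuthorization object, and the HMAC cost is a single SHA-1 pass per message.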

SLIDE 16

Conclusion and Summary

  • Combining QoS reservation and virtual link setup is useful and efficient
  • Extension of an existing NSIS signaling protocol was easy
  • The additional VLSP object is ignored by intermediate nodes, which still perform QoS resource reservation
  • Local link setup within nodes is much more costly than pure signaling and admission control processes
  • Securing the signaling is important and can be done without significant overhead
  • Currently: extend the approach by node setup

SLIDE 17

Thank you!