1 SVDC: A Highly Scalable Isolation Architecture for ... . SVDC - A Highly...¢ 1 SVDC: A...
Embed Size (px)
Transcript of 1 SVDC: A Highly Scalable Isolation Architecture for ... . SVDC - A Highly...¢ 1 SVDC: A...
SVDC: A Highly Scalable Isolation Architecture for Virtualized Layer-2 Data Center Networks
Congjie Chen, Student Member, IEEE, Dan Li, Senior Member, IEEE, Jun Li, Senior Member, IEEE, Konglin Zhu, Member, IEEE
Abstract—While large layer-2 networks are widely accepted as the network fabric for modern data centers and network virtualization is required to support multi-tenant cloud computing, existing network virtualization solutions are not specifically designed for layer-2 networks. In this paper, we design SVDC, a highly-scalable and low-overhead virtualization architecture for large layer-2 data center networks. By leveraging the emerging software defined networking (SDN) framework, SVDC decouples the global identifier of a virtual network from the identifier carried in the packet header. Hence, SVDC can scale to a great number of virtual networks with a very short tag in the packet header, which is never achieved by previous network virtualization solutions. SVDC enhances MAC-in-MAC encapsulation in a way that packets with overlapped MAC addresses are correctly forwarded even without in-packet global identifiers to differentiate the virtual networks they belong to. Besides, scalable and efficient layer-2 multicast and broadcast within virtual networks are also supported in SVDC. With extensive simulations and experiments, we show that SVDC is better than existing solutions in many aspects, particularly isolating virtual networks with high scalability and higher network goodput due to minimal packet header overhead.
Index Terms—data center network, network virtualization, multi-tenant cloud computing.
1 INTRODUCTION Virtualization is one of the paramount enabling technologies for the success of multi-tenant cloud computing. Through virtualization, cloud providers make profits by multiplex- ing physical resources among a large number of tenants, while tenants benefit from the “pay-as-you-go” charging model and rapid resource provision. Although computation virtualization technologies (by virtual machines, or VMs) have been developed for decades, cloud network virtual- ization only received attention recently, partially because of the cloud security and privacy concerns in the virtualized environment.
Due to the simplicity and easiness to manage, large layer-2 network is more and more widely accepted as the fabric to build a data center network. Scalable layer-2 archi- tectures, such as TRILL , SPB  and PortLand , are proposed as either industry standards or research artifacts. The layer-2 network can even cross the Internet via services such as VPLS . However, this kind of layer-2 network fabric design mainly focuses on routing/forwarding rules
• Congjie Chen, Dan Li and Konglin Zhu are with the Department of Computer Science, Tsinghua University.
• Jun Li is with the Department of Computer and Information Science, University of Oregon.
• Konglin Zhu is also with the School of Information and Communication Engineering, Beijing University of Posts and Telecommunications.
The work was supported by the National Key Basic Research Program of China (973 program) under Grant 2014CB347800, the National Natural Science Foundation of China under Grant No.61502045, the National Natural Science Foundation of China under Grant No.61522205, No.61432002, No. 61133006, the National High-tech R&D Program of China (863 program) under Grant 2013AA013303, 2015AA01A705, 2015AA016102, EU FP7 Marie Curie Actions project Grant Agreement No. 607584 (the Cleansky project), ZTE corporation and Tsinghua University Initiative Scientific Re- search Program.
in the network, and it is still an open issue how to run a multi-tenant network virtualization scheme on top of the network fabrics. Existing network virtualization solutions either face severe scalability problem , or are not specifi- cally designed for layer-2 networks –. Particularly, we need to address the following challenges in designing such a layer-2 virtualization solution.
First, for a large-scale, geographically distributed layer- 2 network operated by a cloud provider, the potential number of tenants and virtual networks can be huge. Net- work virtualization based on VLan  can support at most 4094 virtual networks, which is obviously not enough. Al- though VxLan , NvGRE  and NetLord  can support 16,777,216 virtual networks, they are at the cost of using much more bits in the packet header. The fundamental issue is, in existing network virtualization proposals –, the number of virtual networks that can be differentiated depends on the number of bits, aka the tag, used in the packet header. An interesting question is: can we design an isolation architecture for virtualized layer-2 networks whose upper limit of supported virtual networks exceed the length constraint of the extra tag it inserts in the packet header?
Second, given the possible overlapped MAC addresses for VMs in different virtual networks and the limited for- warding table size in data center switches, it is inevitable to encapsulate the original MAC address of a packet when transmitting it in the core network. MAC-in-UDP encap- sulation used in VxLAN  and MAC-in-IP encapsula- tion used in NetLord  incur unnecessary packet head- er overhead for a layer-2 network. Compared with them, MAC-in-MAC encapsulation is more suitable. Although it is proposed in previous works such as Provider Backbone Bridges , we need to enhance it to work well in the multi- tenant network virtualization scenario where VM addresses
largely overlap. Third, multicast service is common in data center net-
works , , but how to support multicast in a layer- 2 network, particularly in a multi-tenant virtualized layer- 2 network, is still open. A desired capability for a layer-2 network virtualization approach is to support efficient and scalable layer-2 multicast as well as broadcast.
We design SVDC in this paper, which leverages the framework of software defined networking (SDN) to ad- dress the challenges above, and achieves the goal of high scalability and low overhead in the following ways.
First, SVDC decouples the global identifier of a virtual network and the in-packet tag. The global identifier is maintained in the SVDC controller while the in-packet tag is only used to differentiate virtual networks residing in the same server. We denote the global virtual network identifier maintained in the SVDC controller as global tenant network identifier (GTID) and the server-local identifier of a virtual network, which is inserted in the packet header, as local tenant network identifier (LTID). In this way, SVDC is able to encompass a great number of virtual networks largely exceeding the short tag length carried in the packet header, which is never achieved by previous network virtualization solutions.
Second, SVDC uses MAC-in-MAC encapsulation in ingress edge switches to mask the overlapped VM addresses in the core network and employs two techniques to guaran- tee correct packet forwarding in the first hop and last hop even without in-packet global virtual network identifier. In the ingress edge switch, SVDC rewrites the LTID of the packet based on the original LTID of it together with the incoming port of it, which helps correct delivery after the packet arrives at the destination server. For the egress edge switch to correctly forward the packet out after decapsula- tion, SVDC reuses the VLan field of the outer MAC header to indicate the forwarding port of the egress edge switch. In this way, SVDC enhances MAC-in-MAC encapsulation to enable correct packet forwarding in the whole process with minimum efforts.
Third, SVDC efficiently supports up to tens of billions of multicast and broadcast groups with possible overlap- ping multicast or broadcast addresses in different virtual networks sharing the same physical layer-2 network, by the same framework. Each multicast or broadcast group address within a virtual network is translated to a global unique multicast group address that is assigned to the virtual network, which is maintained by the SVDC controller and carried by the packet multiplexing the destination MAC address as well as the VLan field in the outer MAC header.
We carry out extensive simulations and experiments to evaluate SVDC. The results show that SVDC outperforms existing solutions on many fronts, including its highest virtual network scalability and highest aggregate network goodput due to minimized packet header overhead. The overhead on the SVDC controller is also shown to be af- fordable.
The rest of this paper is organized as follows. Section 2 describes the background of the SVDC design. Section 3 and Section 4 present the SVDC design overview and design details, respectively. Sections 5 and 6 describe the evaluation results. Section 7 and Section 8 discuss several important
considerations in SVDC deployment and related works of SVDC, respectively. Finally, Section 9 concludes the paper.
2 BACKGROUND Cloud providers prefer to preserve a layer-2 model for inter- VM communication in virtualized data center networks due to its simplicity and easy management. However, there are many challenges in deploying pure layer-2 network virtualization.
To maintain the ”plug-and-play” features of layer-2 net- works, most of basic layer-2 network operations rely on broadcasting, such as Address Resolution Protocol (ARP) , Dynamic Host Configuration Protocol (DHCP) and lo- calizing unknown end hosts for Ethernet switches. Since tenants share the physical network resources in virtualized data center networks, frequent broadcasting may cause severe network performance interference among tenants. Meanwhile, the shared nature of