Course Name: CSc 8320 Advanced Operating Systems
Instructor: Dr. Yanqing Zhang
Presented By: Sunny Shakya

Latest AOS techniques, applications and future work: CLOUDPOLICE
Outline
Part 1 – Context and Motivation
• Access control for clouds: why and what?
• Limitations of traditional mechanisms
Part 2 – CloudPolice Approach
• Operation
Future Work
Context
• Infrastructure as a Service: virtualized clouds
• Traffic internal to the cloud
(Figure: a hypervisor hosting several VMs)
Context
• Cloud computing requires network access control
• Access control policy of tenant X: what network traffic is tenant X willing to accept
(Figure: Tenant X declares "Y can talk to me"; Tenant Y)
Why Access Control in Clouds? For isolation
• Policy: deny incoming traffic from any other tenant
(Figure: Tenant 1 and Tenant 2 isolated from each other)
Why Access Control in Clouds? For inter-tenant & tenant-provider communication
• Policy: weighted bandwidth allocation between tenants
• Share bandwidth fairly among tenants regardless of the number of VM sources
(Figure: Tenant 1 (Ad Network 1) and Tenant 2 (Ad Network 2) both reach Tenant 3's Database)
Why Access Control in Clouds? DoS protection
• One tenant can attack another tenant: reduce its bandwidth and slow down its machines
• Attackers are more powerful: higher bandwidths
• The barrier is lower: pay for attacking hosts
(Figure: same Ad Network / Database setup; Tenant 2 sends DoS traffic toward Tenant 3's Database)
Hence, the problem
Want access control in clouds that:
• Is resilient to DoS
• Supports rich inter-tenant policies
• Scales: 100k servers, 10k tenants
• Tolerates high dynamicity: 100k VMs started per day, more than one per second
Traditional access control mechanisms are not well suited to meeting these requirements.
Existing Access Control
• Access control in the cloud is provided using VLANs and firewalls
• Originally designed for enterprise environments
• But clouds != enterprises
Clouds != Enterprises
• Enterprises are not multi-tenant: few DoS concerns between departments, typically simpler policies
• Clouds have different network designs: high bisection bandwidths, multiple paths, different L2/L3 mix; many new topologies: FatTree, BCube, DCell, etc.
• Limited scalability
Goal
Network Access Control for Clouds that is:
1. Independent of network topology and addressing
2. Scalable (millions of hosts, high churn)
3. Flexible (rated access, fair access)
4. Robust to (internal) DoS attacks
CloudPolice
(Figure: a hypervisor hosting VMs; access control is enforced in the hypervisor)
Sufficient and advantageous to implement access control only within hypervisors:
• Trusted
• Network independent
• Full software programmability: flexible
• Close to VMs: block unwanted traffic before it enters the network, which helps against DoS
• Easy deployability
CloudPolice Policy Model
(Figure: a hypervisor hosting VMs; access control is implemented only within hypervisors)
• Group = set of tenant VMs with the same access control policy
• Policy = set of Rules; Rule = IF Condition THEN Action
• Condition = logical expression with predicates based on:
  • Group of sender
  • Packet header
  • Current time
  • History of traffic
• Action: Allow, Block, or Rate-limit (token bucket)
• Applied per flow, per source VM, or per source group
CloudPolice
Hypervisor
X Y Z
Policies for X, Y and Z
CloudPolice
Each hypervisor needs to know for hosted VMs: group and policy
X’s group policy:IF group = A allowIF group = B blockIF group = C & port = 80 rate-limit to 100Mbps
Y’s group policy:
Z’s group policy:
IF …
IF …
Policy could also be specified / updated
by VM
Installed by provider service that starts VMs
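As an added illustration (not code from the slides or from the CloudPolice authors), here is a toy evaluator for the policy model above: X's group policy encoded as ordered rules, a token bucket for the rate-limit action, and one extra history-based and one time-based rule to exercise the other predicate kinds. Field names, rates, the burst size and the default-deny fallback are assumptions.

```python
# Added example (not from the slides): a toy evaluator for the CloudPolice policy
# model. A policy is an ordered list of rules (IF condition THEN action); a condition
# may test the sender's group, packet-header fields, the current time and the sender's
# traffic history. Field names, rates and the default-deny fallback are assumptions.

class TokenBucket:
    """Rate-limit action: admit up to `rate` bytes/s with a burst of `burst` bytes."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, now

    def admit(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < nbytes:
            return False
        self.tokens -= nbytes
        return True

class GroupPolicy:
    """Policy of one group; the hypervisor evaluates it per flow from each source VM."""
    def __init__(self, rules):
        self.rules = rules     # (condition, action) pairs; first match wins
        self.buckets = {}      # (src_vm, dst_port) -> TokenBucket for rate-limited flows
        self.history = {}      # src_vm -> bytes seen so far (the "history of traffic")

    def decide(self, pkt, now):
        """Return 'allow', 'block' or 'rate-limit' (packet exceeds its token bucket)."""
        self.history[pkt["src_vm"]] = self.history.get(pkt["src_vm"], 0) + pkt["len"]
        ctx = dict(pkt, now=now, seen=self.history[pkt["src_vm"]])
        for cond, action in self.rules:
            if not cond(ctx):
                continue
            if action in ("allow", "block"):
                return action
            _, rate, burst = action
            key = (pkt["src_vm"], pkt["dst_port"])
            bucket = self.buckets.setdefault(key, TokenBucket(rate, burst, now))
            return "allow" if bucket.admit(pkt["len"], now) else "rate-limit"
        return "block"         # assumption: traffic matching no rule is denied

MBPS = 125_000   # bytes per second in one Mbit/s
# X's group policy from the slide, plus a history rule and a time-of-day rule
# constructed here to exercise the other predicate kinds the model allows.
policy_x = GroupPolicy([
    (lambda c: c["seen"] > 10**9, "block"),                     # history: >1 GB from one VM
    (lambda c: c["src_group"] == "A", "allow"),
    (lambda c: c["src_group"] == "B", "block"),
    (lambda c: c["src_group"] == "C" and c["dst_port"] == 80,
     ("rate-limit", 100 * MBPS, 10 * MBPS)),                    # 100 Mbps, 10 Mbit burst
    (lambda c: c["src_group"] == "D" and 9 * 3600 <= c["now"] % 86400 < 17 * 3600, "allow"),
])
```

Call `policy_x.decide(packet, now)` with a packet dict carrying `src_vm`, `src_group`, `dst_port` and `len`; the token bucket admits a 10 Mbit burst from a group-C sender on port 80, then refills at 100 Mbps.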
CloudPolice
(Figure: the hypervisor hosting X, Y and Z filters incoming and outgoing flows)
• Filter for incoming/outgoing flows
CloudPolice
(Figure: a source hypervisor hosting X, Y and Z and a destination hypervisor hosting A, B and C; X starts a flow to C)
• Start flow to C
• CloudPolice inserts a control packet before the flow
CloudPolice
(Figure: the same two hypervisors; the destination hypervisor checks C's policy)
• CloudPolice verifies the policy of the destination VM
• If allowed, packets are forwarded to the destination VM
• If blocked or rate-limited, send a control packet to the source hypervisor to block or rate-limit the source (flow/VM)
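The control-packet exchange of the last two slides, as an added simulation (not the authors' code): a source hypervisor sends a control packet before each new flow to the hypervisor hosting the destination VM, which checks the destination's policy and, for a block or rate-limit verdict, answers with a control packet that the source hypervisor installs as a filter. Message fields, the policy callable and the VM/group names are assumptions.

```python
# Added example (not from the slides): the CloudPolice control-packet exchange between
# a source and a destination hypervisor, simulated in one process. Message fields, the
# policy callable and the VM/group names are assumptions. Hypervisors are trusted, so
# the destination believes the source group that the source hypervisor reports.

class Hypervisor:
    def __init__(self, vm_groups, policies):
        self.vm_groups = vm_groups  # hosted VM -> group, installed by the provider service
        self.policies = policies    # hosted VM -> policy(src_group, dst_port) -> action
        self.filters = {}           # (src_vm, dst_vm, dst_port) -> action the destination requested
        self.control_seen = 0       # control packets this hypervisor has verified
        self.delivered = []         # (dst_vm, payload) handed to hosted VMs

    def start_flow(self, src_vm, dst_hv, dst_vm, dst_port, payload):
        """Source side: insert a control packet before the first packet of a new flow."""
        key = (src_vm, dst_vm, dst_port)
        if key not in self.filters:
            dst_hv.receive({"type": "control", "src_hv": self, "src_vm": src_vm,
                            "src_group": self.vm_groups[src_vm], "dst_vm": dst_vm, "dst_port": dst_port})
        if self.filters.get(key) == "block":
            return None             # enforced at the source: the packet never enters the network
        return dst_hv.receive({"type": "data", "src_vm": src_vm, "src_group": self.vm_groups[src_vm],
                               "dst_vm": dst_vm, "dst_port": dst_port, "payload": payload})

    def install_filter(self, src_vm, dst_vm, dst_port, action):
        """Source side: record the destination's verdict for this flow (a real system
        would attach a token bucket for 'rate-limit'; here it is only recorded)."""
        self.filters[(src_vm, dst_vm, dst_port)] = action

    def receive(self, msg):
        """Destination side: verify the destination VM's policy for the flow."""
        action = self.policies[msg["dst_vm"]](msg["src_group"], msg["dst_port"])
        if msg["type"] == "control":
            self.control_seen += 1
            if action != "allow":   # reply with a control packet: block/rate-limit at the source
                msg["src_hv"].install_filter(msg["src_vm"], msg["dst_vm"], msg["dst_port"], action)
            return action
        if action == "block":
            return "dropped"        # data that skipped or ignored the control exchange
        self.delivered.append((msg["dst_vm"], msg["payload"]))
        return "delivered"

def policy_c(src_group, dst_port):
    """C's group policy, mirroring the slide's X policy: A allowed, B blocked, C rate-limited on port 80."""
    if src_group == "A":
        return "allow"
    if src_group == "C" and dst_port == 80:
        return "rate-limit"
    return "block"              # assumption: unknown groups are denied
```

To run it, build `Hypervisor({"X": "A", "Y": "B", "W": "C"}, {})` as the source and `Hypervisor({"C": "C"}, {"C": policy_c})` as the destination, then call `start_flow` on the source; a blocked flow costs one control packet and is afterwards dropped at the source without touching the network, while a data packet that skips the exchange is still dropped at the destination.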
Future Work
Extend CloudPolice:
• Policies with application-level semantics (dynamic policies)
• Policies based on group-wide state
Beyond access control?
• More flexible actions, e.g., send to a middlebox
• Performance isolation framework
References
• Popa et al., "CloudPolice: Taking Access Control out of the Network," HotNets 2010, October 20-21, 2010, Monterey, CA, USA.
• X. Yang, D. J. Wetherall, and T. Anderson, "A DoS-limiting Network Architecture," in ACM SIGCOMM, 2005.