Optimizing Resource Allocation for Elastic Security ... - IEEE Xplore

Optimizing Resource Allocation for Elastic Security VNFs in the SDNFV-enabled Cloud Computing

Trung V. Phan†, Nguyen Khac Bao†, Youngpin Kim†, Hyun-Jin Lee§, Minho Park†,∗

† Department of Information Communication, Materials, and Chemistry Convergence Technology, Soongsil University, Seoul 156-743, Korea
§ Electronics and Telecommunications Research Institute
Email: {trungpv,khacbao,ypk,mhp}@ssu.ac.kr, [email protected]

Abstract—This paper proposes a proactive optimal resource allocation scheme for elastic security Virtualized Network Functions (VNFs) in Service Function Chaining on the Software Defined Network Function Virtualization (SDNFV)-enabled cloud environment. We first analyze our system model and transform it into M/M/1/∞ and M/M/k queueing models. Then we define mathematical requirements by analyzing the new VNF resource allocation function and estimating the total number of packets in an SFCi system. From these requirements, we finally propose a proactive resource allocation optimizer with solvable and practical constraints.

Index Terms—Resource Allocation; Service Function Chaining; Software-Defined Networking; Network Function Virtualization; Cloud Computing

I. INTRODUCTION

Fig. 1. The emerging SDNFV-enabled cloud computing

Network Function Virtualization (NFV) [1] is an emerging technology that virtualizes services and network functions as Virtualized Network Functions (VNFs) [2]. It provides several advantages, such as reduced equipment cost, improved operating performance, optimized resource allocation, flexible network deployment and energy saving. Along with NFV, Software Defined Networking (SDN) [3]–[5] has proved its novelty and benefits in network control, monitoring and management by utilizing the flexibility of a new network framework, especially in the cloud computing environment. In addition, Service Function Chaining (SFC) technology [6]–[9] gives network and cloud operators the ability to set up an ordered list of network services and functions (e.g. Firewalls, DPI, Load Balancing). After the ordered list is defined, these services are stitched together in the network to create a service chain as shown in Fig. 1, and the SFC traffic is then forwarded through this service chain by network components. SFC benefits from both NFV and SDN, becoming more flexible and dynamic in steering network traffic through a particular VNF sequence. These three combined technologies play important roles in shaping the future cloud computing environment, namely the SDNFV-enabled cloud [10] shown in Fig. 1, for both researchers and industry.

∗ Corresponding author

978-1-5090-5124-3/17/$31.00 ©2017 IEEE

While SFC deployment on the SDNFV-enabled cloud brings many benefits and advantages, there are many crucial issues [11] that need to be solved to improve SFC flexibility and adaptability in the cloud environment. Among these major problems, performance and management considerations should be given higher priority in order to provide cloud SFC customers with a better quality of service (QoS). With regard to handling the inconstant SFC traffic of customers on the SDNFV-enabled cloud domain, several previous works [12]–[15] proposed solutions for dynamic VNF placement that adapts to traffic changes. However, cloud resource optimization when more VNF instances are demanded has not been solved in these works. Furthermore, cloud providers commonly rely on reactive schemes to adapt to the unstable traffic of their customers, setting hard thresholds and initiating pre-made VNF images. For example, an SFC always includes some prior security VNFs, such as DPI and Firewall, to detect and filter abnormal traffic; these VNFs are used in a reactive way so that they can handle even sudden heavy traffic in an emergency. Although these reactive mechanisms can resolve some urgent situations, they are not an optimal solution in terms of resource allocation minimization for a cloud provider, as discussed in [16], [17].


ICOIN 2017

Therefore, in this paper, we introduce a novel proactive optimal resource allocation scheme for elastic security VNFs in Service Function Chaining on the SDNFV-enabled cloud environment. Our proposal considers the first security VNF layer and transforms it into a queueing system for systematic analysis, in order to find solvable and practical constraints for optimal VNF instantiation in the cloud environment. We prove that our proposed approach is a feasible and practical solution for the resource allocation minimization issue in future cloud computing. The rest of the paper is structured as follows. Section II presents how the system is modeled and provides a thorough analysis. Section III concludes the paper and outlines future work.

II. SYSTEM MODELING AND ANALYSIS

A. Assumptions and System Modeling

First of all, in order to produce our system model, analysis and practical design, we make the following reasonable assumptions:

• We suppose the SDNFV-enabled cloud provider serves s SFC customers, and the cloud always has enough resources to provide its SFC customers with scalability in case of abrupt changes for each service chain. In this research, this means initiating more VNFs as fast as possible when the traffic volume exceeds the processing capability of a VNF.
• We assume the arrival rate of all SFC customers' traffic to the prior security VNFs on the SDNFV cloud follows the Poisson distribution [19] in both cases of low and high volume of normal traffic.
• It is assumed that the service rate of each VNF obeys an exponential distribution, which is common in queueing theory [19].
• We only consider security Service Functions (VNFs) in this research work. This is quite reasonable because network traffic always has to pass through security checking before reaching a real service such as a Web server or FTP server. Besides, the security checking process usually takes considerable time to detect and filter malicious traffic; hence, this procedure easily becomes a bottleneck, and the cloud provider often offers its customers an elastic solution for better QoS under high traffic volume.

Fig. 2. The SDNFV-enabled cloud with an SFCi under the increasing traffic condition

In general, the cloud provider serves all s SFC customers. However, for convenience of detailed investigation, we take a specific SFCi (i ≤ s) into account in our research. As shown in Fig. 2, we consider the service chaining system on the Internet SDNFV-enabled cloud domain as a black box with its input and output. The SFCi consists of a buffer for incoming packets (queue Q in the diagram) and n VNFs if the traffic volume is under the stable traffic condition (only the 1st security VNF 01 is initiated), where normally n ≥ 2. The service chain includes a buffer (queue Q) and (n − 1 + k − 1) VNFs (black rectangle line) when the SFCi is serving a high volume of incoming traffic, where k ≥ 2. The explanation for the kth VNF 01 (red rectangle line) is that the cloud provider recognizes the increasing traffic trend and takes immediate action to initiate one more security VNF for the SFCi to guarantee quality of service (QoS) [18]. From the assumptions and analyses above, we can transform the SFCi system on the SDNFV cloud into an M/M/k model [19] (exponential arrival and service rates), in which the model becomes an M/M/1/∞ queue system under normal traffic volume (Case I) and an M/M/k queue model under high traffic volume (Case II).

B. New VNF Resource Allocation Analysis

We denote by $f_R(\cdot)$ a function that represents the resource allocation for a new security VNF. Let the variable $x$ be the processing requirements of various resources, such as $x = \{\text{CPU, RAM Memory, Disk Space}\}$. Evidently, $f_R(\cdot)$ depends on $x$ and the time point $t$; we thus refer to it as $f_R(x,t)$. As mentioned previously, the incoming traffic obeys the Poisson distribution, and we denote the arrival rate as $\lambda$ and the service rate of the security $VNF_j$ as $\mu_j$, where $j = 1$ in Case I and $1 < j \le k$ in Case II. With the advantages of SDN and NFV technologies integrated into the cloud, network traffic control and monitoring become much easier than in legacy networks. For example, the SDN controller is able to monitor the bandwidth or the average number of transferred packets of a specific VNF. Therefore, we denote the average number of incoming packets per second of $VNF_j$ as $\overline{ps}_j$, and we usually want $\overline{ps}_j \le \mu_j$ to keep the system in a stable state. In general, the total average number of incoming packets per second of the $k$ security VNFs at time point $t$ is

$$\overline{ps}_{tt}(t) = \sum_{j=1}^{k} \overline{ps}_j, \quad 1 \le j \le k. \tag{1}$$

The service rates of the $k$ VNFs can vary because incoming traffic conditions differ over time; we therefore have the following system service rate $\mu_{tt}$:

$$\mu_{tt} = \sum_{j=1}^{k} \mu_j, \quad 1 \le j \le k. \tag{2}$$

For a stable-state system, we always want the constraint $\overline{ps}_{tt} \le \mu_{tt}$ to hold on the cloud for every SFCi. This constraint becomes the first requirement for our system model when the cloud has $k$ security VNFs.

C. Estimation of the total number of packets in SFCi system

We first consider the M/M/1/∞ queueing model in Case I, where we have

$$P\{X = a\} = \frac{\lambda^a e^{-\lambda}}{a!}, \quad a = 0, 1, 2, \ldots, \tag{3}$$

where $a$ is the number of arrivals and $P\{X = a\}$ is the probability of $a$ arrivals in a given time interval. We denote a utility parameter as $\rho = \frac{\lambda}{\mu}$, and we always hope $\rho \le 1$ to keep a stable system. We calculate the steady-state probability $\pi_a$, which means there are $a$ packets in the system, as follows:

$$\pi_0 = 1 - \frac{\lambda}{\mu}, \qquad \pi_a = \left(\frac{\lambda}{\mu}\right)^a \pi_0. \tag{4}$$

By applying queueing theory [19], we have $A$ as a random variable representing the total number of customers or packets in the system in steady state, which is calculated as

$$E[A] = \frac{\rho}{1 - \rho}. \tag{5}$$

Next, we suppose the kth VNF is already initiated, and we take the M/M/k queue system into account in order to approximate the number of packets in the SFCi system. We define a constant $m$ ($m \ge 1$) which expresses how much greater the arrival rate $\lambda$ in Case II is in comparison with the former case. Obviously, the arrival rate in the M/M/k queue system is $m\lambda$, with different service rates $\mu_j$ ($1 \le j \le k$). Moreover, Case II depicts the increasing traffic volume and the demand for one more security VNF, the kth. In other words, the 1st to the (k − 1)th VNFs are busy because they are serving a lot of packets; therefore, if we calculate $\pi_a$ for the system steady state in this case, we always have $a \ge k$, and $\pi_a$ is defined by equation 6, where $\sum_{a=k}^{\infty} \frac{\prod_{l=0}^{a-k} \rho_l}{k^{a-k}}$ is equal to $\frac{k}{k - \frac{m\lambda}{\mu_{tt}}}$. This is because the evolution of the M/M/k queue system while the total number of customers in the system is $A \ge k$ is equivalent to that of an M/M/1 queue with arrival rate $\lambda$ and service rate $k\mu$ [19].

$$\pi_a = \frac{\prod_{j=1}^{a} \rho_j \, \pi_0}{k! \, k^{a-k}} = \frac{m^a \lambda^a \, \pi_0}{\prod_{j=1}^{a} \mu_j \, k! \, k^{a-k}}, \quad a \ge k,$$

$$\pi_0 = \left( \sum_{a=0}^{k-1} \frac{\prod_{j=1}^{a} \rho_j}{a!} + \frac{\prod_{j=1}^{a} \rho_j}{a!} \sum_{a=k}^{\infty} \frac{\prod_{l=0}^{a-k} \rho_l}{k^{a-k}} \right)^{-1} = \left( \sum_{a=0}^{k-1} \frac{m^a \lambda^a}{\prod_{j=1}^{a} \mu_j \, a!} + \frac{m^a \lambda^a}{\prod_{j=1}^{a} \mu_j \, a!} \, \frac{k}{k - \frac{m\lambda}{\mu_{tt}}} \right)^{-1}, \tag{6}$$

Therefore, in our system the arrival rate is $m\lambda$ and the service rate is $\mu_{tt}$. Accordingly, we compute the total number of customers or packets in the system, $A$, as follows:

$$E[A] = C_k(\rho) \frac{\rho}{k - \rho} + \rho, \tag{7}$$

where $\rho = \frac{m\lambda}{\mu_{tt}}$ and $C_k(\rho)$ is calculated by equation 8:

$$C_k(\rho) = \sum_{a=k}^{\infty} \pi_a = \frac{\rho^k}{k!} \, \frac{k}{k - \rho} \, \pi_0 = \frac{\dfrac{\left(\frac{m\lambda}{\mu_{tt}}\right)^k}{k!} \, \dfrac{k}{k - \frac{m\lambda}{\mu_{tt}}}}{\sum_{a=0}^{k-1} \dfrac{m^a \lambda^a}{\prod_{j=1}^{a} \mu_j \, a!} + \dfrac{m^a \lambda^a}{\prod_{j=1}^{a} \mu_j \, a!} \, \dfrac{k}{k - \frac{m\lambda}{\mu_{tt}}}}, \quad a \ge k. \tag{8}$$

From the two estimations of both queueing models, if the system requires one more security VNF (the kth), this leads to the obvious second requirement, which is defined as follows:

$$E[A]_{M/M/1/\infty} \le A^e_{SFC_i} \le E[A]_{M/M/k}, \tag{9}$$

$$\leftrightarrow \quad \frac{\rho}{1 - \rho} \le A^e_{SFC_i} \le C_k(m\rho) \frac{m\rho}{k - m\rho} + m\rho, \tag{10}$$

where $A^e_{SFC_i}$ is the estimated number of packets in both the queue Q and the $k$ servers in the SFCi.

D. Proposed Proactive Resource Allocation Optimizer

We suppose that the SFCi system is now at time point $t$ with $(k − 1)$ security VNFs ($k > 1$) in the cloud system, and the cloud provider is raising an alert demanding more VNFs because of the estimated traffic increase based on the history of the SFCi. These changes urgently require one more security VNF (the kth) with the least resources that still efficiently handles the incoming traffic increase. From the system model and the analyses above, we can recast these urgent requirements as an optimization problem: minimizing the resource allocation function $f_R(x,t)$ for a new security VNF to meet the increasing traffic requirement while guaranteeing the QoS of the SFCi on the cloud at time point $t$. From equations 1, 2, 9 and 10, we can formulate the problem with the following solvable constraints:

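$$\arg\min f_R(x,t) \quad \text{s.t.} \quad \begin{cases} \mu_k \ge \overline{ps}_{tt}(t) - \sum_{j=1}^{k-1} \mu_j, \quad 1 \le j \le k, & (a) \\[4pt] \dfrac{\rho}{1-\rho} \le A^e_{SFC_i} \le C_k(m\rho) \dfrac{m\rho}{k - m\rho} + m\rho & (b) \end{cases} \tag{11}$$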
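As an added worked example (not code from the paper), the Python below evaluates both constraints of equation (11) for one candidate scale-out. It assumes every security VNF instance shares one service rate µ, so that the M/M/k bound takes the standard Erlang C form of equation (10); the function names and the sample rates are constructed for illustration.

```python
from math import factorial

def mm1_mean(rho):
    """Eq. (5): mean packets in the M/M/1 system, rho = lambda/mu."""
    if not 0 <= rho < 1:
        raise ValueError("M/M/1 has no steady state unless 0 <= rho < 1")
    return rho / (1 - rho)

def erlang_c(k, load):
    """C_k(load): probability that all k servers are busy (Erlang C)."""
    if not 0 <= load < k:
        raise ValueError("M/M/k has no steady state unless 0 <= load < k")
    busy = load**k / factorial(k) * k / (k - load)
    idle = sum(load**a / factorial(a) for a in range(k))
    return busy / (idle + busy)

def mmk_mean(k, load):
    """Right-hand side of eq. (10): mean packets in the M/M/k system."""
    return erlang_c(k, load) * load / (k - load) + load

def min_new_rate(ps_total, mu_existing):
    """Constraint (11a): smallest mu_k with mu_k >= ps_tt(t) - sum(mu_j)."""
    return max(0, ps_total - sum(mu_existing))

def check_bounds(a_est, lam, mu, m, k):
    """Constraint (11b): is the estimate inside [M/M/1 mean, M/M/k mean]?"""
    rho = lam / mu                     # Case I utilisation (assumed common mu)
    lower, upper = mm1_mean(rho), mmk_mean(k, m * rho)
    return lower <= a_est <= upper, lower, upper

if __name__ == "__main__":
    # Constructed sample: one running instance at 1000 pkt/s, baseline
    # arrivals of 800 pkt/s, traffic doubling (m = 2), scaling out to k = 2.
    lam, mu, m, k = 800, 1000, 2, 2
    print("mu_k must be at least", min_new_rate(m * lam, [mu]), "pkt/s")
    for a_est in (4.2, 5.0):
        ok, lo, hi = check_bounds(a_est, lam, mu, m, k)
        print(f"A_est={a_est}: bounds [{lo:.3f}, {hi:.3f}] -> {ok}")
```

With these constructed numbers the admissible window for the estimate is roughly 4.0 to 4.44 packets. When m·λ/µ reaches k the M/M/k bound has no steady state and the function raises, which indicates that k instances at rate µ cannot absorb the load.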

This optimization problem is absolutely feasible to be solved by satisfying the constraints in equation 10. Fortunately, with the advantages of SDN and NFV innovations, we can easily find solutions that satisfy these constraints. For example, the cloud provider can check the buffers of the switches and calculate the packets transferred between time points (t − 1) and t to predict the value of $A^e_{SFC_i}$.

III. CONCLUSION AND FUTURE WORK

In this paper, we propose a proactive optimal resource allocation scheme for elastic security VNFs in Service Function Chaining on the SDNFV-enabled cloud environment. We analyze our system model and transform it into M/M/1/∞ and M/M/k queueing models. Based on them, we define mathematical requirements by analyzing the new VNF resource allocation function and estimating the total number of packets in an SFCi system. Finally, we propose a proactive resource allocation optimizer with solvable and practical constraints. In future work, we will evaluate the proposed resource allocation optimizer and validate its performance in comparison with other schemes on the SDNFV-enabled cloud environment to obtain practical results.

IV. ACKNOWLEDGEMENTS

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0126-16-1026, Development of Core Technologies for SDN-based Moving Target Defense).

REFERENCES

[1] B. Han, V. Gopalakrishnan, L. S. Ji, and S. J. Lee, "Network Function Virtualization: Challenges and Opportunities for Innovations," IEEE Communications Magazine, vol. 53, no. 2, pp. 90–97, Feb. 2015.
[2] Network functions virtualisation white paper 3. [Online]. Available: https://portal.etsi.org/Portals/0/TBpages/NFV/Docs/NFV-WhitePaper3.pdf
[3] W. Xia, Y. Wen, C. Foh, D. Niyato, and Ha. Xie, "A Survey on Software-Defined Networking," IEEE Communication Surveys and Tutorials, vol. 17, no. 1, pp. 27–51, 2015.
[4] B. Nunes, M. Mendonca, X. Nguyen, K. Obraczka, and T. Turletti, "A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks," IEEE Commun. Surv. Tutor., vol. 16, no. 3, pp. 1617–1634, Aug. 2014.
[5] P. Goransson and C. Black, Software Defined Networks: A Comprehensive Approach, Elsevier, 2014.
[6] Service function chaining general use cases. [Online]. Available: https://tools.ietf.org/html/draft-liu-sfc-use-cases-08
[7] Service function chaining (sfc) architecture. [Online]. Available: https://tools.ietf.org/html/draft-merged-sfc-architecture-02
[8] Network service chaining problem statement. [Online]. Available: https://tools.ietf.org/html/draft-quinn-nsc-problem-statement-03
[9] Network service header. [Online]. Available: https://tools.ietf.org/html/draft-quinn-sfc-nsh-07
[10] OpenFlow-enabled SDN and Network Functions Virtualization. [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-sdn-nvf-solution.pdf
[11] Problem Statement for Service Function Chaining. [Online]. Available: https://tools.ietf.org/html/rfc7498
[12] R. Shi, J. Zhang, W. Chu, Q. Bao, X. Jin, C. Gong, Q. Zhu, C. Yu, and S. Rosenberg, "MDP and machine learning-based cost-optimization of dynamic resource allocation for network function virtualization," in IEEE International Conference on Services Computing (SCC), June 27–July 2, 2015, pp. 65–73.
[13] F. Callegati, W. Cerroni, C. Contoli, and G. Santandrea, "Dynamic chaining of virtual network functions in cloud-based edge networks," in the 1st IEEE Conference on Network Softwarization (NetSoft), 2015, pp. 1–5.
[14] S. Clayman, E. Maini, A. Galis, A. Manzalini, and N. Mazzocca, "The dynamic placement of virtual network functions," in The Network Operations and Management Symposium (NOMS), 2014, pp. 1–9.
[15] M. Ghaznavi, A. Khan, N. Shahriar, K. Alsubhi, R. Ahmed, and R. Boutaba, "Elastic virtual network function placement," in IEEE 4th International Conference on Cloud Networking (CloudNet), 5–7 Oct. 2015, pp. 255–260.
[16] Y. Xie, Z. Liu, S. Wang, and Y. Wang, "Service Function Chaining Resource Allocation: A Survey," arXiv:1608.00095 [cs.NI].
[17] A. Muhammad, M. Fiorani, L. Wosinska, and J. Chen, "Joint Optimization of Resource Allocation for Elastic Optical Intra-Datacenter Network," IEEE Communication Letters, vol. 20, no. 9, Sept. 2016.
[18] T. Kim, S. Kim, K. Lee, and S. Park, "A QoS Assured Network Service Chaining Algorithm in Network Function Virtualization Architecture," in 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid), 2015, pp. 1221–1224.
[19] M. Zukerman, Introduction to queueing theory and stochastic teletraffic models, 2016.