Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)

TOSEC: A TCP/IP Offload based Virtual Network Security Framework in NFV Environment

Authors
Hong-wei TANG, Sheng-zhong FENG, Xiao-fang ZHAO
Corresponding Author
Hong-wei TANG
Available Online December 2016.
DOI
10.2991/cnct-16.2017.117
Keywords
NFV, Network Security, Virtual Machine, VCPU Scheduling, TCP/IP Offload
Abstract

There are two significant problems with NFV-based virtual network security solutions. One is that the traditional subnet-centered architecture cannot prevent insider attacks between virtual machines in the same subnet. The other is the performance degradation caused by virtualization. Motivated by these two points, we propose a TCP/IP offload based virtual network security framework for the NFV environment, called TOSEC. In TOSEC, network security systems are packaged in virtual machines and deployed on each host machine to provide security checking and filtering of network traffic for each individual virtual machine. Furthermore, we take a macro view of inter-VM network communication optimization: TOSEC eliminates repeated TCP/IP stack processing on virtual machines by employing the TCP/IP offload technique, and securely shares Layer 7 payloads between the guest VM and the related security VMs via inter-VM shared memory. Moreover, evaluations of a prototype based on KVM show that TOSEC significantly improves the communication performance of the guest VM and reduces CPU utilization for both the guest VM and the security VMs. Specifically, with one security VM deployed, the communication latency of the guest VM is reduced to 68%~48% of that in a general NFV deployment, while with two security VMs the latency is reduced to 33%~22%.

Copyright
© 2017, the Authors. Published by Atlantis Press.
Open Access
This is an open access article distributed under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).

Volume Title
Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)
Series
Advances in Computer Science Research
Publication Date
December 2016
ISBN
10.2991/cnct-16.2017.117
ISSN
2352-538X
Cite this article

TY  - CONF
AU  - Hong-wei TANG
AU  - Sheng-zhong FENG
AU  - Xiao-fang ZHAO
PY  - 2016/12
DA  - 2016/12
TI  - TOSEC: A TCP/IP Offload based Virtual Network Security Framework in NFV Environment
BT  - Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)
PB  - Atlantis Press
SP  - 843
EP  - 852
SN  - 2352-538X
UR  - https://doi.org/10.2991/cnct-16.2017.117
DO  - 10.2991/cnct-16.2017.117
ID  - TANG2016/12
ER  -