    A Novel Approach To Classify Cloud Entities: Universal Cloud Classification (UCC)

    One of the fundamental requirements of Cloud Computing is the capability to provide scalable, transparent and isolated networks. This is achieved by using L2 segmentation via 802.1Q VLANs or overlay approaches such as 802.1ad, VxLAN, "Stateless Transport Tunneling" (STT) or "Network Virtualization using Generic Routing Encapsulation" (NVGRE). All of these technologies struggle to provide the required level of scalability, flexibility, performance and network isolation within a Data Center. Research efforts in the area of classification have fundamentally approached these challenges by introducing identifiers for segmentation or by providing overlay solutions to tunnel traffic. However, these research approaches are too specific and do not tackle the actual Cloud Computing classification challenges. Here, we investigate classification approaches with the goal of introducing a scalable, optional, hierarchical, end-to-end and transparent Layer 3 provider, service and tenant isolation scheme. This proposal addresses major challenges and limitations of current cloud classification schemes by offering these five advantages: (1) hierarchical end-to-end classification, (2) transparency to upper-layer protocols, (3) optional en-route and endpoint evaluation, (4) flexibility, and (5) improved performance over current overlay technologies. The solution proposal will be implemented and evaluated based on its feasibility, functionality, performance and usability in cloud-related use-cases.

    Towards cloud-aware policy enforcement with universal cloud classification as a service (UCCaaS) in software defined networks

    Network services are a critical component of today's networks. They apply critical functions (e.g. security, routing or quality of service) to traffic to enhance the experience of network operators and application consumers. Today these services are inserted physically on the data-forwarding plane without providing much flexibility to deal with different traffic types or affiliations. Cloud Computing, however, demands policy enforcement on a per-Provider, per-Service and/or per-Tenant basis. In addition, there is an increasing need for dynamic, transparent network chaining independent of the underlying transport infrastructure. We first introduce the concept of Universal Cloud Classification as a Service (UCCaaS) and then highlight how it can be leveraged in conjunction with Network Service Headers (NSH) to address the above challenges. UCC provides an addressing scheme to isolate traffic streams on a per-provider, per-service and/or per-tenant basis. To enable bi-directional policy enforcement in network functions, we extend the UCC proposal by adding source and destination support. NSH is a way to steer network traffic dynamically across a set of network functions. We demonstrate the feasibility and advantages of our UCCaaS + NSH proposal with an example application, where a service chain defines Access Control Lists and traffic rate limiting on a per-Service and per-Tenant basis. Our proposal opens a door for a wide range of cloud-aware network services and functions.

    Network Segmentation in the Cloud A Novel Architecture Based on UCC and IID

    Cloud Computing is known for its scalability, flexibility and on-demand workload creation. Today, cloud-enabled data centers utilize VLAN, VxLAN or GRE segmentation, but these techniques, despite being widely deployed, have a variety of inherent technical and architectural limitations. In this paper we introduce a novel architecture leveraging UCC and IID for segmentation, rather than the techniques traditionally used today (e.g., VLAN, VxLAN, etc.). The proposed architecture is entirely based on IPv6 and, for illustrative purposes only, is demonstrated using OpenStack as the cloud framework. Since the proposed reference architecture is based entirely on UCC and IID, two OpenStack-independent concepts, it could easily be realized in other cloud frameworks as well. UCC introduces cloud-specific traffic isolation within IPv6 extension headers. IIDs can be incorporated as a unique identifier within an IPv6 address to identify endpoints. The combination of both allows network devices to segregate traffic according to cloud service, cloud tenant and endpoint affiliation. Here, we highlight current shortcomings of existing segmentation techniques and define design considerations for the cloud framework in question (i.e., in this case OpenStack) to circumvent such limitations. The proposed architecture is depicted and explained in the context of a traffic flow example.

    Towards Cloud, Service and Tenant Classification for Cloud Computing

    One of the major concerns cloud computing platforms face today is the lack of a unique identification of the 'who' within the network infrastructure. State-of-the-art technologies (such as VLANs or IP addresses) lack the functionality to cope with the highly dynamic, scalable, ever-changing and virtualized cloud-enabled data center infrastructures. A shared and limited address space, or the loss of identification across boundaries, renders classification unusable for per-tenant, per-service or per-cloud-provider policies. In this work, we introduce the concept of a classification mechanism that is fine-grained enough to associate tenants, services and cloud providers with their network streams. The Tenant-ID, Service-ID and Cloud-ID are added as a tag to Layer 3 packets throughout the consumer-to-service communication. We argue that the proposed service and tenant isolation concept is generic enough to be applicable across the whole cloud environment, thereby eliminating current limitations and enabling new network functionality.