During the last year cloud computing has become in the new internet ... The
thesis is based on the research of the advantages of IPv6 over IPv4 and how.
Vlad Gâdescu
Benefits of IPv6 in Cloud Computing Master of Science Thesis
Subject and examiners approved by the Faculty of Computing and Electrical Engineering Council on 11 January 2012 Examiners: Prof. Jarmo Harju MSc. Aleksi Suhonen
ABSTRACT
TAMPERE UNIVERSITY OF TECHNOLOGY Master’s degree program in Information Technology Gâdescu, Vlad: Benefits of IPv6 in Cloud Computing Master’s thesis, 54 pages June 2012 Major subject: Communication Networks and Protocols Examiner(s): Prof. Jarmo Harju and MSc. Aleksi Suhonen Keywords: cloud computing, ipv6
Efficiency is one of the main focuses of the world, today. As the entire world relies on computers and networks, their efficiency is of utmost importance. Energy, processing power, storage and data access must all be used and offered in a most profitable and economical way possible. The majority of companies and businesses cannot afford the implementation and deployment of huge data centres, for their specific requirements. Thus, from need of efficiency in both business and IT environment, the cloud computing idea emerged: online infrastructures in which clients buy or rent processing power and storage, according to their needs. During the last year cloud computing has become in the new internet evolutionary trend. Due to its material and monetary merits, it has gained increasing popularity. As IPv6 was developed as a response to the limitations of IPv4, IPv6 brings new features and advantages, which fit into the cloud computing paradigm and provide means to better develop new techniques from which the modern data centres can profit. The development and implementation of IPv6 has been underway for some years and consequently, its improvements over IPv4 are skilfully outlined and acknowledged. The thesis is based on the research of the advantages of IPv6 over IPv4 and how they can improve the operation and efficiency of cloud computing. In the first part background information is presented, giving a brief view on what cloud computing and virtualization is, as well as a few problems that customer might find in the cloud computing idea. As the advantages of IPv6 over IPv4 are widely known, but their benefits for data centres are rarely exposed, the second part of the thesis focuses on how cloud computing environment can benefit from IPv6 by adjoining IPv6 and cloud computing. As a result, the thesis tries to portray a better image to both customers and network administrators, so that they could properly see and understand why IPv6 and cloud computing should be used together.
ii
PREFACE
The thesis was written as a response to the ever growing idea of cloud computing and low deployment of IPv6. It was based on personal research done both at the university and spare time and it is heavily depended on papers published on IEEE and RFCs. During the writing process I concluded that the background information should be presented more thoroughly in order to better support the benefits IPv6 bring to the cloud concept. Moreover, the benefits are presented in such a way that the thesis might be used as a source to motivate a faster deployment of IPv6 in cloud computing data centres. I would like to thank Prof. Jarmo Harju and MSc. Aleksi Suhonen for their guidance in the writing process and for the formalities regarding the university thesis process and my friend that help me with proofreading.
Tampere, 29 May 2012
Vlad Gâdescu (
[email protected]) Str. Carpenului, Nr. 3 500256 Brașov Romania
iii
TABLE OF CONTENTS
ABSTRACT ................................................................................................................... ii PREFACE ......................................................................................................................iii TABLE OF CONTENTS .............................................................................................. iv LIST OF FIGURES ....................................................................................................... vi LIST OF ABBREVIATIONS....................................................................................... vii 1 Introduction ................................................................................................................. 1 2 IPv4 and IPv6 differences ........................................................................................... 3 3 Virtualization and IPv6 ............................................................................................... 7 3.1 VPNs .................................................................................................................. 8 3.1.1 Traditional versus virtualized ISPs ............................................................. 8 3.2 Virtualization software - hypervisors and virtual networking ............................ 9 3.3 Server farms and potential problems ................................................................ 11 3.3.1 Traffic overhead and load balancing ......................................................... 12 3.3.2 Localization and migration ....................................................................... 13 4 Cloud computing ....................................................................................................... 15 4.1 Software infrastructure versus hardware infrastructure ................................... 16 4.2 Implementations of Cloud computing .............................................................. 18 4.3 Insecurities and problems in cloud computing ................................................. 19 4.4 Future of cloud computing ............................................................................... 21 5 IPv6 benefits in cloud computing ............................................................................. 23 5.1 Security benefits ............................................................................................... 23 5.1.1 NAT avoidance ......................................................................................... 23 5.1.2 IPsec .......................................................................................................... 27 5.2 Network Management benefits......................................................................... 32 5.2.1 IPv6 addressing and interface identifiers .................................................. 32 5.2.2 Stateless approach ..................................................................................... 35 5.2.3 Address validation..................................................................................... 36 5.3 QoS benefits ..................................................................................................... 38 5.4 Performance benefits ........................................................................................ 41 5.4.1 Load balancing .......................................................................................... 41 iv
5.4.2 Broadcast efficiency .................................................................................. 43 5.5 Mobility benefits .............................................................................................. 45 6 Conclusions ............................................................................................................... 49 7 Bibliography .............................................................................................................. 51
v
LIST OF FIGURES
Figure 1. Differences between IPv6 and IPv4 .................................................................. 4 Figure 2. IPv4 header [3] ................................................................................................. 5 Figure 3. IPv6 Header [4]................................................................................................. 5 Figure 4. Fragmentation Header [4] ................................................................................ 6 Figure 5. Non virtualization vs. virtualization .................................................................. 9 Figure 6. Type 1 and Type 2 hypervisors........................................................................ 10 Figure 7. Hardware infrastructure and software infrastructure .................................... 16 Figure 8. Cloud Computing deployment models............................................................. 18 Figure 9. Basic NAT........................................................................................................ 23 Figure 10. AH and ESP header insertion ....................................................................... 24 Figure 11. Authentication Header [3] ............................................................................. 25 Figure 12. IPv4 vs. IPv6 AH authentication. .................................................................. 27 Figure 13. IPv6 addressing [41] ..................................................................................... 30 Figure 14. Migration and IP based authentication ........................................................ 30 Figure 15. Multiple addresses per interface and random generated addresses. ............ 33 Figure 16. Anycast .......................................................................................................... 34 Figure 17. Structure of a data centre and exponential number of machines.................. 43 Figure 18. Mobile IPv4 ................................................................................................... 45 Figure 19. MIPv6 and VM migration ............................................................................. 47
vi
LIST OF ABBREVIATIONS
AH - Authentication Header ARP - Address Resolution Protocol AS - Autonomous System CDN - Content Distribution Networks CN - Correspondent Node DNS - Domain Name Server DSCP - Differentiated Services Code Point ESP - Encapsulating Security Payload FA - Foreign Agent HA - Home Agent IaaS - Infrastructure as a Service ICMPv6 - Internet Control Message Protocol Version 6 IKE - Internet Key Exchange IPv4 - Internet Protocol Version 4 IPv6 - Internet Protocol Version 6 ISP - internet service provider MAC - Media Access Control MIPv4 - Mobile IPv4 MLD - Multicast Listener Discovery MN - Mobile Node MTU - Maximum Transmission Unit NAT - Network Address Translation ND - Neigbor Discover Protocol NIC - Network Interface Card OS - Operating System PaaS - Platform as a Service QoS - Quality of Service RFC - Request For Comments SA - Security Association SaaS - Software as a Service SLA - Service Level Agreement TCO - Total Cost of Ownership TCP - Transmission Control Protocol UDP - User Datagram Protocol uRPF - Unicast Reverse Path Forwarding VLAN - Virtual Local Access Network VM - Virtual Machine VPN - Virtual Private Network WAN - Wide Area Network vii
1 Introduction
Internet has evolved in the past two decades at a fast pace, beyond anyone’s expectations. It has offered new solutions to businesses and personal development. It has evolved from an only text based environment to an interactive one with all sorts of media. In the beginning of this decade, it made a major shift to Web 2.0 and again, everything changed. It seems that every now and then, a new development perspective arises that changes the status quo of the virtual world and how we perceive it. Nowadays it is cloud computing. Cloud computing is a technology that modifies the way how the businesses have to think about using the IT resources and the internet. Cloud computing makes use of virtualization to provide new kinds of services, from software to hardware. That means that now, commercial organizations can make use of incredible IT infrastructures at lower costs. Processing power can be accesses based on demand and on budgets. These all are great advantages, not only from the cost point of view, but also from the fact that it opens new possibilities of development for companies that could not afford large IT infrastructures. Cloud computing is still in its infancy and it is an emerging technology. It provides great benefits, but it is open to more improvements. New protocols and ideas can be coupled with virtualization to provide greater value or solve exiting problems. One protocol that can do this is IPv6. But the IT world is quite reluctant to using new technologies, which at a first glance do not provide any palpable benefits or advantages. This can be said also about businesses and business managers who do not see reason to invest money in something that is not broken. As a consequence, this leads to the inflexibility of the internet. The ossification of the internet (inflexibility and reluctance of new technologies) [1] and the wide spread of IPv4 in all the networks around the globe, made companies, big or small, unenthusiastic in implementing the new IPv6. A proof of this situation is actually the low deployment of IPv6 in the internet, specifically in virtual infrastructures, making this an issue for the companies and the customers too. Security, privacy, reliability, fast resource provisioning, mobility and other problems focused now on virtual environments, can be, at some degree, improved or solved by taking the next step, that being the implementation and development of infrastructures based on IPv6. Development has always been forced by some key elements that came at the right moment. Internet spread all over the globe and made IPv4 developed beyond anyone’s expectations. As stated by Peter Loshin this was the killer application for the older protocols [2]. Nowadays, cloud computing is the new killer application for IPv6. It can be considered that new internet will evolve around cloud computing and virtualization. IPv6 will have to be part of this progress, but for that to happen, the proper advantages have to be pointed out. A clear examination is needed, on why the 1
two technologies will help each other grow. Businesses as well as regular customers could do with a clear view on why cloud computing makes perfect sense with IPv6. The benefits of the IPv6 in the Cloud Computing environment have to be properly outlined and explained. This thesis will show the benefits and the need of implementing IPv6 so that the services and virtual environments may develop further more. The new protocol fits much better the needs of the new internet and that means companies as well as customers need to know the advantages they will get by switching to it. The thesis is structured as following: in Chapters two a brief comparison between IPv6 and IPv4 is made with the outline of the main differences of the next generation IP; in Chapter three, basic background and concepts of virtualization are offered; Chapter four presents the cloud computing idea along with information on how it is deployed in the network with a clear distinction between online hardware and software; Chapter five shows the benefits of IPv6 in the context of cloud computing and how they will affect the cloud computing data centres, and finally Chapter six presents the conclusion remarks.
2
2 IPv4 and IPv6 differences
It is widely known that TCP/IP is the backbone protocol stack with which the internet grew from anonymity and low coverage, to world wide spread and availability. TCP/IP went through a period of modifications and testing until it was adopted by the major players in networking at the time; universities and the military. However, it was designed in a period in which computer networks where in their infancy. They were seen as the pinnacle of the computer world, something revolutionary, but none the less, still not widely adopted. So, the TCP/IP stack started to be used in these small, rather primitive networks. No one thought that at some time, computers all over the world will be interconnected. Consequently, due to rapid and unforeseen development of networks, IPv4 is at a point in which its limits not only have been reached, but there are serious drawbacks that greatly limit the current internet services. IPv4 has been developed around the idea of interconnecting dedicated networks, for example different universities or research centres, government facilities and so on. At that time, for example, the number of addresses available (232) was seen more than enough for all the existing networks. Security was not a concern; routing tables and router performance with respect to IP header processing was not taken into consideration. However, all of these are now of utmost interest and concern. During the 90s, efforts were put into creating a new protocol that will address all these new problems that were not foreseen when creating the old IPv4. Thus, IPv6 came to fruition. One would think that by now IPv6 would be worldwide implemented. Even though the internet has passed through different concepts in resource management from horizontal and vertical scalability to cloud computing, IPv6 is not yet widely and fully deployed. Figure 1 presents some of the differences between IPv4 and IPv6: IPv6 has an address length of 128 bits, meaning that the pool of addresses will be large enough to serve all the present and future hosts on the internet. Moreover, the addresses are differentiated into block addresses that are meant for specific functions; they are valid only in specific parts of the networks, which are identified by the “scope”: link-local, unique local addresses, global. Besides the usual unicast and multicast addresses, IPv6 includes a new, anycast address format. IPsec is mandatorily supported in the new protocol, an aspect that can solve a lot of the security issues that arise with careless users. QoS can now be served directly through a field in the IPv6 header, which opens new possibilities in how to manage communications and application traffic. Fragmentation does not happen along the route with IPv6; this is beneficial because it decreases the work a router has to do in case packet fragmentation is needed.
3
Checksum is not included in the header; as with fragmentation this will release some of the burden on the router, since no calculation of the checksum is needed every time fields like hop limits are changed. However this function can be appointed to upper layer protocols or ICMPv6 headers. In IPv6, neighbor discovery protocol replaced the broadcasts and the ARP protocol, thus reducing network floods through more efficient LAN communication. With IPv6, any host on the network can autoconfigure itself. Manual configuration or even DHCP servers are not needed anymore, unless a certain situation requires them to.
IPv6
IPv4
Addresses are 128 bits in length
Addresses are 32 bits in length
IPsec is mandatorily supported
IPsec is just optional
QoS handling through flow label field in the header
No QoS identifier in the header.
Routers do not fragment the packets, just the sending node
Routers and host can fragment packets
No checksum in the header
Checksum in the header
IP to MAC resolution is done through Multicast Neighbour Solicitation
IP to MAC resolution is done through ARP broadcast
Broadcast addresses are replaced by linklocal scope all-nodes multicast address
Uses broadcast addresses to send traffic to all nodes on an subnet
Automatic configuration; does not require DHCP
Manual or DHCP configuration
Must support a 1280-byte packet size (no fragmentation)
Must support a 576-byte packet size (maybe fragmented)
Figure 1. Differences between IPv6 and IPv4 The differences between the two versions of IP are each meant to improve the overall performance of the protocol, increase security, mobility and flexibility of the IP itself. However, as with IPv4, the internet evolved into a direction which could not had been predicted, thus, nowadays, IPv6 has to envelope the needs of the new internet paradigm. The idea of cloud computing is quite recent, thus all the improvements were not meant explicitly for it. Therefore, the benefits and additions of IPv6 have to be put in context. However, a first step is to present the most obvious differences between the protocols.
4
Figure 2 and Figure 3 depict the headers of the two protocols. As it can be clearly seen, IPv6 header is simpler, with fewer fields. Consequently it can be concluded that it carries much less information than an IPv4 header, even though the length of the next generation IP is double (20 bytes versus 40 bytes). Some of the fields that are presented in the headers are however common to the two, but the names differ. Obviously, the version field indicates the IP version of the header, in the case of IPv4 it would be 4 and 6, in the case of IPv6. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2. IPv4 header [3]
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| Traffic Class | Flow Label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Length | Next Header | Hop Limit | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + Source Address + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + Destination Address + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3. IPv6 Header [4] Both the type of service and traffic class in IPv6 have the same function, to differentiate the service classes in QoS techniques. It has to be stated that both these fields have been modified from their original purpose and now they are used for DSCP in DiffServ QoS [5], as it will later be presented.
5
The total length and payload length fields define the entire packet length. In the case of IPv4 these field can indicate a packet of maximum length of 65,535 bytes. However, IPv6 is meant to carry heavy loads of traffic, much more than was originally thought in version 4. As a result, in case the payload length field has a value of 0, the packet will be considered a jumbogram, consequently being able to carry much more data than the MTU. The maximum value can reach 4,294,967,295 bytes. The time to live and hop limit are fields that limit the propagation of an IP packet to a certain amount of time; the time is represented by how many routers the packet has been passing through; each router decreases this value by one. The daisy chain concept is a new addition to the next generation IP. It allows a greater flexibility of the protocol, through the use of different headers that perform only specific tasks. These headers are added and removed based on the necessity of the data transmission. The next header filed in IPv6, was created to point to the existence, if that is the case, of another header behind the one that is processed. Accordingly, a chain of sequential header can be created, each one having a clear function and a simple structure. In IPv4, this was possible through the use of the option filed, but this approach makes the protocols much more inflexible and harder to process. Headers in IPv4 have variable length, while IPv6 headers are static. Hence, the IHL field defines the total length of version 4 IP headers, a field that is not needed in version 6. Flags and fragment offset are used in the case of packets being fragmented at the source or along the way of the data flow. In IPv6 these were eliminated, because fragmentation at routers is forbidden in version 6. However, the source of transmission can fragment the packet. In this case, a new header, which will take the fragmenting and recomposing responsibilities, will be added above the original IPv6 header, as depicted in Figure 4. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
Next Header
|
Reserved
|
Fragment Offset
|Res|M|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
Identification
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4. Fragmentation Header [4]
6
3 Virtualization and IPv6
Efficiency is always one of the main focuses in the computer world. Resources, storage and networks must meet high criteria of efficiency and at the same time with keeping a low degree of coupling between these entities. Virtualization is a concept that made all of this possible and provided the specialists with the means of high resource use for a high yield. Productivity, resource management and cost effectiveness can thus reach levels that are very tempting not only to IT specialists but to customers and business owners. Consequently, the virtualization paradigm started changing the existing internet and created new paths for development. In addition, virtualization can be seen as a disruptive technology that will drive away the inflexibility of nowadays internet. It has to be pointed out that virtualization and IPv6 can both profit from each other. Through a paradigm shift in the internet, IPv6 has now the opportunity to be faster deployed, but this is not enough. Benefits for virtualization with IPv6 have to be pointed out and explained in clear manner, thanks to the fact that IPv6 brings more subtle advantages that are not clearly defined and differentiated form already existing protocols. Virtualization can be applied to a broad range of concepts, like overlay networks; software, in which servers and OSs are created and run in virtual machines. IPv6 can bring improvement in performance, ease of use and troubleshooting. Networking equipment’s burden of processing is decreased through a simple representation of the IPv6 headers and structures. ICMPv6 new functionalities provide more efficient ways for hosts to communicate between each other and can prove to be a solution to the L2 broadcast and scaling problem presented in [6, 7]. Last, but not least, the compulsoriness of IPsec in IPv6 implementation makes all communications more secure through proper authentication and encryption, a requirement that should be mandatory in virtual environments. Based on the ideas presented in [8], it can be argued that in the future the role of the traditional ISPs will be modified. Nowadays, ISPs offer not only infrastructure access but services too. These two roles may at some point be divided and subsequently create separate entities. That means that the same separation has to be made when talking about protocols. IPv6 will have a greater impact in the underlying physical infrastructure of the virtual environment, but it will provide some advantages to the software component as well, like, for example, better VM migration. Businesses and potential customers of cloud services will have to make the same separation based on what their needs are from the cloud services: renting a whole cloud hardware infrastructure or only software services.
7
3.1 VPNs Virtualization as a concept has been around for many years [9], but not until recently has it grasped the whole internet through usage in different services. It can be said that this idea is still in its infancy and still has to prove itself and expose all the pros and cons attached to it. Fortunately, VPNs have been around for a longer time, proving their usefulness and making it possible to extrapolate their benefits to the virtualization concept. VPNs can be considered a type of virtualization by offering a method of creating an overlay, secured network over the public internet. They offer a little bit of a history lesson and a good example on how virtualization can benefit from implementation of new protocols. Nowadays VPNs start taking advantage of IPv6 thanks to the benefits and improvements it brings. It can be assumed that cloud computing will follow the path of VPN technology and profit from the enhancement IPv6 offers. IPsec is used in VPNs, but with IPv4, IPsec is harmed by NAT. That makes an obvious and direct benefit to switching to IPv6. Authentication headers can now be used thanks to the fact that NAT is obsolete in IPv6 networks and environments. Furthermore, in [10] it is clearly stated some of the advantages or of implementing VPNs over IPv6. This outlines a first step toward the goal of this thesis, showing that the new protocol has a beneficial impact on virtualization. Cloud computing and VPNs are two concepts that are tightly connected to each other. The virtual networks provide secured means to connect to remote data centres as well as an efficient and a robust way for roaming clients to access their services and data. Therefore, it can be concluded that cloud services benefit from more capable IPv6 based VPNs. 3.1.1 Traditional versus virtualized ISPs As virtualization increases its presence in internet, new role shifts will take place in the traditional ISP. As stated before, a proper delimitation will happen between hardware infrastructure and software infrastructure providers. Infrastructure providers will manage hardware equipments and will create the underlying physical networks, taking the role of traditional ISPs. Service providers will offer services, from virtual networks to different software services, creating a new entity, the virtual ISP. IPv6 transition and implementation can have a catalyst role in the development of both of these two new providers. But at present the low IPv6 deployment shows low resilience in implementing new protocols and comes to support the idea of internet ossification [1], something that is not adequate in a faster growing online environment. The ubiquity of virtualization and the fact that it can greatly benefit from the adoption of the next generation IP, will force the internet to relinquish its old habits. Consequently, it seems that there is a strong correlation between the future of the internet, virtualization and IPv6. As seen in [11], virtualization offers great test beds for development of technologies and offers new ways to use already existing infrastructures. It can greatly expand the use and possibilities of the internet. 8
The players that will have a place in the development and the future of the internet will have to understand that inflexibility is not something that is wanted in the great structures that are today’s internet. But, nonetheless, they will have to properly understand the advantages that new technologies will have to offer. As a result, tradition and virtualized ISPs will have to know the benefits that IPv6 will bring to their service, whether it is network wise or software wise.
3.2 Virtualization software - hypervisors and virtual networking When talking about cloud computing and all that is “virtual”, everything reduces to two essentials: virtualization software and hypervisors. This is the corner stone of all that the Internet is becoming. Without advances in this area, the idea of computing in the cloud would be unrealizable. Virtualization software gives the chance of multiple OSs to run on the same machine, it gives the opportunity to clearly separate resources independently of the underlying hardware, decrease cost, improve management and most importantly, to increase the efficiency of resource use. Hypervisors and virtual network adapters are two key software components that made virtualization possible.
Figure 5. Non virtualization vs. virtualization The hypervisor is software that shares the physical server resources between several virtual machines Figure 5. It separates the guest OS from the underlying host, or hardware. It controls the CPU, memory, I/O operations, in such a way that the VM instances “think” they can access all the actual resources of the server. Moreover, all guest OSs work without knowing about each other’s existence on the same hardware. Hypervisors are classified into two categories, as seen in Figure 6. Type one, or bare metal, implies that the hypervisor is installed and operates directly between the hardware and the VMs. The type 2 hypervisor is set up in an already existing installed operating system, the host OS. Hypervisors and their advantages to the computing would be without use if the VM could not connect to the outside world, to the network. 9
Regardless of the type, hypervisors have to use virtual network interfaces in order to create a connection between the guest OS and the real NIC.
Figure 6. Type 1 and Type 2 hypervisors Network adapters are present in the virtualized space. They make communication between VMs and between VMs and outside world possible. But contrary to the traditional network card, they are not represented by any kind of hardware. That means that they are implemented and work only at abstract, software level, meaning that their performance and ability to manage network traffic is paramount to the optimum functionality of the VM. Nevertheless, despite its software representation, the virtual adapter is seen by the guest operating system as a proper physical one. Furthermore, the network, host and protocols do not make any difference between NICs and its virtual counterpart. That pushes the importance of the virtual card, in the virtualized network, even further. Proper studies and tests have to be undertaken before proper deployment of data centres can occur. Functionalities differ from one virtual network device to another, as well as performance in the similar conditions. [12] Both, hypervisors and virtual network adapters lead eventually to the idea of virtual networks and virtual networking. This allows the VMs and their host operating system to communicate between each other as if they were using an actual, physical network. When deploying a data centre that will eventually support a cloud computing service, proper evaluation of the benefits of certain virtual cards as well as benefits and cons of the virtualization mode have to be assessed. Virtualization mode refers to how the guest systems, the host OS and the outside network will interact with each other. These modes commonly include bridge mode, 10
NAT mode and host only networking. In bridge mode the guest OS will connect to the physical LAN as if it were an actual machine, thus a transparent and independent mode of accessing the outside network is possible. NAT mode, offers the same functionalities as an ordinary NAT device. The guest OSs and the host will all share the same IP and MAC address. Host only networking refers to the restriction of communication only between the main machine and its hosting VMs. In this mode there is not interaction with the physical interfaces, but rather a loopback interface is created that facilitates the network traffic between the actual machine and its virtual instances. TUN/TAP is an open source virtual adapter that is used, in some virtualization software, to implement scenarios as the ones described before. It is composed of two modules: TUN, that operates at layer 3 of OSI model, dealing with IP packets and routing and TAP that simulates an Ethernet adapter that controls incoming and outgoing frames. It is used mostly in Linux based virtualisation software, from tunnelling protocols (OpenVPN, Hamachi) to virtual machine networking (KVM, VirtualBox). Other common virtualized devices are: AMD PCNet PCI II (Am79C970A), AMD PCNet FAST III, Intel PRO/1000 MT Desktop (82540EM), Intel PRO/1000 T Server (82543GC), Intel PRO/1000 MT Server (82545EM). [13, 14]. As stated in, [13, p. 88], the virtualization software has some limits that have to be taken into account, in respect to jumbo frames. This aspect comes to support the idea that proper assessment of both the network driver, hypervisor and network virtualisation mode have to be carefully made and correlated with the business plan so that optimum performance is achieved. IPv6 and its functionalities have to be properly evaluated based on the driver chosen or shipped by default with the hypervisor. Only at this layer, IPv6 is able to effectively demonstrate its new features and advantages to the networking environment.
3.3 Server farms and potential problems Server farms or data centres represent the base of the new, centralized internet. They are characterized by large efficiently cooled rooms, in which numerous servers run simultaneously to provide different services, from pure processor power to data base storage. Communication between these machines is done through high speed networking technologies and equipment. This results in potential problems that can cause the data centres to suffer performance problems, from high latency to network traffic bottlenecks and data corruption, making proper networking planning mandatory so this problem is avoided to a high extent. Different impediments in the data centres must be resolved so that efficiency is increased and the TCO would be within the planed limits. This is more important for data centres that support cloud computing services or provide virtual infrastructures. VMs can reach large numbers, from hundreds to thousands and maybe even more, hence there is an increased burden on the network through all these virtual machines communicate. Virtual server farms share the same potential problems as the traditional ones, where every single machine was represented by one and only one operating system. But 11
because virtualization brings high efficiency and consequently low idle times for servers, traffic in data centres tends to be more intense and denser. This correlates with increased burden on the links that connects the physical server to the routers and the outside networks. The ratio of VM per server, as stated in [15, 16] is quite high, reaching to 12:1 or 15:1 and potentially this ratio could increase even more in the near future. [17] Both application and network problems can compromise data centres. Even though these problems have a multitude of causes, IPv6 can bring some advantages that are worth taking into consideration. Server farms can have I/O bottlenecks especially with storage and data bases. The same can happen with traffic flow in the case of huge virtualized datacenters. This creates a commonly occuring problem: congestions. The new control implementation of IPv6, ICMPv6 can better cope with huge traffic flows. Also it provides new methods for management, troubleshooting and mobilty, functions that can greatly improve the quality and reliability of any data center and as a resultto any cloud computing platform. As stated before, virtualization can increase the traffic in a data centre a lot, mainly because each VM is seen as an independent machine, with its own IP and MAC address. That leads to the overwhelming number of broadcasts used by ARP functionalities. [18, 19]. This problem can easily be solved with IPv6, through neighbour discovery and anycast addressing. In the following subchapters some of the problems commonly seen in server farms are presents and preliminary solutions are exposed. 3.3.1 Traffic overhead and load balancing When talking about networking and data centres, traffic has a high impact on the overall performance of the services offered. TCP/IP packets are a sensitive issue that has long been treated with utmost respect and consideration. Inexact use and deployment of the stack can result in lot of data corruption, unnecessary data retransmission, traffic bottle necks, and high latency. This has lead to many studies that monitored the different behaviours of both IPv4 and IPv6 protocols have in different network environments. Form the application point of view, both Ethernet and IP headers are seen as overhead. Unfortunately the new IP protocol creates a bit of a problem when talking about this aspect. IPv4 header is at least 20 bytes long while IPv6 header is twice as large, reaching 40 bytes. When taking into consideration the fact that when IPsec is used with IPv6, the overhead of the protocols increase even more. This poses a problem, especially because the majority of packets in the internet are small size packets, in IPv4 [20] and in IPv6 as well [21]. That means that the overhead can compose quite a lot of the actual traffic, making data transmission less efficient. Furthermore, presented in this small scale test [22], IPv6 presents an increase in overhead compared to IPv4. This means, that potentially, the new protocol can create further problems in the data centres and consequently to the cloud computing idea. The flexibility of IPv6 is one of its strongest points. It can be customized according to the customer services that it has to serve and based on the traffic that it 12
handles. For example, the problems addressed earlier can be solved through customisation of the header. In LAN communications IPsec can be opted out, therefore reducing the overhead and extra information. Depending on the level of customization that the provider wants to apply, a solution like the one presented in [21] can easily avoid some of the problems. Furthermore, header compression protocols [23] can be used with IPv6. This might solve the problem of the overhead, and at the same time making use of the benefits and advantages that the next generation IP provides. Load balancing is a method that offers the possibility, to current data centres, to scale their computing power and distribute traffic and processing load across a multitude of servers. Furthermore, it offers a method to distribute the traffic load across different segments of networks. One of the methods the load balancing is using a network balancer; anycast addressing scheme can provide some help as well. Load balancers can benefit from the new functionality of neighbor discovery, improving the flexibility and scaling methods for the servers behind the load balancers. New servers added to the infrastructure can be easily detected. Additionally, as presented in [24], direct routing load balancing method, involves a problem regarding handling ARP requests. This issue may find its solution in full deployment of IPv6. Anycast addressing will reduce the need of the broadcast floods and can actually improve some of the load balancing methods. 3.3.2 Localization and migration Politics and government are always a possible problem in regard to any new initiatives and ideas that are foreign to them. Cloud computing is still in its infancy and it has not provided yet enough evidence for its benefits to the business world. That leads to government scepticism concerning data security, potential loss of businesses and the list can go on. This means that every country has its own rules when talking about potential cloud services, especially the ones that provide payment or financial services. Furthermore, big cloud computing businesses usually have more data centres scattered around the globe, for better coverage and service. As a consequence, in some cases VMs have to be moved from one physical server to another or even between two different data centres. In addition, VM migration can increase the flexibility of the computing processing power in grid computing by shifting VMs where they are needed. This will allow to dynamically moving virtual machines between data centres or physical servers to provide specific tasks, improve performance and resource load balancing. Stated in [25] and [26] are possible design objectives to achieve flexibility in data centres, with their associated design requirements. Both of them support the ideas that migration of VM across different physical servers has to be transparent to the user, all the data connections have to be maintained all over the migration process, it has to be done as fast as possible and the destination VM has to be 100% identical to the source one. In [26] and in [27] mobile IPv6 is proposed as a solution for better transfer of virtual machine, at the same time with keeping the migration requirements. 13
Furthermore, in [28] the migration of the virtual machines is done along with the persistent file that is used by the VM; usually a file of greater size that is stored on the local servers. In two of the above examples, IPv6 benefits are already exploited by implementing the mobile IPv6 for data transfer between data centres. It can be argued that mobile IPv6 use can be improved even more by implementing IPv6 QoS techniques in the home agent. This will provide better ways to deal with large amounts of VM migration and management. In [28], the migration of the persistent file may be improved by the use of the jumbograms that are a feature of the new IP protocol. All in all, virtual machine migration is one of the main problems that are present in the virtual data centres around the globe. Live migration is a great solution for providing the most flexibility in data centres, but also provides the means to offer to roaming customers the best services by moving the VMs physically as close as possible to them. Consequently, through the next generation IP, new advantages can be added and utilized.
14
4 Cloud computing
Cloud computing is used more and more often in the online environment and it can, at times, be a confusing term. Technically, it involves any kind of resources, software or hardware, which are created and sold as services, by third parties. Roughly, that means outsourcing IT infrastructure to specialized companies that will offer processing power or software, based on customer demand and budget. The term “cloud” comes from the fact that in different diagrams, the internet was always depicted as a cloud, through which all the smaller components, as nodes, hosts, smaller networks, would communicate with each other. That implies that cloud computing always involves the use and the need of an online component. Subsequently, resources are always accessed remotely through the use of the internet. Many people confuse the idea of virtualization with cloud computing. It has to be clearly stated, that virtualization is not cloud computing. Instead, virtualization is just a technical method to create an abstract entity from a physical one. As stated before in the thesis, virtualization created the idea of virtual machine and virtual network. Accordingly, it can be said that virtualization is just the means through which cloud computing is implemented and offered as a service. As stated before, cloud computing is all about services provided remotely and independently from the customers’ IT infrastructure. The “computing“ part refers to services that are sold over the “cloud”. Hardware infrastructure can be sold to customers, who in turn can customize it as they want, without being worried about managing and troubleshooting the data centre itself. Software is also an important part of the cloud computing idea. As it will be presented, when talking about software in the cloud, there are two different approaches that imply different levels of interaction with the underlying infrastructure; one with the possibility of creating your own applications and the other granting access to the ones that are predefined. The possibilities that cloud computing bring to the businesses communities, from customizable infrastructures to customizable cloud-based software are hard to ignore. This means that the “false starts” [8] that in the last years was a barrier and a mirage in front of different services like, multicast, security and differentiated services are now becoming an incentive in cloud computing. What is even better is that cloud computing relies on these services to grow. Popularity of cloud computing is growing very fast. More and more companies chose to outsource their IT needs to different companies around the world. The consequence is that, in the near future, cloud computing can grow beyond its capabilities and crush under its own success. IPv6 deployment has been slow up until now and maybe it will be in the future too, but “The introduction of IPv6 is envisaged as a solution, not only because of its huge address space, but also because it provides a platform for innovation in IP-based services and applications.” [34]. Thus, the 15
innovation that IPv6 can bring to cloud services, can truly launch the implementation of IPv6 at an increased the pace.
4.1 Software infrastructure versus hardware infrastructure In Cloud Computing, infrastructure can be divided into two parts: hardware and software. The reason behind this separation is that both can be sold as services or products. Cloud computing is all about offering some kind of outsourced infrastructure to companies that seek to be more efficient with their IT budgets or those that cannot afford it. Furthermore, based on the level of customization of these infrastructures, three building blocks can be defined for any cloud computing service: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service).
Figure 7. Hardware infrastructure and software infrastructure Infrastructure can be defined as the underplaying structure that offers and allows upper layer services to perform their tasks. It allows the interaction between different entities using the same “language” or architectures. Figure 7 depicts the two infrastructures that make up the cloud computing concept. Online hardware is a collection of online physical or virtual resources that are accessed through a remote connection. They are represented by fully deployed networks. As it will be presented in the next chapters, some implementations of cloud computing, like private clouds, allow the use of resources through actual hardware rent. Physical servers, virtual servers or entire fully operational networks are rented by third 16
parties to the companies that need them; they are data centres, outside the client’s organization, that are maintained by a specialized firm. When talking about online hardware resources one must take into account all the components and the SLA that the provider will render. The servers, architectures and protocols used, all contribute to a stable, scalable and efficient service. It needs to be mentioned that the benefits of IPv6 are mainly seen at this lower level: the underlying hardware and network that comprise the online hardware. Moreover, the online hardware encompasses the virtualization process that takes place in these environments. Virtual machine managers, hard disks, network adapters and other virtualized hardware are very important in the whole picture of cloud computing. Virtualized hardware is very important in the overall performance of the services and new technologies can improve their operation. Outlining properly the advantages will not only lead to improving the hardware layer, but the online software layer will benefit from the new protocols and hardware development as well. IaaS, or infrastructure as a service, is the concept that turns the above motioned hardware resources, either physical or virtual, into a product that can be marketed. Through IaaS, cloud computing vendors can sell processing power, either offered as simple servers or as virtual resources (virtual machines, online storage, etc.) to different customers. In turn the customer has access to its own hardware infrastructure and has the option to modify and use it as he sees fit. Online software is the corner stone of cloud computing. It is the layer that provides the most services and functions and behaves as normal, locally installed software. To further expand, all the software programs that can be accessed remotely through a web browser or any other kind of remote connection technology, and behave as any other piece of local software can be considered online software. But we have to make a step deeper into the concept and split the online software into two branches. Providers can offer predefined software, for example Google Docs, Zoho and many more. Here the customer can only use and customize to some point the services that are already available. This approach to cloud computing is characterized by the SaaS or software as a service. On the other hand, services such as Google Apps, give more freedom for the customer to create their own application based on the existing tools offered by the provider and the specifications of the underlying software infrastructure. The customer has access to online databases storage and usage, website hosting, mobile software support any many more elements that he can use in its custom software. In other words, the customer has access to a platform on which he can build, according to some specifications, software. PaaS or platform as a service is the concept that turns custom online software into a product. In the online environment all the elements interact with each other through, simply put, networks and dedicated online connections. It can be thus deducted that the performance of the networks that support the online computing service is of critical importance. We have to be always aware of the fact that all data exchange is done, if not all the time, through remote connections that are influenced by the networking protocols. Specific online software needs to have the best performance when accessing remote databases or any other kind of data. Hardware has to be able to process very 17
efficiently the different protocols used in the communication between different physical machines and virtual machines. The benefits of newer protocols cannot be ignored and this is the case of IPv6, given its potential to improve the overall performance of virtual networks and the services that they provide. Even though online software is the most important component in cloud computing and online hardware is the transparent one, often unseen by the user, the execution of the software depends on the performance of the underlying hardware infrastructure, which in turn depends heavily on the machines and protocols they use. It has to be stated now that all the work will evolve around the hardware part and the protocol of the underlying network that serves the software component.
4.2 Implementations of Cloud computing Cloud computing offers online infrastructure that customers can adapt and use as they see fit. But to further understand the impact of a new protocol over these infrastructures we have to differentiate and detail the models in which cloud computing can be implemented. The deployment model of an online computing service can be divided into 4 categories: private cloud computing, hybrid cloud computing, cloud hosting and the most commonly used, public cloud computing
Figure 8. Cloud Computing deployment models Private clouding or internal clouding, as it is depicted in Figure 8, is one of the simplest models. It implies the uses of all available infrastructure by only one customer who can choose to host the data centre internally, in its own organization, or it can choose to be managed by a third party company. It the latter case, the customer will rent the cloud infrastructure, from an IaaS vendor. Consequently new development in the 18
computing and networking technologies can be implemented easily than in the other models; the customer is able to enforce and adapt the cloud infrastructure, from the actual physical servers and data connection to the protocols, software and security, as they consider suitable. One can argue that the private model lacks all the benefits that cloud computing brings to the IT world: on demand computing power, lower cost of ownership and flexibility. In some cases this may be true, but one has to be aware that this type provides the best security and thus it can be a first, timid step of a company towards cloud computing and its full benefits. In addition, private data centres offer the proper ways for big corporation to support the cost of such deployments, to implement its internal security politics and benefit of full security standards. Hybrid clouding, as the term implies, it is a service that merges two models into one: private and public service. This model offers a choice for the customers that want to reduce their IT service cost, by outsourcing a part of their IT infrastructure. This model can encompass all the building blocks of cloud computing: IaaS, Paas and SaaS. For example the user can choose to rent private hardware infrastructure for certain purposes, use a cloud platform to create custom software and deploy them on the infrastructure of a Paas vendor and use SaaS for email or document editing. Cloud hosting is external to the customer company and it provides the most flexible and budget friendly model. It is characterized by the possibility of renting virtual machines on a need basis. To proper understand the concept, Amazon AWS is such a service, in which a potential user can rent different VMs to perform any kind of job. Depending on the service, the VMs are rented based on hour usage, VM performance, traffic or other options. In addition to virtual machines, online storage can be bought and used. After the customer has finished using the rented resources, these are freed and made available for other purposes. Cloud hosting is another approach that IaaS can take. However, the entire physical infrastructure on which the cloud hosting service relays on is outside of the customer reach. Public cloud is a service that is generally available and requires the least knowledge about IT. This model is the most popular one amongst home users, because it provides the access to basic software and services, for example Google Docs, Google Calendar, Gmail, etc. Furthermore, public cloud service like Google Apps or Zoho Creator offer tools to create user specific application and deploy them on the cloud. However the user does not have the possibility to access and configure the hardware or software infrastructure in any way. As a result, public clouds can encompass the PaaS and SaaS building block and provide service free or, over a certain user, or traffic quota, a fee can be applied.
4.3 Insecurities and problems in cloud computing In the context of new ideas and concept arising, people tend to be reluctant to accept them. Scepticism and insecurity take a hold on their whole rational thinking and adventurous driving force. When these two emotions intersect the business environment, where risk, profits and even social status come into question, the issue at 19
hand further amplifies, arriving at a point in which new ideas are not only put aside, but are rejected as a whole and not even taken into consideration. The cloud computing business has seen this happening over and over again. Many companies are still reluctant when considering moving their IT infrastructure, if not all into the cloud, at least a part of it. Moreover, some of them are not even aware of the concept or about the fact that they are using some sort of cloud services, as stated by the president of Trend Micro, Dave Asprey in a survey about insecurities of cloud computing: “On top of that, some respondents didn’t even know they were using the cloud, much less securing it.” However, we have to be unbiased and acknowledge the fact that some of the problems put forward by several companies have real substrate. Businesses and their success are based on the confidentiality and security of their data. Cloud computing, through its definition, means outsourcing your data infrastructure to a third party company. Hence, all your data security is in the hand of a company outside your company’s policies, a company that may not implement and deploy the best methods to protect your data integrity and confidentiality. In a survey made in 2011 by Trend Micro [29], 43% of the surveyed companies had at some point security issues with their cloud computing providers. Furthermore, the article presents another interesting aspect pointing out another big concern. While security is still a problem, another arises in the form of performance and availability. The percentages presented, 50% of companies concerned about security and 48% about performance and availability, create a grim picture for the future of cloud computing. “Data in the cloud is vulnerable without encryption”. [29] In addition, companies encrypt the data they store in the cloud and tend to choose services that offer encryption in their offers. So, it can be determined that security concerns in the cloud, are strongly related to the need of powerful encryption of the data stored and reliable encryption key management. One of the problems that arise when talking about the encryption keys is the safe exchange, due to the fact that this is done usually over unsafe environment, like the internet. IPv6 provides a safer networking environment for encryption key exchange, through its authentication and encryption functionalities, defined in IPsec along with the framework protocol define by ISAKMP. Presented in this article [30], it is pointed out that security problems often can be attributed to unaware or unprepared customers, as well as to the provider itself not deploying enough security methods. Amazon cloud computing service’s business plan offers means for customers to create personalized VM and make them available for other users. This creates the possibility of many security breaches and data theft, due to inefficient and incomplete removal of sensitive information, before making the VM image widely available for other customers. One problem presented is the exploitation of SSH keys. [30, p. 396] One solution to this problem is to restrict the IP addresses that can access a certain VMs. With IPv4, that is deployed in the Amazon infrastructure it is almost impossible to achieve such a solution. But, with IPv6, this issue can be solved. Furthermore, the authentication, which is fully functional with IPv6, can offer protection against unauthorized access to deployed VMs. 20
Presented above is one the benefits that deployment of IPv6 can bring to a lot of cloud computing services around the internet concerning security. Performance concerns also have a solution in the next generation IP. NAT avoidance and the flexibility of the IP headers, can improve the latency and overhead of the network, as it will be presented later in the paper. IPsec, tunnelling, data integrity and security will all benefit from full deployment of IPv6. Insecurities about migrating to cloud infrastructures and services will diminish once cloud vendors will fully implement and make available IPv6 and understand that IPv6 will make solutions that are not possible with IPv4 possible. Furthermore, as customers and businesses realise that new technologies offer better tradeoffs that older ones, as with IPv4 versus IPv6, the grim sheet that covers cloud computing insecurities will not be as concerning as before.
4.4 Future of cloud computing Digital data is nowadays ubiquitous. The quantity that is processed and managed everyday grows exponentially, above values that can turn out to be unmanageable by small or medium companies. All fields of work require more and more data manipulation and process. That means, soon businesses will not be able to afford to storage and manipulate the data that they need, unless it is in an efficient and cost effective manner. Thus, cloud computing can be seen as a pertinent solution, one that sooner or later will be adopted by all the players in the information environment and more. The cloud adoption at general scale is imminent; its services will be used by more and more entities. In a survey made by KPMG International in 2010 [31], it was shown that the companies’ level of interest to incorporate cloud services into their business plans is increasing. Moreover, the survey presented bank and government institutions as being reluctant to the idea. However, in 2011 the US government issued a Cloud First policy [32] as a way to decrease the cost of IT infrastructure and at the same time to increase efficiency and ease of implementing new IT structures. As a consequence, a programme has been developed to accelerate the US government into adopting cloud technologies. [33] All of these come to support the idea of sudden change and adoption of formerly reluctant entities, regarding outsourcing IT and using cloud computing services instead. Author Christopher Barnatt, defines four categories of companies in one of his book [34], based on the adoption of cloud computing: pioneers, early adapters, late adapters and laggards. The peak of companies switching to cloud service, according to the author it will take place between 2010 and 2020, these being the early and late adapters. Correlated with the information presented above, with government trying to reduce cost and to create more efficient IT infrastructures, we can assume that online infrastructure, hardware and software will know a massive boom of customers. The growth of interest in online services will put great pressure on the security, performance, availability and data networks. This means that the possible upgrading of cloud computing, regarding any of the fields presented before, has to be not only taken 21
into consideration, but actually thoroughly examined for the possibility of improvements. Cloud services will experience more pressure coming from their customer, and it can no longer afford to postpone the adoption of new technologies, IPv6, being one of these. The future relies on cloud service vendors offering the best products with the introduction of the most efficient and reliable advanced technologies and on the customers who, nowadays, seem to be more aware of the better tradeoffs cloud can bring to their businesses. The benefits that IPv6 can bring to cloud computing can also help companies plan and develop cloud computing policies for their businesses. Therefore, IPv6 can not only help develop the technical performance, but also improve the view on cloud computing and reduce the uncertainty about security, privacy and performance.
22
5 IPv6 benefits in cloud computing
5.1 Security benefits Insecurity is one of the critical issues that generate reluctance to potential customers to make use of cloud computing. The fact that storing your sensitive data into the cloud might create potential losses for business due to low level of security should force cloud computing providers to deploy all the necessary methods to provide high security. Due to the limitation of IPv4, some of the techniques created to prolong the life of IPv4 can prove to be, in some situations, a barrier towards proper safe data transmissions. IPv6 has the potential to create a safer environment in which data can be exchanged easily with no down side for security. The mechanism developed to slow down the IPv4 address exhaustion, network address translation (NAT), can be considered one of the main obstacles that inhibit proper security in the cloud and stop the deployment of addiction protection measures. The protocols that assures secure IP communication, IPsec, through data authentication and encryption, is the main victim of NAT protocol. As it will be presented, by avoiding NAT new possibilities arise when deploying IPsec; the cloud computing customer will have better security options at its disposal. 5.1.1 NAT avoidance IPv6 came into existence with the idea of bringing new and advanced features that can solve some of the problems that IPv4 is facing with. We can start talking about the benefits that IPv6 brings to cloud computing from the most basic and obvious change in the protocol: the huge pool of addresses: 2128. The sheer number of addresses that are available not only solves the critical problem of running out of addresses but brings a few advantages regarding other aspects of networking, for example, NAT avoidance.
Figure 9. Basic NAT Figure 9 depicts the basics of a NAT router or any kind of NAT device deployed in a network. In this example the computer situated in the internal network of a company wants to communicate with a computer or server situated somewhere on the 23
internet. As it can be seen, the internal computer has assigned to it a private IPv4 address. To communicate, the internal computer sends its packets with the source address of 192.168.32.2 and destination address of the foreign computer, 198.51.100.2. But because the source address is not routable on the internet, the NAT device translates this address to a public one, in this case to 198.51.100.1 and sends the packet further along the way. Now, the original packet’s source address is of the NAT interface that faces the internet, but keeps the destination address. The server responses to the request at the address of 198.51.100.1 not knowing that solicitor is not represented by the same address. When the packet reaches again the NAT device, it will do the reverse process presented above: it will translate the public address into the private address of the original solicitor, 192.168.32.2 and send it accordingly, to the internal network computer. The importance of properly understanding the basic functionality of NAT resides in its effects on the security aspects concerning IPsec. Through address translation, parts of the original packets have to be changed, which in turn makes the use of some features of IPsec impossible. Authentication and encryption are the two
Figure 10. AH and ESP header insertion building blocks behind IP security. Authentication provides data integrity and validation of the source, while encryption provides confidentiality and ensures no data manipulation. This is done through AH and ESP headers that are added to the original packet. In addition, IPsec has two modes, tunnel (host to gateway communication) and transport (host to host communication) mode, which implies two different modes of header insertion, as presented Figure 10.
24
The authentication process implies creating a unique identification number, commonly a hash, based on some non mutable parameters, one of which is the source address in the IP header preceding the authentication header. The hash is added to the AH header; the receiver of the packet will apply the same algorithms on the same parameters and it will compare the resulted hash with the one received. In the case they do not match, the packet will be discarded. Going back to the principles behind how NAT works, we can clearly see that if the send-packet’s IP is modified in any way along the route, the authentication will fail at the receiver. In consequence, when using the authentication mechanism provided by the AH header along a route that at some point has a network translator mechanism, the communication will fail. So, through NAT avoidance, full IPsec functionality can be achieved. AH and ESP headers offer almost the same functionalities with respect to authentication, hence, it can be said that there is not much loss in the case of failure when using the AH header in cloud computing communication. However, this is true to the point that ESP provides authentication for only a part of the original packet. The authentication is made only for the tunnelled packet, and does not take into consideration the headers that are outside the tunnel, as it can be seen in Figure 10. On the other hand, AH extents its protection on the IP and all extension headers (even the hop-by-hop ones) that precede it, regardless of the transport type applied. In Figure 11 the authentication header and its fields are presented. The integrity check values or ICV is an integral multiple of 32 bits and it carries the authentication data for the packets to which it was attached. The values are created based on nonmutable headers; headers that are known will not change their filed values along the route to destination. These values are use in a hash function and create a unique authentication number. Based on this, the destination can verify the integrity of the packet and that it was not modified along the way. As stated before, if a NAT device exists along the route, the values in the non-mutable field, especially the source IP address, will change and thus the integrity check will fail. It can be observed that in this case, no real end-to-end IPsec connection can be achieved and consequently neither complete security. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Payload Len | RESERVED | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Parameters Index (SPI) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Integrity Check Value (variable) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11. Authentication Header [3] NAT is still widely employed due to the ubiquitous nature of IPv4. However, the exhaustion of addresses imposes the use of network translator in cloud computing 25
environments. For example, Amazon EC2 does not provide unique, routable IP addresses to the VM instances in the cloud, but rather uses NAT mechanism to map routable IP addresses to customer accounts or virtual private clouds [35]. One of the benefits of cloud computing is the possibility to access data from everywhere, regardless that is from inside the corporate network or from an outside host. As a result, not being able to have a proper end-to-end connection with the cloud services or virtual servers rented in the cloud can have consequences on the security, confidentially and integrity of the data stored in the cloud and the functionality of IPsec. Security and data integrity is offered only on a part along the way. Amazon, for example, ensures security through VPN gateways. All security is done between the customer gateway and Amazon’s gateways or customer hosts and Amazon’s gateway, so no end-to-end authentication is taking place. The traffic between the cloud service provider gateways and the final virtual machine, host, etc. is left unprotected from the point of view of authenticating the original source. Furthermore, even in tunnel mode, the information outside is not authenticated. Stated in RFC 4306 [36, p. 6] it is clear that end-to-end security in not fully applicable to IPv4 networks. IKE is an important part of IPsec and therefore of IPv6. It is a protocol that helps the negotiation between two peers of certain security features, like cryptographic algorithms and private keys for ESP and/or AH security association. In some case, when NAT modifies parts of the TCP/UDP header, as the source and destination port, IKE functionality is impaired by the network translator. For communication, ESP uses port 500 to identify itself. However, ESP encrypts the upped headers of the IP packets, as it can be seen in Figure 10, including the TCP/UDP header. Thus, NAT cannot “see” the source and destination port, needed in the case of NAT with port translation; resulting into improper manipulation and forwarding of the incoming packet. The solution to this problem is offered in [37], through and UDP encapsulation of the already tunnelled packet. However, this can be treated as an example of a solution to a problem that may be easily treated with IPv6. Furthermore, the NAT problem and the solution offered with the UDP encapsulation of IPsec tunnelled packets, increases the complexity of a system which is already highly complex: the virtual environment, the data centres and the networking sub-layer on which they all rely for proper functionality. NAT avoidance, at a first glance, does not seem to provide a substantial benefit. However, as the next chapter will show by eluding NAT from the data centres topologies, IPsec will become bring new security possibilities. Furthermore, cloud computing providers have to be as transparent as possible towards the client. As a principle, it would be ideal that no client-traffic manipulation should be done. However, nowadays this takes place due to technology limitation, a problem that forced the creation of the NAT protocol. This imposes a fast transition to IPv6 to take advantage of its benefits. But, until the IPv6 will not be adopted on a large scale, customers and provides will have to use techniques of transition, which in this case involve the use of NAT on some scale. Conversely, as it will see in a later chapter, in some cases NAT will still has to be used to provide some services to data centres. NAT avoidance is most benefic when talking about IaaS infrastructure and not PaaS or SaaS 26
5.1.2 IPsec Security on the internet is one of the great concerns in the online environment. It is also a great barrier for certain companies to embrace the cloud paradigm. The worries that the data stored and transmitted between the customer and the cloud provider are not safe and well protected, still dictates the choices of a lot of companies and potential customers. However, with the development of IPv6, IPsec comes to offer the means to protect the data in the internet.
Figure 12. IPv4 vs. IPv6 AH authentication. IPsec is a protocol developed to serve IPv6. But, because of the slow deployment of the next IP, IPsec was adopted for IPv4 as well. As one would expect, IPsec cannot fully work with IPv4 and the existing networks, in which new “patches” were created to slow down the problem of address space. Furthermore, due to these needed techniques, proper end-to-end security of IPsec can be broken, as it can be seen in Figure 12. Therefore the issue of the IPv4 cloud-provider customer not having any idea where between the points along their connection proper encryption and authentication is made arises. Pragmatically, they do not even have to know. This is a big problem, because basically a user can access cloud services from anywhere, not 27
only from the protected environment of intra-networks of the companies. It is mandatory, that proper security is offered to the regular user, as transparent as possible and as close as possible to the two end points of the internet connection. It is said that it is easier to hack one computer than one data centre. Thus, the security of virtual private cloud or cloud infrastructures is as strong as the weakest host. Proper security has to be offered equally to all entities that are present in the data centre of the cloud provider. It can be accomplished through IPv6 deployment in which support for IPsec is mandatory and can function at its fullest. When talking about IPsec a few mandatory concepts have to be noted. IPsec makes use of three important databases on which all the functionality is based: security policy database (SPD), security association database (SAD) and peer authentication database (PAD). SPD – stores and specifies the services that are offered to IP datagrams. These services are: bypass, discard and protect and are separated into three different data bases: SPD-I, for inbound traffic that is bypassed or discarded from IPsec, SPD-O for outbound traffic that is bypassed or discarded from IPsec and SPD-S for securing traffic which is identified based on certain terms (selectors: remote IP, destination IP, e-mail, DNS name, NAME). [38, p. 19] SAD – stores the security association (SA) parameters that were negotiated between peers: cryptographic keys, algorithms used for encryption, etc. [38, p. 34]. It is linked to SPD to provide appropriate IPsec handling. PAD – the database specifies the peers that are allowed to negotiate IPsec SAs with the host. [38, p. 43]. It makes a connection between IKE and SPD. Based on the above databases and on the fact that they work as an access-control list or firewall [38, p. 21], it can be inferred that IPsec can offer not only data integrity, confidentially and security, but also data filtering. The huge address pool that IPv6 offers, the possibility of uniquely identifying a host and NAT avoidance give the customers and the cloud computing providers more options to secure their data communication and data centres. NAT avoidance, when seen in the context of IPsec, also helps resolving the problem in which the same security associations is offered to other computers. This may easily happen in data centres where the flexibility of the host is greater, going on and off the network. Security associations (SA) which use remote IP as selector can confuse the original SA peer with the new host to which the same address was assigned by a DHCP server, as stated in RFC4301. [38, p. 36] Even if this problem can be avoided through proper mechanisms, through the use of IPv6 and IPsec, innately this would not occur. As stated before, with IPv6 and IPsec proper end-to-end authentication can be achieved and thus the functionality of the AH header can be used at the full potential. Man-in-the-middle attacks can be, consequently, efficiently contra attacked. Furthermore, in most cases, data has to be only authenticated, no encryption needed. 28
This reduces the performance stress on the VPN gateways or IPsec hosts by excluding the use of heavy encryption algorithm. Moreover, as cloud computing services are available all across the globe, AH authentication may cover a legal issue as well. Some countries have strict laws concerning encryption and transferring encrypted data across the borders and others have even tried to ban encryption as a whole [39]. However, authenticated data has no restrictions whatsoever, therefore, for cloud computing services it would be the perfect security trade off. Depending on the customer policies, data stored in the cloud and its sensitivity, AH authentication will be best to use from both performance perspective and legal issues as well. On the other hand, in case of need, IPsec offers the possibility to negotiate IP payload compression, which can reduce the needed processing power. [40] One may argue the solution of authenticating and encrypting the traffic of every user that accesses the services of a cloud provider may be unrealistic. However, IPv6 in conjunction with IPsec can offer a very grain or coarse data filtering depending on the needs of the user. In case a customer rents a virtual private cloud (VPC), he can easily custom configure the criteria on which data is authenticated and/or encrypted or discarded. When talking about the IPsec security, it has to be noted that the security associations that are created between peers or host and VPN gateways are only one direction and separate for AH and ESP. That means, that, for example, traffic can be only encrypted when send from the server to the client and only authenticated when it is from client to server. Security can be asymmetrically deployed, different security measures being applied to different datagrams. Firewall-like capabilities of the IPsec, offer through the databases presented above, implies the fact that a lot of the traffic can be discarded as well, if certain criteria are not met. Furthermore, VPN tunnel mode can be used to create a connection between the VPN gateway of the customer and that of the cloud computing provider and only the traffic that comes from outside this tunnel to be authenticated and/or encrypted. The fact that authentication can be used as it was really intended by IPv6, by even authenticating the IP address, give the providers and the customers a broader range of possibilities to deploy security measures. Authenticating the IP header of the packet, especially in the case of the source address, opens a new and more direct way for identifying a host as friendly or not. As it was stated before, cloud providers, like Amazon, deploy security implementation in which VPN gateways are use. These are configured by the client. Because an IPv6 host has a unique address and does not need to be behind a NAT device for conserving the address pool, it can be very easily identified and offered security tailored to its needs. Also, it can give the provider and/or to the customer a detailed way to discard or secure traffic coming from a certain host or client. Furthermore, in case a host inside the cloud data centre is infected or compromised and starts behaving accordingly, it will be easier to spot and ban its access to the internet and intranet.
29
With IPv6 all host on the internet may have a unique address. However, due to the way the addressing scheme works, some portions of the IP may change when moving from one ISP to another, or when even migrating within the same network. This
Figure 13. IPv6 addressing [41] will make it a little bit harder to identify a user or host based on the IP. Figure 13 presents the way an IPv6 address is divided and what is the meaning of each group. Site Prefix and the subnet ID are parts of the address that may change when a host leaves a network and joins another one. However, the last 64 bits of the address are generated based on the MAC of the network card the host uses. This part will always be the same, no matter where or in what network the host in question resides. The SPD used by IPsec use some selectors to identify characteristic of the datagrams, such as: source address, destination address or NAME. The NAME selector was created especially for hosts that roam around other networks, “road warriors” that exist outside the parent network [38, p. 28]. Based on the settings of this selector and the source IP address, a host can uniquely be identified and thus properly treated. Like stated above, this will be a way to identify a host that is outside the trusted network of a company. It also provides a method of identifying traffic that has to be treated different that the one that flows through a trusted VPN (created between a customer and its cloud provider).
Figure 14. Migration and IP based authentication Figure 14 presents the case of such a road warrior which moves from ISP 1 to ISP 2. As it can be seen the IPv6, address changes as the host move, but the last 64 bits remain unchanged. Furthermore, these 64 bits should be unique to that host and must be treated accordingly. Since IPsec does not impose the use of any specific algorithms for 30
authentication or encryption, the solution to uniquely identify a host over the internet can be implemented by the cloud service provider or developed as new standards. For example, a host can be identified based on the NAME selector and the unchangeable portion of the IP address. This will give a more direct way of controlling who can access certain data in the cloud. Moreover, the byte string can also be stored in the NAME selector, which can be a hash that is based on the last 64 bits of the IP and email address, computer name, user name etc. This provides a method not only to authenticate the packet, but to actually provide a 1:1 connection between the interface and the user that had accessed the cloud resources. However, these methods can be hard to adopt when talking about big companies and big cloud providers. Authenticating every connection in this way, in an end-to-end fashion may by contra-productive. Cloud providers, as in case of Amazon usually offer the services of VPN gateways. These gateways will be more appropriate to authenticate and check the identity of the users and, if needed, apply security mechanism on the datagrams. But, the advantage of the authentication method presented before, is that in case of need, certain host or VM in the cloud that may hold very sensitive data may identify every user. Small companies, that are more inclined to benefit from the financial advantages of cloud computing can, however, implement some traffic filtering in IPsec, based on the unique addresses that every host has. For example, companies with 10-20 computers can easily give access, based on the IPv6 address, only to those hosts in an end-to-end manner. Furthermore, this security implementation is easy to deploy and more importantly it is transparent and independent of the upper layer applications. Cloud computing companies must have a great concern about the inner security of their data centres as well. They should try to secure the traffic that is exchanged between different machines, VPS, etc. as well as the control traffic. One requirement for the security policies can be the authentication of the peers that initiate a conversation. In [42] threats for networks are divided in three planes: management plane, control plane and data plane. ICMPv6 is a protocol that is a part of the data plane and that it is used in case of neighbor discovery protocol. “The Neighbor Discovery (ND) Protocol is responsible for router and prefix discovery, duplicate address detection, neighbor reachability and link-layer address determination. ND’s function is similar to IPv4’s ARP and some ICMP functions. The autoconfiguration mechanisms depend on ND. The greatest advantage of ND and IPv6 auto configuration on IPv4 is that they are entirely IP based, as opposed to IPv4 ARP or DHCP that are link-layer protocol dependent. As a consequence IPsec AH or ESP could be used to authenticate or secure these protocols. While it is possible, currently this is not the practice.” [43] It can be clearly seen that security inside large data centres can be achieved easier with the help of IPsec and IPv6. Security, integrity and confidentiality can be applied to all the data planes (management, control, data), something that cloud not be accomplished with IPv4. Furthermore, IPsec is transparent to the upper layers and thus is independent and does not influence in any way the software that a customer may use inside the cloud. 31
5.2 Network Management benefits IPv4 emerged as a standard protocol at a time when networks were neither something common and nor world wide spread. Thus, IPv4 was, and still is, overcome by the large size the internet has grown into. As a consequence, the way a native IPv4 data centre is managed today is not very efficient due to its size. In a cloud computing environment, IPv4 is even more outdated, due to the dynamic nature of the machines that exist on the network. The “pay as you go” method employed by cloud computing providers, means that network topology in a data centre is unpredictable and hard to manage and track. However, IPv6 was developed exactly for this reason: to better cope with and integrate large networks, in which management has to be very efficient, transparent and as automated as possible. Even though cloud computing was not a concept yet developed when the plan for IPv6 emerged, the tools it offers fit perfectly in the “in the cloud” paradigm. IPv6 provides multiple addresses per interface, link-local, global-unicast and unique local, a different addressing scheme than “on address per interface” that exists in IPv4. This offers different ways of host and network management. The stateless configuration of IPv6 along with ND provides independent host management from a centralized point. 5.2.1 IPv6 addressing and interface identifiers One of the reasons for developing IPv6 was the address exhaustion from IPv4. Hence it was decided that the new IP addresses should be 128 bit long compared to the 32 bit IPv4 addresses. In this way it was assured that the number of possible addresses will be enough to last for the foreseeable future and be used by all the internet capable devices. However, the differences do not reduce only to the high number of available addresses but it extends to the meaning of the address in the context of network and to the way of generating an address. Interface identifiers are used to uniquely define a host and can be generated in many ways, from manual to automatic or stateless configuration. The method to generate an IPv6 identifier by using the EUI-64 address format is defined in [44, p. Appendix A]. This method will be using the IEEE 802 address, also know was MAC (media access control address) to generate a global unique address. To EUI-64 address format will be added another 64 bits. These will define the scope of the IPv6 address as well as identify the subnet, company, ISP and registrant of that particular IP. The scope of an IPv6 address is to define its reach ability and routing policies in the local network and in the internet. Thus, address scopes can be defined as follows:
Interface-local: it represents loopback addresses. Link-local: address that has functionality only on the same network link. They cannot be router.
32
Unique local addresses it is an address that has significance only inside a certain domain or organization, thus it cannot be routed outside of that specific network. It is similar to IPv4 private addresses. Global: addresses that are routable on the internet; public addresses.
The fact that in IPv6 an interface can have multiple scope addresses can be seen as an increase in complexity, for both the data centres administrators as well as for the clients. However, at a closer look, this new addressing scheme is benefic for the data centres that host cloud services, as depicted in Figure 15. Unique local address can be used for server management or even VM management. In this way, the traffic can be easily divided between “control and management” and the other traffic. All the management services that run on a physical server or a VM can be bound to one unique local address, for better protection against outside attacks. Moreover, cloud service providers can easily create a management network inside the data centre without affecting usual traffic and with no access from the outside world. This would also reduce the complexity of the network, in case the administrators prefer not to use VLAN technologies. In the case a cloud computing provider offers services for virtual server and online storage separately, as Amazon EC2 does, the customer or the administrator would have the option of allowing only certain IPs to access the storage server (or virtual hard drive), which can be easily set and configured in servers like Samba. This would, however not be possible with IPv4, primarily because inside the data centres, the private range of IPv4 address is still used. Moreover, it is very likely that the addresses will change constantly as they are assigned by a DHCP server. With distinctive local addresses, private unique addresses can be bound to certain machine or servers (as it
Figure 15. Multiple addresses per interface and random generated addresses. will be seen later, IPv6 offers efficient methods for anti-spoofing as well). This will increase the security of the service that is deployed inside the cloud. Also, through a unique identification of host, unauthorized accesses can be easily logged and traced 33
inside the data centre, consequently reducing the probability of attacks coming from inside the network. Through multiple IP addresses per interface, the IPv6-enabled cloud-host unnecessary exposure to the outside internet can be reduced; a scenario is presented in Figure 15. A machine that runs in cloud can be both server and client. In this case, the host can have a global unique address for accepting an incoming connection, another one for queries as a client and another address for use in the local domain environment. For example a host will have a different address when responding to a DNS query than when initiating a connection with a peer. For ongoing connections, privacy extensions can be used, as they are defined in [45], for generating random addresses. This will create an “asymmetric” method of addressing, with the advantage that a certain machine can conceal its functions (server only or server/client). Furthermore, this will help when talking about IPsec and the SA created between peers. Through this method of multiple addresses per host and address per scope of client (server or client) a granular policy on how IPsec can manage packets can be employed.
Figure 16. Anycast Figure 16 presents a new concept in that IPv6 has brought: anycast. For better management of data access and communication in IPv4 there were three types of addresses created: unicast (one-to-one communication), broadcast (one-to-all communication) and multicast (one-to-many communication). However, a new addressing technique was introduced: anycast (one-to-one-of-many communication). More to the point, through unicast one host or source can access the data/server/host that is closest to its proximity, as presented in the above figure. Anycast can be used to determine the closest geographical data centre of the cloud computing provider. For example, in case a user travels from a country to another or from a continent to another, through the usage of anycast addressing, the client can access their data from the closed data centre. In conjunction with VM migration or any other type of data distribution techniques, anycast address could provide the easiest and the simplest way for traffic, data access and data withdrawal. Furthermore, anycast addresses seem to be the best way to efficiently use bandwidth and processing power, 34
by using the closest available resources. Also, in the world of Content Distribution Networks, networks which usually spread across multiple regions, anycast methods of accessing data fit perfectly. 5.2.2 Stateless approach The high number of IPv6 addresses and the incredible elastic nature of a cloud computing data centre create the perfect environment for stateless configuration of host, or in other words for the auto configuration possibilities without any persistent data stored on the network. Data centres that host cloud computing services distinguish themselves through an arbitrary number of servers or VM that run at some point on the network infrastructure. This means that the addressing of such a data centres would take a lot of man power. Even if DHCP is involved, in some cases, the configurations and number of servers needed would increase the complexity even more. The statement: “The stateless approach is used when a site is not particularly concerned with the exact addresses hosts use, so long as they are unique and properly routable.” [46] fits perfectly in the paradigm of virtual infrastructures. Data centres and their cloud services should focus on stateless configuration of their machines rather than on a centralized service. Regardless of the truistic nature of the statement “A complex entity will always generate more problems than a simpler one”, it is the ground stone for the world of data centres and implicitly cloud computing. As presented above, some security measures that are deployed can increase the complexity of the whole system (IPsec). Auto configuration reduces the burden of administrator when considering addressing of hosts in a network. Furthermore, in cloud computing environments, this is a benediction, because it fits perfectly on the dynamic nature of the data centres, with hundreds, if not thousands of VMs and server going online and offline at an incredible rate. Compared with IPv4 auto configuration, IPv6 takes it a few steps further. The machine is able to configure on its own, with all the information needed for both link access as well as internet access. Some argue that a DHCP server will still be a good idea, in order to provide the randomness of IPs, thus screening the host for possible attacks. However, IPv6 auto configuration can implement all the benefits of using a DHCP server. In [45] and [47] support the stateless approaches, by generating random addresses. Hence, some of the benefits of DHCP’s randomness of addresses can be easily substituted by this kind of IPs. Moreover, the issue of privacy arisen with the use of the MAC address in the interface identifier, [2, p. 282] [48], can yet again be easily solved by the host itself, through the same random generated addresses. Elasticity is a defining term for virtual infrastructures. It is very important that new resources are available as soon as possible to be used by upper layer services. That means the effectiveness and complexity of the addressing method is of utmost importance. DHCP servers, which are nowadays mandatory in big networks, face a challenge in being valuable. For example, DHCP request use broadcast messages to contact DHCP servers. In the best of the cases, at the expense of more configurations done to the routers, a DHCP server could attendant more networks, (they will have to 35
forward the host’s DHCP requests; DHCP relays). On the other hand, in the worst of the cases, this would mean that every segment of a network would have a DHCP server. Furthermore, even for basic connectivity, a host will still depend on the central server. The fact that a new, additional machine has to be deployed on the network, to provide even the basics connectivity, does not scale well with the need of fast available resources in data centres. Through stateless auto configuration hosts can configure themselves to the point they are available on the network (link-local). This will provide a basic connectivity and communication with the hosts on the same link. This means that as soon it is online the host can communicate to some degree and most importantly it will not depend on any other service for this. However, for broader communication address (site-local, global), the host has to petition information form a device that is indispensable to any network, hence it will be omnipresent in all networks: the router. The petition is done via multicast addressing, to a device already on the network and not to an additional one, like the DHCP server. It can be concluded that stateless configuration the complexity of the whole cloud computing data centre can be reduced. Furthermore, it supports the idea that by simplifying something you can afford the complexity of other, possibly more important systems. 5.2.3 Address validation The development of cloud computing with its huge processing power and affordability means that attackers have now more powerful tools than ever to accomplish their goals; hence attacks coming from the cloud computing providers are increasing steadily. Address spoofing has always been one of the means for hackers to hide their traces, high-jack traffic and more. Thus, cloud providers face a great responsibility in trying to stop such users to exploit their infrastructure as a platform for denial of service (DoS) or distributed DoS. In addition, the importance for cloud infrastructure providers to protect themselves against such attacks is even more imperative that in traditional environments. This is because the attacks are more likely to come from inside the cloud provider network and are focused on the information of the companies that use those providers. Address spoofing problem has been addressed many times and solutions have been proposed. Although there are methods in use today for filtering incoming packets and checking their source address as a mean of validation, these mainly apply at a macro level, without a method of checking the validity of the packets at a more grained level. Such examples are ingress filtering and unicast reverse path forwarding. Moreover, these do not provide any protection against spoofing attacks from within the network, attacks that are more likely to occur in a cloud data centre. DoS attacks can cause massive drainage of computing power, which, translated in “cloud” terms, might mean a heavy loss in availability and money. IPv6 and all the protocols behind it that provide extra functionalities bring viable solutions to the problem. By deploying full support for IPv6, cloud providers can easily 36
prevent spoofing attacks. Presented in [47], cryptographic generated addresses are offered as a solution to verify that the sender uses the address assigned to it. Furthermore they are themselves present as viable solutions for mobile environments [49], a benefit that can be exploited in the case of new cloud related services, as well as a benefit for cloud computing users, which can move from one network to another. IPv6 implementation can prove to be optimum for verifying the authenticity of a customer/client without deploying any key exchange infrastructure. With IPv4, attackers can use ARP as a way to high jack traffic and redirected to an unwanted host. As with IP addressing spoofing, ARP can be subject to the same kind of attacks. However, IPv6 does not use ARP protocol, but instead the neigbor discovery (ND) protocol takes all its tasks. ND can be as well subject to attacks, but, unlike ARP, ND can be protected and can be used against spoofing attacks. In [50] is presented a way of securing ND with the use of cryptographic generated addresses (Secure Neigbor Discovery). This is a huge benefit compared to what IPv4 has to offer, because this mechanism can be only applied to IPv6 networks and it is furthermore independent from IPsec. It can be clearly seen that IPv6 has more security and contra-attack measures options that can be used based on virtual environment. When talking about cloud computing data centres, intranet security is quite sensitive and has to have a great deal of concern for the security department. As stated before, in a cloud provider data centre, the attacks from within the network are more likely. Traditional source verification techniques that are now used in the IPv4 network do not validate the source address at host level, but rather at network prefix level (ingress filtering and uRPF). However in [51] is presented a solution based on IPv6 and SEND that can validate the addresses of the host inside a network. Through this method, data centres might be able to prevent the illegitimate use of addresses for spoofing attacks. Additionally, this method will protect providers from legal issues, such as liability form spoofing attacks and will discourage attackers to use cloud resources for their attacks. As the world of cloud computing is growing and seems to attract more services (gaming, video, blogging, etc.) accountability for user actions that exploit the recourse and power of the cloud data centres has to be deployed and as demonstrated, IPv6 being able to provide the best tools for this. In [52] a technique presenting a method of validating the source at a greater level, explicitly the source addresses can be validated as coming from the right host, or originating from the AS that it indicates where it comes from. This comes as a source validation solution, based solely on IPv6 that can be used in multi site data centres which are spread across multiple continents, similar to Amazon EC2. The two methods of source validation [51] [52], can be simultaneously implemented in data centres to prevent spoofing attacks within and as well as between the providers of different data centres. In [48], a thesis is promoted that by stateless auto configuration of the IPv6 host and the deterministic method of creating and IPv6 address, a host, and eventually a user can be easily geotagged, traced and its data traffic analysed, in some cases even with malicious intents. With CGA, the anonymity of the users is be secured. This is particularly welcomed when sensitive data is stored in the cloud and certain information 37
about the host must be concealed, primarily the embedded MAC address from the network identifier, for potential eavesdroppers. This will prevent a potential attacker to determine the predominant OS a certain network has. However, this will not reject methods for source validation IPv6 and all its aspects of flexibility is a perfect fit for all purposes the flexible virtual environment encompassed by cloud computing. It presents itself as a panacea protocol that is not only simple, but also offers viable solutions and options to a lot of problems that generate insecurity in the cloud computing businesses. Through IPv6, multiple security measures can be implemented based on the need of the provider as well as on the need of the user. Furthermore, when dealing with the new version of IP, one has to see pass the potential problem, as presented in [48], and accept that on the long run, its versatility offers solutions and means of improvement.
5.3 QoS benefits The internet is a best effort network in which there is no discrimination between the participants, packets, flows and users. All components are treated equally. A problem arises in the modern networks, in which more and more traffic sensitive applications are used and deployed around the world. Furthermore, as real time services between common users are growing in popularity: video conferencing, online gaming, audio services and financial information, it leads to a greater pressure on the networks to further advance in traffic quality policy. Quality of service (QoS) assures the services for providers to meet the requirements for certain types of data flow or packets, as stated in prior service agreements with the customers or based on their own needs. Service-level agreements (SLA) can bring advantages to cloud computing companies that provide some sort of real time software or services. Even though the implementation and inner workings of QoS in both IPv4 and IPv6 are mostly the same, there are still small, fine differences that can bring value to the companies that look to profit from them. QoS services are split into two main architectures: integrated services or IntServ and differentiated service or DiffServ. They provide two different modalities to implement QoS elements. IntServ uses the idea of resource reservations. In other words, before sending information to the destination, the source has to reserve the resource needed for that particular data flow. Moreover, the receiver has to reserve its own resources too, making this architecture unidirectional. Resource reservation will be persistent while the data flow exists. In addition, when the communication ends, the resources have to be explicitly released. To some extent, this approach resembles virtual circuit networks. The resource reservation in IntServ can be a problem in large virtual environments and can compromise the network. Every router along the flow of the data will have to maintain the state of the resources reserved. This tends to put a lot of strain on the equipments and processing efficiency. In large virtual environments with thousands of virtual machine instances, it can lead to inefficient use of infrastructure. Additionally, the persistence of the virtual circuits is not well suited for the flexible, 38
dynamic natures of the cloud computing environments. However, the existence of flow label field in IPv6 was designed bearing in mind such resource reservation techniques. It can be used to better identify packets of the same flow, or in the context of IntServ, of the same circuit. DiffServ method relies on a more coarse-grained approach. Contrary to the IntServ architecture, DiffServ has a per-hop-behaviour. That means that all equipments along the route that will analyse IP packets, will be able to make their own decisions based on some predefine policies. Data which will flow in the network that uses DiffServ will be classified depending on the provider’s needs or based on certain SLAs. For this to be accomplished, the bytes in the ToS field (IPv4) or Traffic Class (IPv6) are used to differentiate between packets and how they will be treated. Table 1 shows the different DSCP markings that are use for packet classification and behaviour. EF (express forwarding) is used to mark packets that are delay sensitive, like audio data. The rest represent different levels of importance, starting from tier 1, AF1, with its lowest drop policy, AF11, to the less important tier AF4, with its lowest priority sublevel AF43. Per Hop Behaviour BE EF AF1 AF2 AF3 AF4
Low Drop Medium Drop High Drop 0000 – No special treatment (best effort delivery) 101110 It is used for time critical applications 001010(AF11) 001100(AF12) 001110(AF13) 010010(AF21) 010100(AF22) 010110(AF23) 011010(AF31) 011100(AF32) 011110(AF33) 100010(AF41) 100100(AF42) 100110(AF43)
Table 1 IPv4 and IPv6 use these identifiers in the same way, so there is no difference in the methods of how DiffServ is implemented for either IPv4 or IPv6 networks. It is worth mentioning that QoS in cloud computing is more easily and more suitably implemented using later architecture. Data centres can apply their own QoS polices, independent from the outside world and they do not have to base them greatly with respect to other external infrastructures, due to the fact that different DSCP are mapped locally. Problems can arise in both architectures, but the small improvements in IPv6 can work out some of them. As mentioned earlier, the flow label field in IPv6 header was created to improve such architectures. Papers such as [53] analysis the performance of using flow label in QoS implementation and provide an alternate solution to the already existing IPv4 only QoS. This reflects the flexibility of new IPv6 based QoS techniques. Flow label can change the way QoS is deployed in data centres. In IPv4, a packet is determined to belong to the same data stream, and hence same policies should be applied to it, based on a 5-element tuple: source address, destination address, protocol, source port and destination port. Because of flow label in IPv6, routers base their QoS decisions and which policies to use on just a 3-element tuple: source address, destination address, flow label. As it can be seen in picture 4, flow label is placed before the source and destination addresses; all information about the packet is immediately 39
available regardless of higher headers or protocols. This is not possible with IPv4, which has to analyse the TCP or UDP header for the source and destination ports. Furthermore, IPv4 5-element tuple raises another problem: “Quality of Service (QoS) is available in IPv4 and it relies on the 8 bits of the IPv4 Type of Service (TOS) field and the identification of the payload. IPv4 Type of Service (TOS) field has limited functionality and payload identification (uses a TCP or UDP port) is not possible when the IPv4 packet payload is encrypted.” [54] This affirmation is also backed up in the book “Deploying IPv6 networks”. [55, p. 179] This means in some cases, the cloud providers using IPv4 cannot offers QoS services to users that want to uses encryption on their traffic. On the other hand, with IPv6 and flow label, proper QoS is not lost due to encryption that might happen with IPsec or at higher level. The network management can take benefits by the QoS that IPv6 can offer. With flow label, packets can be separately managed, even when security protocols are deployed. Furthermore, the fact that control protocols can be secured with encryption (NDP; Mobile IPv6 updates (binding updates, etc.)), raised the problem of proper flow based QoS. In a fully dynamic environment as the one in cloud computing data centres, troubleshooting, error reporting, management, configuration, etc. have to have priority, so that the resources will be rapidly and highly available. Management traffic can be treated as of critical importance traffic even when IPsec has been deployed for encryption the traffic. IPv4 allows fragmentation of packets along the route from source to destination. The most important part of fragmentation is MTU or maximum transmission unit. It refers to the maximum length that a packet can have when sent across the network form the source to destination and it is usually 1500 bytes. In the case the packet exceeds the MTU of the link, routers along the path will fragment it. This creates two problems. Firstly, by fragmentation, the router processing power is used for splitting the packets into smaller ones, with respect to the MTU. Secondly, the overhead of the packets is increased, because of the fragmentation flag and fragment offset field have to be set and calculated. The effect of these problems is usually increased delay and, in the case of heavy traffic, it can create congestion due to packet processing time. As a result QoS has to suffer in case of packets exceeding the MTU; excess MTU can break QoS. IPv6 does not allow the intermediate fragmentation of the packets. To support this requirement, the minimum MTU of IPv6 packets has increased to 1280 bytes, as well as the need for any node to use path MTU to discover the maximum size of a packet between itself and the destination. As a consequence, IPv6 can provide better and faster data delivery and suites better the modern networks, in which there is an increase of traffic composed out of time sensitive data or file transfer. Furthermore, in case the fragmentation is still needed, it is done only end-to-end and does not put any pressure on the intermediate network that lay between the source and destination. The fragmentation header is used, so the routers along the path will not have to analyse or process this header. In [56], data centre design requirements have been modelled in order to cut the problems that occur in data centres and impose more traffic engineering techniques both in data centre and the outside networks. These are: 40
Multipath routing. Coordinated scheduling using a global view of traffic. Exploiting short-term predictability for adaptation.
Correlating the data centre requirements stated above with the following quote: “We find that existing techniques perform sub-optimally due to the failure to utilize multipath diversity, due to the failure to adapt to instantaneous load, or due to the failure to use a global view to make routing decisions.” [56]. It seems that IP related problems like load balancing and multipath traffic engineering represent a big dilemma in data centres and consequently to cloud computing. IPv4 provides some solutions to these problems, particularly to the multihoming technique; the technique through which one customer has two or more connection to ISPs for redundancy and load balancing. Even though IPv4 offers solution to multihoming [57], there is more effort put into bringing all the possible solutions and advantages that can IPv6 bring to these problems, though multi6 IETF working group. RFC 6438 [58] presents a solution that uses the unique feature of IPv6, the flow label, for a technique that will allow multipath routing in the tunnelled environments. As a lot of companies might opt to use to tunnel their traffic, through IPsec or other protocols, this solution would provide to be optimum for a data centres to uniformly distribute their outgoing traffic between more providers. In the long run, the new IP will provide new benefits to the modern data centres and to future cloud computing services. As seen in [58], the new features that exist in IPv6 are already used for improving traffic engineering and QoS methods that can be applied to benefit the data centres and the cloud computing services.
5.4 Performance benefits Performances along with resource availability are two characteristics that define the quality of one cloud service; they are the corner stone that can destroy or help develop an online service provider. As a consequence, these two features must have priority in their importance. IPv6 can improve both of these, adding value to the service that the provider is offering. Anycast can improve resource availability and latency as well as provide location aware rerouting. Broadcasting, as it will be presented, is of extreme sensitivity when situated in the context of data centres. Fortunately, IPv6 has the means through its design and collateral protocols (ND, ICMPv6) to offer pertinent solutions that do not imply a change in the cloud computing paradigm. 5.4.1 Load balancing A previous chapter underlined the benefits of opting out NAT equipments form the network. However, the benefits of this action apply to a client/server connection, as, for example, between a client and its VM or virtual server. In the case of a PaaS or SaaS 41
infrastructure, a one-to-one connection between the client and a peer (VM, physical server, VPS) service is unlikely. Load balancing is, however, of much greater importance when talking of PaaS and SaaS. Clients’ request, information and information access of the services is split among a large number of machines. In this way optimum performance is offered to the end consumer. For this reason an efficient method of distributing the load among these machines is imperative. IPv6 Anycast proves to be a feasible solution for improving the load balancing and failover mechanisms. Figure 16 offers a view of what an anycast address is: severs with the same IP address are located at different geographical locations; when a client request services from these servers, the ones that are closest to the client will answer. The advantage of this addressing scheme is that it offers the possibility of failover mechanisms without the need for any heavy reconfiguration in the eventuality of data centres going offline. With IPv6 anycast, optimum solutions can be more easily achieved in case of decreased complexity and availability in cloud computing data centres. As presented in the paper “Anycast as a Load Balancing feature” [59], it is shown how anycast can provide the means of failover mechanisms between the load balancers of the same company. Furthermore, as it was concluded in the paper, anycast is a solution for fast network recovery in case of data centres failure. Also, it offers the means of reducing complexity and administration costs. Anycast is a stateless mechanism. As a result, anycast cannot assure that the datagrams of the same data flow will always be delivered to the same location. This means that in some case, TCP session cannot be sustained or kept alive. This means that, by itself, anycast addressing scheme can be used for UDP transmissions. DNS services, as a protocol that uses mainly UDP, can be created to be aware of anycast addressing. This created a support for geo-aware DNS, which can provide low latency and optimum resource allocation to customers. As an example, Amazon already provides this method in its Router 53 DNS service. [60] However, at this time this is supported only over IPv4. The modular nature of IPv6 can provide improvements for anycast as well. This signifies that based on certain needs, methods can be created to provide the services required for cloud computing providers. In the article “IPv6 Anycast Routing aware of a Service Flow” [61], a solution is presented based on functionalities of neighbour discovery protocol; the state of a certain traffic flow can be sustained and redirected to the same server, every time an anycast service is used. Furthermore, it has to be pointed out that such solutions are transparent and independent from upper layer application. This creates the perfect environment for cloud computing software and application since they do not have to be modified to support new IPv6 functionalities. In the short introduction of load balancing [24]a method called Direct Routing is presented as being one of the most efficient ones. It implies the use of a load balancer that changes the destination MAC address on the fly such that every time a different server answers the request. Furthermore, each server behind the load balancer will use the same virtual IP address to answer to the requests. However, this method, as pointed out in the article, presents a difficulty in deployment: the servers behind the load 42
balancer do not need to answer the ARP request as this will destroy the functionality of this load balancing method (every MAC will be mapped to a different IP, and not to a Virtual IP). As it was already mentioned, IPv6 does not need the use ARP, as it was replaced by a new protocol, neigbor discovery. Therefore, it can be possible to avoid the problem of ARP response and create a more efficient way for the load balancer to create a poll of MAC addresses of the servers behind it through ND mechanisms. 5.4.2 Broadcast efficiency Broadcast is a legacy method presented in Ethernet communications which is characterized by the flooding of the network with layer 2 datagrams. A broadcast domain is represented by a LAN segment through which broadcast datagrams can be propagated to all host residing on the particular LAN. ARP and DHCP base their services on this method of host access. In small scale networks in which all broadcast domains have a small or moderate number of hosts, flooding the network with traffic in order to find the needed destination might not be problematic. However, in data centres broadcasting traffic might prove to be wasteful and dynamic enough.
Figure 17. Structure of a data centre and exponential number of machines When traffic flooding occurs, it will be forwarded all around the network. As presented in the Figure 17, if broadcast occurs all the servers in the data centre cluster will “hear” it; all links will be affected by the traffic. The switch to which all the servers are connected will forward the datagrams to all neighbouring host. The ratio of VM per server, as stated in [15, 16] can reach quite high numbers, 12:1 or 15:1 with high likelihood that this ratio will increase even more in the near future. This is portrayed by Figure 17 in which every rack can hold a high number of servers which in turn have a large number of VM. [17] This leads to the idea that on only one link, high numbers of hosts will reside (15+). Furthermore, in a presentation by David Hadas of IBM Haifa Research Lab [6], it is stated that the number of physical and virtual network interfaces that might exists in a large data centre can reach up to 100,000,000. In the paper “The Cost of a Cloud” [25], it is stated that a layer 2 domain can support up to 4,000 hosts. “Moreover, since ARP is required between each source and destination pair, its 43
broadcasting overhead increases in proportion to the number of communicating host pairs.” [62] As a result, in data centres, the overhead of broadcasting and broadcasting based services, as ARP, DHCP, NetBIOS, etc. means the decrease in bandwidth efficiency. However, due to the limitation of Ethernet broadcast the L2 domain is usually split to support up to a few hundred hosts, through VLAN technologies, although this leads to extra configuration and inefficient use of IP addresses. [62, p. 1] Even when logically dividing the broadcast domain for better optimization, Ethernet still experiences scalability problems. Consequently, no broadcast flooding is desirable in data centres, or at least the reduction of such traffic must be crucial. IPv6, as presented many times, renounces the service of ARP and in some case the services of DHCP. IPv6 uses multicast for L2 address discovery. This method reduces the amount of unsolicited traffic to be propagated through the network. ARP or address resolution protocol is used for mapping MAC addresses to IP addresses. When a host wants to send messages to a specific destination, it requires the destination MAC and destination IP addresses. Through different means, the destination IP address is determined or already known. In case the source does not have the destination MAC address in cache, it has to detect it. This is done through flooding the network with a packet which contains the destination IP address, that is already known and the broadcast MAC address: FF:FF:FF:FF:FF:FF. This message reaches all hosts on the LAN segment, but only the host with the specified destination IP address responds. In a cloud computing data centre these requests might happen more frequently than in a common network. One of the reasons is the dynamic nature of the network topology, in which host/servers/client go on and offline in a very fast manner, based in the need of the upper layer software and services provided to the customers. ND takes the place of ARP. Instead of broadcast, it uses multicasting for address resolution. When performing address resolution, the source sends the request with the solicited-node multicast address IP destination and multicast MAC address as destination. The solicited-node multicast address is formed by adding the prefix ff02::1:ff/104 to the 24 least significant bits of the link-local unicast address, resulting in and address of the from: ff02::1:ffXX:XXXX. The destination MAC address is similarly created, by adding the multicast prefix 33:33:FF in front of the 24 least significant bits of the same link-local unicast IPv6 address, resulting in a destination MAC address of 33:33:FF:XX:XX:XX. As the destination host already joins the multicast group determined by ff02::1:ffXX:XXXX and 33:33:FF:XX:XX:XX, it is, the only host that will receive the address resolution request. Thus, no other host on the LAN is disturbed with unnecessary requests. In some cases, due to address conflict, more than one host can receive the message. However, the number of hosts that will be affected is small. Furthermore, for optimum and true no-broadcast environment, the switches that exist in the network must support MLD snooping, for proper and true multicasting. As can be seen from the comparisons of ARP and ND and how broadcasting is avoided with IPv6, it can be concluded that by deploying IPv6 in a data centre, the goal of reducing flooding traffic might be achieved. With the high number of servers and 44
VM that will function simultaneously in cloud computing data centres, correlated with the low flexibility and performance of broadcast services, as well as the imposing need of reducing broadcasting, IPv6, with its ND protocol can provide an optimum future solution.
5.5 Mobility benefits Mobile internet services are becoming very affordable for the common customer. This indicates that cloud computing services will be more and more accessed from mobile devices that roam between different networks. They will present the focal point of the mobile internet: “The killer application for cloud computing is mobile computing: equally, the killer app for mobile computing is the cloud. [...] Without cloud computing services, mobile devices offer limited capabilities.” [63] Moreover, as future companies and businesses move to the cloud, the cloud will take the role of “home data centre”. As a result, both mobile internet and cloud services providers should be interested in deploying the most efficient solution for providing mobility.
Figure 18. Mobile IPv4 The idea of mobile IP is to provide a solution to the connectivity problem when one host moves from an initial, home network to a foreign one. As the IP address changes as a result of this migration, all communication sessions that were initiated in the home network will break down. Therefore, mobile IP for IPv4 was created, its basic communication mechanisms are presented in Figure 18 along with its two most common scenarios. 45
MIPv4 poses some rather serious limitations that, in some cases, make it difficult, if not impossible, to deploy and use. Firstly, for mobile IP to work with IPv4, a foreign agent must exist in the foreign network. This is needed to manage all the communication between the MN (mobile node) and the HA (home agent) as well as determining that MN is on a foreign network. However, plenty of networks all over the world do not deploy such a device, meaning that, in some cases, mobile IP cannot be used at all. Secondly, MIP uses triangular routing, scenario number 1 presented in Figure 18; data from a certain node to the mobile node is routed through a home agent, while returning traffic is direct. However, because of the limitation of IPv4, this technique might be problematic. The MN uses its home address as source address. This can pose problems because it might be seen as spoofing attacks. This can be averted, by tunnelling: all traffic is routed through the HA and FA and encapsulated in IP-IP or other protocols. MIPv6 is not an addition to IPv6, as is the case with MIPv4. It is an integrated functionality. This means that all IPv6 capable devices on the internet can, theoretically, use all the functionalities of the mobile IP. Moreover, in the next generation mobile protocol, no FA (foreign agent) is used. This results in MIP being a real mobile solution. Devices and users will depend only on the policies of the companies that will want to implement such a feature; they will still have to deploy a HA. In most cases, due to source addresses verification, in MIPv4, tunnelling all traffic between FA and HA will be the choice. The latency and the overhead of the tunnelling protocol can be fatal to real time communication. The time between an IPv4 MN’s arrival in a foreign network and the moment it can start receiving packets can be quite high, due to all the setup messages that have to be exchanged. As well, the encapsulation of the original packet into another IP packet, (IP-IP, IPsec, etc.) increases the overhead. In MIPv6 all traffic between MN and CA is forwarded by default through the home agent. However, unlike mobile IPv4, the modular nature of IPv6 is used; a new mobility header is defined, that handles all the necessary information between the mobile node and its home agent. The traffic flow is more efficient and the traffic can be better handled. Also, MIPv6 proposes a technique that will help avert the HA in case of congestion or just for better, direct connection between MN and CN: route optimization. Through this method, direct, bidirectional communication can be achieved between the two nodes. Moreover, to reduce latency and improve reliability for real time applications, MIPv6 improves the handovers of connections from the home network to the new one. [64] As stated in a previous chapter, virtual machine migration is one of the main problems that are present in virtual data centres around the globe. By moving powered on VM machine across a network, data centres can improve their scalability and resource efficiency and availability. As a physical server gets overwhelmed, a solution to keep providing services to the customers is moving the VMs to machines that are either lightly used or newly attached on the network. One of the most used methods for VM relocation is live migration. It provides the means to move a VM across the same link. Before a virtual machine is moved all its 46
information (memory, storage, and network connectivity) are first copied to the destination. However, this method has a rather low coverage, as the machine can be moved only on the same LAN segment. Also, it has applicability with both IPv4 and IPv6. Nevertheless, because of the addressing structure of IPv6, the basic connectivity of an IPv6 host is achieved very quickly, with the use of the link-local address. So, in the case that new servers are attached to the network, they will become available very fast for the potential migration of VMs. Methods have been proposed, related to MIPv6 that take the live migration technique at a global scale, such as presented is the paper: “A Performance Improvement Method for the Global Live Migration of Virtual Machine with IP Mobility” [27] As previously presented, anycast can provide geo-location mechanisms. Therefore, with IPv6 anycast along with the MIPv6 and global live migration, new techniques can be development such that VMs can be moved automatically to a data centre closer to the user. This will provide beneficial resource optimization, for both data centres, that will be able to optimize their bandwidth and resource use, and customers, who will benefit from high internet speed and lower delays. Basic functionality is presented in Figure 19.
Figure 19. MIPv6 and VM migration The initial communication between the user and a cloud computing based VMs is done in a direct fashion, as presented. When the MN moves its location, it announces that to the HA, which binds the care-of-address to the home address. Now, the data flows from the MN to the HA and VM. For location determination, a route optimization has to be started in order for the virtual machine to determine the true address of the mobile node. Based on the address, the VM takes the decision to migrate or not. In case it determines that moving to a new data centre is optimal, the VM can apply live 47
migration procedures, as presented in [27] or [65]. While the machine is moved to a new location, the traffic flows through the original path. After the migrating has finished, the temporary traffic is routed through the data centre HA, client’s HA and MN. Again, a route optimization procedure takes place, which will connect the mobile node and the VM directly. Based on the general and most obvious drawback presented above, mobile IPv4 proves to be at best a transition mechanism. Due to the need for an FA on the foreign network, it is unlikely that MIPv4 will be deployed on a large scale. In addition to address depletion, MIPv4 will not be able to cope with the increasing number of mobile devices that will access the internet. Moreover, as the cloud computing world is increasing in both importance and communication sensitive applications that might be offered by cloud computing providers, the need for continuous-sessions communication is paramount. MIPv6 presents itself as the perfect answer. Furthermore, as internet services will be available on fast moving means of transportation (cars, trains, airplanes), and as more and more mobile terminals (iOS, Android, Windows Phone 7, etc.) are getting online every day, session control and localization are important for true, reliable and interactive services.
48
6 Conclusions
As cloud computing is increasing in popularity among common user, businesses and even governmental agencies, the importance of better performance, security and reliability is greater than ever before. Data stored and accessed from the cloud has to be properly secured and available at any time, such that client’s confidence in such services could break the insecurities that are nowadays wide spread towards security, bad handling of sensitive data, etc. IPv4 has long been and still is the dominant protocol in the internet. As a consequence it is also deployed and used on a large scale in data centres all over the world. However, IPv4 is an outdated protocol that is not suitable to cope with the large network topologies presented nowadays in the internet. The workarounds developed along the years to preserve the address pool and to give new additional functionalities, have created from IPv4 a cumbersome, sometimes hard-to-manage protocol. The future importance of virtualization and virtual environments along with the possible division of ISPs between traditional ISPs and virtual ISPs will put an even bigger pressure on how IP addressing behaves and performs in data centres. IPv6 is the next protocol that has some obvious, first hand advantages over its predecessor. It was created from the idea of a new protocol that can handle a huge number of hosts, in complicated network topologies. It was created as being a protocol that is self depended, through autoconfiguration. All the inefficient mechanisms, such as ARP and broadcast have been removed and replaced with others ones. While the obvious advantages, like the huge address pool, provide improvement and benefits to the data centres, other advantages are a direct consequence of these first hand improvements. The possibility to avoid NAT, gives the option for cloud computing providers to offer proper end-to-end security to the customers that really need or want such features. IPsec, as an integrated feature of IPv6, can provide a native solution for security problems. Traffic can be better filtered at network level, offering transparent and independent security from the upper layer applications. The structure of IPv6 addressing scheme gives the possibility for better optimization and management of traffic that flows inside and between the internet and data centres. As the number of potential unique addresses is big, new solution can be given to source address validation techniques, which were not able to be applied or were unpractical with IPv4. QoS and the new flow label in the header, together with “no fragmentation” along the route of the packets, created a better environment for real-time application and traffic. Furthermore, the fact that cloud computing services are usually deployed on a global scale, localization becomes an important feature. Anycast provides a native method and less unwieldy techniques for localization. Traffic can be better forwarded towards the data centres that are the closest to the user, thus, offering the best possible network performance, in respect to bandwidth and 49
latency. Load balancing can take advantages of the anycast addresses of IPv6 in the same manners as localization. Moreover, IPv6 offers a more realistic method for its version of Mobile IP. Studies were and are still carried to optimize and model MIPv6 to offer the means for data centres to adapt to changing resource requirements. VMs can be moved as needed, between physical server and between data centres, providing a new step in resource scalability and availability. MIPv6 brings the resources in closer proximity to the users. IPv6 is a scalable and modular protocol. As it was seen plenty of times, it offers the advantages of being flexible in adding new features and options based on data centres’ requirements. This is done with little to no intervention in the structure of the internet or applications that use the network infrastructures. The advantages that it brings over IPv4 open a new spectrum of possibilities. With IPv6, cloud computing could really benefit from the improvements that the next generation IP brings. IPv6 will create a friendlier environment in which cloud based services will develop, probably, at a faster scale. Additionally, putting the very well known advantages of IPv6 in the context of data centres and cloud computing, has the benefit of creating a more clear idea of the options that will arise once IPv6 is fully deployed in the data centres. IPv6 was not developed with the cloud computing paradigm in mind. However, it was shown that it presents itself as a much better protocol, whose improvements seem to fit perfectly on the problems that data centres face or might face in the future. Even though, the full deployment of a native IPv6 infrastructure might be regarded as rather expensive, both by network administrators and managers, the benefits outweigh the costs. Less complicated infrastructures with more efficient communication and partially autoconfigured host are a good trade-off. Getting the advantages of IPv6 over IPv4, the obvious and less obvious ones and putting them side by side with the cloud computing world, has the potential of portraying a better picture of the importance that IP next generation has in the development of cloud computing.
50
7 Bibliography
[1] [2] [3] [4] [5]
[6]
[7] [8]
[9]
[10]
[11] [12]
[13]
[14]
[15]
[16]
J. Turner and D. Taylor, Diversifying the internet, Proceedings of IEEE GLOBECOM, 2005, pp. 755--760. P. Loshin, IPv6 Theory, Protocol and Practice, 2nd ed., Elsevier, 2004, pp. 14-15. S. Kent, IP Authentication Header, RFC 4302, IETF, 2005, p. 34. S. Deering and R. Hinden, Internet Protocol, Version 6 (IPv6) Specification, RFC 2460, IETF, 1998, p. 39. K. Nichols, S. Blake, F. Baker and D. Black, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, RFC 2474, IETF, 1998, p. 19. D. Hadas, Network Abstraction The Network Hypervisor, Haifa Research Lab, November 2010. [Online]. Available: http://www.research.ibm.com/haifa/Workshops/cloud2010/present/David_Ha das_AbstractedNetworks.pdf. [Accessed 21 November 2011]. A. Myers, T. E. Ng and H. Zhang, Rethinking the Service Model: Scaling Ethernet to a Million Nodes, 2004. N. Feamster, L. Gao and J. Rexford, “How to Lease the Internet in Your Spare Time,” ACM SIGCOMM Computer Communication Review, vol. 37, pp. 61-64, 2007. P. Ganore, Virtualization – A Little History, ESDS , 11 November 2011. [Online]. Available: http://www.esds.co.in/blog/virtualization-a-little-history/. [Accessed 18 November 2011]. J. De Clercq, D. Ooms, M. Carugi and F. Le Faucheur, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN, RFC 4659, IETF, 2006, p. 48. T. Anderson, L. Peterson, S. Shenker and J. Turner, Overcoming the Internet impasse through virtualization, Computer, vol. 38, pp. 34 - 41, april 2005. VMware, Performance Comparison of Virtual Network Devices, 2008. [Online]. Available: http://www.vmware.com/files/pdf/perf_comparison_virtual_network_devices _wp.pdf. [Accessed 22 November 2011]. Oracle Corporation, Oracle VM VirtualBox User Manual, 2011. [Online]. Available: http://download.virtualbox.org/virtualbox/UserManual.pdf. [Accessed 22 November 2011]. WMware, Virtual Network Components, WMware, [Online]. Available: http://www.vmware.com/technical-resources/virtual-networking/networkingbasics.html. [Accessed 22 November 2011]. WMware, Increase Energy Efficiency with Virtualization, WMware, [Online]. Available: http://www.vmware.com/solutions/green-it/. [Accessed 23 November 2011]. K. Marko, Server Virtualization Panacea Or Over-Hyped Technology?, Tech & Trends, vol. 29, no. 6, p. 24, 9 February 2007 . 51
[17] S. Rupley, Eyeing the Cloud, VMware Looks to Double Down On Virtualization Efficiency, Gigaom, 27 January 2010. [Online]. Available: http://gigaom.com/2010/01/27/eyeing-the-cloud-vmware-looks-to-doubledown-on-virtualization-efficiency/. [Accessed 23 November 2011]. [18] H. Shah, A. Ghanwani and N. Bitar, ARP Broadcast Reduction for Large Data Centers, Proposed Standard Internet Draft, IETF, 2011, p. 9. [19] C. Thacker, Rethinking data centers, 2007. [Online]. Available: http://netseminar.stanford.edu/seminars/10_25_07.ppt. [Accessed 24 November 2011]. [20] W. John and S. Tafvelin, Analysis of internet backbone traffic and header anomalies observed, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, pp. 111--116, 2007. [21] R. K. Murugesan, S. Ramadass and R. Budiarto, Improving the performance of IPv6 packet transmission over LAN, IEEE Symposium on Industrial Electronics Applications, vol. 1, pp. 182 -187, October 2009. [22] D. Simmons, IPv6 protocol overhead, Caffeinated Bitstream, 11 November 2010. [Online]. Available: http://cafbit.com/entry/ipv6_protocol_overhead. [Accessed 24 November 2011]. [23] E. Ertekin, C. Christou and B. A. Hamilton, IPv6 Header Compression, June 2004. [Online]. Available: http://www.6journal.org/archive/00000068/01/Emre_Ertekin_Christos_Christ ou.pdf. [Accessed 24 November 2011]. [24] Loadbalancer.org , Loadbalancer.org supported load balancing methods, Loadbalancer.org , [Online]. Available: http://loadbalancer.org/load_balancing_methods.php. [Accessed 24 November 2011]. [25] A. Greenberg, J. Hamilton, D. A. Maltz and P. Patel, The cost of a cloud: research problems in data center networks, SIGCOMM Comput. Commun. Rev., vol. 39, no. 1, pp. 68--73, December 2008. [26] E. Harney, S. Goasguen, J. Martin, M. Murphy and M. Westall, The Efficacy of Live Virtual Machine Migrations Over the Internet, Second International Workshop on Virtualization Technology in Distributed Computing, pp. 1 -7, November 2007. [27] H. Watanabe, T. Ohigashi, T. Kondo, K. Nishimura and R. Aibara, A Performance Improvement Method for the Global Live Migration, Proc. the Fifth International Conference on Mobile Computing and Ubiquitous Networking (ICMU 2010), April 2010. [28] R. Bradford, E. Kotsovinos, A. Feldmann and H. Schiöberg, Live wide-area migration of virtual machines including local persistent state, Proceedings of the 3rd international conference on Virtual execution environments, pp. 169-179, 2007. [29] Trend Micro, Cloud Insecurities: 43 Percent of Enterprises Surveyed Have had Security Issues With Their Cloud Service Providers, 6 June 2011. [Online]. Available: http://apac.trendmicro.com/apac/about/news/pr/article/20110926071604.html. [Accessed 10 March 2012]. [30] S. Bugiel, S. Nürnberger, T. Pöppelmann, A.-R. Sadeghi and T. Schneider, 52
[31] [32] [33]
[34] [35]
[36] [37] [38] [39]
[40] [41]
[42] [43] [44] [45] [46] [47] [48]
[49]
AmazonIA: when elasticity snaps back, Proceedings of the 18th ACM conference on Computer and communications security, pp. 389--400, 2011. M. Chung and J. Hermans, From Hype to Future, KPMG, Amsterdam, 2010. V. Kundra, Federal Cloud Computing Strategy, The White House, Washington, 2011. L. Badger, D. Bernstein, R. Bohn, F. de Vaulx, M. Hogan, J. Mao, J. Messina, K. Mills, A. Sokol, J. Tong, F. Whiteside and D. Leaf, High-Priority Requirements to Further USG Agency Cloud Computing Adoption, vol. 1, Gaithersburg: National Institute of Standards and Technology, 2011. C. Barnatt, A Brief Guide to Cloud Computing, London: Constable & Robinson Ltd., 2010. Amazon, Feature Guide: Amazon EC2 Elastic IP Addresses, Amazon, 31 July 2010. [Online]. Available: http://aws.amazon.com/articles/1346. [Accessed 12 march 2012]. C. Kaufman, Internet Key Exchange (IKEv2) Protocol, RFC 4306, IETF, 2005, p. 100. T. Kivinen, B. Swander, A. Huttunen and V. Volpe, Negotiation of NATTraversal in the IKE, RFC 3947, IETF, 2005, p. 17. S. Kent and K. Seo, Security Architecture for the Internet Protocol, RFC 4301, IETF, 2005, p. 101. IBM, Authentication Header, IBM, [Online]. Available: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frza ja%2Frzajaahheader.htm. [Accessed 20 March 2012]. A. Shacham, B. Monsour, R. Pereira and M. Thomas, IP Payload Compression Protocol (IPComp), RFC 3173, IETF, 2001, p. 13. Oracle, Planning an IPv6 Addressing Scheme (Overview), Oracle, [Online]. Available: http://docs.oracle.com/cd/E19082-01/819-3000/ipv6-overview7/index.html. [Accessed 21 March 2012]. N. Ziring, Router Security Guidance Activity (SNAC), National Security Agency, Maryland, 2006. S. Szigeti and P. Risztics, Will IPv6 bring better security?, Proceedings in Euromicro Conference, pp. 532 - 537, August 2004. R. Hinden and S. Deering, IP Version 6 Addressing Architecture, RFC 4291, IETF, 2006, p. 25. T. Narten, R. Draves and S. Krishnan, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, RFC 4941, IETF, 2007, p. 23. S. Thomson and T. Narten, IPv6 Stateless Address Autoconfiguration, RFC 2462 , IETF, 1998, p. 25. T. Aura, Cryptographically Generated Addresses (CGA), RFC 3972, IETF, 2005, p. 22. S. Groat, M. Dunlop, R. Marchany and J. Tront, IPv6: Nowhere to Run, Nowhere to Hide, International Conference on System Sciences (HICSS), pp. 1 -10, January 2011. S. Qadir and M. U. Siddiqi, Cryptographically Generated Addresses (CGAs): A survey and an analysis of performance for use in mobile environment, IJCSNS International Journal of Computer Science and Network Security, 53
[50] [51]
[52]
[53]
[54]
[55] [56]
[57] [58] [59]
[60] [61] [62]
[63]
[64] [65]
vol. 11, no. 2, pp. 24-31, 2011. J. Arkko, J. Kempf, B. Zill and P. Nikander, SEcure Neighbor Discovery (SEND), RFC 3971 , IETF, 2005, p. 56. A. Kukec, M. Bagnulo and M. Mikuc, SEND-based source address validation for IPv6, International Conference on Telecommunications, pp. 199 -204, June 2009. P. Tan, Y. Chen, H. Jia and J. Mao, A hierarchical source address validation technique based on cryptographically generated address, Computer Science and Automation Engineering , vol. 2, pp. 33 -37, 2011. E. Ahmed, M. Aazam and A. Qayyum, Comparison of various IPv6 flow label formats for end-to-end QoS provisioning, IEEE 13th International Multitopic Conference, pp. 1 -5, December 2009. omnisecu.com, “Limitations of IPv4,” omnisecu.com, 2008. [Online]. Available: http://www.omnisecu.com/tcpip/ipv6/limitations-of-ipv4.htm. [Accessed 28 April 2012]. C. Popoviciu, E. Levy-Abegnoli and P. Grossetete, Deploying IPv6 Networks, Indianapolis: Cisco Pres, 2006. T. Benson, A. An, A. Akella and M. Zhang, The Case for Fine-Grained Traffic Engineering in Data Centers, Proceedings of the 2010 internet network management conference on Research on enterprise networking, pp. 2-2, 2010. J. Abley, K. Lindqvist, E. Davies, B. Black and V. Gill, IPv4 Multihoming Practices and Limitations, RFC 4116, IETF, 2005, p. 13. B. Carpenter and S. Amante, Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels, Internet-Draft, IETF, 2011, p. 10. F. Weiden and P. Frost, Anycast as a load balancing feature, Proceedings of the 24th international conference on Large installation system administration, pp. 1--6, 2010. Amazon Web Services, Amazon Route 53, Amazon Web Services, [Online]. Available: http://aws.amazon.com/route53/. [Accessed 13 May 2012]. Y.-H. Kang and B.-G. Jung, IPv6 Anycast Routing aware of a Service Flow, IEEE International Symposium on Consumer Electronics, pp. 1 -4, June 2007. C. Kim and J. Rexford,“Revisiting Ethernet: Plug-and-play made scalable and efficient, Proceedings of the 2007 15th IEEE Workshop on Local and Metropolitan Area Networks, pp. 163-168, 2007. Vodafone, Cloud computing and enterprise mobility, Vodafone, 24 January 2011. [Online]. Available: http://enterprise.vodafone.com/insight_news/2011-0124-cloud-computing-and-enterprise-mobility.jsp. [Accessed 15 May 2012]. R. Koodli, Mobile IPv6 Fast Handovers, RFC 5568, IETF, 2009, p. 51. J. Chen and X. Chen, Mobile IPv4/IPv6 virtual machine migration transition framework for cloud computing, Journal of Convergence Information Technology, vol. 7, no. 3, pp. 226-232, 2012.
54
