Technical Field
This disclosure relates generally to protecting resources in a virtualized networking environment.
Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on-demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. An example application might be one that provides a common set of messaging functions, such as email, calendaring, contact management, and instant messaging. A user would then access the service directly over the Internet. Using this service, an enterprise would place its email, calendar and/or collaboration infrastructure in the cloud, and an end user would use an appropriate client to access his or her email, or perform a calendar operation.
Cloud compute resources are typically housed in large server farms that run network applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines.
Software Defined Networking (SDN) is a new network paradigm that separates each network service from its point of attachment to the network, creating a far more dynamic, flexible, automated, and manageable architecture. Using this approach, administrators can easily move virtual resources throughout the network, create private virtual networks that meet specific performance and security needs, and use a host of other high-value applications. SDN abstracts flow control from individual devices to the network level. Similar to server virtualization, where virtual machines are de-coupled from the physical server, network-wide virtualization gives administrators the power to define network flows that meet the connectivity requirements of end stations and to address the specific needs of discrete user communities. SDN pulls the intelligence away from the hardware while still implementing rich feature sets. SDN uses a modular approach that is structured and layered to provide the same functions as a traditional network device, yet in a centralized and highly-available fashion.
SDNs address the administration requirements of large scale networks, both physical and virtual. Using an SDN, service providers that deliver network capability to multiple clients are able to manage their policy and event data distinctly and separately. This multi-tenant capability is an important value proposition to service providers and tenants alike.
There are two common mechanisms for information transmission in an SDN: “direct” and “overlay.” Direct transmission uses raw network frames and only the information those frames themselves carry; overlay networks instead encapsulate (tunnel) each frame and carry additional information, such as tenant identity, in the encapsulation header alongside the encapsulated frame. An SDN tunneling protocol associates a tenant-specific flow with a protocol tunnel whose header carries the tenant identification information. Both mechanisms are commonly used, but there is significant overhead in processing flows encapsulated in tunneling protocols, because the outer headers must be parsed and stripped before the tenant's own frame can be examined. As a consequence, applying tenant-specific policy to tenant-specific network flows is difficult to carry out in a highly performant manner.
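The following is an added illustration, not part of the disclosure, of the difference between the two transmission mechanisms described above. It assumes VXLAN (RFC 7348) as a concrete example of an SDN tunneling protocol, which the disclosure does not name; the 24-bit VXLAN Network Identifier (VNI) plays the role of the tenant identification information. The sample frames are constructed in the code rather than captured from a network, and the MAC and IP addresses in them are arbitrary. The header_bytes field counts how many bytes of header a forwarding element has to walk before it reaches the tenant's frame, which is the overlay overhead the text refers to.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789          # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the 'I' flag: the VNI field is valid


@dataclass
class ParsedFrame:
    tenant_id: Optional[int]   # VNI for overlay frames; None for direct frames
    src_mac: bytes
    dst_mac: bytes
    ethertype: int
    header_bytes: int          # header bytes walked before the tenant payload


def parse_direct(frame: bytes, base: int = 0) -> ParsedFrame:
    """Direct transmission: a plain Ethernet frame. Nothing in the frame names
    the tenant, so tenant_id is None; it must come from elsewhere, e.g. the
    ingress port matched by an SDN flow rule."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return ParsedFrame(None, src, dst, ethertype, base + 14)


def parse_vxlan(frame: bytes) -> ParsedFrame:
    """Overlay transmission: outer Ethernet / IPv4 / UDP / VXLAN, then the
    tenant's inner Ethernet frame. The VNI is the tenant identifier."""
    if len(frame) < 14:
        raise ValueError("truncated outer Ethernet header")
    _, _, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    off = 14
    if len(frame) < off + 20:
        raise ValueError("truncated outer IPv4 header")
    ihl = (frame[off] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(frame) < off + ihl:
        raise ValueError("bad IPv4 header length")
    if frame[off + 9] != IPPROTO_UDP:        # protocol field
        raise ValueError("outer IPv4 payload is not UDP")
    off += ihl
    if len(frame) < off + 8:
        raise ValueError("truncated UDP header")
    _, dport, _, _ = struct.unpack("!HHHH", frame[off:off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination is not the VXLAN port")
    off += 8
    if len(frame) < off + 8:
        raise ValueError("truncated VXLAN header")
    if not frame[off] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = int.from_bytes(frame[off + 4:off + 7], "big")   # 24-bit VNI
    off += 8
    inner = parse_direct(frame[off:], base=off)          # tenant's own frame
    return ParsedFrame(vni, inner.src_mac, inner.dst_mac,
                       inner.ethertype, inner.header_bytes)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Try the overlay path; anything that is not a VXLAN tunnel is direct."""
    try:
        return parse_vxlan(frame)
    except ValueError:
        return parse_direct(frame)


# --- constructed sample input (not captured traffic) -------------------------
def build_eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Wrap inner_frame in VXLAN / UDP / IPv4 / Ethernet (checksums left zero)."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return build_eth(b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01",
                     ETHERTYPE_IPV4, ip + udp + vxlan + inner_frame)


TENANT_A_MAC = b"\x52\x54\x00\xaa\x00\x01"   # arbitrary, constructed
TENANT_A_GW = b"\x52\x54\x00\xaa\x00\xfe"    # arbitrary, constructed
INNER = build_eth(TENANT_A_GW, TENANT_A_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
DIRECT_FRAME = INNER                         # same frame, sent directly
OVERLAY_FRAME = build_vxlan(0x00ABCD, INNER)  # same frame, tunnelled for tenant 0xABCD

if __name__ == "__main__":
    for name, f in (("direct", DIRECT_FRAME), ("overlay", OVERLAY_FRAME)):
        p = parse_frame(f)
        print(f"{name}: tenant={p.tenant_id} headers_walked={p.header_bytes}B "
              f"src={p.src_mac.hex(':')}")
```

Running it shows the asymmetry the text describes: the direct frame yields the tenant's MAC addresses after 14 bytes of header but carries no tenant identity at all, while the overlay frame yields the VNI 0xABCD only after 64 bytes of header (outer Ethernet, IPv4, UDP, VXLAN and inner Ethernet) have been validated and stripped. A forwarding element applying tenant-specific policy on the overlay path must do all of that work per packet, which is the overhead a direct-mode approach seeks to avoid.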
There is a need to provide high-performance tenant-specific processing using direct SDN properties, while avoiding the overlay overhead incurred by processing tenant-specific flows encapsulated in tunneling protocols.