Technical Field
This disclosure relates generally to protecting resources in a multi-tenant networking environment.
Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on-demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. An example application might be one that provides a common set of messaging functions, such as email, calendaring, contact management, and instant messaging. A user would then access the service directly over the Internet. Using this service, an enterprise would place its email, calendar and/or collaboration infrastructure in the cloud, and an end user would use an appropriate client to access his or her email, or perform a calendar operation.
Cloud compute resources are typically housed in large server farms that run network applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines.
Software Defined Networking (SDN) is a new network paradigm that separates each network service from its point of attachment to the network, creating a far more dynamic, flexible, automated, and manageable architecture. Using this approach, administrators can easily move virtual resources throughout the network, create private virtual networks that meet specific performance and security needs, and use a host of other high-value applications. SDN abstracts flow control from individual devices to the network level. Similar to server virtualization, where virtual machines are de-coupled from the physical server, network-wide virtualization gives administrators the power to define network flows that meet the connectivity requirements of end stations and to address the specific needs of discrete user communities. SDN pulls the intelligence away from the hardware while still implementing rich feature sets. SDN uses a modular approach that is structured and layered to provide the same functions as a traditional network device, yet in a centralized and highly-available fashion.
SDNs address the administration requirements of large scale networks, both physical and virtual. Using an SDN, service providers that deliver network capability to multiple clients are able to manage their policy and event data distinctly and separately. This multi-tenant capability is an important value proposition to service providers and tenants alike.
Under the covers of a cloud deployment is the cloud provider's infrastructure, comprising the networking, hypervisors, and services required to enable individual instances to operate on behalf of the provider's customers. A cloud user (consumer) sees a typical computing environment having processors, memory, and networking. That environment is distinct from other “cloud instances,” and from the consumer's perspective it is isolated except via the network connectivity to which its services have access. In such an environment, and from the perspective of two different cloud consumers (or “tenants”), devices distinct to their particular environments could have precisely the same attributes, i.e., MAC and IP addresses, netmask, and VLAN tags. From each of their perspectives, they would have their own unique addressing. Further, a single tenant might have multiple or “cloned” virtual environments, each with the same “local” attributes. The network “overlay” is one technology that supports this kind of model. It does so by encapsulating the network traffic from a particular cloud instance, disambiguating in that encapsulating layer what are otherwise duplicated addresses residing in two (or more) cloud instances. The result is that the network settings in each tenant are independent of and isolated from the others.
When network services like firewalls, intrusion detection and protection, or forensic services want to address such multi-tenant environments, they need a mechanism to distinguish the network traffic of each tenant. For instance, two tenants could send identical packets to one of the network services mentioned above. A Packet Processing Module (PPM) or device (PPD) representing that service must identify which tenant sent the packet, in addition to the core network attributes (like MAC and IP addresses). This is necessary to enable the PPD to attribute the packet to a particular tenant and to distinguish it from others. The technique of network overlay, which involves encapsulating network traffic in an additional layer, is one solution to this otherwise ambiguous network traffic. As described above, an overlay encapsulates the original packet in an additional layer, the overlay packet, which can carry additional information about the original, e.g., the tenant, group, or cloud instance with which it is associated. Overlays of this type are based on protocols that encapsulate or “tunnel” traffic. An “overlay aware” PPM is a process that processes both the core and the tunneled traffic, and that consumes the metadata of the encapsulating protocol to determine to which tenant or tenants the encapsulated traffic belongs.
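As an added illustration (not part of this disclosure), the following Python sketches one overlay-aware PPM step: it consumes the tenant identifier carried by the encapsulating layer before applying policy, so two byte-identical inner packets from different tenants are attributed and handled separately. VXLAN is assumed as the overlay protocol; the policy table, function names and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Assumed overlay protocol: VXLAN (RFC 7348). Payload = 8-byte header
# (flags, 3 reserved, 24-bit VNI, 1 reserved) + the original Ethernet frame;
# outer Ethernet/IP/UDP headers are assumed already stripped by the driver.

@dataclass(frozen=True)
class TenantFlow:
    vni: int      # tenant/segment id taken from the encapsulating layer
    src_ip: str   # inner, tenant-visible addresses (may collide across tenants)
    dst_ip: str

def parse_vxlan_payload(payload: bytes) -> TenantFlow:
    """Consume the overlay metadata, then parse the encapsulated IPv4 packet."""
    if len(payload) < 8 + 14 + 20:
        raise ValueError("truncated overlay packet")
    if not payload[0] & 0x08:            # 'I' flag: VNI field is valid
        raise ValueError("VXLAN header without a valid VNI")
    vni = int.from_bytes(payload[4:7], "big")
    inner = payload[8:]                  # original frame, untouched by the overlay
    if struct.unpack("!H", inner[12:14])[0] != 0x0800:
        raise ValueError("example handles inner IPv4 only")
    ip = inner[14:]
    return TenantFlow(vni, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])))

def tenant_verdict(payload: bytes, policy: dict) -> tuple:
    """Look up policy by (tenant, inner source): identical inner packets from
    different tenants reach different rule sets. Unknown tenant -> drop."""
    flow = parse_vxlan_payload(payload)
    allowed = policy.get(flow.vni, set())
    return flow.vni, ("allow" if flow.src_ip in allowed else "drop")

# --- constructed sample traffic (not captured data) ---
def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame

def ipv4_frame(src: str, dst: str) -> bytes:
    eth = b"\x02" * 12 + b"\x08\x00"     # inner dst/src MAC + IPv4 ethertype
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return eth + b"\x45\x00\x00\x14" + b"\x00" * 4 + b"\x40\x06\x00\x00" + addr(src) + addr(dst)

POLICY = {100: {"10.0.0.5"}, 200: set()}          # tenant 100 trusts 10.0.0.5; tenant 200 does not
SAME_INNER = ipv4_frame("10.0.0.5", "10.0.0.9")   # byte-identical inner packet in both tenants

def demo_same_packet_two_tenants() -> dict:
    """Same inner bytes, different overlay tenant id, different verdict."""
    return {vni: tenant_verdict(build_vxlan(vni, SAME_INNER), POLICY)[1] for vni in (100, 200)}
```

A PPM that keyed its lookup on the inner addresses alone would return the same verdict for both tenants; the tenant id from the encapsulating layer is what breaks the tie.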
Network overlays introduce several challenges, each of which represents a potentially negative performance impact. First, the overlay protocol is itself visible to, and must be handled by, a PPM in addition to the encapsulated traffic. Second, because an overlay wraps or encapsulates another packet protocol, it necessarily introduces processing latency, insofar as at the network, or lowest, layer of the network stack both the overlay protocol and the encapsulated packets must be processed.