Abstract (English)
With the rapid growth of the Infrastructure as a Service (IaaS) market, it becomes more important for IaaS services to provide a work environment with high reliability and availability. How to maintain network connections after live Virtual Machine (VM) migration is therefore becoming a major issue. In this research, we propose a new mechanism, called Handover, to keep clients' TCP sessions alive across live migration over Wide Area Networks (WANs). After the VM's IP address changes following live migration, Handover inserts an OUTPUT rule in the nat table of iptables to redirect the client's outgoing packets to the new IP address of the VM. In addition, we apply a fake three-way handshake mechanism to prevent the redirected traffic from being blocked by the NAT router. The experimental results demonstrate that Handover is effective in varied network environments, and the overhead of this changeover process is only about 0.165 seconds. Handover can be used on most Unix-based systems. Furthermore, it may be integrated into a Distributed Denial of Service (DDoS) defense system. By deploying the remaining parts of the DDoS defense system with Handover, we believe it could serve as a useful method to guard against DDoS attacks.