Virtualization security gateway system
Technical Field
The invention belongs to the technical field of network monitoring, and particularly relates to a virtualization security gateway system.
Background
Remote Direct Memory Access (RDMA) offloads protocol-stack processing to the network card: after parsing a packet, the network card writes its payload straight into memory by DMA, avoiding repeated copies of the data. Offloading this processing also frees the CPU from network data transfer and improves CPU utilisation. Through these zero-copy and kernel-bypass characteristics, data transmission achieves low latency, high throughput and high performance.
However, RDMA was designed for a single-tenant environment, and it raises significant challenges in the multi-tenant, single-host setting of cloud computing. One problem is that kernel bypass, the very technique that reduces RDMA latency, also makes data transfers hard to monitor. In a conventional TCP/IP network all data passes through the kernel network protocol stack, so a monitoring module placed on the host can observe it. RDMA bypasses the kernel entirely, the kernel has no visibility into the transfer, and existing methods therefore cannot monitor security events. Protection of user data cannot be achieved, which is a serious problem for a cloud environment.
In this context, virtualizing RDMA is the more attractive policy. With virtualization, data transfers can be monitored by placing a component on the virtual machine that captures the commands issued by the application program; however, purely software-based virtualization inevitably causes a sharp decline in network performance and defeats the original purpose of using RDMA for low latency and high throughput. Hybrid virtualization combining software and hardware is therefore the better implementation. MasQ, proposed by Hua, is an RDMA virtualization solution for private clouds that separates the control path from the data path. It exploits the buffering behaviour of RDMA, virtualizes RDMA by manipulating the state information of each Queue Pair (QP), and for its security function tears down a data connection by modifying the QP state information.
At present there is little research on RDMA virtualization; only a few companies such as Huaye and Microsoft have implementations. Some are realised entirely in software, so all traffic must be forwarded by a relay on the host, with great performance loss. Others separate the data path from the control path but still rely on TCP/IP functionality for part of the security control. As for security, conventional monitoring inspects every data stream, which also carries a relatively large performance cost. In general, security gateways for RDMA virtualization in cloud computing environments have been little studied.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a virtualization security gateway system to solve the following problems of the prior art: the performance loss of RDMA virtualization is too large, the dependence on TCP/IP-related security policies is too strong, the security monitoring flow at the network security boundary is too complex, and monitoring all data incurs a large overhead.
As a preferred technical solution of the present invention, the virtualized security gateway system is composed of two parts, including the following:
hybrid virtualization of RDMA;
the method adopts hybrid virtualization combining software and hardware to virtualize RDMA on a single host; the scheme borrows the separation of data path and control path from software-defined networking, and implements the virtualization with the network card's Single-Root I/O Virtualization (SR-IOV) together with software virtualization, on the premise of guaranteeing sufficient data transmission performance;
a virtualized security gateway;
on the basis of the RDMA hybrid virtualization, a security gateway aimed at RDMA is designed; it monitors RDMA connections rather than individual data transfers, so the low-latency characteristic of the system is preserved;
integration of RDMA operations with a security gateway;
the operational flow of the integrated RDMA hybrid virtualization and virtualization security gateway is as follows, when an application in a virtual machine issues an RDMA request:
s1: if the command is a data transmission command, the driver sends the request directly to the VF allocated by SR-IOV, following the original scheduling process, to complete the data transmission;
s2: if the command is a connection-related command such as rdma_connect, the modified library function forwards the command over a socket interface to the resident monitoring module process on the host, where the task is analysed;
s3: in the monitoring module, the transmitted data is first parsed, information such as the host number, the virtual machine number and the read/write type is extracted from it, and the data is then matched against the rule linked list of the security rule base stored on the physical host;
s4: if no security rule matches, the monitoring module sends the corresponding request to the network card and passes the returned information back to the application program on the virtual machine so that it can complete the subsequent data transmission; at the same time the monitoring module caches the relevant information of the running connection so that it can continue to be monitored later;
s5: if a security rule matches, the connection is forbidden: the monitoring module directly prevents the connection from being established and returns a connection-creation failure to the application program.
As a preferred technical solution of the present invention, the virtualized security gateway includes a monitoring module, a security rule base, and a rule distribution module, wherein,
a monitoring module: a resident process in user space that receives the control commands forwarded from the virtual machine, parses them and matches them against the rule base. The monitoring module caches the existing connections to facilitate subsequent continuous monitoring;
a security rule base: this component stores the security rules specified by the user; all rules are chained in a linked list, and the monitoring module determines whether a security exception exists by traversing the rule base;
a rule distribution module: this module is unique in the system and can be placed on a trusted host; when the user needs to update the security rules, the rule update, addition or deletion is sent to each host through the rule distribution module.
To ensure reliable rule transmission, the rule distribution module uses the two-sided RDMA primitives SEND/RECV when sending rules to other hosts: at system start-up, each host posts an RDMA RECV operation towards the host holding the rule distribution module in advance and then waits for the event to be triggered;
when a rule needs to be operated on, the rule distribution module sends it to each host with a SEND command, which consumes the posted RECV; the host then posts a RECV operation again, so that each host is always waiting to receive the next rule update, addition or deletion.
As a preferred technical solution of the present invention, in step S4 the monitoring module continuously monitors the established connections (every allowed connection is placed in the connection cache), and whenever a rule is added, updated or deleted, the monitoring module scans the existing connections and acts according to the matching result.
As a preferred technical solution of the present invention, in step S5, if any existing connection matches the security rules, the monitoring module must immediately send a disconnect request to the network card and disconnect information to the application program, so that no subsequent data reads or writes can be performed, and at the same time clear the cached information of that connection.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
In the technical scheme, the RDMA virtualization and security gateway combination provided by the invention has the following advantages: through hybrid virtualization combining software and hardware, data transmission is carried out over SR-IOV, preserving the low-latency and high-throughput advantages of RDMA; on that basis the security gateway is integrated into the virtualization scheme, and by monitoring only the connection process, the heavy load that a security module would incur matching security rules against every data stream is avoided, so that virtualization performance is maintained while system security is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a schematic diagram of an RDMA virtualization model provided by an embodiment of the invention;
FIG. 2 is a schematic diagram of a monitoring part architecture provided by an embodiment of the present invention;
FIG. 3 is a flowchart illustrating an application initiating an RDMA operation according to an embodiment of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
A virtualization security gateway system, the virtualization security gateway system is composed of three parts, including the following:
hybrid virtualization of RDMA;
hybrid virtualization combining software and hardware is adopted to virtualize RDMA on a single host; the scheme borrows the separation of data path and control path from software-defined networking, and the virtualization is implemented on the premise of guaranteeing sufficient data transmission performance;
Specifically, referring to FIG. 1, which is the system architecture diagram of the hybrid virtualization implementation: RDMA-based transmission uses a programming interface library (the verbs API) to interact with the network card driver, and this library resides on each virtual machine. To treat different types of commands differently, some functions of the library are modified and recompiled, so that when called they forward the commands issued by the application program directly to the monitoring module on the host for further processing.
The data path is the path of pure data transfer in RDMA, operations such as READ/WRITE/SEND/RECV, and these operations account for most of the time of a complete RDMA connection and transfer. Applying software virtualization to this part would therefore be impractical because of the large performance penalty. Since current commercial RDMA network cards all support SR-IOV, and SR-IOV achieves performance almost equal to bare metal, in practice a VF is allocated to each virtual machine that needs to use the RDMA network. Data transmission commands then interact with the network card directly, without intervention by the virtual machine monitor (hypervisor) or the kernel protocol stack.
The control path consists of the commands in an RDMA transfer related to connections and memory operations, such as establishing a connection, disconnecting, and creating a queue pair (QP). These commands, and the data structures they create, determine the network connection channels used by subsequent data transfers. It should also be noted that the time spent on this part is relatively short. Forwarding and monitoring this part therefore gives a certain degree of control over RDMA transmission on the one hand without causing excessive overhead on the other. In the system design, the library functions that need to be modified are those of this path. After modification, the virtual machine forwards the relevant commands to the monitoring module on the physical host through a socket communication mechanism.
A virtualized security gateway;
Specifically, referring to FIG. 2, which is the architecture diagram of the security gateway:
on the basis of the RDMA hybrid virtualization, a security gateway aimed at RDMA is designed; it monitors RDMA connections rather than individual data transfers, so the low-latency characteristic of the system is preserved;
the virtualization security gateway comprises a monitoring module, a security rule base and a rule distribution module, wherein,
a monitoring module: a resident process in user space that receives the control commands forwarded from the virtual machine, parses them and matches them against the rule base. The monitoring module caches the existing connections to facilitate subsequent continuous monitoring;
a security rule base: this component stores the security rules specified by the user; all rules are chained in a linked list, and the monitoring module determines whether a security exception exists by traversing the rule base;
a rule distribution module: this module is unique in the system and can be placed on a trusted host; when the user needs to update the security rules, the rule update, addition or deletion is sent to each host through the rule distribution module.
To ensure reliable rule transmission, the two-sided RDMA primitives SEND/RECV are used when the rule distribution module sends rules to other hosts. At system start-up every host posts an RDMA RECV operation towards the host holding the rule distribution module in advance and then waits for the event to be triggered. When a rule needs to be operated on, the rule distribution module sends it to each host with a SEND command, which consumes the posted RECV; the host then posts a RECV operation again, so that each host is always waiting to receive the next rule update, addition or deletion.
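The SEND/RECV hand-off described above can be modelled without real RDMA hardware. The following is an added example (not the patent's code): each host pre-posts a RECV buffer, a SEND from the distributor consumes exactly one posted RECV, and the completion handler applies the rule operation and re-posts a RECV. The wire format `op:rule`, the host names and the rule strings are constructed for the example; a host that never posts a RECV shows why the re-post step matters, since a SEND with no RECV waiting cannot be delivered.

```python
from collections import deque
from typing import Dict, List


class Host:
    """Receive side of one host: a queue of pre-posted RECV buffers and the
    local copy of the security rules (constructed stand-in for RDMA verbs)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.posted: deque = deque()        # RECV work requests waiting for a SEND
        self.rules: List[str] = []
        self.rnr_errors = 0                 # SENDs that arrived with no RECV posted

    def post_recv(self) -> None:
        self.posted.append(bytearray(256))  # buffer a future SEND will land in

    def deliver(self, payload: bytes) -> bool:
        """Two-sided semantics: a SEND consumes exactly one posted RECV."""
        if not self.posted:
            self.rnr_errors += 1            # receiver not ready: message is lost
            return False
        buf = self.posted.popleft()
        buf[: len(payload)] = payload
        self.on_completion(bytes(buf[: len(payload)]))
        return True

    def on_completion(self, msg: bytes) -> None:
        """Apply the rule operation, then re-post so the next SEND is received."""
        op, _, rule = msg.decode().partition(":")
        if op == "add":
            self.rules.append(rule)
        elif op == "delete":
            self.rules = [r for r in self.rules if r != rule]
        elif op == "update":                # constructed form: "old->new"
            old, new = rule.split("->", 1)
            self.rules = [new if r == old else r for r in self.rules]
        self.post_recv()                    # keep one RECV outstanding at all times


class RuleDistributor:
    """The unique rule distribution module running on the trusted host."""

    def __init__(self, hosts: List[Host]) -> None:
        self.hosts = hosts

    def send(self, op: str, rule: str) -> Dict[str, bool]:
        payload = f"{op}:{rule}".encode()
        return {h.name: h.deliver(payload) for h in self.hosts}


def demo() -> dict:
    hosts = [Host("h1"), Host("h2")]
    for h in hosts:
        h.post_recv()                       # done once at system start-up
    dist = RuleDistributor(hosts)
    r_add = dist.send("add", "deny host=2 rw=write")
    dist.send("update", "deny host=2 rw=write->deny host=2")
    rules_after_update = list(hosts[0].rules)
    r_del = dist.send("delete", "deny host=2")
    late = Host("h3")                       # never posted a RECV: the SEND cannot land
    r_miss = late.deliver(b"add:deny vm=7")
    return {
        "add": r_add,
        "rules_after_update": rules_after_update,
        "delete": r_del,
        "rules_final": list(hosts[1].rules),
        "late_delivered": r_miss,
        "late_rnr": late.rnr_errors,
        "pending_recvs": [len(h.posted) for h in hosts],
    }


if __name__ == "__main__":
    print(demo())
```

Note that after every delivered operation each host again has exactly one RECV outstanding, which is the invariant the patent relies on for rule updates never to be dropped.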
A combination of virtualized RDMA with a virtualized security gateway;
The operation flow of the integrated RDMA hybrid virtualization and virtualization security gateway is as follows (see also FIG. 3), when an application in a virtual machine issues an RDMA request:
if the command is a data transmission command, the driver sends the request directly to the VF allocated by SR-IOV, following the original scheduling process, to complete the data transmission;
if the command is a connection-related command such as rdma_connect, the modified library function forwards the command over a socket interface to the resident monitoring module process on the host, where the task is analysed;
in the monitoring module, the transmitted data is first parsed, information such as the host number, the virtual machine number and the read/write type is extracted from it, and the data is then matched against the rule linked list of the security rule base stored on the physical host;
if no security rule matches, the monitoring module sends the corresponding request to the network card and passes the returned information back to the application program on the virtual machine so that it can complete the subsequent data transmission; at the same time the monitoring module caches the relevant information of the running connection so that it can continue to be monitored later;
if a security rule matches, the connection is forbidden: the monitoring module directly prevents the connection from being established and returns a connection-creation failure to the application program.
In addition, it should be noted that the monitoring module may continuously monitor the established connections (every allowed connection is placed in the connection cache), and whenever a rule is added, updated or deleted, the monitoring module may scan the existing connections and act according to the matching result.
If any existing connection matches the security rules, the monitoring module must immediately send a disconnect request to the network card and disconnect information to the application program, so that no subsequent data reads or writes can be performed, and at the same time clear the cached information of that connection.
The invention designs an RDMA virtualization scheme and a security gateway system built on it, enabling a physical host to monitor and control access to the network traffic of its virtual machines. The system is based on KVM/QEMU, transmits data with RDMA, and uses a hybrid software/hardware virtualization solution with connection-based security monitoring. To preserve the advantages of RDMA and the performance of the system, the data path and control path of virtual-machine data transmission are separated, following the idea of software-defined networking. The data path uses SR-IOV to allocate a virtual function (VF) to the virtual machine, so that data transmission stays close to bare-metal performance. The control path is responsible for connection-related commands; here software assists the virtualization: the function library is modified at the virtual-machine level so that control commands are redirected to the monitoring module on the physical host. The monitoring module on the physical host parses the commands sent by the virtual machine and discovers potential security problems by traversing the security rule base, passing the command on to the RDMA network card only when security is assured.
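The whole control-path flow above (VM-side dispatch, parsing of the forwarded command, traversal of the rule linked list, allow with connection caching, deny, and the re-scan of cached connections when rules change) can be shown in one model. The following is an added example and not the patent's own implementation: the command sets, the `cmd=...;host=...;vm=...;rw=...;conn=...` socket message format, the rule fields and the `FakeNic` stand-in for the network card are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed command sets: the page names READ/WRITE/SEND/RECV as data path and
# connection/QP operations such as rdma_connect as control path.
DATA_PATH_CMDS = {"READ", "WRITE", "SEND", "RECV"}
CONTROL_PATH_CMDS = {"rdma_connect", "rdma_disconnect", "create_qp"}


@dataclass
class Rule:
    """One node of the security rule linked list; None means 'any'."""
    host: Optional[int] = None
    vm: Optional[int] = None
    rw: Optional[str] = None          # "read" or "write"
    nxt: Optional["Rule"] = None

    def matches(self, host: int, vm: int, rw: str) -> bool:
        return ((self.host is None or self.host == host)
                and (self.vm is None or self.vm == vm)
                and (self.rw is None or self.rw == rw))


class RuleBase:
    """Singly linked list of rules, traversed on every control command."""
    def __init__(self) -> None:
        self.head: Optional[Rule] = None

    def add(self, rule: Rule) -> None:
        rule.nxt, self.head = self.head, rule

    def first_match(self, host: int, vm: int, rw: str) -> Optional[Rule]:
        node = self.head
        while node is not None:
            if node.matches(host, vm, rw):
                return node
            node = node.nxt
        return None


class FakeNic:
    """Constructed stand-in for the physical RDMA network card."""
    def __init__(self) -> None:
        self.connected: set = set()

    def connect(self, conn_id: str) -> None:
        self.connected.add(conn_id)

    def disconnect(self, conn_id: str) -> None:
        self.connected.discard(conn_id)


def vm_dispatch(cmd: str) -> str:
    """Modified verbs-library behaviour inside the VM: data-path commands go
    to the SR-IOV VF, control-path commands are forwarded to the host."""
    if cmd in DATA_PATH_CMDS:
        return "vf"
    if cmd in CONTROL_PATH_CMDS:
        return "forward"
    raise ValueError(f"unknown command {cmd!r}")


class MonitoringModule:
    """Resident host process: parse, match, allow/deny, cache, re-scan."""
    def __init__(self, rules: RuleBase, nic: FakeNic) -> None:
        self.rules, self.nic = rules, nic
        self.cache: dict = {}        # conn_id -> (host, vm, rw) of allowed connections

    @staticmethod
    def parse(msg: str) -> dict:
        f = dict(kv.split("=", 1) for kv in msg.split(";"))   # constructed format
        return {"cmd": f["cmd"], "host": int(f["host"]), "vm": int(f["vm"]),
                "rw": f["rw"], "conn": f["conn"]}

    def handle(self, msg: str) -> str:
        req = self.parse(msg)
        if req["cmd"] == "rdma_disconnect":          # app closed it: drop cache entry
            self.cache.pop(req["conn"], None)
            self.nic.disconnect(req["conn"])
            return "closed"
        if req["cmd"] != "rdma_connect":
            return "passthrough"                     # other control commands, no rule check here
        if self.rules.first_match(req["host"], req["vm"], req["rw"]):
            return "denied"                          # connection creation refused
        self.nic.connect(req["conn"])                # hand the request to the NIC
        self.cache[req["conn"]] = (req["host"], req["vm"], req["rw"])
        return "allowed"

    def on_rules_changed(self) -> list:
        """Re-scan cached connections; tear down any that now match a rule."""
        dropped = []
        for conn, (h, v, rw) in list(self.cache.items()):
            if self.rules.first_match(h, v, rw):
                self.nic.disconnect(conn)
                del self.cache[conn]
                dropped.append(conn)
        return dropped


def demo() -> dict:
    rules, nic = RuleBase(), FakeNic()
    rules.add(Rule(host=2, rw="write"))              # block writes from host 2
    mod = MonitoringModule(rules, nic)
    r1 = mod.handle("cmd=rdma_connect;host=1;vm=7;rw=write;conn=c1")
    r2 = mod.handle("cmd=rdma_connect;host=2;vm=3;rw=write;conn=c2")
    rules.add(Rule(vm=7))                            # later update: block VM 7 entirely
    dropped = mod.on_rules_changed()
    return {"r1": r1, "r2": r2, "dropped": dropped, "connected": sorted(nic.connected),
            "paths": (vm_dispatch("WRITE"), vm_dispatch("rdma_connect"))}


if __name__ == "__main__":
    print(demo())
```

Because only connection commands reach the module, the rule traversal cost is paid once per connection rather than per data transfer, which is the performance argument the page makes; the re-scan in `on_rules_changed` is what closes the gap for connections that were allowed before a rule was added.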
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.