Secure and Dependable Virtual Network Embedding

Network virtualization has emerged as a powerful technique to allow multiple heterogeneous networks specified by different users to run on a shared infrastructure. A major challenge is how to make efficient use of the shared resources. Virtual Network Embedding (VNE) addresses this problem by finding an effective mapping of the virtual nodes & links onto the substrate network. For some scenarios, VNE has been studied in some detail in the network virtualization literature [1]. The problem was shown to be computationally intractable, but recent research has explored efficient heuristics to tackle the challenge. Motivation. The VNE problem is traditionally formulated with the objective of maximizing network provider revenue by efficiently embedding incoming virtual network (VN) requests. This objective is subject to constraints, such as processing capacity on the nodes and bandwidth resource on the links. A mostly unexplored perspective on this problem is providing some security assurances, a gap increasingly more acute. With the advent of network virtualization platforms [2], cloud operators now have the ability to extend their cloud computing offerings with virtual networks. To shift their workloads to the cloud, tenants trust their cloud providers to guarantee that their work-loads are secure and available. Unfortunately, there is an increasing number of evidence that problems do occur, of both the malicious kind (e.g., caused by a corrupt cloud insider) or benign (e.g., a cloud outage) [3]. We thus argue that security and dependability is becoming a critical factor that should be considered by virtual network embedding algorithms. To the best of our knowledge the only work that explores VNE security is the recent proposal by Liu et al. [4]. Despite its relevance, the authors fail to respond to the problems mentioned above: they do not contemplate dependability; and consider a single cloud provider, thus the model assumes complete trust in this entity. Contribution. We propose a VN embedding solution that considers security and dependability as first class citizens. For this purpose, we introduce specific security constraints including, for instance, the possibility of a virtual machine attacking another virtual machine (e.g., a side-channel attack) or replay attacks on physical links. As substrate resources may fail, we also take into account dependability constraints, including the ability to tolerate failures, by ensuring that additional computing and communication resources are allocated during the process of embedding. To further extend the resiliency properties of our solution , we assume a multiple cloud provider model …