Chapter 4 Implementation Techniques and Experimental Results
4.8 Experimental Results of the Multi-path Broadband Load Balancer
Figure 4.20 Initial flow table.
Figure 4.21 Flow table after on-demand adjustment.
Figure 4.22 Successful access to Server1.
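After the experimental environment was built, we first tested the round-robin load-balancing algorithm, in which the controller dynamically distributes requests by taking turns; each flow table entry is valid for 5 seconds. The second group uses the method proposed in this study, which balances load according to actual network conditions. Each group runs four tests (H2-H4 bandwidth traffic of 10%, 20%, 30% and 40%) to measure the performance of the load-balancing algorithms under different levels of bandwidth utilization.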
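Figures 4.23-4.24 show the 10% test case, which measures the load-balancing algorithms when overall bandwidth utilization is low; Figures 4.25-4.26 show the 20% test case, which measures them when overall bandwidth utilization is moderate; Figures 4.27-4.28 show the 30% test case, which measures them when overall bandwidth utilization approaches full load. H2-H4 each generate 30% traffic, occupying 45% of the total available bandwidth (30%*3/200%); when the H1 test case reaches 100%, it occupies 50% of the total available bandwidth (100%/200%), so total bandwidth used reaches 95% (45%+50%). Figures 4.29-4.30 are for 40%, with H2-H4 together occupying 120% of the available bandwidth; when the H1 test case reaches 80%, total bandwidth used is 100% of the sum of the two outbound links, and at H1 test cases of 90% and 100% overall utilization exceeds the sum of the two outbound links.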
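The results show that in the test case with 10% average bandwidth utilization, overall bandwidth utilization is low, so load balancing has little effect on performance. As shown in Figures 4.23 and 4.24, average bandwidth utilization improves by 7.2% (0.972%-0.9%) in the best case (traffic load 100%), and packet loss rate falls by 5.5% (6.00%-0.50%) in the best case (traffic load 100%).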
Figure 4.23 10% test - average bandwidth utilization. [Plot "Test Scenario 10%": Average bandwidth ratio (%) versus Traffic load (%); series: round robin, SDAW.]
Figure 4.24 10% test - Packet loss rate. [Plot "Test Scenario 10%": Packet loss rate (%) versus Traffic load (%); series: round robin, SDAW.]

| Traffic load | round robin bandwidth | round robin usage rate (%) | SDAW bandwidth | SDAW usage rate (%) |
|---|---|---|---|---|
| 10% | 1.00 Mbits/sec | 100 | 1.00 Mbits/sec | 100 |
| 20% | 2.00 Mbits/sec | 100 | 2.00 Mbits/sec | 100 |
| 30% | 3.00 Mbits/sec | 100 | 3.00 Mbits/sec | 100 |
| 40% | 4.00 Mbits/sec | 100 | 4.00 Mbits/sec | 100 |
| 50% | 5.00 Mbits/sec | 100 | 5.00 Mbits/sec | 100 |
| 60% | 6.01 Mbits/sec | 100 | 6.00 Mbits/sec | 100 |
| 70% | 7.00 Mbits/sec | 100 | 7.00 Mbits/sec | 100 |
| 80% | 7.99 Mbits/sec | 100 | 8.00 Mbits/sec | 100 |
| 90% | 8.55 Mbits/sec | 95 | 9.00 Mbits/sec | 100 |
| 100% | 9.00 Mbits/sec | 90 | 9.72 Mbits/sec | 97.2 |

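Table 4.4 10% test - Packet loss rate.

| Traffic load | round robin loss packet | round robin total packet | round robin packet loss rate (%) | SDAW loss packet | SDAW total packet | SDAW packet loss rate (%) |
|---|---|---|---|---|---|---|
| 10% | 19 | 4253 | 0.45 | 0 | 4253 | 0.00 |
| 20% | 50 | 8505 | 0.59 | 0 | 8505 | 0.00 |
| 30% | 56 | 12754 | 0.44 | 0 | 12756 | 0.00 |
| 40% | 111 | 17007 | 0.65 | 7 | 17005 | 0.04 |
| 50% | 163 | 21258 | 0.77 | 10 | 21258 | 0.05 |
| 60% | 288 | 25510 | 1.10 | 23 | 25506 | 0.09 |
| 70% | 306 | 29762 | 1.00 | 49 | 29757 | 0.16 |
| 80% | 903 | 34011 | 2.70 | 85 | 34005 | 0.25 |
| 90% | 1531 | 38274 | 4.00 | 156 | 38272 | 0.41 |
| 100% | 2485 | 41413 | 6.00 | 207 | 41413 | 0.50 |

In the test case with 20% average bandwidth utilization, where overall bandwidth utilization is moderate, overall performance does not improve markedly. However, at main-bandwidth test cases of 50%, 80% and 90%, the round-robin algorithm shows a drop in bandwidth utilization even though enough bandwidth is still available. This is because round robin balances load purely by taking turns and cannot allocate according to actual link utilization; when it assigns a request to a congested link, performance suffers. As shown in Figures 4.25 and 4.26, average bandwidth utilization improves by 15% in the best case (traffic load 80%), and packet loss rate falls by 10.75% in the best case (traffic load 80%).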
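
The failure mode described above for round robin, a request assigned to an uplink that is already congested while the other uplink still has room, can be reproduced with a short simulation. This is an added example, not code from the thesis: the 10 Mbit/s uplink capacity, the order of flow-entry timeouts and the least-utilized policy standing in for a utilization-aware balancer are all assumptions.

```python
# Added example: a constructed simulation, not the thesis's controller code.
from itertools import count

CAPACITY = 10  # Mbit/s per uplink (assumed), two uplinks as in the experiment
RATES = {"H1": 8, "H2": 2, "H3": 2, "H4": 2}  # 20% scenario, H1 at 80% load
# Constructed order in which flow entries time out and are requested again.
EVENTS = ["H1", "H2", "H3", "H4", "H2", "H1", "H3", "H4", "H1", "H3"]

def link_loads(placement, n_links=2):
    """Offered load per uplink for the current flow-to-uplink placement."""
    loads = [0] * n_links
    for host, link in placement.items():
        loads[link] += RATES[host]
    return loads

def round_robin():
    """Alternate uplinks per request, ignoring how loaded each one is."""
    turn = count()
    return lambda placement: next(turn) % 2

def least_utilized():
    """Pick the uplink with the lowest measured load (stand-in for port stats)."""
    def pick(placement):
        loads = link_loads(placement)
        return loads.index(min(loads))
    return pick

def simulate(policy):
    """Replay EVENTS; return (lost, offered) in Mbit/s summed over all steps."""
    pick, placement, lost, offered = policy(), {}, 0, 0
    for host in EVENTS:
        placement.pop(host, None)          # the expired entry no longer counts
        placement[host] = pick(placement)  # controller installs a new entry
        for load in link_loads(placement):
            offered += load
            lost += max(0, load - CAPACITY)  # traffic above capacity is dropped
    return lost, offered

def loss_rate(policy):
    lost, offered = simulate(policy)
    return lost / offered

if __name__ == "__main__":
    for policy in (round_robin, least_utilized):
        print(f"{policy.__name__}: loss rate {loss_rate(policy):.2%}")
```

Round robin drops traffic at the steps where it stacks H1 on top of two background flows, although total demand (14 Mbit/s) stays below the 20 Mbit/s the two uplinks provide together.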

| Traffic load | round robin bandwidth | round robin usage rate (%) | SDAW bandwidth | SDAW usage rate (%) |
|---|---|---|---|---|
| 10% | 1.00 Mbits/sec | 100 | 1.00 Mbits/sec | 100 |
| 20% | 2.00 Mbits/sec | 100 | 2.00 Mbits/sec | 100 |
| 30% | 3.00 Mbits/sec | 100 | 3.00 Mbits/sec | 100 |
| 40% | 4.00 Mbits/sec | 100 | 4.00 Mbits/sec | 100 |
| 50% | 4.90 Mbits/sec | 98 | 5.00 Mbits/sec | 100 |
| 60% | 6.00 Mbits/sec | 100 | 6.00 Mbits/sec | 100 |
| 70% | 6.86 Mbits/sec | 98 | 7.00 Mbits/sec | 100 |
| 80% | 6.80 Mbits/sec | 85 | 8.00 Mbits/sec | 100 |
| 90% | 8.28 Mbits/sec | 92 | 9.00 Mbits/sec | 100 |
| 100% | 8.60 Mbits/sec | 86 | 9.72 Mbits/sec | 97 |

[Plot "Test Scenario 20%": Average bandwidth ratio (%) versus Traffic load (%); series: round robin, SDAW.]
Table 4.6 20% test - Packet loss rate

| Traffic load | round robin loss packet | round robin total packet | round robin packet loss rate (%) | SDAW loss packet | SDAW total packet | SDAW packet loss rate (%) |
|---|---|---|---|---|---|---|
| 10% | 25 | 4253 | 0.59 | 0 | 4253 | 0.00 |
| 20% | 40 | 8504 | 0.47 | 0 | 8505 | 0.00 |
| 30% | 97 | 12757 | 0.76 | 0 | 12756 | 0.00 |
| 40% | 131 | 17008 | 0.77 | 8 | 17007 | 0.05 |
| 50% | 439 | 21252 | 2.10 | 11 | 21260 | 0.05 |
| 60% | 358 | 25508 | 1.40 | 43 | 25505 | 0.17 |
| 70% | 268 | 29695 | 0.90 | 56 | 29759 | 0.19 |
| 80% | 1694 | 33996 | 11.00 | 84 | 34013 | 0.25 |
| 90% | 1852 | 37221 | 5.00 | 147 | 38282 | 0.38 |
| 100% | 4198 | 41418 | 10.00 | 208 | 41407 | 0.5 |

Figure 4.26 20% test - Packet loss rate. [Plot "Test Scenario 20%": Packet loss rate (%) versus Traffic load (%); series: round robin, SDAW.]
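... shown, average bandwidth utilization improves by 25% in the best case (traffic load 90%), and packet loss rate falls by 17.5% in the best case (traffic load 90%).

Figure 4.27 30% test - average bandwidth utilization. [Plot "Test Scenario 30%": Average bandwidth ratio (%) versus Traffic load (%); series: round robin, SDAW.]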

| Traffic load | round robin bandwidth | round robin usage rate (%) | SDAW bandwidth | SDAW usage rate (%) |
|---|---|---|---|---|
| 10% | 1.00 Mbits/sec | 100 | 1.00 Mbits/sec | 100 |
| 20% | 2.00 Mbits/sec | 100 | 2.00 Mbits/sec | 100 |
| 30% | 3.00 Mbits/sec | 100 | 3.00 Mbits/sec | 100 |
| 40% | 4.00 Mbits/sec | 100 | 4.00 Mbits/sec | 100 |
| 50% | 4.65 Mbits/sec | 93 | 5.00 Mbits/sec | 100 |
| 60% | 5.72 Mbits/sec | 95 | 6.00 Mbits/sec | 100 |
| 70% | 6.37 Mbits/sec | 91 | 7.00 Mbits/sec | 100 |
| 80% | 7.44 Mbits/sec | 93 | 8.00 Mbits/sec | 100 |
| 90% | 6.75 Mbits/sec | 75 | 9.00 Mbits/sec | 100 |
| 100% | 7.70 Mbits/sec | 77 | 9.72 Mbits/sec | 97.2 |

Figure 4.28 30% test - Packet loss rate. [Plot "Test Scenario 30%": Packet loss rate (%) versus Traffic load (%); series: round robin, SDAW.]
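Finally, in the test case with 40% average bandwidth utilization, the round-robin algorithm shows unstable performance from the very start, and its performance drops markedly after the 40% main-bandwidth test case. With our proposed method, after the 60% main-bandwidth test case, traffic already exceeds link capacity and no spare bandwidth remains for load balancing ...

Table 4.8 30% test - Packet loss rate

| Traffic load | round robin loss packet | round robin total packet | round robin packet loss rate (%) | SDAW loss packet | SDAW total packet | SDAW packet loss rate (%) |
|---|---|---|---|---|---|---|
| 10% | 9 | 4253 | 0.21 | 0 | 4253 | 0 |
| 20% | 32 | 8505 | 0.38 | 0 | 8505 | 0 |
| 30% | 97 | 12756 | 0.76 | 2 | 12756 | 0.016 |
| 40% | 182 | 17007 | 1.1 | 3 | 17007 | 0.018 |
| 50% | 646 | 21259 | 3 | 15 | 21259 | 0.071 |
| 60% | 104 | 25028 | 0.42 | 18 | 25511 | 0.071 |
| 70% | 1054 | 28112 | 3.7 | 31 | 29761 | 0.1 |
| 80% | 1636 | 33924 | 4.8 | 108 | 34013 | 0.32 |
| 90% | 6296 | 35711 | 18 | 160 | 38283 | 0.42 |
| 100% | 5155 | 38113 | 14 | 207 | 41415 | 0.5 |
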
Table 4.9 40% test - average bandwidth utilization

| Traffic load | round robin bandwidth | round robin usage rate (%) | SDAW bandwidth | SDAW usage rate (%) |
|---|---|---|---|---|
| 10% | 990 Kbits/sec | 99 | 1.00 Mbits/sec | 100 |
| 20% | 1.96 Mbits/sec | 98 | 2.00 Mbits/sec | 100 |
| 30% | 2.95 Mbits/sec | 98 | 3.00 Mbits/sec | 100 |
| 40% | 3.88 Mbits/sec | 97 | 4.00 Mbits/sec | 100 |
| 50% | 4.59 Mbits/sec | 92 | 5.00 Mbits/sec | 100 |
| 60% | 5.04 Mbits/sec | 84 | 5.84 Mbits/sec | 97 |
| 70% | 6.04 Mbits/sec | 86 | 6.21 Mbits/sec | 89 |
| 80% | 5.25 Mbits/sec | 66 | 7.00 Mbits/sec | 88 |
| 90% | 6.38 Mbits/sec | 71 | 6.96 Mbits/sec | 77 |
| 100% | 6.80 Mbits/sec | 68 | 7.49 Mbits/sec | 75 |

... shown, average bandwidth utilization improves by 22% in the best case (traffic load 80%), and packet loss rate falls by 16% in the best case (traffic load 80%).

Table 4.10 40% test - Packet loss rate

| Traffic load | round robin loss packet | round robin total packet | round robin packet loss rate (%) | SDAW loss packet | SDAW total packet | SDAW packet loss rate (%) |
|---|---|---|---|---|---|---|
| 10% | 32 | 4252 | 0.75 | 0 | 4253 | 0.00 |
| 20% | 173 | 8504 | 2.00 | 0 | 8504 | 0.00 |
| 30% | 215 | 12755 | 1.70 | 2 | 12756 | 0.00 |
| 40% | 220 | 17003 | 1.30 | 2 | 17007 | 0.00 |
| 50% | 1288 | 21256 | 6.10 | 8 | 21259 | 0.00 |
| 60% | 3569 | 25497 | 14.00 | 101 | 25510 | 0.40 |
| 70% | 3371 | 29759 | 11.00 | 2722 | 29760 | 9.10 |
| 80% | 9051 | 31879 | 28.00 | 4054 | 34010 | 12.00 |
| 90% | 8222 | 36023 | 23.00 | 7905 | 38279 | 21.00 |
| 100% | 10843 | 41290 | 26.00 | 8766 | 41432 | 21.00 |

Figure 4.29 40% test - average bandwidth utilization. [Plot "Test Scenario 40%": Average bandwidth ratio (%) versus Traffic load (%); series: round robin, SDAW.]

Figure 4.30 40% test - Packet loss rate. [Plot "Test Scenario 40%": Packet loss rate (%) versus Traffic load (%); series: round robin, SDAW.]
Chapter 5 Conclusion
5.1 Summary
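This thesis introduced software-defined networking (SDN) and firewall technologies and their current state, and on that basis implemented an automated firewall. Using the properties of SDN, the switch is given a learning capability: during an observation period it automatically learns the characteristics of the traffic passing through and adds them to the switch rules, and once the observation period ends it blocks all other traffic. In addition, to extend the automated firewall, we proposed an intrusion detection system and an on-demand registration mechanism. The intrusion detection system gives the internal network tighter protection and can block a threat as soon as it is found. The on-demand registration mechanism provides a designated host where users register, which effectively reduces manual work. Finally, we introduced a load-balancing mechanism that collects data on the switch's physical ports and flow entries and balances load according to actual usage, effectively improving network utilization.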
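For the experiments, this thesis also described the overall hardware architecture and the software used, and explained the installation and operating steps in detail. Finally, the implementation verified the feasibility of each function proposed here, including the automated firewall, the intrusion detection system and the on-demand registration mechanism. Actual measurements show that the proposed load-balancing architecture effectively raises overall network utilization: in the best case it improves average bandwidth utilization by 25% and reduces packet loss rate by 17.5%.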
5.2 Future Research Directions
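This thesis proposed an architecture for an automated firewall but gave little consideration to performance. As network environments grow more complex and firewall rules multiply, how to manage automatically learned rules effectively, so that the ever-growing number of rules does not affect flow table entry lookup time, is a direction for further research. For the intrusion detection system, misjudgments have always been hard to eliminate completely; how to combine the network information that SDN can collect with the intrusion detection system to give more accurate judgments, and so avoid the problems misjudgments cause, is another topic for further study. As for the load-balancing mechanism, the method used here collects the relevant information, but the links that can back each other up are all configured manually; how to discover routes effectively and find backup paths automatically remains for future work.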