Professional Documents
Culture Documents
Securing Virtual Machine Orchestration with
Blockchains
2
5) VMOA verifies whether the orchestration transaction
is valid or not, by querying a local registry; if yes,
it sends an acknowledgemennt via a CTE (Clear to
Execute) message to the VMM; if not, the VMOA sends
a negative acknowledgement.
It is worth noting here that the way the validation is
performed could rely on a distributed database system
for the registry.
6) In case of positive acknowledgement at the previous
step, the VMM authenticates the orchestration com-
mand request, and sends a positive acknowledgement
(ACK) to the VM orchestrator. Otherwise, a negative
Fig. 2. VMOA authentication protocol acknowledgement can be propagated back to the VM
orchestrator. If positive ACK, then the command is
executed.
In the following, we present a trustful model aiming at
Centralized entities represent a single point of failure threat,
going beyond legacy practices to secure the cloud orchestration
that can disable nodes synchronization after system recovery.
channel. We refer to the orchestration command authentica-
It is important to emphasize that there must be a trust in
tion function as Virtual Machine Orchestration Authenticator
such centralized entities considering that it has the authority
(VMOA). A VMOA node is a server that functionally has to
to change data and jeopardize its integrity and authenticity.
be seen as an intermediate machine between an orchestration
server and the virtualization server supporting the VM to be B. Blockchain VMOA
authenticated. We first present how to run a VMOA function as We propose in the following a way to run the VMOA
a centralized server, detailing the required signaling for such a function using a blockchain system shared between the vir-
case. Then, we show it can be reinterpreted under a blockchain tualization server, the orchestrator and VMM agents. Indeed,
system. the number of orchestrators and the number of virtualization
A. Centralized VMOA servers may vary in time. The blockchain VMOA we envision
is completely decentralized, with no hierarchy between orches-
Figure 2 illustrates the signaling message exchange between trators, and no hierarchy between virtualization servers. The
the orchestrator, VMOA and VMM nodes, for the case where distributed VMOA database can hence work as a distributed
the VMOA function is deployed on a single server. Often, au- ledger system.
thentication servers are realized as a single centralized entity, In a blockchain VMOA, the general steps are as follows.
at least logically. In such a configuration, we can identify six Before issuing an orchestration request (create, destroy, resize,
main steps where authentication is run at both the orchestrator- copy, migrate) to a virtualization server, the orchestrator stores
VMOA and VMM-VMOA interfaces, as explained hereafter. the request on the shared database using as a transaction.
1) A cloud orchestrator issues a VM orchestration RE- Upon VMOA configuration, a VM orchestration command is
QUEST instruction concerning, for instance, a VM issued to the virtualization server, which then uses VMOA to
create, copy, destroy, migrate or resize command, which authenticate the orchestration command. In a case of negative
is identified with its ID, the ID of the involved virtual- confirmation from VMOA, the orchestration command is not
ization servers, the IDs of the involved VMs, and related executed, while if it is confirmed, the command is carried
assets, meant as the related amount of resource required out by the virtualization server VMM that in turn, if the
by the VM for each involved network and computing command is successful, confirms the successful operation to
resource. the orchestrator. We later detail these steps once the proposed
2) The VMOA node verifies if the orchestrator has the VMOA structure and transaction management is described.
authorization to issue orchestration commands, querying Figure 3 illustrates an abstract atomic view of the
a local registry; if yes, the VMOA sends a positive blockchain VMOA system. The system can be composed
ACK message to the VM orchestrator; if not, a negative of multiple orchestrator servers, multiple host servers and
acknowledgement is sent. multiple VMOA agents on physically distinct servers from or-
3) If the acknowledgement from the previous step is pos- chestrators and the host servers. Host servers and orchestration
itive, the VM orchestrator sends the orchestration RE- servers run VMOA agents locally.
QUEST command to the virtualization server concerned
with the VM. C. Qualitative comparison
4) The VMM of the virtualization server, before actually In the following, we further stress the differences between
running the command, queries VMOA sending a RTE a blockchain system and a centralized one for VMOA, as
(Ready to Execute) message in order to authenticate the summarized in Table I for few key aspects. We refer in the
orchestration command. following to blockchain VMOA as B-VMOA.
3
One way to palliate to the validation computing latency
drawback of standard blockchain, bitcoin-like, approaches, is
to adopt a private blockchain model. As described in [4],
with private blockchains the adoption of other consensus
protocols than the proof-of-work one can make the load of the
transaction validation tunable down to acceptable transaction
validation time. Such design choices are also to be a function
of the number of nodes in the network and the desired level
of robustness against attacks.
IV. B-VMOA TRANSACTION MANAGEMENT
We describe in this section how transactions are identified
and managed in B-VMOA.
A transaction is uniquely identified by the following in-
formation: issuer ID, command assets, receiver ID, VM ID
and timestamp. The issuer could be any orchestrator in the
network and the receiver could be any VMM. An orchestration
Fig. 3. Distributed Virtual Machine Orchestrator Authenticator (VMOA). alters the state of a VM (e.g., VM create, copy, destroy,
migrate, resize). Orchestration command assets are the corre-
TABLE I sponding resource attributes (e.g., memory, processor, network
C ENTRALIZED VS BLOCKCHAIN VMOA. resources). The VMOA function is operated with a set of
VMOA agents that may be integrated to the orchestrator node,
Blockchain VMOA Centralized VMOA to the virtualization server node and/or to the independent
records integrity - server. The storage of the assets needs therefore to make use
availability - of a distributed database.
fault tolerance - In the case B-VMOA runs at the orchestrator node, steps 1-2
computing time - in Figure 2 are inter-process communications within the same
trustless nodes - orchestrator machine. In the case B-VMOA runs at the VMM
node, steps 4-5 in Figure 2 are inter-process communications
within the same virtualization server machine. In the case B-
VMOA agents are integrated to the orchestrator nodes and to
Decentralized transaction validation by all participants in a the virtualization server nodes, steps 3-6 in Figure 2 may
blockchain network makes record integrity stronger compared be omitted. The B-VMOA agent running locally informs the
to centralized systems. In centralized databases, the assumed virtualization server that there is a command addressed to it.
implicit trust in the centralized entity represents a threat to In a B-VMOA system, the database is implemented by a dis-
data integrity as well. VMOA, when based on the blockchain tributed ledger that is written and read by multiple distributed
technique, could be deployed among trustless nodes. Due to nodes concurrently. The way the distributed ledger is used
the way data is linked, any small change attempt would result supports decentralized validation of orchestration commands.
in entirely different block hash, making it unfeasible. Single The B-VMOA ledger consists of orchestration command trans-
point of failure avoidance makes B-VMOA intrinsically more actions, a transaction being characterized by the transaction
robust than the centralized approach. Indeed, access to data records already mentioned, and any other additional field that
storage in a centralized legacy database systems makes it could reveal useful for the orchestration operation, such as
dependent on a third party that, if compromised, can corrupt for instance a blockchain transaction time-out. The ledger is
and change stored data. A related feature listed in Table I stored at all B-VMOA blockchain nodes. The virtualization
is fault tolerance. In B-VMOA, many nodes have a copy of server, more precisely its VMM, is able to authenticate the
the ledger, and all copies are equally trustful. Because of its orchestration command checking if there is a valid correspond-
distributed nature, transactions can keep being updated even ing transaction stored in the VMOA ledger. An execution time
upon network failure. Once a failed node is back, it can limit can also be associated with the transaction. Orchestrators
readily retrieve all missed transaction, updating its copy of the should be the only nodes able to issue commands. Every com-
ledger. Consequently, any node can be safely removed from mand corresponds to a particular transaction. Consequently,
the system, which is not the case of centralized VMOA. every action in a system (e.g., VM create, copy, move, resize)
On the other hand, a centralized VMOA can be considered is associated with a transaction created by the orchestrator.
superior in terms of computing time compared to B-VMOA. Positive acknowledgement corresponds to command validation
In the latter, minutes can be spent to validate a transactions in- by the VMOA blockchain network. Virtualization servers
stead of milliseconds or less. In blockchain, P2P cryptography VMM may implement a transaction when receiving an explicit
communication has a large computing overhead. command from the orchestrator then verifying its validation in
4
resource to manage and hence one single currency asset. Two
asset management strategies are possible, at bootstrapping:
1) All assets corresponding to server computing resources
are owned by the orchestrator, and the servers own 0
assets.
2) The digital asset corresponding to a server computing
resource is owned by the given server, and orchestrators
own 0 assets.
The first case can be problematic, while the second case can
ease the implementation. In the first case, at bootstrapping,
Fig. 4. A 3-block VMOA blockchain structure example.
the orchestrator owns a sufficient number of assets to transfer
in order to create new VMs. In such a case, one does not
need to plan for a smart contract component in the block
the blockchain and then confirming correct execution to the structure. Every new VM creation corresponds to a transaction,
orchestrator. Alternatively, VMMs may autonomously recog- with asset transfer from the orchestrator to the server VMM.
nize themselves in a new transaction in the VMOA blockchain When and if all assets are owned by server VMMs, all
ledger they run locally. local computing resources are occupied by running VMs.
Let us detail in detail how B-VMOA treats computing and A possible problem with such a strategy is that when the
network resources related to VM orchestration commands as virtualization server resource has to be freed (e.g., in relation to
currency assets. For each orchestration command, one or many a VM destroy or migration orchestration command), logically
transactions are executed with resource assets transfer from a transaction moving back assets from the server to the or-
virtualization server to another virtualization server and/or to chestrator should happen. Therefore, due to cloud stack control
the orchestrator. centralization, the orchestrator should issue transactions where
it is not the source of the asset, but the destination. While
A. Block construction this behavior is technically implementable with ad-hoc code, it
does not readily apply to transaction management in existing
Every orchestration transaction is stored in the B-VMOA
blockchain systems where the issuer of a transaction is the
ledger, using a blockchain data structure. One orchestration
source of the asset and not the destination.
transaction can involve multiple computing resource-level
In order to mitigate this possible source of conflict and
transactions, grouped in a same B-VMOA block. Starting a
implementation incompatibility, the second strategy appears
system for the first time, B-VMOA builds the genesis blocks,
as more appropriate than the first one. With the second
which is the first block in a system. All later transactions are
strategy, a transaction corresponding to an operation freeing
stored in additional blocks chained together and building a
resources in a server (e.g., related to a VM destroy or migration
chain of blocks (where blocks are linked by an identifier result
orchestration command) is issued by the server VMM with
of a hashing function on the block binary components). A
as asset destination the orchestrator. As such an orchestration
3-block VMOA blockchain example is illustrated in4. Each
command is originally initiated by the orchestrator, and not
block contains timestamp, transactions, and the hash id of a
by the VMM, there is the need to plan for a dual transac-
previous block; optionally, it can contain a smart contract [9]
tion from the orchestrator to the VMM, which triggers the
that, as explained hereafter, is a code object to instruct
actual transaction from the VMM to the orchestrator; this
operations to trigger upon block validation. All data in a block,
can be implemented by means of smart contract in the dual
including the hash id, is hashed and is used as link with the
transaction block. Symmetrically, the same process linking the
next block in a chain. This specific blockchain data structure
actual transaction to its dual transaction exists when computing
ensures data security.
resources have to be allocated to VMs: let us suppose that
In a blockchain network, a decentralized consensus pro-
no resource is used at the virtualization server when an
tocol, involving all or a subset of the nodes, is needed to
orchestration command requiring resource usage (e.g., VM
validate transactions. In VMOA, a private blockchain network
creation); in order to perform such an operation, the VMM first
is built. Nodes to be involved in the transaction validation can
must be triggered by an actual transaction from orchestrator,
be the virtualization servers, the orchestrators, and/or dedicated
then followed by a dual transaction from the VMM.
hardware and/or dedicated virtual machines.
C. The dual transaction abstraction
B. Blockchain operations Therefore, adopting the second strategy described above, we
In B-VMOA, resources are treated as pseudo-currencies. conceive an orchestration command as a trade of two assets:
For example, one currency for the number of CPUs, another an actual one managed by an actual transaction and meant to
one for the amount of RAM memory, another one for the represent the actual resource asset, and a dual artificial one
access link capacity, another one for wide-area-network link managed by a dual transaction meant to represent a trader as-
resources, etc. As an example, suppose we have a single set, where the dual transaction and the trader assets are artifacts
5
The total number of actual assets per VMM corresponds to
the real memory owned by each server. In the genesis block,
one of the transactions should have an equivalent amount of
actual assets dedicated to the corresponding VMM. The same
applies to any computing resource involved in a virtualization
stack. As a given orchestration action is expected to act
on more than one computing resource, a VMOA block can
contain as many transaction entries as computing resources
involved.
Execution of commands directly corresponds to the different
orchestration transaction entries, which obviously means that
assets are redistributed after every orchestration command.
Additionally, as transactions do not include any fees, the total
Fig. 5. Representation of the transactions corresponding to allocation and number of assets must be the same in every moment. For
deallocation orchestration commands. each transaction to be considered as valid, consensus must be
reached.
6
Fig. 6. A 5-block VMOA blockchain example. ‘A’indicates actual resources, while ‘T ’indicates trader dual resources.
TABLE II but require all nodes to know all the other nodes [10]. In
M EMORY RESOURCE ASSET MANAGEMETN WITH B-VMOA EXAMPLE . our case, there may be no need for the nodes processing the
transactions, i.e., orchestrators and VMMs, to be anonymous.
Orchestrator VMM1 VMM2
Assets owned Actual T rader Actual T rader Actual T rader Moreover, B-VMOA needs low latency performance and smart
Step 0 0 256 128 0 128 0 contracts features. The combination of these high-level re-
Step 1 64 192 64 64 128 0
(VM creation) quirements lead us to the choice of a private and permissioned
Step 2 32 224 96 32 128 0 blockchain system.
(VM resize)
Step 3 32 224 128 0 96 32 Among the various blockchain systems made available in
(VM migration)
Step 4 256 0 128 0 128 0 open-source as described in [4], the Hyperledger Fabric is,
(VM destroy) for the moment, the one that meets B-VMOA requirements.
Hyperledger is an open source blockchain platform, supported
by IBM and the Linux Foundation, since 2015. It builds a
• Step 4 - the fifth row shows the assets variation after private blockchain system in which the nodes in the network
the orchestrator issues a VM1 destroy command (by form a private chain and share the data. Currently, it has three
transferring 32 Actual assets) to VMM2 and VMM2 has main modules:
freed resources (by trading back 32 Trader assets). This
1) Membership services: it is the place where any new
is illustrated as a final block in Figure 6.
member has to register while joining the network. This
This simple example is referred to the RAM resource, and a acts like a Certificate Authority (CA) and maintains and
completely independent equivalent process could be run for the blacklists the different nodes.
CPU resource, the access network link bandwidth related to 2) Blockchain services: it runs the consensus module, the
the operation of VMs, the wide-area-netwok link bandwidth in actual ledger service and the P2P protocol.
case of geographically distributed virtualized network function 3) Chaincode services: it contains the chaincode, which run
overlays, etc. For instance, each VM can be instantiated smart contracts in dockerized containers. The currently
with an amount of virtualization server access link bandwidth supported chaincode language is Go, with support for
consumption. Indeed, the bottleneck is typically supposed to Java, announcing the support for other languages coming
be the access link in cloud/NFV systems. Following the same in future releases [11]. The chaincode is a decentralized
scenario as in Table II, the trader assets can represent a pledge transactional program, running on the blockchain vali-
for the CPU or network bandwidth resource. dating nodes. The Docker is hosting chaincode without
VI. I MPLEMENTATION ASPECTS relying on any particular virtual machine or computer
language.
Many open source projects have been initiated in order to
make blockchain more popular and able to match different The Hyperledger-Fabric modular architecture enables dif-
business models and applications. The main difference be- ferent modules in the system. For instance, you can either
tween them is whether they are permissioned or permission- have a single validating peer without a need for consensus, or
less [4]. Another key differential aspect is about attack vector use PBFT consensus algorithm. It provides an implementation
mitigation methods, via consensus techniques. of the Byzantine Agreement, with advanced features in fault
As examined in [4], public blockchains based on PoW tolerance and scalability. In addition, with such a platform
consensus have several drawbacks directly related to confiden- there is no need for a built-in currency or a public ledger.
tiality, power consumption, execution time constraints, lack of Another advantage is that one can write the chaincode using
the required throughput (e.g., up to 7 tx/second with Bitcoin). JAVA or Golang, which are familiar and widely adopted by
On the other hand, blockchains based on advanced Byzantine a very large community of developers [12]. Therefore, as a
Fault-Tolerant (BTF) state-machine replication protocols offer future work we plan to use the Hyperledger Fabric as a suitable
much better performance in terms of throughput and latency, platform for a VMOA proof-of-concept.
7
VII. C ONCLUSION
This paper presents a work in progress toward the design
and implementation of a private blockchain system for man-
aging the authentication of virtual machine orchestration com-
mands in cloud computing and network function virtualization
systems. We specified the basic primitives that are needed
as well as conceptual boundaries. Our on-going work targets
the proof-of-concept implementation of our proposal using a
hyperledger blockchain system.
R EFERENCES
[1] R. Mijumbi and et al., “Network function virtualization: State-of-the-
art and research challenges,” IEEE Communications Surveys Tutorials,
vol. 18, pp. 236–262, 2016.
[2] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system.” Oct.
2008, [Online] https://bitcoin.org/bitcoin.pdf, access date: August 5,
2017.
[3] “Survey on Blockchain Technologies and Related Services FY2015
Report,” Nomura Research Institute, Tech. Rep., 03 2016.
[4] N. Bozic, G. Pujolle, and S. Secci, “A tutorial on blockchain and
applications to secure network control-planes,” in 2016 3rd Smart Cloud
Networks Systems (SCNS), Dec 2016, pp. 1–8.
[5] R. C. Merkle, “A digital signature based on a conventional encryption
function,” in Conference on the Theory and Application of Crypto-
graphic Techniques. Springer, 1987, pp. 369–378.
[6] K. Christidis and M. Devetsikiotis, “Blockchains and smart contracts for
the internet of things,” IEEE Access, vol. 4, pp. 2292–2303, 2016.
[7] S. Tim, “Consensus-as-a-service: a brief report on the emergence of
permissioned, distributed ledger systems,” R3, Technical Report, 6 Apr
2015.
[8] G. Greenspan, “Blockchains vs centralized databases,”
2016, [Online] http://www.multichain.com/blog/2016/03/
blockchains-vs-centralized-databases/, access date: August 5, 2017.
[9] “A next-generation smart contract and decentralized application plat-
form, Ethereum white paper,” 2014, [Online] https://github.com/
ethereum/wiki/wiki/White-Paper, access date: August 5, 2017.
[10] M. Vukolić, “The quest for scalable blockchain fabric: Proof-of-work
vs. bft replication,” in International Workshop on Open Problems in
Network Security. Springer, 2015, pp. 112–125.
[11] “Hyperledger Whitepaper,” 2015, [Online] http://www.the-blockchain.
com/docs/Hyperledger, access date: August 5, 2017.
[12] “7 blockchain technologies to watch out for in 2017,”
2017, [Online] https://medium.com/@gaurangtorvekar/
7-blockchain-technologies-to-watch-out-for-in-2017-4b3fc7a85707,
access date: August 5, 2017.