Title: Discussion and Implementation for the High Availability of Firewall Virtualized Network Function on Openstack
Authors: Yang, Ta-Wei (楊大煒); Chao, Hsi-Lu (趙禧綠)
Institute of Computer Science and Engineering
Keywords: High Availability; Virtualized Network Function; Firewall; Openstack cloud platform
Issue Date: 2015
Abstract: A virtual network function (VNF) presents a special-purpose network function (for example a firewall or DNS) as software, so it needs no dedicated hardware to support it. This property simplifies the equipment requirements of a data center: updating a network function or adding a new one requires no change to the hardware. Likewise, to make cloud services more flexible and convenient, Openstack has gradually supported or provided more and more VNFs as it has developed, and the number of VNFs a cloud platform can offer will keep rising. The architecture of services placed in the cloud, whether provided by the cloud platform or deployed by users themselves, will become more and more complex. Consequently, once one link of the whole service fails, the whole system can no longer provide its service correctly; a single fault becomes a single point of failure. To prevent this, we must provide high availability (HA) for our service, so that the system keeps operating normally even after a fault occurs. In this thesis we focus on the HA of VNFs on Openstack. We propose a system architecture that implements VNFs on virtual machines (VMs) using HA-related open-source software together with shell scripts; the approach can be applied to most kinds of VNF. Because there are too many kinds of VNF, we choose the firewall (FW), the VNF for which HA is most tedious to implement, as the subject of discussion; both Active-Passive and Active-Active firewalls fall within the scope of the thesis. To achieve firewall HA, we must do at least three things. First, when the firewall originally responsible for the traffic can no longer provide service, its packets must be forwarded to another firewall that is in a working state. Second, the firewall rules configured on the firewall originally providing service must be synchronized to the other firewalls that may take over. Finally, when the packet flow is switched from the failed firewall to a backup firewall, the existing connection sessions must be maintained, so that connections already in use continue without having to reconnect.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070256093
http://hdl.handle.net/11536/126880
Appears in Collections: Thesis