Seamless virtual machine live migration on network security enhanced hypervisor

Chen Xianqin, Wan Han, Wan Sumei, Long Xiang
DOI: 10.1109/ICBNMT.2009.5347800 (https://doi.org/10.1109/ICBNMT.2009.5347800)
Published in: 2009 2nd IEEE International Conference on Broadband Network & Multimedia Technology
Publication date: 2009-12-04
Citations: 30

Abstract

Since virtual network traffic is invisible outside the hypervisor, traditional network-based security devices cannot contain attacks that occur inside a virtual computing environment. Industry and academia have adopted the network security enabled hypervisor (NSE-H) to protect virtual machines (VMs) residing in the virtual network. In this paper, we identify a deficiency of the existing live migration implementation that prevents it from providing transparent VM relocation between NSE-Hs. This occurs because the current migration implementation takes only the VM's encapsulated state into account and ignores the VM-related security context (SC) needed by the security engines (SEs) embedded in the NSE-H. We present a comprehensive live migration framework for the NSE-H that considers both the execution context encapsulated in the VM instance and the VM-related security context held within the SEs. We built a prototype of the framework on a Xen hypervisor with a stateful firewall enabled. Our experiments were performed with realistic applications, and the results demonstrate that the solution remedies the deficiency without introducing significant performance degradation. Even in the worst case, the downtime that occurs during migration increases by no more than 15% compared to the existing implementation.