• Aucun résultat trouvé

Platform for programmable heterogeneous virtual middleboxes

N/A
N/A
Info
Télécharger
Protected

Academic year: 2021

Partager "Platform for programmable heterogeneous virtual middleboxes"

Copied!
22
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Platform

for

programmable

heterogeneous

virtual

(2)

The team

Laurent Mathy (Supervisor)

Cyril Soldani (Language / code analysis / private NFV) Emmanouil Psanis (Synchronization)

(3)

Programmable

Stir network innovation

Deploy middleboxes in the Cloud

We develop a platform for

programmable heterogeneous virtual

(4)

Platform

It needs to be

flexible (for various current and future middleboxes)

secure (isolation between tenants w.r.t data and

resources)

fast (low latency, high throughput)

easy to use

We develop a platform for

programmable heterogeneous virtual

(5)

Heterogeneous

GPU

NetFPGA

Tilera

CPU

We develop a platform for

programmable heterogeneous virtual

(6)

Consolidate

middleboxes

- Full-VM not the right abstraction for performance

- Fine grained (eg. Tailtrie : multiple FIB on GPU with partial similar data)

Migrate them between the underlying hardware

-

Virtualize data structures for heterogeneous hardware (Tile, NetFPGA, GPU, x86)

Virtual

We develop a platform for

programmable heterogeneous virtual

(7)

What

will

be

the

platform

?

(8)

?

Why not?

 General purpose

 Have all the needed softwares

 Provide isolation through process mechanism  Paper about running things on GPU, FPGA, ...

(9)

Kernel Network Stack

is

Slow

“Too much”

general purpose

Lot of

systems calls

to receive and send

packets

(10)

First work

Lot of

I/O

frameworks

available

Netmap improved DPDK Netmap PF RING PacketShader I/O Linux Kernel PCAP (12 cores) PCAP 0 200 400 600 800 1000 0 10 20 30 40

Packet size (bytes)

T h ro u g h p u t (G b p s)

(11)

Those

frameworks

deliver

RAW

packets

quickly

to

user-space

(12)

Click

modular

router

Flexible, easy-to-use, component-based configuration Existing reusable elements for common networking

functions

Available in user-space with some of the above frameworks

(13)

FastClick - DPDK

FastClick - Netmap

DoubleClick

Original Netmap

Click Kernel (12 cores)

PCAP (12 cores)

Linux Socket (12 cores)

Click Kernel (4 cores)

0 200 400 600 800 1000 0 10 20 30 40

Packet size (bytes)

T h ro u g h p u t (G b p s) Second work

Enhance click

Multiple I/O Framework integrations, but perfectible

Globally enhance Click with multiqueue support, batching,

zero-copy, better multithreading...

Forwarding test case

(14)

FastClick

ANCS'15

• Review the need for high speed I/O frameworks more suited than kernel API and compared them

• Using proposed ideas and new ideas of our own, we showed

that FastClick was fit for purpose as a high speed userspace packet processor and opens the door for implementation of middleboxes and NFV

• FastClick is available at

http://fastclick.run.montefiore.ulg.ac.be/

Routing test case

FastClick - DPDK

FastClick - Netmap

DoubleClick

Original Netmap

Click Kernel (12 cores)

Linux

Click Kernel (4 cores)

0 200 400 600 800 1000 0 10 20 30 40

Packet size (bytes)

T h ro u g h p u t (G b p s)

(15)

Current work

Add

flow

support to FastClick

Middlebox functionalities needs it :

Attack spitted across multiple fragmented packets HTTP Reconstruction for ad-removal

defacing detection Proxy-caching

DPI …

(16)

Flows

Classification

of packet into micro-flows

Eg. :

- TCP micro-flows - IP Pair

- Packets from one AS to another AS - ?

Wait

for more packets mechanism

(17)

The Click way

FromDevice(eth0) Classifier

ARP ARP elements

IP ClassifierClassifier DPI Element IP TCP dport = 80 NAT Element - Multiple classifiers

- Multiple flow table (each element has a hash table to access a per-flow space) Also “the industry” way : multiple VM, reclassifying each time

(18)

One big classifier

FlowDispatcher

ARP ARP elements

IP Classifier FlowDispatcher DPI Element IP NAT Element FlowClassifier class DPIData { StateMachine s; Packet* awaiting_packets; }

class NAT Data { U32 old_ip; U32 new_ip; u16 old_dport; u16 new_dport; } Int output_nr; Int output_nr;

Flow rule data Flow Local Storage Flow Control

Block

Space computed at configuration time

FromDevice(eth0)

TCP dport = 80

(19)

Flow detection

One big classifier

0 1

(20)

Wait

for more packets mechanism

“Run to completion|buffer” execution model

Try to process one packet through all elements in the pipeline.

Either :

- Execution finish in an output element

- Element asks for more packets, keeping that one in a buffer (per sub-flow, per element)

Process next packet

→ Avoid the cost of a context switch we would have with a socket

(21)

- Flow system (nearly finished)

- Quick packet classification

- Fast rule specialization

- Multi-dimensional

- Partially offloadable

After that :

Make click elements compatible with some

hardware devices (GPU, NetFPGA, …)

Handle the migration of those elements

→ Optimisation problem, data consistency, ...

(22)

Questions, (possibly) answers

and discussion

?

A programmable middlebox platform that can run on top of

“what's available”, with fine grained virtualization and

Références

Télécharger maintenant ( PDF - 22 Page - 1.58 MB )

Documents relatifs

Négociation de traversée de NAT dans IKE

Pour récupérer de cela, les extrémités qui ne SONT PAS derrière le NAT DEVRAIENT utiliser le dernier paquet valide IKE ou IPsec encapsulé dans UDP provenant de l’autre

Traduction d'adresse réseau IP traditionnelle (NAT traditionnelle)

Dans un dispositif de NAT de base, lorsque les nœuds du réseau privé sont plus nombreux que les adresses disponibles pour la transposition (disons un réseau privé de classe B

Implications architecturales des NAT

Ce n'est pas possible pour toutes les applications (comme pour l'authentification fondée sur IP dans SNMP) et même avec des passerelles d'application sur le chemin, il peut

Terminologie et considérations sur les traducteurs d'adresse réseau (NAT) IP

Le "client RSAP-IP " peut être défini de façon similaire à celle du client RSA-IP avec la variante que le client RSAP-IP suppose un couple de (adresse externe, identifiant

Extensions à FTP pour IPv6 et les NAT

Le code numérique spécifié ci-dessus et les informations de protocole entre les caractères '(' et ')' sont tous deux destinés à l’automate logiciel qui reçoit la réponse ;

Tunnelage IP dans IP

Si le datagramme devrait violer l'état du tunnel (comme avec une MTU supérieure à la MTU du tunnel lorsque le fanion Ne pas fragmenter est mis) le routeur renvoie un message

Ingestion of U(nat),

The results also suggest very strong association of the radionuclides between the vegetables and water and reveals that water is more conducive for high radioactivity occurrence

8 risques nat adaptationregion

données issues de la plateforme RHYTMME et de la modélisation AIGA..  Qualification du cumul de pluie