A low-level dive into building a high-speed NFV dataplane for service chaining

To cope with the growing performance needs of security appliances in datacenters or the network edge, current middlebox functionalities such as stateful firewalls, NATs, DPI, content-aware optimizers or load-balancers are self-contained software. They avoid OS services as those are not tailored for NFV and use most of the time RAW sockets, or specific I/O frameworks (DPDK, Netmap, ...) to receive raw packets.

In this work, we present a system specifically designed to run a pipeline of VNFs. The system combines the classification and sessions needs of the VNFs. We build an abstract view of flows and use it to implement support for seamless inspection and modification of the content of any flows (such as TCP or HTTP), automatically reflecting a consistent view, across layers, of flows modified on-the-fly. This brings together the advantage of reusing software components with the performance provided by state-of-the-art high-speed NFV frameworks that force reimplementing protocol specifics in each application.

We show unique considerations about factorizing session management and multi-protocol support for high-speed in-the-middle inspection and modification of flows. The system also offers automatic, session-aware parallelism to handle a large number of flows.