Network functions such as firewalls, NAT, DPI, content-aware optimizers, and load balancers are increasingly realized as software to reduce costs and enable outsourcing. To meet performance requirements, these virtual network functions (VNFs) often bypass the kernel and use their own user-space networking stack. A naïve realization of a chain of VNFs will exchange raw packets, leading to many redundant operations and wasted resources. In this work, we design a system to execute a pipeline of VNFs. We provide the user with facilities to define (i) a traffic class of interest for the VNF, (ii) a session to group the packets (such as the TCP 4-tuple), and (iii) the amount of space per session. The system synthesizes a classifier and builds an efficient flow table that, when possible, is automatically and partially offloaded to and accelerated by the network interface. We utilize an abstract view of flows to support seamless inspection and modification of the content of any flow (such as TCP or HTTP). By applying only surgical modifications to the protocol headers, we avoid the need for a complex, hard-to-maintain user-space TCP stack and can chain multiple VNFs without reconstructing the stream multiple times, allowing up to 5x improvement over standard approaches.
Disciplines:
Computer science
Authors:
Barbette, Tom ; Université de Liège - ULiège > Montefiore Institute of Electrical Engineering and Computer Science ; Division of Software and Computer Systems (SCS), KTH Royal Institute of Technology, Kista, Sweden
Soldani, Cyril ; Université de Liège - ULiège > Montefiore Institute of Electrical Engineering and Computer Science ; Division of Software and Computer Systems (SCS), KTH Royal Institute of Technology, Kista, Sweden
Mathy, Laurent ; Université de Liège - ULiège > Montefiore Institute of Electrical Engineering and Computer Science ; Division of Software and Computer Systems (SCS), KTH Royal Institute of Technology, Kista, Sweden
Language:
English
Title:
Combined Stateful Classification and Session Splicing for High-Speed NFV Service Chaining
Publication date:
December 2021
Journal title:
IEEE/ACM Transactions on Networking
ISSN:
1063-6692
eISSN:
1558-2566
Publisher:
Institute of Electrical and Electronics Engineers Inc.
Funders:
F.R.S.-FNRS - Fonds de la Recherche Scientifique [BE]; ERC - European Research Council [BE]
Funding text:
Fonds National de la Recherche Scientifique (FNRS) through the Projet De Recherche (PDR) ePi Project; European Research Council (ERC) through the European Union's Horizon 2020 Research and Innovation Programme