NetBricks: Taking the V out of NFV. Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI

Size: px

Start display at page:

Download "NetBricks: Taking the V out of NFV. Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI"

Erik Davidson
5 years ago
Views:

1 NetBricks: Taking the V out of NFV Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI

2 What the heck is NFV?

3 A Short Introduction to NFV

4 A Short Introduction to NFV Firewall IDS Cache LB

5 A Short Introduction to NFV Firewall IDS Cache LB Network Function Chain

6 Why NFV? Simplifies adding new functionality: Deploy new software.

7 Why NFV? Simplifies adding new functionality: Deploy new software. Simplifies developing new functionality: Write software vs design hardware

8 Why NFV? Simplifies adding new functionality: Deploy new software. Simplifies developing new functionality: Write software vs design hardware Reuse management tools from other domains.

9 Why NFV? Simplifies adding new functionality: Deploy new software. Simplifies developing new functionality: Write software vs design hardware Reuse management tools from other domains. Consolidation: Reduce number of hardware boxes in the network.

10 Challenges for NFV

11 Challenges for NFV Running NFs Isolation and Performance

12 Challenges for NFV Running NFs Isolation and Performance Building NFs High-Level Programming and Performance

13 Running NFs

14 Isolation Memory Isolation: Each NF s memory cannot be accessed by other NFs.

15 Isolation Memory Isolation: Each NF s memory cannot be accessed by other NFs. Packet Isolation: When chained, each NF processes packets in isolation.

16 Isolation Memory Isolation: Each NF s memory cannot be accessed by other NFs. Packet Isolation: When chained, each NF processes packets in isolation.

17 Isolation Memory Isolation: Each NF s memory cannot be accessed by other NFs. Packet Isolation: When chained, each NF processes packets in isolation. Performance Isolation: One NF does not affect another s performance.

18 Isolation Memory Isolation: Each NF s memory cannot be accessed by other NFs. Packet Isolation: When chained, each NF processes packets in isolation. Performance Isolation: One NF does not affect another s performance.

19 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

20 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

21 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

22 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

23 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

24 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

25 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

26 Current Solution Memory Isolation vswitch VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

27 Current Solution Memory Isolation vswitch Copy VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

28 Current Solution Memory Isolation vswitch Copy VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

29 Current Solution Memory Isolation vswitch Copy VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

30 Current Solution Memory Isolation vswitch Copy VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

31 Current Solution Memory Isolation vswitch Copy VM/Container VM/Container VM/Container Packet Isolation NIC... NIC Performance

32 Isolation Costs Performance

33 Isolation Costs Performance

34 Isolation Costs Performance

35 Isolation Costs Performance

36 Isolation Costs Performance

37 Isolation Costs Performance

38 NetBricks Runtime Architecture Single Process Space NF D NF D NF D NF C NF Z NF C NF Z NF C NF Z NF B NF Y NF B NF Y NF B NF Y NF A NF X NF A NF X NF A NF X ZCSI Scheduler DPDK Poll for I/O DPDK Poll for I/O DPDK Poll for I/O Poll for I/O NICs

39 NetBricks Runtime Architecture Single Process Space NF D NF D NF D NF C NF Z NF C NF Z NF C NF Z Function NF B NF Y Call NF B NF Y NF B NF Y NF A NF X NF A NF X NF A NF X ZCSI Scheduler DPDK Poll for I/O DPDK Poll for I/O DPDK Poll for I/O Poll for I/O NICs

40 NetBricks Runtime Architecture Single Process Space NF D NF D NF D NF C NF Z NF C NF Z NF C NF Z NF B NF Y NF B NF Y NF B NF Y NF A NF X NF A NF X NF A NF X ZCSI Scheduler DPDK Poll for I/O DPDK Poll for I/O DPDK Poll for I/O Poll for I/O NICs

41 NetBricks Runtime Architecture Single Process Space NF D NF D NF D NF C NF Z NF C Run NF Z NF C NF Z to NF B NF Y NF B Completion NF Y NF B NF Y Scheduling NF A NF X NF A NF X NF A NF X ZCSI Scheduler DPDK Poll for I/O DPDK Poll for I/O DPDK Poll for I/O Poll for I/O NICs

42 NetBricks Runtime Architecture Single Process Space NF D NF D NF D NF C NF B NF Z NF C Run NF Z NF C What about to Isolation? NF Y NF B Completion NF Y NF B Scheduling NF Z NF Y NF A NF X NF A NF X NF A NF X ZCSI Scheduler DPDK Poll for I/O DPDK Poll for I/O DPDK Poll for I/O Poll for I/O NICs

43 Provide Isolation through Software

44 ZCSI: Zero Copy Soft Isolation VMs and containers impose cost on packets crossing isolation boundaries. Frequent operation for many NFs which must support 10s of MPPS.

45 ZCSI: Zero Copy Soft Isolation VMs and containers impose cost on packets crossing isolation boundaries. Frequent operation for many NFs which must support 10s of MPPS. Insight: Use type checking (compile time) and runtime checks for isolation. Isolation costs largely paid at compile time (small runtime costs).

46 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages.

47 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages. Type checks + array bounds checking provide memory isolation.

48 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages. Type checks + array bounds checking provide memory isolation. Build on unique types for packet isolation.

49 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages. Type checks + array bounds checking provide memory isolation. Build on unique types for packet isolation. Unique types ensure references destroyed after certain calls.

50 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages. Type checks + array bounds checking provide memory isolation. Build on unique types for packet isolation. Unique types ensure references destroyed after certain calls. Ensure only one NF has a reference to a packet.

51 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages. Type checks + array bounds checking provide memory isolation. Build on unique types for packet isolation. Unique types ensure references destroyed after certain calls. Ensure only one NF has a reference to a packet. Enables zero copy packet I/O.

52 Our Approach Disallow pointer arithmetic in NF code: use safe subset of languages. Type checks + array bounds checking provide memory isolation. Build on unique types for packet isolation. Unique types ensure references destroyed after certain calls. Ensure only one NF has a reference to a packet. Enables zero copy packet I/O. All of these features implemented on top of Rust.

53 Software can provide both Memory and Packet Isolation

54 Benefits of Software Isolation Enable better consolidation: multiple NFs can share a core.

55 Benefits of Software Isolation Enable better consolidation: multiple NFs can share a core. Normally hard because of context switch costs (~1µs).

56 Benefits of Software Isolation Enable better consolidation: multiple NFs can share a core. Normally hard because of context switch costs (~1µs). In our case just a function call (a few cycles at most).

57 Benefits of Software Isolation Enable better consolidation: multiple NFs can share a core. Normally hard because of context switch costs (~1µs). In our case just a function call (a few cycles at most). Reduce memory and cache pressure for NFV deployments.

58 Benefits of Software Isolation Enable better consolidation: multiple NFs can share a core. Normally hard because of context switch costs (~1µs). In our case just a function call (a few cycles at most). Reduce memory and cache pressure for NFV deployments. Zero copy I/O => do not need to copy packets around.

59 Challenges for NFV Running NFs Isolation and Performance Building NFs High-Level Programming and Performance

60 How to write NFs? Current: NF writers concerned about meeting performance targets

61 How to write NFs? Current: NF writers concerned about meeting performance targets Low level abstractions (I/O, cache aware data structures) and low level code.

62 How to write NFs? Current: NF writers concerned about meeting performance targets Low level abstractions (I/O, cache aware data structures) and low level code. Spend lots of time optimizing how abstractions are used to get performance.

63 How to write NFs? Current: NF writers concerned about meeting performance targets Low level abstractions (I/O, cache aware data structures) and low level code. Spend lots of time optimizing how abstractions are used to get performance. Observation: NFs exhibit common patterns: abstract and optimize these.

64 How to write NFs? Current: NF writers concerned about meeting performance targets Low level abstractions (I/O, cache aware data structures) and low level code. Spend lots of time optimizing how abstractions are used to get performance. Observation: NFs exhibit common patterns: abstract and optimize these. What happened in other areas

65 How to write NFs? Current: NF writers concerned about meeting performance targets Low level abstractions (I/O, cache aware data structures) and low level code. Spend lots of time optimizing how abstractions are used to get performance. Observation: NFs exhibit common patterns: abstract and optimize these. What happened in other areas MPI to Map Reduce, etc.

66 Abstractions Packet Processing Abstractions Parse/Deparse Transform Filter Parse (or undo parsing for) a header from the packet. Operate on the packet header and payload. Drop packet whose header or payload meet some criterion. Byte Stream Processing Abstractions Window Packetize Use a sliding window to gather packet payload and call a function. Segment a byte array into a sequence of packets, Control Flow Group By Shuffle Merge Branch control flow between abstractions. Shuffle packets across processing cores. Merge control from branches. State Abstractions Bounded Consistency State State store with tunable consistency specification. Schedulabe Abstractions Invoke Periodically execute a function.

67 Shuffle Abstraction Spread packets across cores for scaling + + Core 1 Core 2 + Core 3 + Counters Core 4 Input Mux Counter Demux Output

68 Shuffle Abstraction Spread packets across cores for scaling + + Might even use + hardware for this. Core 1 Core 2 Core 3 + Counters Core 4 Input Mux Counter Demux Output

69 Example NF: Maglev Maglev: Load balancer from Google (NSDI 16). Main contribution: a novel consistent hashing algorithm. Most of the work in common optimization: batching, scaling cross core. NetBricks implementation: 105 lines, 2 hours of grad student time. Comparable performance to optimized code

70 Managing NFs Building and Running NFs

71 Managing NFs Building and Running NFs E2 (SOSP 15) Stratos FTMB (SIGCOMM 15) FlowTags (NSDI 14)

72 Managing NFs Building and Running NFs No Isolation E2 (SOSP 15) CoMB (NSDI 12) xomb (ANCS 12) Stratos FTMB (SIGCOMM 15) FlowTags (NSDI 14)

73 Managing NFs Building and Running NFs No Isolation E2 (SOSP 15) CoMB (NSDI 12) xomb (ANCS 12) Stratos FTMB (SIGCOMM 15) FlowTags (NSDI 14) VM Isolation NetVM (IEEE TNSM) ClickOS (NSDI 14) HyperSwitch (ATC 13) mswitch (SOSR 15)

74 Managing NFs Building and Running NFs No Isolation E2 (SOSP 15) CoMB (NSDI 12) xomb (ANCS 12) Stratos FTMB (SIGCOMM 15) FlowTags (NSDI 14) VM Isolation NetVM (IEEE TNSM) ClickOS (NSDI 14) HyperSwitch (ATC 13) mswitch (SOSR 15) No Packet Isol.

75 Conclusion Performance demands for NFV require forwarding MPPS. Requires isolation for consolidation. Software isolation is necessary to meet performance requirements. Requires low level optimization, slowing down NF development. Abstract operators + UDF can simplify development without sacrificing performance.

76 Conclusion Performance demands for NFV require forwarding MPPS. Requires isolation for consolidation. Software isolation is necessary to meet performance requirements. Requires low level optimization, slowing down NF development. Abstract operators + UDF can simplify development without sacrificing performance. Code available at

77 Backup

78 Both Memory Isolation and I/O Induce Overheads

SafeBricks: Shielding Network Functions in the Cloud

SafeBricks: Shielding Network Functions in the Cloud Rishabh Poddar, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley Network Functions (NFs) in the cloud Clients 2 Enterprise Destination Network