ABSTRACT
Existing software dataplanes that run network functions inside VMs or containers can provide either performance (by dedicating CPU cores) or multiplexing (by context switching), but not both at once. Function-based dataplane architectures, which replace VMs and containers with function calls, promise to achieve multiplexing and performance at the same time. However, they compromise memory isolation between tenants by forcing them to share a single memory address space.
In this paper, we show that an operating system-like management layer for modules in a function-based data plane can offer OS-like constructs such as performance and memory isolation. To provide memory isolation, we leverage new Intel CPU extensions (MPX) to create coarse-grained heap and stack protection even for legacy code written in unsafe native languages such as C. In addition, we use programmable NIC offloads to distribute load across cores as well as to prevent batch fragmentation when processing complex service graphs. Our preliminary evaluation shows the limitations of existing techniques that require heavyweight memory isolation or incur cross-core overheads.
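The coarse-grained heap protection the abstract describes amounts to two addresses per module, a lower and an upper bound, checked before each access. The C program below is an added example, not code from the paper: it emulates in software the check MPX performs in hardware (bounds created with BNDMK and verified with BNDCL for the lower and BNDCU for the upper bound), gives every module a private heap arena and refuses writes that fall outside it, including writes aimed at another module's arena. The names `module_init`, `module_alloc`, `module_check` and `module_write`, the 4 KiB arena size and the two demo modules are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not the paper's code): per-module heap bounds emulated
 * in software.  MPX would keep lo/hi in a bounds register and check them with
 * BNDCL/BNDCU before a load or store; here the check is an ordinary C function
 * so the example runs on any machine. */

#define ARENA_BYTES 4096   /* assumed arena size for this example */

struct module_bounds {
    uintptr_t lo;   /* first valid byte (inclusive) */
    uintptr_t hi;   /* last valid byte (inclusive), as MPX stores upper bounds */
};

struct module {
    const char *name;
    unsigned char arena[ARENA_BYTES];  /* module-private heap region */
    size_t used;                       /* bump-allocator cursor */
    struct module_bounds bnd;
};

/* Establish the bounds for a module's private heap (the analogue of BNDMK). */
void module_init(struct module *m, const char *name)
{
    m->name = name;
    m->used = 0;
    memset(m->arena, 0, ARENA_BYTES);
    m->bnd.lo = (uintptr_t)m->arena;
    m->bnd.hi = (uintptr_t)m->arena + ARENA_BYTES - 1;
}

/* Bump allocation inside the module's arena; NULL when the arena is exhausted. */
void *module_alloc(struct module *m, size_t n)
{
    if (n == 0 || n > ARENA_BYTES - m->used)
        return NULL;
    void *p = m->arena + m->used;
    m->used += n;
    return p;
}

/* Bounds check for an access of len bytes starting at p against module m.
 * Returns 1 when the whole range lies inside m's arena, 0 otherwise.
 * Mirrors BNDCL (p >= lo) and BNDCU (p + len - 1 <= hi), without overflow. */
int module_check(const struct module *m, const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    if (len == 0)
        return 1;
    if (a < m->bnd.lo || a > m->bnd.hi)
        return 0;                         /* start is outside the arena */
    if (len - 1 > m->bnd.hi - a)
        return 0;                         /* range runs past the upper bound */
    return 1;
}

/* A module copies a payload into a buffer it believes it owns.  The copy is
 * refused (return -1) when the destination is outside the module's bounds,
 * instead of corrupting a neighbouring module's memory. */
long module_write(struct module *m, void *dst, const unsigned char *src, size_t len)
{
    if (!module_check(m, dst, len))
        return -1;
    memcpy(dst, src, len);
    return (long)len;
}

/* Two demo modules and a constructed 8-byte payload used by main and the test. */
struct module mod_a, mod_b;
const unsigned char demo_payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

void init_demo(void)
{
    module_init(&mod_a, "tenant-a");
    module_init(&mod_b, "tenant-b");
}

int main(void)
{
    init_demo();
    void *buf = module_alloc(&mod_a, 8);
    printf("write inside own arena:      %ld\n", module_write(&mod_a, buf, demo_payload, 8));
    printf("write into neighbour arena:  %ld\n", module_write(&mod_a, mod_b.arena, demo_payload, 8));
    printf("neighbour arena untouched:   %d\n", mod_b.arena[0] == 0);
    return 0;
}
```

The check is deliberately coarse: it protects the boundary between modules, not individual objects inside an arena, which is the trade-off the abstract accepts in exchange for working on unmodified native code.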
Index Terms
- Hardware-assisted Isolation in a Multi-tenant Function-based Dataplane