ABSTRACT
With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packet-processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks persistent state and basic arithmetic and logic operations.
This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitch's flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs.
We compare our implementation, based on Open vSwitch-DPDK, to existing approaches with comparable isolation properties and measure a nearly 2x performance improvement.
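As an added illustration, not code from the paper or Oko's own program interface, here is a stateful, read-only filter of the kind the abstract describes, written in plain C so it runs without a BPF VM: it counts bare TCP SYNs per source address in a persistent map and makes the rule match once a source exceeds a threshold, which is a detection use case (connection-attempt monitoring) the packet can never be altered by. The entry-point name `oko_filter`, the map layout and the 1 = match / 0 = no-match return convention are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAP_SIZE 256     /* persistent map: one bare-SYN counter per source IP */
#define SYN_THRESHOLD 3  /* the rule matches once a source exceeds 3 bare SYNs */
static uint32_t map_key[MAP_SIZE];  /* source IPv4 address; 0 marks an empty slot */
static uint32_t map_val[MAP_SIZE];  /* bare-SYN count for that source */

static uint32_t *map_lookup_or_insert(uint32_t src) { /* open addressing; inserts a zeroed counter */
    uint32_t i = (src * 2654435761u) >> 24;          /* multiplicative hash to a slot */
    for (uint32_t n = 0; n < MAP_SIZE; n++, i = (i + 1) % MAP_SIZE) {
        if (map_key[i] == src) return &map_val[i];
        if (map_key[i] == 0) { map_key[i] = src; return &map_val[i]; }
    }
    return NULL;                                     /* map full: no match, never a crash */
}

void filter_reset_state(void) {
    memset(map_key, 0, sizeof map_key);
    memset(map_val, 0, sizeof map_val);
}

/* Filter entry point (assumed ABI): returns 1 if the OpenFlow rule should match, 0 otherwise.
 * The packet buffer is parsed read-only and never modified. */
int oko_filter(const uint8_t *pkt, size_t len) {
    if (len < 14 + 20 + 14 || pkt[12] != 0x08 || pkt[13] != 0x00) return 0; /* Ethernet, EtherType IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 14 || ip[9] != 6) return 0; /* IPv4 carrying TCP */
    const uint8_t *tcp = ip + ihl;
    if ((tcp[13] & 0x12) != 0x02) return 0;        /* bare SYN: SYN set, ACK clear */
    uint32_t src; memcpy(&src, ip + 12, 4);        /* source address in network byte order */
    uint32_t *cnt = map_lookup_or_insert(src);
    return cnt ? ++(*cnt) > SYN_THRESHOLD : 0;
}

/* Builds a constructed 54-byte Ethernet/IPv4/TCP frame for exercising the filter. */
size_t build_tcp_frame(uint8_t *buf, uint32_t src_be, uint8_t tcp_flags) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                /* EtherType IPv4 */
    buf[14] = 0x45; buf[14 + 9] = 6;               /* IPv4 with IHL 5, protocol TCP */
    memcpy(buf + 14 + 12, &src_be, 4);             /* source IP */
    buf[14 + 20 + 13] = tcp_flags;                 /* TCP flags byte */
    return 54;
}

int count_matches_for_syns(int n) { /* feeds n bare SYNs from constructed source 10.0.0.1 */
    uint8_t frame[54];
    size_t len = build_tcp_frame(frame, 0x0100000a, 0x02);
    filter_reset_state();
    int matched = 0;
    for (int i = 0; i < n; i++) matched += oko_filter(frame, len);
    return matched;
}
```

The per-source state survives across packets exactly as a BPF map would, while every early return keeps a malformed or non-TCP packet from being matched or from reading past the buffer.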
Index Terms: Oko: Extending Open vSwitch with Stateful Filters