By enabling the deployment of softwarized network functions on commodity servers, Network Function Virtualization (NFV) brings many benefits such as rapid development and deployment, simplicity and flexibility in network operations and management. Monitoring the performance characteristics of Virtual Network Functions (VNFs), such as packet processing time, is crucial to achieving maximum benefit from NFV. In this paper, we present Packet Processing Time Monitoring (PPTMon) - a solution for real-time and lightweight VNF packet processing time monitoring. PPTMon embeds timestamp information directly into the packets. PPTMon is implemented using extended Berkeley Packet Filter (eBPF) - a new Linux framework that allows high-speed packet processing. Our experiments showed that PPTMon can monitor VNFs with high accuracy and low performance overhead.
A single CPU core is not fast enough to process packets arriving from the network on commodity NICs. Applications are therefore turning to application-level partitioning and NIC offload to exploit parallelism on multicore systems and relieve the CPU. Although NIC offload techniques are not new, programmable NICs have emerged as a way for custom packet processing offload. However, it is not clear what parts of the application should be offloaded to a programmable NIC for improving parallelism.
We propose an approach that combines application-level partitioning and packet steering with a programmable NIC. Applications partition data in DRAM between CPU cores, and steer requests to the correct core by parsing L7 packet headers on a programmable NIC. This approach improves request-level parallelism but keeps the partitioning scheme transparent to clients. We believe this approach can reduce latency and improve throughput because it utilizes multicore systems efficiently, and applications can improve the partitioning scheme without impacting clients.
SNAPPY Bélair, Maxime; Laniepce, Sylvie; Menaud, Jean-Marc
Proceedings of the 36th Annual ACM Symposium on Applied Computing,
03/2021
Conference Proceeding
Open access
Compared to full virtualization, containerization reduces virtualization overhead and resource usage, offers reduced deployment latency and improves reusability. For these reasons, containerization is massively used in an increasing number of applications.
However, because containers share a full kernel with the host, they are more vulnerable to attacks that may compromise the host and the other containers on the system.
In this paper, we present SNAPPY (Safe Namespaceable And Programmable PolicY), a new framework that allows even unprivileged processes such as containers to safely and dynamically enforce in the kernel fine-grained, stackable and programmable eBPF security policies at runtime. This is done by making a new LSM (Linux Security Module) module, a new security Linux namespace abstraction (policy_NS) and eBPF policies enriched with 'dynamic helpers' work in coordination. This design especially allows minimizing containers' attack surface. Our design may be applied to any process but is particularly suitable for container-based use cases.
We show that SNAPPY can effectively increase the security level of containers for different use cases, can be easily integrated with the most relevant norms (OCI, Open Container Initiative) and containerization engines (Docker and runC) and has a performance overhead lower than 0.09% in realistic scenarios.
A reliable Wide Area Network (WAN) has become an imperative need for enterprises with Cloud-hosted applications and distributed branch offices. Software-Defined Wide Area Network (SD-WAN) has been regarded as the most promising technological solution for next generation enterprise networks capable of increasing network agility and reducing costs. In this paper, we present an experimental SD-WAN solution capable of running and optimizing delay-sensitive services, such as VoIP and video streaming, while minimizing downtime caused by network failures. We validate our solution thanks to two SD-WAN testbeds: the first one is deployed in a municipal network of an Italian city, while the other is emulated in our laboratory. The goal is to show the capability of SD-WAN to guarantee fast recovery and resilience in case of network failures, exploiting an innovative eBPF-based monitoring technique.
A proof-of-concept 5G mobile gateway with eBPF Parola, Federico; Miano, Sebastiano; Risso, Fulvio
Proceedings of the SIGCOMM '20 Poster and Demo Sessions,
08/2020
Conference Proceeding
In this poster we propose the first proof-of-concept open-source implementation of a 5G Mobile Gateway based on eBPF/XDP and present benchmarks that compare its performance with alternative technologies. We show how it outperforms other in-kernel solutions (e.g., OvS) and is comparable with DPDK-based platforms.
This paper presents Polycube, an open-source software framework based on eBPF, that enables the creation of arbitrary and complex network function chains. Each function can include an efficient in-kernel data plane and a flexible user-space control plane with strong characteristics of isolation, persistence (e.g., across server reboots) and composability. In addition, a generic model for the control and management plane of each network function simplifies the manageability and accelerates the development of new network services. We validate the framework by creating different network services and benchmarking their performance in a complex scenario, namely a network provider for Kubernetes. Results show that Polycube programs are about 20x shorter than equivalent programs implemented with vanilla-eBPF.
Network Function Virtualization (NFV) is the key to enable rapid development and deployment of network services as well as simplicity and flexibility in network operations and management. To achieve the maximum benefit of NFV, monitoring the performance characteristics of Virtual Network Functions (VNFs) is crucial. Packet processing time is one of the most important performance metrics when it comes to VNF monitoring. In this paper, we present Packet Processing Time Monitoring (PPTMon) - a real-time, end-to-end solution for VNF packet processing time monitoring. PPTMon can provide per-hop monitoring for a single VNF as well as end-to-end monitoring for multiple VNFs in service function chains. PPTMon works by embedding timestamp information directly into the packets. PPTMon is implemented on top of extended Berkeley Packet Filter (eBPF) - a new Linux framework that allows high-speed packet processing. Our experiment results showed that PPTMon can monitor VNF packet processing time with high accuracy and negligible performance impact.
Timeliness has become critical across industrial automation, AR/VR, robotics, and many other use cases. IEEE Time-Sensitive Networking (TSN) standards provide high reliability and determinism across wired (Ethernet) networks. Time-critical hard/soft real-time applications typically run over these wired TSN links. However, TSN over wired links lacks the mobility and potential to meet all the needs of Industry 4.0. New generation wireless technologies such as Wi-Fi and 5G that are now introducing TSN supporting capabilities can fulfill this need. The 5G Release 16 from the 3rd Generation Partnership Project (3GPP) supports Ultra-Reliable Low-Latency Communications (URLLC), which brings the possibility of combining 5G with TSN to meet the stringent requirements of Industry 4.0. 5G, which comes with support for both private and public networks, is coupled with TSN to support the use cases with deterministic performance and required latency levels. The 5G-TSN networks must provide a low end-to-end (E2E) latency to support time-sensitive applications. The traffic steering delay within the User Equipment (UE) in edge compute devices is a critical component in addition to network latencies. This paper discusses the traffic steering aspects of UE and proposes a new use case of eXpress Data Path (XDP) programming over the 5G modem of UE to efficiently steer the traffic in 5G-TSN networks. Experiment results show that the proposed solution provides 100 times lower traffic steering latency compared to a conventional Layer 2 (L2) software bridge.
The adoption of new Transport protocols on the Internet remains a critical challenge and their effective deployment is very slow. Until now, despite its known limitations and the plethora of existing alternatives like QUIC or DCTCP, almost 90% of application transmissions are based on TCP. From this observation, we assert that redirecting TCP connections to another Transport protocol may accelerate the deployment and the adoption of any new Transport protocol in the Internet. The selected Transport protocol towards which the redirection is performed may either already exist in the OS or be dynamically deployed on it. Recently introduced in the Linux kernel, eBPF technology provides the ability to insert functionality into the kernel at runtime from userspace programs. In this paper, we propose a preliminary design of an eBPF-based framework to perform our approach. Following this design, we implement a prototype that safely (1) performs transparent redirection of TCP connections either to the OS native UDP or to UDP-Lite; the latter is (2) dynamically deployed as eBPF programs. This first prototype, developed on Linux 5.0, is sufficient to demonstrate our concept but suffers from performance issues, for which we formulate some solutions and open up the associated research questions. Nevertheless, we believe that our approach may lead to innovation at the Internet Transport layer.
Segment Routing is a modern variant of source routing that is being gradually deployed by network operators. Large ISPs use it for traffic engineering and fast reroute purposes. Its IPv6 dataplane, named SRv6, goes beyond the initial MPLS dataplane, notably by enabling network programmability. With SRv6, it becomes possible to define transparent network functions on routers and endhosts. These functions are mapped to IPv6 addresses and their execution is scheduled by segments placed in the forwarded packets. We have recently extended the Linux SRv6 implementation to enable the execution of specific eBPF code upon reception of an SRv6 packet containing local segments. eBPF is a virtual machine that is included in the Linux kernel. We leverage this new feature of Linux 4.18 to propose and implement flexible eBPF-based fast-reroute and failure detection schemes. Our lab measurements confirm that they provide good performance and enable faster failure detections than existing BFD implementations on Linux routers and servers.