Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Customizing Data-Plane Processing in Edge Routers Fulvio Risso, Politecnico di Torino http://fulvio.frisso.net

1/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

My kids

2/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Francesco creates a Christmas card

3/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

How do my kids connect to the Internet?

Parental control Internet

4/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

A world of personal VMs in motion (1) WiFi vs. 3G

Parental Control Network Service Provider

5/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

A world of personal VMs in motion (2) Only parental control?

VM User1 VM User3

VM User2 VM User4

Network Service Provider

VM User5

6/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Let’s have a look at the POP of a NSP Edge network router

WAN accelerator CDN web cache

IDS/ Firewall Network Monitor

QoS

Internet

7/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

The edge router we have in mind (1) Private Execution Environment 1 (PEX1)

Private Execution Environment 2 (PEX2)

Web advertis. killer

Parental control

VPN

Personal firewall

WAN accelerator

Vertical slices MAC1 *, * MAC1: goto PEX1 MAC2 *, * MAC2: goto PEX2 Default: goto PEXDefault

QoS

Video streaming optimizer

Lawful interception Network monitor

(non overlapping slices) Network Node Virtualization Framework Switching path (hardware)

Web cache

Management server (user profiles, applications)

Network edge router 8/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

The edge router we have in mind (2) Private Execution Web Environment advertis.

Private Execution VPN Environment

Horizontal slices killer WAN Overlapping rules Parental accelerator control Priorities used to define thePersonal service order QoS

Web advertis. killer

Parental control

VPN

Personal firewall

firewall

Private Execution Environment 3 (PEX3)

Private Execution Environment 4 (PEX4) Private Execution Environment 5 (PEX5)

Network Node Virtualization Framework Switching path (hardware)

WAN accelerator

QoS

Video streaming optimizer Lawful interception Network monitor Web cache

Management server (user profiles, applications)

Network edge router 9/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

The system we have in mind

Network Service Provider

PEX1

...

PEXN PEXN+1

PEXM

Remote Storage Service

Netw. Virtualization Framework

Network traffic

Switching path (hardware)

Network traffic

Remote Execution Environment

Management server User authentication, applications, permissions…

10/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

We propose to

offload

from user terminals

data plane applications that operate on a

developed by

network slice

associated to a given enabling the customization of the

end users

processing

inside the

actor

of the traffic

network edge router.

User 1 User 2 Network Service Provider

User 3 11/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

We propose to

offload

Firewalls, IDS, etc. developed by

from user terminals

data plane applications

end users

that operate on a

Which apps?

Apps market

network slice

Multiple actors, different privileges, traffic hits multiple slides enabling the customization of the

We leave the core unchanged

Device independent, location independent, reduced load on mobile terminals

Java

Network and router virtualization

associated to a given

processing

of the traffic inside the

actor

We tranform data, we do not create paths

network edge router. 12/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Fog computing

Internet

Our approach is definitely Fog computing, although limited to data plane applications! 13/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

The current edge router PEX User 1

PEX User 2

App3

App5

App2

App4

App1

App1

PEX this node

PEX Default

App6

Default App

Web Node Manager Tomcat on port 80

Flowvisor

Network Hypervisor Controller plane Switching plane SoftSwitch Network gateway Host 1 User 1

Host 2 User 2

ARP  * : send to all ports *  ARP : send to all ports DHCP  *: send to all ports *  DHCP: send to all ports mcast, bcast: send to all ports Default : send to Controller

14/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

General architecture of the prototype Motherboard Mini-ITX, 4 GbE ports (Intel) + 1 GbE (on mainboard) WiFi USB Dongle CPU i5-3450S RAM 4 GB DDR3

Management server (DB + apps on disk)

Flowvisor

User Apps in VMs

Network gateway

OpenvSwitch

Internet L2 network

15/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Managing user applications

Create the custom application flow Install/Uninstall applications Users can install their own application by simply uploading their file. Application that are under the ownership of the selected user can also be uninstalled. Applications are stored in the management server and downloaded in the network node when a new user is recognized.

Applications can be selected from the list of available apps and copied to the list of the installed apps, started/stopped, and stacked in a different calling order.

http://config.pex 16/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Applications •

TimeLimiter – Allow people to use the Internet in specific time slots and/or no more than X hours/day

•

GSafe – Enables the “safe search” on Google search engine

•

DNSFilter – Does not resolve DNS names found in a specific black list

•

SkypeBlocker – Blocks Skype traffic

•

NetMon – Basic network statistics (traffic per IP/port, latest TCP sessions, etc.)

17/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Validation environment Debian 7, 32 bits Vanilla OpenvSwitch Modified FlowVisor

Two user VMs, three applications each • DNSFilter • Gsafe • NetMon

Flowvisor

User VMs FlowVisor OpenvSwitch

Network gateway

L2 network

Two large file transfers (350 Mbps each direction) 18/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

CPU load Core#1

Core#2 Idle 19%

OpenvSwitch 100%

FlowVisor 81%

Core#3

Core#4 OS 2%

Idle 18% VM Host1 VM Host2 41% 41%

Idle 100%

- Two user VMs

- Three applications each (DNSFilter, Gsafe, NetMon) - Two large file transfers between the two hosts (one per direction)

19/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Memory consumption - Two user VMs - Three applications each (DNSFilter, Gsafe, NetMon)

VM Host1: 165MB

- Two large file transfers between the two hosts (one per direction)

Operating System: 274MB VM Host2: 165MB Tomcat WebServer: 156MB

FlowVisor: 150MB OpenvSwitch: 8MB

VM Router: 60MB VM Default: 46MB

20/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Starting a new user VM Login request from user

User’s slice is created and mapped to the User’s PEX

User’s PEX is created

User’s PEX and his applications are running

User is authenticated

271 ms

1910 ms

1443 ms

1317 ms

TimeLimiter 5 ms

2 ms

Application downloaded Application installed Application started

4 ms

GSafe 3 ms

6 ms 1 ms DNSFilter 10 ms

184 ms 1 ms SkypeBlocker 9 ms 14 ms 1 ms

21/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

What about OpenFlow? • We use OpenFlow in our prototype – Exploited a lot of existing code (Beacon, FlowVisor, OpenvSwitch) – Although... ather protocols could be used for our purposes • E.g., Web Cache Control Protocol (WCCP)

• We like the OpenFlow idea – Open the network device and program it from the external

• Too limited in the current form

22/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

The OpenFlow abstraction Openflow-based software Probably OK for setting up network paths

Lookup table

Not OK for customizing the data plane processing

Flow 1 go port 2 Flow 2 go port 3 Flow 3 go port 2 ...

23/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Future work •

Improve memory and CPU consumption in VM

•

– Does all the traffic has to be sent to the VMs? And to all the apps inside the VM?

– Garbage collector?

– Explicit memory allocation/deallocation?

• •

Capability to exploit possible hardware speedup

•

Remote storage + Remote execution environment

•

Define an easy API for “occasional” developers

Scalability over thousands VMs

•

Improved VM isolation

•

Code safety (by design?)

•

Better support for “horizontal” slices

Filtering traffic

– Stream reassembly? – Easy way to access/modify selected fields in the packet?

•

Support for user mobility ... and much, much more 24/25

Fulvio Risso, Politecnico di Torino – Customizing Data Plane Processing in Edge Routers

Thanks for your attention!

25/25