CSCE678 - Network Function Virtualization (courses.cse.tamu.edu/chiache/csce678/s19/slides/nfv.pdf)


Network Function Virtualization

CSCE 678

Network Functions

[Figure labels: Internet; private IP hosts or services; load balancer; carrier-grade NAT; firewall; IDS; WAN accelerator; ad insertion]

Middleboxes

[Figure labels: high speed Ethernet card; various CPUs and RAMs; regular OSes; traffic; firewall; NAT]

Middleboxes Are Not Scalable

[Figure labels: firewall, IDS, switch; protocol stacks: Application/Transport/Network/Datalink/Physical (twice) and Datalink/Physical (once)]

Middleboxes Are Not Scalable

• Physical machines dedicated for specific purposes

➔ Hard to adjust resources

• Not all NFs have the same requirements

• Some don’t need the whole stack

• Some are more computation-intensive than others

• Various CPU/memory requirements

• Result: a few NFs become the bottleneck

Virtualizing Middleboxes

[Figure: physical NFs (firewall, IDS, switch) beside virtual NFs (firewall, IDS, switch) running in VMs]


Virtualizing Middleboxes

• Legacy Support

• Elasticity

• Identical HWs

[Figure labels: on-premises NFV cluster; corporate sites]

On-premises NFV cluster gives flexibility for managing middleboxes, but still has a hard limit for physical resources.

Outsourcing VNFs to Cloud

1. “Bounce” Model

[Figure label: gateway]

• Pros: Easy to maintain and expand. Selective outsourcing.

• Cons: High network latency

Outsourcing VNFs to Cloud

2. “Routing” Model

[Figure label: gateway]

• Pros: Reduced network latency

• Cons: The whole network route has to go through the cloud provider; less flexible

Scaling VNFs in Cloud

[Figure: load balancer and three physical hosts running VNF instances for two tenants; instance labels: vFirewall (Tenant A) ×2, vNAT (Tenant A), vProxy (Tenant A) ×2, vNAT (Tenant B) ×2, vIDS (Tenant B) ×2]

VNF Chaining

[Figure: load balancer and three physical hosts running VNF instances for two tenants; instance labels: vFirewall (Tenant A) ×2, vNAT (Tenant A), vProxy (Tenant A) ×2, vNAT (Tenant B) ×2, vIDS (Tenant B) ×2]

VNF Chaining Concerns

• VNF-level scheduling:

• How many VNFs to allocate, scale up and down?

• Network latency between NFs

• Flow-level scheduling:

• For each network flow, which VNFs should it be sent to?

• For stateful VNFs (e.g., IDS, Proxy): how to keep related flows on the same VNFs?

Difficult per-flow chaining decisions have to be made in the cloud (still an open problem)
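
Added example (not from the original slides): one common way to keep both directions of a connection on the same stateful VNF instance while the pool scales, using a direction-independent 5-tuple key and rendezvous hashing. The instance names, the Flow type and the sample traffic are constructed for illustration.

```python
import hashlib
from collections import namedtuple

# Constructed 5-tuple type; field names are assumptions for this example.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")


def flow_key(flow):
    """Direction-independent key: both halves of a connection give one key."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted([a, b])  # order endpoints so A->B and B->A agree
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_instance(flow, instances):
    """Rendezvous (highest-random-weight) hashing over the live instances."""
    key = flow_key(flow)

    def weight(inst):
        digest = hashlib.sha256(f"{inst}|{key}".encode()).digest()
        return int.from_bytes(digest[:8], "big")

    return max(instances, key=weight)


def moved_flows(flows, before, after):
    """Flows whose instance changes when the pool goes from before to after."""
    return [f for f in flows
            if pick_instance(f, before) != pick_instance(f, after)]


# Constructed sample traffic: 200 client connections to one server.
FLOWS = [Flow("10.0.0.%d" % (i % 50 + 1), 40000 + i, "192.0.2.10", 443, "tcp")
         for i in range(200)]
POOL = ["vIDS-1", "vIDS-2", "vIDS-3"]  # hypothetical instance names

if __name__ == "__main__":
    f = FLOWS[0]
    reply = Flow(f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
    print(pick_instance(f, POOL), pick_instance(reply, POOL))
    moved = moved_flows(FLOWS, POOL, POOL + ["vIDS-4"])
    print(len(moved), "of", len(FLOWS), "flows move after scale-up")
```

Flows that do move on a scale event arrive at an instance with no connection state for them, so a stateful IDS or proxy still needs state migration or a pin-existing-flows table on top of this mapping.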


Reducing System Overheads

OS/hypervisor concerns:

• Expensive network stack & interrupts

• Latency for spinning up a VM

• Virtualization overheads for network devices


ClickOS

• ClickOS is a virtualization solution for NFV

• Ultra-lightweight

• VMs are extremely small (5MB)

• Extremely quick to boot (30 ms)

• Minimal virtualization delay (45 μs / packet)

• Customized for NFs

• Network IO optimization

• Programming abstractions for NFs


ClickOS Architecture

[Figure labels: Xen hypervisor; middlebox software; netfront driver; netback driver]

Network IO Optimization

• ClickOS turns netback (the Dom0-side driver) into a control-plane-only component

• Leveraging SR-IOV

• Only allocate the DMA buffer for VMs

• Not involved in packet transfer

[Figure labels: middlebox software; directly mapped buffers]

Directly Mapped NICs

User-space networking:

• PFQ

• PF-Ring

• Intel DPDK

• netmap


Bypassing kernel stack


Directly Mapped NICs

Benefit 1: Application-specific optimization

Benefit 2: Remove data copy from critical path

Benefit 3: No interrupt (no context switches)

References

• “ClickOS and the Art of Network Function Virtualization”, by Martins et al. (2014)

• “Network Function Virtualization: State-of-the-art and Research Challenges”, by Mijumbi et al. (2015)

• “Middleboxes as a Cloud Service”, by Justine Sherry (2016)