Circuit Switched VM Networks for Zero-Copy IO
Johannes Krude, Mirko Stoffers, Klaus Wehrle
https://comsys.rwth-aachen.de/
KBNets18, 2018-08-20
Slide 2: VM Networks

[Figure: two VMs on one host (VM 1, VM 2), each with its own NIC, hosting an HTTP Proxy, an Application Server and a Database]

• VMs are used for Isolation
  ◮ Multiple Tenants on the same Host
  ◮ Compartmentalization
  ◮ Fault Isolation
• Isolation complicates Communication
• Until now: Performance and Isolation are mutually exclusive

Circuit Switched VM Networks enable Zero-Copy IO with Isolation
Slide 3: VM Packet Processing

[Figure: in each VM the path Socket → TCP/UDP Stack → RX/TX Buf → virtual NIC; on the host, Packet Forwarding between the virtual NICs and the physical NIC]

• Problem: Packet Switching
  ◮ Multiplexing
  ◮ Packetization
  ◮ Congestion Control
  ◮ Retransmissions
  ◮ Reordering
  ◮ (Copying)
• Unnecessary Overhead

Goals
• Remove Overhead
• Keep Application Compatibility
• Keep Network Isolation
Slide 4: Removing Overhead

[Figure: the TCP/UDP stack moves out of the VMs into a Proxy Stack on the host, between the VM sockets and the NIC]

• No Packet Processing in VM Kernels
  ◮ Move to Host if Still Needed
  ◮ Remove if Possible
• Keep Socket API
  ◮ Provides Access to Streams & Datagrams
  ◮ Required to Support Legacy Applications
  ◮ Provides Isolation between Applications
• Provide Zero-Copy API
  ◮ As Optional Extension to Socket API
Slide 5: Circuit Switched VM Networks

[Figure: a Switch Operator sets up Circuits between the VM sockets and the Proxy Stack, or directly between VM 1 and VM 2]

• Separate Shared-Memory based Circuit
  ◮ from VM to Proxy Stack
  ◮ or Direct from VM to VM
• Switch Operator for each Connection
  ◮ Mediates Connection Establishment
  ◮ Enforces Connection Policies
Slide 6: Circuits

[Figure: a Circuit between two Sockets (VM 1, VM 2), made of Ring Buffer A and Ring Buffer B (one per direction) plus a Control Area: Read & Write Pointers, Flags, …]

• Zero-Copy Circuit
  ◮ Map Circuit Memory into Application
  ◮ Optional ⇒ Compatible with Legacy Applications
• Protocol Features
  ◮ TCP Flow Control: Ring Buffers
  ◮ UDP Datagrams: Prepend some kind of Header
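The circuit layout from this slide as an added example (not the authors' code): one direction of a circuit as a ring buffer whose control area holds the read and write pointers, a stream write bounded by the free space (the flow control), and a datagram mode that prepends an assumed one-byte length header. `RING_SIZE`, the struct and all function names are this example's own choices.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy model of one direction of a circuit (added example, not the
 * authors' code): a ring buffer plus a control area holding the read and write
 * pointers. Really both sit in shared memory; here one struct keeps it runnable. */
#define RING_SIZE 16
typedef struct {
    uint8_t  data[RING_SIZE];
    uint32_t rd, wr;   /* control area: free-running pointers, wrapped on use */
} circuit_ring;
static uint32_t ring_used(const circuit_ring *r) { return r->wr - r->rd; }
static uint32_t ring_free(const circuit_ring *r) { return RING_SIZE - ring_used(r); }

/* Stream write: takes at most the free space (this is the flow control) and
 * returns the bytes accepted; the sender retries the rest later. Indexing is
 * always masked, so a bogus peer pointer cannot steer access outside the ring. */
static uint32_t ring_write(circuit_ring *r, const uint8_t *src, uint32_t n) {
    uint32_t avail = ring_free(r), i;
    if (n > avail) n = avail;
    for (i = 0; i < n; i++) r->data[(r->wr + i) % RING_SIZE] = src[i];
    r->wr += n;   /* publish only after the payload is in place */
    return n;
}
static uint32_t ring_read(circuit_ring *r, uint8_t *dst, uint32_t n) {
    uint32_t used = ring_used(r), i;
    if (n > used) n = used;
    for (i = 0; i < n; i++) dst[i] = r->data[(r->rd + i) % RING_SIZE];
    r->rd += n;
    return n;
}

/* Datagram mode: prepend a one-byte length header (assumed layout; the slide only
 * says "some kind of header"). All-or-nothing: a datagram that does not fit is
 * refused rather than split, so boundaries survive inside the byte stream. */
static int ring_send_dgram(circuit_ring *r, const uint8_t *src, uint8_t n) {
    if (ring_free(r) < (uint32_t)n + 1) return 0;
    ring_write(r, &n, 1);
    ring_write(r, src, n);
    return 1;
}
/* Returns the datagram length, or -1 until a complete datagram is present. */
static int ring_recv_dgram(circuit_ring *r, uint8_t *dst) {
    uint32_t used = ring_used(r);
    uint8_t len = r->data[r->rd % RING_SIZE];
    if (used < (uint32_t)len + 1) return -1;   /* empty, or payload still pending */
    r->rd += 1;
    ring_read(r, dst, len);
    return len;
}
```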
Slide 7: Network Isolation

• No Access to Communication of other Applications
  ◮ Keeps Socket Isolation
  ◮ Even when doing Zero-Copy IO
• Connection Policies enforced on Connection Setup
  ◮ No Inspection of Individual Packets needed
  ◮ No Redundant State for Stateful Firewalls
• Denying Raw Packet Access
  ◮ Same Level of Access as Containers
  ◮ No Crafting of Malicious Packet Headers
  ◮ No Unfair Congestion Control Algorithms