reflections on data plane
play

Reflections on data plane performance, iptables and ipsets Neil - PowerPoint PPT Presentation

Mar 18, 2024 •287 likes •534 views

Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch & Project Calico @neiljerram www.projectcalico.org Who am I? Free software hacker since 1990s ; line+.el ; ; version 1.1 ; ; This has not (yet)

  1. Reflections on data plane performance, iptables and ipsets Neil Jerram – Metaswitch & Project Calico @neiljerram www.projectcalico.org

  2. Who am I? • Free software hacker since 1990s ; line+.el ; ; version 1.1 ; ; This has not (yet) been accepted by the Emacs Lisp archive, ; but if it is the archive entry will probably be something like this: ;; line+|Neil Jerram|nj...@cus.cam.ac.uk| ;; Line Numbering & Interrupt Driven Actions| ;; 1993-02-18|1.1|<archive pathname of line+.el>| ; Mished and mashed by Neil Jerram <nj...@cus.cam.ac.uk>, ; Monday 21 December 1992. • Metaswitch (previously Data Connection) since 1995

  3. Free software work • Emacs • Guile • Openmoko and GTA04 smartphones

  4. Metaswitch and Project Calico • 30+ year provider of high quality networking software, but mostly proprietary • Software -> hardware -> and now back again! • Now also leading projects as open source • Project Clearwater • Project Calico

  5. So, Calico? • Connectivity and security for workloads (aka endpoints, aka micro-services, aka containers or VMs) in an elastic computing environment • e.g. a data center • Emphasis on simplicity and scalability • Based on standard Linux features • routing, iptables • and Internet protocols (BGP) • Mainline case L3 only

  6. Old, zone-based security

  7. Services in an elastic environment

  8. Distributed firewall security

  9. Calico architecture

  10. Data plane performance questions • Can we get same bandwidth between endpoints as between those endpoints’ hosts? • What is CPU cost, and how does it compare with other networking approaches? • What are the effects of our iptables and ipset programming?

  11. Testing methodology • Two hosts, directly connected by 10Gb link • 8 core • 64Gb RAM • 3.13 kernel • No tuning • qperf, using TCP • Measure CPU usage, raw throughput and packet latency

  12. Configurations • Bare metal, i.e. host to host • Between OpenStack VMs • ‘TAP’ interface between VM and host • Between containers • veth pair between container namespace and host namespace • Between OpenStack VMs using Open vSwitch (OVS) and VXLAN • MTU 1500, send sizes 20000 and 500

  13. Data plane throughput • Saturation for 20k messages … (red bars) • … but not for 500 messages (blue bars) • Why? • OpenStack better than bare metal? • OVS case reaches >8Gb/s if MTU is increased to 9000

  14. CPU usage • CPU-limited for small messages • OpenStack cases can use more cores • Extra CPU cost for virtualization • Namespace • TAP or veth interface • Routing in guest as well as host

  15. CPU usage per throughput • CPU required to drive each Gb/s of throughput

  16. Latency • Tiny extra latency for containers • More for VMs • But acceptable • Note micro seconds • Not milli !

  17. Security rules

  18. iptables and ipsets -A felix-FORWARD -i tap+ -j felix-FROM-ENDPOINT -A felix-FORWARD -o tap+ -j felix-TO-ENDPOINT • iptables on a given host should be the composition of many logical -A felix-FORWARD -i tap+ -j ACCEPT -A felix-FORWARD -o tap+ -j ACCEPT security rules -A felix-FROM-ENDPOINT -i tap7f470881-51 -g felix-from-7f470881-51 -A felix-FROM-ENDPOINT -j DROP -A felix-INPUT -i tap+ -j felix-FROM-ENDPOINT -A felix-INPUT -i tap+ -j ACCEPT • Will this impact data plane performance? -A felix-TO-ENDPOINT -o tap7f470881-51 -g felix-to-7f470881-51 -A felix-TO-ENDPOINT -j DROP -A felix-from-7f470881-51 -m conntrack --ctstate INVALID -j DROP -A felix-from-7f470881-51 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN • Actually, no -A felix-from-7f470881-51 -p udp -m udp --sport 68 --dport 67 -j RETURN -A felix-from-7f470881-51 -s 10.28.0.40/32 -m mac --mac-source FA:16:3E:4E:7A:0E -g felix-p-_6b340324948a39b-o -A felix-from-7f470881-51 -m comment --comment "Anti-spoof DROP (endpoint 7f470881-5156-47ce-a67d-b971ef5e5cde):" -j DROP -A felix-p-_6b340324948a39b-i -p icmp -m set --match-set felix-v4-_6b340324948a39b src -j RETURN -A felix-p-_6b340324948a39b-i -s 172.18.203.20/32 -p tcp -m multiport --dports 22 -j RETURN -A felix-p-_6b340324948a39b-i -s 172.18.203.20/32 -p udp -m multiport --dports 5060 -j RETURN -A felix-p-_6b340324948a39b-i -s 172.18.203.20/32 -p tcp -m multiport --dports 80 -j RETURN -A felix-p-_6b340324948a39b-i -m comment --comment "Default DROP rule (72d696a9-f715-495f-9152-7f5e6a69fd0f):" -j DROP

  19. What saves us? • conntrack • ipsets scale well, thanks to hash table implementation • Nested design for source/destination interface mapping

  20. Arjan Schaaf’s measurements

  21. What is happening here? • http://www.slideshare.net/ArjanSchaaf/docker-network-performance-in- the-public-cloud • Various approaches to networking between containers on AWS hosts • For this case Calico uses IP-in-IP between the hosts • Calico bandwidth less than half of native • We set up the same system, got same results as Arjan • For t2.micro bandwidth = 65.3 MB/sec compared with native = 125 MB/sec. • For m4.xlarge bandwidth = 108 MB/sec compared with native = 267 MB/sec • Why?

  22. It’s all about the MTU • Calico in a public cloud uses IP-in-IP, with tunnel MTU = 1440 • 1440 was optimised for GCE, which has an MTU of 1460 on its VM interfaces • But AWS instances have an MTU = 9001! • So native tests were using jumbo frames, and the calico test was using 1440. • If Calico’s tunnel MTU is increased to 8980 • For t2.micro, Calico bandwidth = 114 MB/sec • For m4.xlarge, Calico bandwidth = 266 MB/sec • Problem solved – Calico throughput is now close to native

  23. So what have we learned? • With Calico connectivity, VMs or containers can saturate a 10Gb link between hosts, just as much as the hosts themselves could • There is a CPU cost to virtualization • But mostly inevitable if you want virtualization at all (non-accelerated) • Calico does not add any significant extra cost • Conntrack largely saves us from the effects of complex iptables • ipsets and clever programming design also help • Be humble about performance comparisons

  24. Further information, and thanks! • Project Calico • http://www.projectcalico.org/ • http://docs.projectcalico.org/en/latest/ • https://github.com/projectcalico • Blog on Calico data plane performance • http://www.projectcalico.org/calico-dataplane-performance/ • Thanks! • @neiljerram • @projectcalico • www.metaswitch.com

Recommend

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer d li delivers segments from s s ts f sending to receiving host application transport network sender encapsulates segments p g

912 views • 44 slides
1 Background | Problems | Challenges | Design | Evaluation | Summary Control Plane Applications

1 Background | Problems | Challenges | Design | Evaluation | Summary Control Plane Applications

SPEED Resource-Ef+icient and High-Performance Deployment for Data Plane Programs Xiang Chen , Hongyan Liu, Qun Huang, Peiqiao Wang, Dong Zhang, Haifeng Zhou, Chunming Wu Control Plane Applications Monitor Security Routing Data Plane

826 views • 45 slides
Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol

396 views • 39 slides
Data Plane Programmability in SDN H. Farhady, H. Lee, A.

Data Plane Programmability in SDN H. Farhady, H. Lee, A.

Data Plane Programmability in SDN H. Farhady, H. Lee, A. Nakao The University of Tokyo CoolSDN14 Contents Current SDN The Gap: Data plane

382 views • 12 slides
Data Plane Broker Integration, Configuration &amp; Implementation. Paul McCherry Data Plane

Data Plane Broker Integration, Configuration &amp; Implementation. Paul McCherry Data Plane

Data Plane Broker Integration, Configuration &amp; Implementation. Paul McCherry Data Plane Broker Integration OSM Creation: Connection Points, Bandwidth Deletion: Service_Id DPB WIM Connector Modify: In development, Service_Id

241 views • 20 slides
SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Data Plane

SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Data Plane

SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Data Plane Overview Data plane: How to send packets [Chapter 2.2, Chapter 8] Path lookup Path combination Path encoding in packet 2 Path

387 views • 18 slides
Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control

Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control

Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol except data

751 views • 51 slides
2018 RCMP Youth Academy Why the RCMP Youth Academy? Reflections Reflections Reflections The

2018 RCMP Youth Academy Why the RCMP Youth Academy? Reflections Reflections Reflections The

2018 RCMP Youth Academy Why the RCMP Youth Academy? Reflections Reflections Reflections The Details aged 16 to 18 interested in police work as a possible future career. Burnaby, Coquitlam, North Vancouver, Richmond and Surrey

395 views • 10 slides
Demography, meet Big Data; Big Data, meet Demography: Reflections on the Data-Rich Future of

Demography, meet Big Data; Big Data, meet Demography: Reflections on the Data-Rich Future of

UN EGM on Strengthening the Demographic Evidence Base For The Post-2015 Development Agenda, New York, 5-6 October 2015 Demography, meet Big Data; Big Data, meet Demography: Reflections on the Data-Rich Future of Population Science Emmanuel

811 views • 44 slides
Extending SDN to the Data Plane Anirudh Sivaraman, Keith Winstein, Suvinay Subramanian, Hari

Extending SDN to the Data Plane Anirudh Sivaraman, Keith Winstein, Suvinay Subramanian, Hari

Extending SDN to the Data Plane Anirudh Sivaraman, Keith Winstein, Suvinay Subramanian, Hari Balakrishnan M.I.T. http://web.mit.edu/anirudh/www/sdn-data-plane.html Switch Data Planes today Two key decisions on a per-packet basis:

682 views • 34 slides
Virtualization for NFV/Data Plane SDN Bob Lantz Open Networking Laboratory ONS 2016 Talk

Virtualization for NFV/Data Plane SDN Bob Lantz Open Networking Laboratory ONS 2016 Talk

Virtualization for NFV/Data Plane SDN Bob Lantz Open Networking Laboratory ONS 2016 Talk Outline - What is NFV? - One Way to Do It - A Better Way - Control Plane NFV/SDN - Data Plane SDN - VM Configuration - Container Configuration -

363 views • 17 slides
Reflections on Open EO (Data) A focus shift from data to services in global development Christoph

Reflections on Open EO (Data) A focus shift from data to services in global development Christoph

Reflections on Open EO (Data) A focus shift from data to services in global development Christoph Aubrecht Directorate of Earth Observation Programmes Science, Applications and Future Technologies Department European Space Agency ESA/ESRIN

430 views • 21 slides
4. Coordinate geometry A special kind of geometry where the position of points on the plane is

4. Coordinate geometry A special kind of geometry where the position of points on the plane is

D AY 107 A RECTANGLE AND A SQUARE ON THE X - Y PLANE I NTRODUCTION A plane figure in the x-y plane can resemble one of the common quadrilaterals we have come across, but that is not enough to show that the figure meets all the basic

1.45k views • 24 slides
If a plane cuts through a cone such that the plane is not parallel to the sliding side of the cone

If a plane cuts through a cone such that the plane is not parallel to the sliding side of the cone

D AY 138 E QUATION OF ELLIPSE I NTRODUCTION A plane cutting through a circular cone produces different shapes depending on the angle the plane makes with the circular cone. If the plane cuts across the cone such that it is not

811 views • 20 slides
Building a Fast, Virtualized Building a Fast, Virtualized Data Plane with Data Plane with

Building a Fast, Virtualized Building a Fast, Virtualized Data Plane with Data Plane with

Building a Fast, Virtualized Building a Fast, Virtualized Data Plane with Data Plane with Programmable Hardware Programmable Hardware Bilal Anwer Nick Feamster 1 Network Virtualization Network Virtualization Network virtualization enables

299 views • 27 slides
States on a (Data) Plane Jennifer Rexford Traditional data planes are stateless 1 Software

States on a (Data) Plane Jennifer Rexford Traditional data planes are stateless 1 Software

States on a (Data) Plane Jennifer Rexford Traditional data planes are stateless 1 Software Defined Networks (SDN) Program your network from a logically central point! 2 OpenFlow Rule Tables action match Prio 1 dstip = 10.0.0.1 outport

665 views • 35 slides
The iPTF variability data and the iPTF Galactic Plane survey Thomas Kupfer California Institute

The iPTF variability data and the iPTF Galactic Plane survey Thomas Kupfer California Institute

The iPTF variability data and the iPTF Galactic Plane survey Thomas Kupfer California Institute of Technology Eric C. Bellm; Thomas A. Prince; Shrinivas R. Kulkarni; Frank J. Masci; Russ Laher; David L. Shupe The Northern Plane has little

352 views • 13 slides
On the Role of Routing in NDN Be ichua n Z ha ng T he U nive rsit y Of Arizona Control Plan

On the Role of Routing in NDN Be ichua n Z ha ng T he U nive rsit y Of Arizona Control Plan

On the Role of Routing in NDN Be ichua n Z ha ng T he U nive rsit y Of Arizona Control Plan and Data Plane Routing Routing RIB Protocol Updates Control Plane Data Table FIB Traffic Lookup Data Plane 1 IP Accept

375 views • 10 slides
Head to tail compositions Oleg Viro November 27, 2014 1 / 23 Plane Isometries Theorem. Any

Head to tail compositions Oleg Viro November 27, 2014 1 / 23 Plane Isometries Theorem. Any

Head to tail compositions Oleg Viro November 27, 2014 1 / 23 Plane Isometries Theorem. Any isometry of R 2 is a composition of 3 reflections in lines. 2 / 23 Plane Isometries Theorem. Any isometry of R 2 is a composition of 3

1.91k views • 177 slides
Presentation: Reflections on OTS D G Chaplow 8 May 2014, Waikato Introduction My reflections

Presentation: Reflections on OTS D G Chaplow 8 May 2014, Waikato Introduction My reflections

Presentation: Reflections on OTS D G Chaplow 8 May 2014, Waikato Introduction My reflections come from a 10-year involvement in the sector which included being part of the developing guidelines (2008) i . The presentation is a reflection on the

259 views • 5 slides
Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br Instituto de Informtica UFRGS Securing Networks in the Programmable Data Plane Era Network softwarization : the first wave P4 programs are

607 views • 12 slides
Large-Eddy Simulation of typical industrial bends In-plane and out-of- plane bend at Re =20000

Large-Eddy Simulation of typical industrial bends In-plane and out-of- plane bend at Re =20000

Products Solutions Services Large-Eddy Simulation of typical industrial bends In-plane and out-of- plane bend at Re =20000 by V. Kumar, B. Kissling*, P. Panathansiou and F. Aydin * Experimental data Slide 1 03/03/2014 V. Kumar Large-Eddy

825 views • 18 slides
Programming The Network Data Plane Changhoon Kim Beautiful ideas: What if you could

Programming The Network Data Plane Changhoon Kim Beautiful ideas: What if you could

Programming The Network Data Plane Changhoon Kim Beautiful ideas: What if you could Realize a small, but super-fast DNS cache Perform TCP SYN authentication for billions of SYNs per sec Build a replicated key-value store ensuring

455 views • 44 slides
Reflections on Statistical Data Analysis in Neutrino Experiments since NOMAD and F-C Bob Cousins

Reflections on Statistical Data Analysis in Neutrino Experiments since NOMAD and F-C Bob Cousins

Reflections on Statistical Data Analysis in Neutrino Experiments since NOMAD and F-C Bob Cousins Univ. of California, Los Angeles (UCLA) PHYSTAT- Workshop on Statistical Issues in Experimental Neutrino Physics, Fermilab September 21, 2016

690 views • 56 slides

More recommend