mmb: Flexible High-Speed Userspace Middleboxes

SLIDE 1

mmb: Flexible High-Speed Userspace Middleboxes

Korian Edeline, Justin Iurman, Cyril Soldani, Benoit Donnet
Montefiore Institute, University of Liège, Belgium

SLIDE 2

ANRW 2019

A middleboxed Internet

7/22/19 2

https://github.com/mami-project/roadshows

SLIDE 3

kernelspace vs userspace

Kernel:

Userspace:

SLIDE 4

kernelspace vs userspace

Kernel:
✗ Too slow for high-speed forwarding
✗ Missing optimizations (batching, caching, etc.)

Userspace:

SLIDE 5

kernelspace vs userspace

Kernel:
✗ Too slow for high-speed forwarding
✗ Missing optimizations (batching, caching, etc.)

Userspace:
✗ No direct access to NIC (context switch, sk_buff)

SLIDE 6

kernelspace vs userspace

Kernel:
✗ Too slow for high-speed forwarding
✗ Missing optimizations (batching, caching, etc.)

Userspace:
✗ No direct access to NIC (context switch, sk_buff)
✔ DPDK (DMA, I/O batching)

SLIDE 7

kernelspace vs userspace

Kernel:
✗ Too slow for high-speed forwarding
✗ Missing optimizations (batching, caching, etc.)

Userspace:
✗ No direct access to NIC (context switch, sk_buff)
✔ DPDK (DMA, I/O batching)
✔ Software optimizations
✔ Flexibility

SLIDE 8

Kernel-Bypass Frameworks

SLIDE 9

architecture

Vector Packet Processing (VPP)

  • DPDK
  • RSS queues, Zero-Copy and more
  • Packet vectors
  • Modular node-based processing
  • Low-level optimizations (caching, pipelining)

SLIDE 10

VPP Dual-Loop

    while (n_left_from >= 2) {
        /* prefetch next iteration */
        if (PREDICT_TRUE(n_left_from >= 4)) {
            vlib_prefetch_buffer_header(b[2], STORE);
            vlib_prefetch_buffer_header(b[3], STORE);
        }
        process(b[0]);
        process(b[1]);
        b += 2;
        next += 2;
        n_left_from -= 2;
    }
    /* process remaining packets */
    while (n_left_from > 0) {
        process(b[0]);
        b += 1;
        next += 1;
        n_left_from -= 1;
    }

SLIDE 11

mmb: A VPP middlebox

Goals:

  • Various middlebox policies (firewall, NAT, traffic engineering)
  • Fast even with thousands of rules
  • Intuitive CLI

SLIDE 12

mmb: CLI grammar

SLIDE 13

mmb: forwarding graph

SLIDE 14

mmb: forwarding graph

  • Classification: (Packet & Mask) ⊕ Key
  • Rewrite: (Packet & Mask) | Key
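
The mask-and-key operations on this slide, as an added example (not code from mmb or VPP). It assumes a rule matches when (Packet & Mask) ⊕ Key is zero on every byte, and that the rewrite mask clears exactly the bits the key overwrites; the function names, the rule and the sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 20 /* IPv4 header without options */

/* Classification: match when ((packet & mask) XOR key) == 0 on every byte.
 * Assumption: key bits are zero wherever the mask is zero. */
static int example_match(const uint8_t *pkt, const uint8_t *mask,
                         const uint8_t *key, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)   /* no early exit: fixed work per rule */
        diff |= (uint8_t)((pkt[i] & mask[i]) ^ key[i]);
    return diff == 0;
}

/* Rewrite: packet = (packet & mask) | key. Mask bits are 0 where key writes. */
static void example_rewrite(uint8_t *pkt, const uint8_t *mask,
                            const uint8_t *key, size_t len)
{
    for (size_t i = 0; i < len; i++)
        pkt[i] = (uint8_t)((pkt[i] & mask[i]) | key[i]);
}

/* Constructed IPv4 header: 10.0.0.1 -> 192.0.2.7, TTL 64, TCP, checksum 0. */
static const uint8_t sample_hdr[HDR_LEN] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 10, 0, 0, 1, 192, 0, 2, 7 };

/* Hypothetical rule: proto == TCP and daddr in 192.0.2.0/24, then set the
 * TOS byte to 0xb8. The IPv4 header checksum is not recomputed here. */
int run_example(uint8_t out[HDR_LEN])
{
    uint8_t cmask[HDR_LEN] = {0}, ckey[HDR_LEN] = {0};
    uint8_t rmask[HDR_LEN], rkey[HDR_LEN] = {0};

    cmask[9] = 0xff; ckey[9] = 6;                 /* protocol field */
    memset(&cmask[16], 0xff, 3);                  /* first 24 bits of daddr */
    ckey[16] = 192; ckey[17] = 0; ckey[18] = 2;

    memset(rmask, 0xff, HDR_LEN);                 /* keep everything ... */
    rmask[1] = 0x00; rkey[1] = 0xb8;              /* ... except the TOS byte */

    memcpy(out, sample_hdr, HDR_LEN);
    if (!example_match(out, cmask, ckey, HDR_LEN))
        return 0;
    example_rewrite(out, rmask, rkey, HDR_LEN);
    return 1;
}
```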

SLIDE 15

mmb: processing path

SLIDE 16

measurement

Performance Analysis

  • FastClick:
    – Fast (multi-queue, ZC forwarding, batching, DPDK)
    – Click
  • eXpress Data Path (XDP):
    – In-Kernel
    – eBPF
  • iptables

SLIDE 17

Performance Analysis: Testbed

Direct Indirect PCI Passthrough Bridged

SLIDE 18

Performance Analysis: Baselines

  • VPP, FastClick, 4.15 > 99% of direct baseline

SLIDE 19

Performance Analysis: 5-tuples firewall

  • Stateless matching on 5-tuples (saddr, daddr, sport, dport, proto)

SLIDE 20

Performance Analysis: 5-tuples firewall

  • Stateless matching on 5-tuples (saddr, daddr, sport, dport, proto)
  • mmb & XDP at direct baseline
  • FastClick matching (IPFilter) has performance issues
  • Iptables 4.15 sustains direct baseline with up to 1,000 rules

SLIDE 21

Performance Analysis: stateful flow matching

  • Stateful matching on 5-tuples (saddr, daddr, sport, dport, proto)

SLIDE 22

Performance Analysis: stateful flow matching

  • Stateful matching on 5-tuples (saddr, daddr, sport, dport, proto)
  • mmb & XDP at direct baseline
  • FastClick at 85% direct baseline
  • Iptables stateful is similar to stateless (with few rules).

SLIDE 23

Performance Analysis: TCP Options

  • Matching on TCP Options
  • Not applicable to iptables, FastClick & XDP
  • Stable until 78 rules

SLIDE 24

Conclusion & Next steps

  • mmb sustains line rate for different use cases
  • Next Step: Payload reconstruction
  • https://github.com/mami-project/vpp-mb

SLIDE 25

Thanks!

SLIDE 26

Performance Analysis: Testbed

  • Intel Xeon E5-2620 2.1GHz, 16 Threads, 32GB RAM
  • Intel XL710 2x40GB NICs
  • Huawei CE6800 switch
  • Debian 9

SLIDE 27

Performance Analysis: RTT

SLIDE 28

Performance Analysis: CPU time