Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Microsoft Research Seawall: Performance Isolation for Cloud Datacenter Networks.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Microsoft Research Seawall: Performance Isolation for Cloud Datacenter Networks."— Presentation transcript:

1 Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Microsoft Research Seawall: Performance Isolation for Cloud Datacenter Networks

2 Cloud datacenters: Benefits and obstacles Moving to the cloud has manageability, costs & elasticity benefits Selfish tenants can monopolize resources Compromised & malicious tenants can degrade system performance Problems already occur Spammers on AWS Bitbucket DoS attack Runaway client overloads storage

3 Goals Existing mechanisms are insufficient for cloud Isolate tenants to avoid collateral damage Control each tenant’s share of network Utilize all network capacity Constraints Cannot trust tenant code Minimize network reconfiguration during VM churn Minimize end host and network cost

4 In-network queuing and rate limiting Existing mechanisms are insufficient HV Guest HV Guest Not scalable. Can underutilize links.

5 Existing mechanisms are insufficient In-network queuing and rate limiting Network-to-source congestion control (Ethernet QCN) HV Guest HV Guest Throttle send rate Detect congestion HV Guest HV Guest Not scalable. Can underutilize links. Requires new hardware. Inflexible policy.

6 In-network queuing and rate limiting Network-to-source congestion control (Ethernet QCN) End-to-end congestion control (TCP) HV Guest HV Guest HV Guest HV Guest HV Guest HV Guest Throttle send rate Existing mechanisms are insufficient Detect congestion Not scalable. Can underutilize links. Requires new hardware. Inflexible policy. Poor control over allocation. Guests can change TCP stack.

7 Seawall = Congestion controlled, hypervisor-to-hypervisor tunnels Benefits Scales to # of tenants, flows, and churn Don’t need to trust tenant Works on commodity hardware Utilizes network links efficiently Achieves good performance (1 Gb/s line rate & low CPU overhead) HV Guest HV Guest

8 Components of Seawall Hypervisor kernel Guest Root Seawall rate controller allocates network resources for each output flow Goal: achieve utilization and division Seawall ports enforce decisions of rate controller Lie on forwarding path One per VM source/destination pair SW-port SW-rate controller

9 SW-port Seawall port Rate limit transmit traffic Rewrite and monitor traffic to support congestion control Exchanges congestion feedback and rate info with controller Congestion detector Guest Inspect packets Tx Rate limiter Rewrite packets New rate SW-rate controller Congestion info

10 Rate controller: Operation and control loop Algorithm divides network proportional to weights & is max/min fair Efficiency: AIMD with faster increase Traffic-agnostic allocation: Per-link share is same regardless of # of flows & destinations Source Reduce rate SW-rate controller SW-port Dest SW-rate controller SW-port Congestion info 1423 X 1,2,4 Rate controller adjusts rate limit based on presence and absence of loss Got 1,2,4 Congestion feedback

11 VM 1VM 2VM 3 (weight = 2) VM 2 flow 1 VM 2 flow 2 VM 2 flow 3 VM 3: ~50% VM 2: ~25% VM 1: ~25%

12 Improving SW-port performance How to add congestion control header to packets? Naïve approach: Use encapsulation, but poses problems More code in SW-Port Breaks hardware optimizations that depend on header format Packet ACLs: Filter on TCP 5-tuple Segmentation offload: Parse TCP header to split packets Load balancing: Hash on TCP 5-tuple to spray packets (e.g. RSS) Encapsulation

13 “Bit stealing” solution: Use spare bits from existing headers Constraints on header modifications Network can route & process packet Receiver can reconstruct for guest Other protocols: might need paravirtualization. IPIP-ID TCPTimestamp option 0x080x0aTSvalTSecr Improvement Throughput: 280 Mb/s => 843 Mb/s (due to reduced bookkeeping) CPU utilization: up to 2.75x reduction (due to segmentation offload) Improvement Throughput: 280 Mb/s => 843 Mb/s (due to reduced bookkeeping) CPU utilization: up to 2.75x reduction (due to segmentation offload) Seq # # packets Seq # Constant Unused

14 “Bit stealing” solution: Performance improvement Encapsulation Bit stealing Throughput: 280 Mb/s => 843 Mb/s

15 Supporting future networks Hypervisor vSwitch scales to 1 Gbps, but may be bottleneck for 10 Gbps Multiple approaches to scale to 10 Gbps Hypervisor & multi-core optimizations Bypass hypervisor with direct I/O (e.g. SR-IOV) Virtualization-aware physical switch (e.g. NIV, VEPA) While efficient, currently direct I/O loses policy control Future SR-IOV NICs support classifiers, filters, rate limiters

16 SW-port Congestion detector Guest Tx Rate limiter Inspect packets Rewrite packets SW-rate controller Guest I/O via HV SW-port Congestion detector DRR Tx counter Rx counter Direct I/O

17 Summary Without performance isolation, no protection in cloud against selfish, compromised & malicious tenants Hypervisor rate limiters + end-to-end rate controller provide isolation, control, and efficiency Prototype achieves performance and security on commodity hardware

18 Preserving performance isolation after hypervisor compromise Compromised hypervisor at source can flood network Solution: Use network filtering to isolate sources that violate congestion control Destinations act as detector BAD SW enforcer X Isolate is bad

19 Pitfall: If destination is compromised, danger of DoS from false accusations Refinement: Apply least privilege (i.e. fine-grained filtering) SW enforcer X Isolate is bad BAD Drop Preserving performance isolation after hypervisor compromise

Download ppt "Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Microsoft Research Seawall: Performance Isolation for Cloud Datacenter Networks."

Similar presentations

Traffic Engineering with Forward Fault Correction (FFC)

Traffic Engineering with Forward Fault Correction (FFC)
CSE331: Introduction to Networks and Security Lecture 13 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 13 Fall 2002.
Performance Evaluation of Open Virtual Routers M.Siraj Rathore

Performance Evaluation of Open Virtual Routers M.Siraj Rathore
OpenFlow-Based Server Load Balancing GoneWild

OpenFlow-Based Server Load Balancing GoneWild
Router-assisted congestion control Lecture 8 CS 653, Fall 2010.

Router-assisted congestion control Lecture 8 CS 653, Fall 2010.
Alan Shieh Cornell University Srikanth Kandula Microsoft Research Emin Gün Sirer Cornell University Sidecar: Building Programmable Datacenter Networks.

Alan Shieh Cornell University Srikanth Kandula Microsoft Research Emin Gün Sirer Cornell University Sidecar: Building Programmable Datacenter Networks.
Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.

Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.
Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Bikas Saha Microsoft Research, Azure, Bing Sharing the Datacenter Network.

Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Bikas Saha Microsoft Research, Azure, Bing Sharing the Datacenter Network.
Congestion Control An Overview -Jyothi Guntaka. Congestion  What is congestion ?  The aggregate demand for network resources exceeds the available capacity.

Congestion Control An Overview -Jyothi Guntaka. Congestion  What is congestion ?  The aggregate demand for network resources exceeds the available capacity.
SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez.

SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez.
Trusted End Host Monitors for Securing Cloud Datacenters Alan Shieh †‡ Srikanth Kandula ‡ Albert Greenberg ‡ †‡

Trusted End Host Monitors for Securing Cloud Datacenters Alan Shieh †‡ Srikanth Kandula ‡ Albert Greenberg ‡ †‡
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Comparing flow-oblivious and flow-aware adaptive routing Sara Oueslati and Jim Roberts France Telecom R&D CISS 2006 Princeton March 2006.

Comparing flow-oblivious and flow-aware adaptive routing Sara Oueslati and Jim Roberts France Telecom R&D CISS 2006 Princeton March 2006.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks TCP.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks TCP.
A DoS Limiting Network Architecture An Overview by - Amit Mondal.

A DoS Limiting Network Architecture An Overview by - Amit Mondal.
Congestion Control for High Bandwidth-Delay Product Environments Dina Katabi Mark Handley Charlie Rohrs.

Congestion Control for High Bandwidth-Delay Product Environments Dina Katabi Mark Handley Charlie Rohrs.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Wide-Area Traffic Management COS 597E: Software Defined Networking.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Wide-Area Traffic Management COS 597E: Software Defined Networking.
Didier Van Hoye Technical FGIA MVP – Virtual Machine Microsoft Extended Experts Team

Didier Van Hoye Technical FGIA MVP – Virtual Machine Microsoft Extended Experts Team
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.

Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
Computer Networks Layering and Routing Dina Katabi

Computer Networks Layering and Routing Dina Katabi

Similar presentations

Ads by Google