Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Microsoft Research Seawall: Performance Isolation for Cloud Datacenter Networks.

Slides:



Advertisements
Similar presentations
Traffic Engineering with Forward Fault Correction (FFC)
Advertisements

CSE331: Introduction to Networks and Security Lecture 13 Fall 2002.
Performance Evaluation of Open Virtual Routers M.Siraj Rathore
OpenFlow-Based Server Load Balancing GoneWild
Router-assisted congestion control Lecture 8 CS 653, Fall 2010.
Alan Shieh Cornell University Srikanth Kandula Microsoft Research Emin Gün Sirer Cornell University Sidecar: Building Programmable Datacenter Networks.
Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.
Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Bikas Saha Microsoft Research, Azure, Bing Sharing the Datacenter Network.
Congestion Control An Overview -Jyothi Guntaka. Congestion  What is congestion ?  The aggregate demand for network resources exceeds the available capacity.
SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez.
Trusted End Host Monitors for Securing Cloud Datacenters Alan Shieh †‡ Srikanth Kandula ‡ Albert Greenberg ‡ †‡
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Comparing flow-oblivious and flow-aware adaptive routing Sara Oueslati and Jim Roberts France Telecom R&D CISS 2006 Princeton March 2006.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks TCP.
A DoS Limiting Network Architecture An Overview by - Amit Mondal.
Congestion Control for High Bandwidth-Delay Product Environments Dina Katabi Mark Handley Charlie Rohrs.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Wide-Area Traffic Management COS 597E: Software Defined Networking.
Didier Van Hoye Technical FGIA MVP – Virtual Machine Microsoft Extended Experts Team
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
Computer Networks Layering and Routing Dina Katabi
Practical TDMA for Datacenter Ethernet
Sharing the Data Center Network Alan Shieh, Srikanth Kandula, Albert Greenberg, Changhoon Kim, Bikas Saha Microsoft Research, Cornell University, Windows.
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
Software-Defined Networks Jennifer Rexford Princeton University.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
1 Liquid Software Larry Peterson Princeton University John Hartman University of Arizona
Penn State CSE “Optimizing Network Virtualization in Xen” Aravind Menon, Alan L. Cox, Willy Zwaenepoel Presented by : Arjun R. Nath.
MaxNet NetLab Presentation Hailey Lam Outline MaxNet as an alternative to TCP Linux implementation of MaxNet Demonstration of fairness, quick.
Srihari Makineni & Ravi Iyer Communications Technology Lab
VL2: A Scalable and Flexible Data Center Network Albert Greenberg, James R. Hamilton, Navendu Jain, Srikanth Kandula, Changhoon Kim, Parantap Lahiri, David.
Increasing Web Server Throughput with Network Interface Data Caching October 9, 2002 Hyong-youb Kim, Vijay S. Pai, and Scott Rixner Rice Computer Architecture.
Hyper-V Performance, Scale & Architecture Changes Benjamin Armstrong Senior Program Manager Lead Microsoft Corporation VIR413.
SECURING SELF-VIRTUALIZING ETHERNET DEVICES IGOR SMOLYAR, MULI BEN-YEHUDA, AND DAN TSAFRIR PRESENTED BY LUREN WANG.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks TCP.
XCP: eXplicit Control Protocol Dina Katabi MIT Lab for Computer Science
TeXCP: Protecting Providers’ Networks from Unexpected Failures & Traffic Spikes Dina Katabi MIT - CSAIL nms.csail.mit.edu/~dina.
TCP Traffic Characteristics—Deep buffer Switch
4: DataLink Layer1 Hubs r Physical Layer devices: essentially repeaters operating at bit levels: repeat received bits on one interface to all other interfaces.
An Analysis of AIMD Algorithm with Decreasing Increases Yunhong Gu, Xinwei Hong, and Robert L. Grossman National Center for Data Mining.
Slide 1/20 "PerfSight: Performance Diagnosis for Software Dataplanes." Wu, Wenfei, Keqiang He, and Aditya Akella ACM ICM, Presented by: Ayush Patwari.
Chapter 10 Congestion Control in Data Networks and Internets 1 Chapter 10 Congestion Control in Data Networks and Internets.
Level 300 Windows Server 2012 Networking Marin Franković, Visoko učilište Algebra.
T3: TCP-based High-Performance and Congestion-aware Tunneling Protocol for Cloud Networking Satoshi Ogawa† Kazuki Yamazaki† Ryota Kawashima† Hiroshi Matsuo†
Ananta: Cloud Scale Load Balancing Presenter: Donghwi Kim 1.
Network Processing Systems Design
ICTCP: Incast Congestion Control for TCP in Data Center Networks By: Hilfi Alkaff.
Quality and Value for the Exam 100% Guarantee to Pass Your Exam Based on Real Exams Scenarios Verified Answers Researched by Industry.
VL2: A Scalable and Flexible Data Center Network
How I Learned to Stop Worrying About the Core and Love the Edge
Heitor Moraes, Marcos Vieira, Italo Cunha, Dorgival Guedes
Top-Down Network Design Chapter Thirteen Optimizing Your Network Design Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Advanced Computer Networks
HyGenICC: Hypervisor-based Generic IP Congestion Control for Virtualized Data Centers Conference Paper in Proceedings of ICC16 By Ahmed M. Abdelmoniem,
ECE 544: Traffic engineering (supplement)
Chapter 4 Data Link Layer Switching
TCP Congestion Control
Multi-PCIe socket network device
Multipath TCP Yifan Peng Oct 11, 2012
Aled Edwards, Anna Fischer, Antonio Lain HP Labs
TCP Congestion Control
Congestion-Aware Load Balancing at the Virtual Edge
Congestion Control, Internet transport protocols: udp
Network Virtualization
Open vSwitch HW offload over DPDK
EE 122: Lecture 7 Ion Stoica September 18, 2001.
Specialized Cloud Architectures
TCP Congestion Control
Congestion-Aware Load Balancing at the Virtual Edge
Review of Internet Protocols Transport Layer
Elmo Muhammad Shahbaz Lalith Suresh, Jennifer Rexford, Nick Feamster,
Presentation transcript:

Alan Shieh Cornell University Srikanth Kandula Albert Greenberg Changhoon Kim Microsoft Research Seawall: Performance Isolation for Cloud Datacenter Networks

Cloud datacenters: Benefits and obstacles Moving to the cloud has manageability, costs & elasticity benefits Selfish tenants can monopolize resources Compromised & malicious tenants can degrade system performance Problems already occur Spammers on AWS Bitbucket DoS attack Runaway client overloads storage

Goals Existing mechanisms are insufficient for cloud Isolate tenants to avoid collateral damage Control each tenant’s share of network Utilize all network capacity Constraints Cannot trust tenant code Minimize network reconfiguration during VM churn Minimize end host and network cost

In-network queuing and rate limiting Existing mechanisms are insufficient HV Guest HV Guest Not scalable. Can underutilize links.

Existing mechanisms are insufficient In-network queuing and rate limiting Network-to-source congestion control (Ethernet QCN) HV Guest HV Guest Throttle send rate Detect congestion HV Guest HV Guest Not scalable. Can underutilize links. Requires new hardware. Inflexible policy.

In-network queuing and rate limiting Network-to-source congestion control (Ethernet QCN) End-to-end congestion control (TCP) HV Guest HV Guest HV Guest HV Guest HV Guest HV Guest Throttle send rate Existing mechanisms are insufficient Detect congestion Not scalable. Can underutilize links. Requires new hardware. Inflexible policy. Poor control over allocation. Guests can change TCP stack.

Seawall = Congestion controlled, hypervisor-to-hypervisor tunnels Benefits Scales to # of tenants, flows, and churn Don’t need to trust tenant Works on commodity hardware Utilizes network links efficiently Achieves good performance (1 Gb/s line rate & low CPU overhead) HV Guest HV Guest

Components of Seawall Hypervisor kernel Guest Root Seawall rate controller allocates network resources for each output flow Goal: achieve utilization and division Seawall ports enforce decisions of rate controller Lie on forwarding path One per VM source/destination pair SW-port SW-rate controller

SW-port Seawall port Rate limit transmit traffic Rewrite and monitor traffic to support congestion control Exchanges congestion feedback and rate info with controller Congestion detector Guest Inspect packets Tx Rate limiter Rewrite packets New rate SW-rate controller Congestion info

Rate controller: Operation and control loop Algorithm divides network proportional to weights & is max/min fair Efficiency: AIMD with faster increase Traffic-agnostic allocation: Per-link share is same regardless of # of flows & destinations Source Reduce rate SW-rate controller SW-port Dest SW-rate controller SW-port Congestion info 1423 X 1,2,4 Rate controller adjusts rate limit based on presence and absence of loss Got 1,2,4 Congestion feedback

VM 1VM 2VM 3 (weight = 2) VM 2 flow 1 VM 2 flow 2 VM 2 flow 3 VM 3: ~50% VM 2: ~25% VM 1: ~25%

Improving SW-port performance How to add congestion control header to packets? Naïve approach: Use encapsulation, but poses problems More code in SW-Port Breaks hardware optimizations that depend on header format Packet ACLs: Filter on TCP 5-tuple Segmentation offload: Parse TCP header to split packets Load balancing: Hash on TCP 5-tuple to spray packets (e.g. RSS) Encapsulation

“Bit stealing” solution: Use spare bits from existing headers Constraints on header modifications Network can route & process packet Receiver can reconstruct for guest Other protocols: might need paravirtualization. IPIP-ID TCPTimestamp option 0x080x0aTSvalTSecr Improvement Throughput: 280 Mb/s => 843 Mb/s (due to reduced bookkeeping) CPU utilization: up to 2.75x reduction (due to segmentation offload) Improvement Throughput: 280 Mb/s => 843 Mb/s (due to reduced bookkeeping) CPU utilization: up to 2.75x reduction (due to segmentation offload) Seq # # packets Seq # Constant Unused

“Bit stealing” solution: Performance improvement Encapsulation Bit stealing Throughput: 280 Mb/s => 843 Mb/s

Supporting future networks Hypervisor vSwitch scales to 1 Gbps, but may be bottleneck for 10 Gbps Multiple approaches to scale to 10 Gbps Hypervisor & multi-core optimizations Bypass hypervisor with direct I/O (e.g. SR-IOV) Virtualization-aware physical switch (e.g. NIV, VEPA) While efficient, currently direct I/O loses policy control Future SR-IOV NICs support classifiers, filters, rate limiters

SW-port Congestion detector Guest Tx Rate limiter Inspect packets Rewrite packets SW-rate controller Guest I/O via HV SW-port Congestion detector DRR Tx counter Rx counter Direct I/O

Summary Without performance isolation, no protection in cloud against selfish, compromised & malicious tenants Hypervisor rate limiters + end-to-end rate controller provide isolation, control, and efficiency Prototype achieves performance and security on commodity hardware

Preserving performance isolation after hypervisor compromise Compromised hypervisor at source can flood network Solution: Use network filtering to isolate sources that violate congestion control Destinations act as detector BAD SW enforcer X Isolate is bad

Pitfall: If destination is compromised, danger of DoS from false accusations Refinement: Apply least privilege (i.e. fine-grained filtering) SW enforcer X Isolate is bad BAD Drop Preserving performance isolation after hypervisor compromise

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.