© 2010 IBM Corporation Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking Alex Landau, David Hadas, Muli Ben-Yehuda IBM Research –

Slides:



Advertisements
Similar presentations
Virtual Machine Queue Architecture Review Ali Dabagh Architect Windows Core Networking Don Stanwyck Sr. Program Manager NDIS Virtualization.
Advertisements

S4 C1 REVIEW. Review Topics Switching, VLANs, LAN Design, Routing Protocols (especially IGRP), ACLs, and IPX Why use LAN switching and VLANs Must gather.
DOT – Distributed OpenFlow Testbed
1 © 2004, Cisco Systems, Inc. All rights reserved. Chapter 3 Ethernet Technologies/ Ethernet Switching/ TCP/IP Protocol Suite and IP Addressing.
IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.
CSCI 4550/8556 Computer Networks Comer, Chapter 21: IP Encapsulation, Fragmentation, and Reassembly.
Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)
© 2010 IBM Corporation Virtualization Technologies Alex Landau IBM Haifa Research Lab 12 January 2010.
Communications in ISTORE Dan Hettena. Communication Goals Goals: Fault tolerance through redundancy Tolerate any single hardware failure High bandwidth.
1 Application TCPUDP IPICMPARPRARP Physical network Application TCP/IP Protocol Suite.
5-1 Data Link Layer r Today, we will study the data link layer… r This is the last layer in the network protocol stack we will study in this class…
1 CCNA 1 v3.1 Module 10 Review. 2 What is the address that is changed when a frame is received at a router interface? MAC address.
Networking Components
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
Data Center Virtualization: VirtualWire Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.
Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.
Connecting LANs, Backbone Networks, and Virtual LANs
Building a massively scalable serverless VPN using Any Source Multicast Athanasios Douitsis Dimitrios Kalogeras National Technical University of Athens.
Virtual WiFi: Bring Virtualization from Wired to Wireless Lei Xia, Sanjay Kumar, Xue Yang Praveen Gopalakrishnan, York Liu, Sebastian Schoenberg, Xingang.
We will be covering VLANs this week. In addition we will do a practical involving setting up a router and how to create a VLAN.
The Network Layer. Network Projects Must utilize sockets programming –Client and Server –Any platform Please submit one page proposal Can work individually.
Chapter 1 Overview Review Overview of demonstration network
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Achieving 10 Gb/s Using Xen Para-virtualized.
NUS.SOC.CS2105 Ooi Wei Tsang Application Transport Network Link Physical you are here.
Penn State CSE “Optimizing Network Virtualization in Xen” Aravind Menon, Alan L. Cox, Willy Zwaenepoel Presented by : Arjun R. Nath.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
A study of introduction of the virtualization technology into operator consoles T.Ohata, M.Ishii / SPring-8 ICALEPCS 2005, October 10-14, 2005 Geneva,
Module 8: Ethernet Switching
11 NETWORK CONNECTION HARDWARE Chapter 3. Chapter 3: NETWORK CONNECTION HARDWARE2 NETWORK INTERFACE ADAPTER  Provides the link between a computer and.
By: Aleksandr Movsesyan Advisor: Hugh Smith. OSI Model.
1 IP : Internet Protocol Computer Network System Sirak Kaewjamnong.
Srihari Makineni & Ravi Iyer Communications Technology Lab
CCNA 3 Week 4 Switching Concepts. Copyright © 2005 University of Bolton Introduction Lan design has moved away from using shared media, hubs and repeaters.
OSI Model. Switches point to point bridges two types store & forward = entire frame received the decision made, and can handle frames with errors cut-through.
1 CSCD 433 Network Programming Fall 2011 Lecture 5 VLAN's.
Sem1 - Module 8 Ethernet Switching. Shared media environments Shared media environment: –Occurs when multiple hosts have access to the same medium. –For.
02/09/2010 Industrial Project Course (234313) Virtualization-aware database engine Final Presentation Industrial Project Course (234313) Virtualization-aware.
Stateless Transport Tunneling draft-davie-stt-01.txt Bruce Davie, Jesse Gross, Igor Gashinsky et al.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Connecting Devices CORPORATE INSTITUTE OF SCIENCE & TECHNOLOGY, BHOPAL Department of Electronics and.
Using Heterogeneous Paths for Inter-process Communication in a Distributed System Vimi Puthen Veetil Instructor: Pekka Heikkinen M.Sc.(Tech.) Nokia Siemens.
SECURING SELF-VIRTUALIZING ETHERNET DEVICES IGOR SMOLYAR, MULI BEN-YEHUDA, AND DAN TSAFRIR PRESENTED BY LUREN WANG.
Ethernet. Ethernet standards milestones 1973: Ethernet Invented 1983: 10Mbps Ethernet 1985: 10Mbps Repeater 1990: 10BASE-T 1995: 100Mbps Ethernet 1998:
Operating-System Structures
Local Area Networks Honolulu Community College
Network Communications Chapter 12
CISCO NETWORKING ACADEMY Chabot College ELEC Ethernet Switches.
Midterm Review Chapter 1: Introduction Chapter 2: Application Layer
IP1 The Underlying Technologies. What is inside the Internet? Or What are the key underlying technologies that make it work so successfully? –Packet Switching.
CCNA3 Module 4 Brierley Module 4. CCNA3 Module 4 Brierley Topics LAN congestion and its effect on network performance Advantages of LAN segmentation in.
CHAPTER -II NETWORKING COMPONENTS CPIS 371 Computer Network 1 (Updated on 3/11/2013)
E Virtual Machines Lecture 5 Network Virtualization Scott Devine VMware, Inc.
1 K. Salah Module 5.1: Internet Protocol TCP/IP Suite IP Addressing ARP RARP DHCP.
Connectors, Repeaters, Hubs, Bridges, Switches, Routers, NIC’s
An open source user space fast path TCP/IP stack and more…
Virtualization Neependra Khare
Network Interface Virtualizaion: Challenges and Solutions Ryan Shea and Jiangchuan Liu, Simon Fraser University IEEE Network Park Sewon.
Network Virtualization Ben Pfaff Nicira Networks, Inc.
April, 2010Oren Laadan, Columbia University 1 Network Migration in Linux Oren Laadan
Virtual Networking Performance
New Approach to OVS Datapath Performance
Zero-copy Receive Path in Virtio
Local Area Networks Honolulu Community College
EE 122: Lecture 19 (Asynchronous Transfer Mode - ATM)
OSI Protocol Stack Given the post man exemple.
Final Review CS144 Review Session 9 June 4, 2008 Derrick Isaacson
Network Virtualization
NTHU CS5421 Cloud Computing
Open vSwitch HW offload over DPDK
Connectors, Repeaters, Hubs, Bridges, Switches, Routers, NIC’s
VLANS The Who, What Why, And Where's to using them
Presentation transcript:

© 2010 IBM Corporation Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking Alex Landau, David Hadas, Muli Ben-Yehuda IBM Research – Haifa Alex Landau 25 May 2010

© 2010 IBM Corporation2 Hypervisor leaks  Original goal of hypervisors – complete replica of physical hardware  Application running on host should be able to run in guest  Host details leaked to guest –Instruction set extensions –Bridged networking Leaked IP address, subnet mask, etc. –NAT Not suitable for many applications

© 2010 IBM Corporation3 Why leaks are bad?  Why is that a problem? –Checkpoint / restart –Cloning –Live migration  Example: –Guest acquires IP address from DHCP –Guest is live-migrated to different data center –Guest uses old IP address in new network  Current solution: –Defer problem to guests and network equipment –E.g., VLANs

© 2010 IBM Corporation4 QEMU Guest Kernel VIRTIO Frontend VIRTIO Backend QEMU Guest application Guest Kernel Network Adapter Driver Emulated Network Adapter Guest Network Stack Guest Network Stack Socket Interface Guest application Socket Interface Host Kernel Virtual Network Interface TAP Host Network Services (E.g. Bridge or VAN central services) Virtual Network Interface TAP Packet flow today (in KVM)

© 2010 IBM Corporation5 How to avoid leaks?  Hypervisor, not network, is responsible for avoiding leaks  Guests should be: –Offered an isolated virtual environment –Independent of physical network characteristics (e.g., topology) –Independent of physical location (e.g., IP addresses)  Example: –Guest should receive IP address independent of: Host running the guest Data center containing the host Network configuration of the host

© 2010 IBM Corporation6 Avoiding leaks – Encapsulation  Guest produces Layer-2 frame  Host encapsulates it in UDP packet  Host finds destination host –By peeking at destination (guest) MAC address –And “somehow” finding destination host  Host transmits UDP packet  Receiver host receives UDP packet  Receiver host decapsulates Layer-2 frame from UDP packet  Receiver host passes Layer-2 frame to guest

© 2010 IBM Corporation7 Proposed packet flow – Dual Stack Host Kernel QEMU Guest Kernel VIRTIO Frontend Driver VIRTIO Backend QEMU Guest application Guest Kernel Network Adapter Driver Emulated Network Adapter Guest Network Stack Guest Network Stack Traffic Encapsulation Traffic Encapsulation Host Network Stack Socket Interface Guest application Socket Interface Guest Stack (Glue) Host Stack App. DriverNet Driver Isolation

© 2010 IBM Corporation8 Performance  Path from guest to wire is long  Latencies are manifested in the form of: –Packet copies –VM exits and entries –User/Kernel mode switches –Host QEMU process scheduling

© 2010 IBM Corporation9 Large packets  Transport and Network layers capable of up to 64KB packets  Ethernet limit is 1500 bytes –Ignoring jumbo frames  But there is no Ethernet wire between guest and host!  Set MTU to 64KB in guest  64KB packets are transferred from guest to host –Inhibit TCP/UDP checksum calculation and verification

© 2010 IBM Corporation10 Large packets – Flow  Application writes 64KB to TCP socket  TCP, IP check MTU (=64KB) and create 1 TCP segment, 1 IP packet  Guest virtual NIC driver copies entire 64KB frame to host  Host writes 64KB frame into UDP socket  Host stack creates 1 64KB UDP packet  If packet destination = VM on local host –Transfer 64KB packet directly on the loopback interface  If packet destination = other host –Host NIC segments 64KB packet in hardware

© 2010 IBM Corporation11 CPU affinity and pinning  QEMU process contains 2 threads –CPU thread (actually, one CPU thread per guest vCPU) –IO thread  Linux process scheduler selects core(s) to run threads on  Many times scheduler made wrong decisions –Schedule both on same core –Constantly reschedule (core 0 -> 1 -> 0 -> 1 -> …)  Solution/workaround – pin CPU thread to core 0, IO thread to core 1

© 2010 IBM Corporation12 Flow control  Guest does not anticipate flow control at Layer-2  Thus, host should not provide flow control –Otherwise, bad effects similar to TCP-in-TCP encapsulation will happen  Lacking flow control, host should have large enough socket buffers  Example: –Guest uses TCP –Host buffers should be at least guest TCP’s bandwidth x delay

© 2010 IBM Corporation13 Performance results ThroughputReceiver CPU Utilization

© 2010 IBM Corporation14 Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.