[Page 1]
Virtualizing Network I/O on End-Host OS
Takashi “taka” Okumura
Department of Computer Science, University of Pittsburgh
[Page 2]
Who’s taka?
• A Ph.D. student
• Working with Dr. Mosse'
• Semantics-aware Control of Medical Network
• Virtualization of network I/O on end-host OS
MD/Ph.D.
[Page 3]
[Page 4]
Network Control on End-host OS
Dummynet, IPFW, ALTQ, PF, netfilter, etc...
• Traffic Management tool for system administrators
– Privileged Instructions
– Lack of Resource Protection Model
– Static Configuration
– Flat Queue Structure
• It is a Traffic Management model for intermediate nodes
[Page 5]
The Traffic Control model limits network control technology
• Why don’t we have a standard API even for bandwidth control??
• Why do we need to be root, just to control our own traffic??
• Why can’t we realize access control on a per-application basis on Unix??
• Why can’t we use the Extension Header of IPv6 for existing applications?
Dummynet, IPFW, ALTQ, PF, LARTC, etc...
We cannot simply port the router model onto the end-node...
[Page 6]
What can we do ?
[Page 7]
Fundamental Problem
Dissociation of Resource Management model and Network Control Model
[Page 8]
CPU Resource Management
Before / After
nice + renice
[Page 9]
Network Resource Management
Before / After
Virtualization of Network Interface!!
[Page 10]
Hierarchical Management
Flexible Control Granularity
[Page 11]
Example 1 : netnice
% netnice 1234 512Kbps
pid = 1234
512Kbps
[Page 12]
Example 2 : sh
% ftp ftp.freebsd.org @2Mbps
sh ftp
2Mbps
[Page 13]
Various Controls through hierarchical virtualization
Independent Packet Schedulers
Fair Queuing
Packet shaping
Priority Queuing
[Page 14]
Integration of QoS and Security Control
libpcap
ctrl
BPF&libpcap Compatible
Netnice Packet Filter
Diverting Interface
Proxy
Packet Filter (Firewall)
[Page 15]
The almighty primitive for network control
• Various Controls in a single framework
• Resource Protection
• Sophisticated API
• Integration of Network Control
– Bandwidth Management
– Queuing Control
– Firewall/Packet Filter
– Packet Capture
[Page 16]
Intermission
- Project Status -
[Page 17]
India Gate, Bombay (Mumbai)
[Page 18]
Why did Taka go to India?
• Loves Indian Food!
• To collaborate with Indian Hackers!
[Page 19]
Netnice ORGan Opensource Project
• Kernel Development - Porting
• Application Development - Porting
• (Research Division; discussed later)
[Page 20]
Kernel Development
• FreeBSD 4: 97%
• Linux: 50%
• NetBSD: 70%
• OpenBSD: 80%
• FreeBSD 5: 90%
• MacOS X: 5%
• Windows: 1%
We want Alpha/Beta testers!!!
[Page 21]
Applications
• Firewall Builder
• Netnice Daemon
• 3D-tcpdump
• Apache module
• inetd
[Page 22]
Firewall Builder for Netnice
• Firewall Rule Builder GUI
Root VIF
Rule Builder / Rule Code
[Page 23]
netniced
JavaScript !!
Scripting Network Control
[Page 24]
The Netnice Daemon: netniced
Wireless Network: 11Mbps shared by n Hosts, i.e. 11Mbps / n each
var vif = system.get_root("wi0");   // root VIF of the wireless interface
var node = new Tupple(1);           // node.size() is the number of hosts (n)
function timer() {
    // re-divide the 11 Mbps link evenly among the hosts currently present
    vif.bandwidth = 11 * Mbps / node.size();
}
[Page 25]
3D-TCPDUMP
• 3D Network Analysis/ Visualization Tool
libpcap
ctrl
[Page 26]
Apache: mod_netnice
[Page 27]
inetd
# cat /etc/inetd.conf
ftp     tcp  ftpd -l
telnet  tcp  telnetd @32K/sec
shell   tcp  rshd @32K/sec
# inetd @1Mbps
#
inetd @1Mbps: ftp, telnet @32Kbps
Configuration of services and their resources should be integrated
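The netnice, sh and inetd slides all rely on one mechanism: a tree of virtual interfaces whose limits compose downward, plus a rule about who may change them. The following is an added example, not netnice's own code: a toy Python model in which a packet is admitted only if every VIF up to the root has budget left (so telnet @32K/sec under inetd @1Mbps can never exceed either), and in which a VIF may be reshaped only by its owner or uid 0 and never above its parent, the resource-protection point missing from the root-only tools listed earlier. The names Vif, owner_uid, rate_change_allowed and inetd_demo are assumptions of this example, not the netnice API.

```python
"""Toy model of netnice-style hierarchical virtual network interfaces (VIFs).
Added example, not netnice's own code. A packet is admitted only if every
VIF from the sender up to the root still has budget, so a child can never
exceed its parent; a limit may be changed only by the VIF's owner (or uid 0)
and never raised above the parent, the slides' resource-protection point.
Rates are bits per second; a tick is one second, so budgets are per tick."""
Kbps, Mbps = 1_000, 1_000_000

class VifError(Exception):
    pass

class Vif:
    def __init__(self, name, rate_bps, parent=None, owner_uid=0):
        if parent is not None and rate_bps > parent.rate_bps:
            raise VifError(f"{name}: limit exceeds parent {parent.name}")
        self.name, self.rate_bps, self.parent = name, rate_bps, parent
        self.owner_uid, self.used_bits = owner_uid, 0  # bits admitted this tick

    def path_to_root(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def set_rate(self, rate_bps, uid):
        """Change the limit: owner or uid 0 only, and never above the parent."""
        if uid not in (0, self.owner_uid):
            raise VifError(f"uid {uid} does not own {self.name}")
        if self.parent is not None and rate_bps > self.parent.rate_bps:
            raise VifError(f"{self.name}: {rate_bps} bps exceeds parent")
        self.rate_bps = rate_bps

    def send(self, nbytes):
        """Admit a packet only if this VIF and every ancestor have budget left."""
        bits = nbytes * 8
        if any(v.used_bits + bits > v.rate_bps for v in self.path_to_root()):
            return False  # shaped: this VIF or an ancestor is out of budget
        for v in self.path_to_root():
            v.used_bits += bits
        return True

def rate_change_allowed(vif, rate_bps, uid):
    """True if set_rate succeeds, False if the protection model refuses it."""
    try:
        vif.set_rate(rate_bps, uid)
        return True
    except VifError:
        return False

def inetd_demo(packets=100, size=1500):
    """The inetd slide: inetd @1Mbps, telnet @32K/sec, ftp capped by inetd."""
    wi0 = Vif("wi0", 11 * Mbps)
    inetd = Vif("inetd", 1 * Mbps, wi0)
    telnet = Vif("telnet", 32 * Kbps, inetd, owner_uid=1001)
    ftp = Vif("ftp", inetd.rate_bps, inetd, owner_uid=1001)
    return {v.name: sum(v.send(size) for _ in range(packets))
            for v in (telnet, ftp)}
```

With 100 packets of 1500 bytes per service in one tick, telnet gets 2 through and ftp 81: the 32K/sec cap stops telnet, and the remaining inetd budget, not ftp's own limit, stops ftp.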
[Page 28]
Got bored?
[Page 29]
Existing Primitives
Dummynet, IPFW, ALTQ, PF, LARTC, etc...
• Traffic Management tool for system administrators
– Privileged Instructions
– Lack of Resource Protection Model
– Static Configuration
– Flat Queue Structure
• Each primitive has a particular objective, and has a control application just for that particular purpose
[Page 30]
Hierarchical Virtual Network Interface
• Generic OS service for end-host oriented network control
– Serves as a programming construct
– Works for a variety of purposes
– Extends the limit of end-host oriented network control
• But, we need to extend the limit, much more...
[Page 31]
Research
[Page 32]
TOPICS
• Architecture
• Compiler
• Algorithm
• Operating System
• Artificial Intelligence
[Page 33]
Architecture
Dynamic Extension of Protocol Stack by Virtual Machine technology
[Page 34]
Protocol Stack Virtualization
BSD Linux Windows
VM VM VM
Performance?
[Page 35]
Compiler
Compiler for High-performance Firewall
[Page 36]
Firewall Instrumentation
packets
NIC
Filter
IA32 code
BPF code
if (p[12:4] == 0xa209e081) return accept;
else return reject;
Filter Rule
allow 192.9.200.123
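The rule-to-code step this slide sketches, as an added example that is not the project's compiler: each "allow A.B.C.D" (or "deny") rule is compiled into a comparison of the 4-byte field at offset 12 against a constant, with reject as the default. It assumes p[12:4] denotes the IPv4 source-address field (BPF's ip[12:4]); the function names and the sample header are this example's own.

```python
"""Tiny rule-to-filter compiler in the spirit of the firewall slide.
Added example, not the project's compiler. Each "allow A.B.C.D" (or
"deny") rule becomes a comparison of the 4-byte field at offset 12 of the
IPv4 header (the source address, BPF's ip[12:4]) against a constant, and
packets matching no rule are rejected. Two back ends are shown: the C-like
text on the slide, and a Python closure that runs the same decision on raw
header bytes, including the short-packet case a real filter must handle."""
import ipaddress
import struct

ACCEPT, REJECT = "accept", "reject"

def parse_rules(text):
    """'allow 192.9.200.123' -> ('allow', 0xc009c87b); '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, int(ipaddress.IPv4Address(addr))))
    return rules

def emit_c(rules):
    """Back end 1: the if/else chain the slide shows, one test per rule."""
    out = []
    for action, value in rules:
        verdict = ACCEPT if action == "allow" else REJECT
        out.append(f"if (p[12:4] == 0x{value:08x}) return {verdict};")
    out.append(f"return {REJECT};")  # default: drop anything unmatched
    return "\n".join(out)

def compile_filter(rules):
    """Back end 2: a matcher over raw packet bytes; first matching rule wins."""
    def run(packet):
        if len(packet) < 20:
            return REJECT  # too short to carry an IPv4 header
        src = struct.unpack_from("!I", packet, 12)[0]  # p[12:4], network order
        for action, value in rules:
            if src == value:
                return ACCEPT if action == "allow" else REJECT
        return REJECT
    return run

def ipv4_header(src, dst):
    """Constructed sample input: a minimal 20-byte IPv4 header (proto TCP)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
```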
[Page 37]
Algorithm
Distributed Caching and Traffic Control Algorithm for Fermi FS
[Page 38]
Distributed Caching and Traffic Control
Storage
n = 96
L1 Buffer
On-line Jobs
L2 worker
Off-line Jobs
1 job / 396ns
Distributed Hash Table (P2P) technology?
[Page 39]
Operating System
Coupled Scheduling Mechanism for CPU and Network
[Page 40]
CPU Scheduling + Network Control
• High Priority Jobs
– Higher Network Priority
• Lower Priority Jobs
– Lower Network Priority
High Low
[Page 41]
Artificial Intelligence
Traffic Control based on Semantics analysis of on-going communication
[Page 42]
Semantics-Aware Medical Network
• Needs for better fairness, safety, and security
– ex) Resource contention between traffic for...
• Emergency Case (such as Acute MI)
• Common cold
[Page 43]
Ambulance
Semantics Aware Medical Network
• Each node understands traffic semantics and controls packets accordingly
Hospital
Node
[Page 44]
Straightforward Approach
• Hop-by-hop routing
• Packet Dropping
• Encrypted Payload
• Stateful Inspection
• What if we analyze the traffic semantics at the intermediate nodes?
[Page 45]
Cooperation of End-nodes and Intermediate-nodes
• Hop-by-hop routing
• Packet Dropping
• Encrypted Payload
• Stateful Inspection
• What if the end-nodes attach the semantics information they analyze onto each packet…?
[Page 46]
Fairness by Agent model
• What if we prepare “fair” agents, and let the end-users select one for semantics analysis?
We may realize “fair” and “efficient” semantics-aware network...
[Page 47]
To realize such a technology,
we need an end-node mechanism!
One which allows analysis of flows at flexible granularity, and active control of the flows just monitored.
[Page 48]
? || /* */