Virtualizing Network I/O on End-Host OS
Takashi "taka" Okumura
Department of Computer Science, University of Pittsburgh
TRANSCRIPT
Who's taka?
• A Ph.D. student (MD/Ph.D.)
• Working with Dr. Mosse'
• Semantics-aware Control of Medical Network
• Virtualization of network I/O on end-host OS
Network Control on End-host OS
Dummynet, IPFW, ALTQ, PF, netfilter, etc...
• Traffic Management tools for system administrators
  – Privileged Instructions
  – Lack of Resource Protection Model
  – Static Configuration
  – Flat Queue Structure
• It is a Traffic Management model for intermediate nodes
The Traffic Control model limits network control technology
• Why don't we have a standard API even for bandwidth control?
• Why do we need to be root just to control our own traffic?
• Why can't we realize access control on a per-application basis on Unix?
• Why can't we use the Extension Header of IPv6 for existing applications?
(figure: Dummynet, IPFW, ALTQ, PF, LARTC, etc...)
We cannot simply port the router model onto end-node...
What can we do ?
Fundamental Problem
Dissociation of Resource Management model and Network Control Model
(figure) CPU Resource Management, Before / After: nice + renice
(figure) Network Resource Management, Before / After: Virtualization of Network Interface!!
Hierarchical Management
Flexible Control Granularity
Example 1 : netnice
    % netnice 1234 512Kbps
(figure: the VIF of pid 1234 is limited to 512Kbps)
Example 2 : sh
    % ftp ftp.freebsd.org @2Mbps
(figure: the shell's VIF gets a child VIF for ftp, limited to 2Mbps)
Various Controls through hierarchical virtualization
• Independent Packet Schedulers
• Fair Queuing
• Packet shaping
• Priority Queuing
Integration of QoS and Security Control
(figure labels)
• Netnice Packet Filter: BPF & libpcap compatible (libpcap / ctrl)
• Diverting Interface: Proxy
• Packet Filter (Firewall)
The almighty primitive for network control
• Various Controls in a single framework
• Resource Protection
• Sophisticated API
• Integration of Network Control
  – Bandwidth Management
  – Queuing Control
  – Firewall/Packet Filter
  – Packet Capture
Intermission
- Project Status -
(photo: India Gate, Bombay (Mumbai))
Why did Taka go to India?
• Loves Indian Food!
• To collaborate with Indian Hackers!
Netnice ORGan Opensource Project
• Kernel Development - Porting
• Application Development - Porting
• (Research Division; discussed later)
Kernel Development
• FreeBSD 4: 97%
• FreeBSD 5: 90%
• OpenBSD: 80%
• NetBSD: 70%
• Linux: 50%
• MacOS X: 5%
• Windows: 1%
We want Alpha/Beta testers!!!
Applications
• Firewall Builder
• Netnice Daemon
• 3D-tcpdump
• Apache module
• inetd
Firewall Builder for Netnice
• Firewall Rule Builder GUI
(figure: the Rule Builder emits Rule Code, which netniced applies to the Root VIF; the rule code is JavaScript!!)
Scripting Network Control
The Netnice Daemon: netniced
(figure: a Wireless Network at 11Mbps shared by n Hosts; the script below divides the 11Mbps evenly among the n nodes)

    var vif = system.get_root("wi0");
    var node = new Tupple(1);
    function timer() {
        vif.bandwidth = 11 * Mbps / node.size();
    }
3D-TCPDUMP
• 3D Network Analysis / Visualization Tool
(figure: libpcap / ctrl)
Apache: mod_netnice

inetd
    # cat /etc/inetd.conf
    ftp     tcp     ftpd -l
    telnet  tcp     telnetd @32K/sec
    shell   tcp     rshd @32K/sec
    # inetd @1Mbps
    #
(figure: the inetd VIF at 1Mbps has child VIFs for ftp and telnet; telnet is limited to 32Kbps)
Configuration of services and their resources should be integrated
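The two netnice examples earlier (netnice 1234 512Kbps; ftp ... @2Mbps under sh) and the inetd configuration above all rely on the same property of the hierarchical VIF tree: a child VIF is shaped by its own limit and by every ancestor's limit, so a process can never use more than the VIF it was given, whatever it asks for. The following is an added user-space model of that behaviour, written for this page and not taken from the netnice kernel code. It assumes each VIF is a token bucket holding one second of traffic, that "32K/sec" means 32000 bit/s, and that the names vif_create, vif_admit, vif_effective_bps and build_inetd_tree are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_VIF 16

/* One node of the VIF tree. rate_bps == 0 means "no limit of its own" (an
 * assumption of this model); such a VIF is still bounded by its ancestors. */
typedef struct vif {
    const char *name;
    struct vif *parent;
    double rate_bps;   /* own limit in bit/s */
    double burst;      /* bucket depth in bytes: one second at rate_bps */
    double tokens;     /* bytes that may be sent right now */
    double last_t;     /* time of the last refill, seconds */
} vif_t;

static vif_t pool[MAX_VIF];
static int npool;

void vif_reset(void) { npool = 0; }

vif_t *vif_create(const char *name, vif_t *parent, double rate_bps)
{
    if (npool >= MAX_VIF) return NULL;
    vif_t *v = &pool[npool++];
    v->name = name;
    v->parent = parent;
    v->rate_bps = rate_bps;
    v->burst = v->tokens = rate_bps / 8.0;
    v->last_t = 0.0;
    return v;
}

vif_t *vif_by_name(const char *name)
{
    for (int i = 0; i < npool; i++)
        if (strcmp(pool[i].name, name) == 0) return &pool[i];
    return NULL;
}

/* What a leaf can really get: the smallest non-zero limit on its path to the
 * root. A child created with a bigger limit than its parent gets the parent's. */
double vif_effective_bps(const vif_t *v)
{
    double eff = 0.0;
    for (; v != NULL; v = v->parent)
        if (v->rate_bps > 0 && (eff == 0.0 || v->rate_bps < eff))
            eff = v->rate_bps;
    return eff;
}

static void refill(vif_t *v, double now)
{
    if (v->rate_bps <= 0) return;              /* unlimited VIFs keep no bucket */
    if (now > v->last_t) {
        v->tokens += v->rate_bps / 8.0 * (now - v->last_t);
        if (v->tokens > v->burst) v->tokens = v->burst;
        v->last_t = now;
    }
}

/* Admit one packet of `bytes` sent through `leaf` at time `now`. Every limited
 * VIF on the path must be able to pay before any of them is charged, so a
 * shaped packet leaves all buckets untouched. Returns 1 = send, 0 = shaped. */
int vif_admit(vif_t *leaf, double bytes, double now)
{
    vif_t *v;
    for (v = leaf; v != NULL; v = v->parent) {
        refill(v, now);
        if (v->rate_bps > 0 && v->tokens < bytes) return 0;
    }
    for (v = leaf; v != NULL; v = v->parent)
        if (v->rate_bps > 0) v->tokens -= bytes;
    return 1;
}

double vif_tokens(const vif_t *v) { return v->tokens; }

/* The tree from the inetd slide: wi0 (unlimited) > inetd @1Mbps > ftp (no own
 * limit), telnet @32K/sec, shell @32K/sec. */
void build_inetd_tree(void)
{
    vif_reset();
    vif_t *root  = vif_create("wi0",   NULL, 0);
    vif_t *inetd = vif_create("inetd", root, 1000000);
    vif_create("ftp",    inetd, 0);
    vif_create("telnet", inetd, 32000);
    vif_create("shell",  inetd, 32000);
}

int main(void)
{
    build_inetd_tree();
    vif_t *ftp = vif_by_name("ftp"), *telnet = vif_by_name("telnet");
    printf("telnet gets %.0f bit/s, ftp gets %.0f bit/s (parent's limit)\n",
           vif_effective_bps(telnet), vif_effective_bps(ftp));
    for (int i = 0; i < 4; i++)   /* 4000-byte bucket: two 1500-byte packets pass, then shaping */
        printf("telnet 1500 B at t=0: %s\n", vif_admit(telnet, 1500, 0) ? "sent" : "shaped");
    printf("ftp 130000 B at t=0: %s (more than inetd's 1 s bucket)\n",
           vif_admit(ftp, 130000, 0) ? "sent" : "shaped");
    printf("telnet 1500 B at t=0.5: %s (bucket refilled)\n",
           vif_admit(telnet, 1500, 0.5) ? "sent" : "shaped");
    return 0;
}
```

The check-then-charge loop in vif_admit is the part worth keeping in mind when reading the slides' "Resource Protection" bullet: an unprivileged process may create sub-VIFs under the one it owns and assign them any limit it likes, but nothing it does at its level can draw more than the bucket of the VIF above it.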
Got bored?
Existing Primitives
Dummynet, IPFW, ALTQ, PF, LARTC, etc...
• Traffic Management tools for system administrators
  – Privileged Instructions
  – Lack of Resource Protection Model
  – Static Configuration
  – Flat Queue Structure
• Each primitive has a particular objective, and a control application built just for that particular purpose
Hierarchical Virtual Network Interface
• Generic OS service for end-host oriented network control
  – Serves as a programming construct
  – Works for a variety of purposes
  – Extends the limit of end-host oriented network control
• But, we need to extend the limit much more...
Research
TOPICS
• Architecture
• Compiler
• Algorithm
• Operating System
• Artificial Intelligence
Architecture
Dynamic Extension of Protocol Stack by Virtual Machine technology
Protocol Stack Virtualization
(figure: BSD, Linux and Windows protocol stacks, each running in its own VM)
Performance?
Compiler
Compiler for High-performance Firewall
Firewall Instrumentation
(figure: packets from the NIC pass through the Filter; the Filter Rule is compiled to BPF code and then to IA32 code)
    Filter Rule:  allow 192.9.200.123
    BPF code:     if (p[12:4] == 0xc009c87b) return accept;   (192.9.200.123 as a 32-bit value; p[12:4] is the IPv4 source address)
                  else return reject;
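The slide shows the two stages of the compiler, filter rule to BPF code and BPF code to IA32 code. The following added example (written for this page; it is not the netnice compiler) implements a miniature version of the first stage and an interpreter to run it: an "allow A.B.C.D" source-address rule is compiled into a four-instruction BPF-style program that loads p[12:4], compares it with the address, and returns accept or reject. The instruction layout, the mnemonics, the function names (compile_rule, run_filter, filter_verdict) and the constructed IPv4 header are all this example's own; native code generation is not shown. The interpreter bounds-checks every load, so a truncated packet is rejected instead of being matched against bytes past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_LD32, OP_JEQ, OP_RET };

/* One BPF-style instruction: opcode, jump-if-true/false offsets, constant.
 * This layout is a simplification chosen for the example. */
typedef struct { uint8_t op, jt, jf; uint32_t k; } insn_t;

#define VERDICT_ACCEPT 1u
#define VERDICT_REJECT 0u
#define PROG_MAX 8

/* "192.9.200.123" -> 0xc009c87b (host order). Returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (uint32_t)a << 24 | b << 16 | c << 8 | d;
    return 1;
}

uint32_t ipv4_value(const char *s)
{
    uint32_t ip = 0;
    return parse_ipv4(s, &ip) ? ip : 0;
}

/* Compile "allow A.B.C.D" into:  ld p[12:4]; jeq ip,L1,L2; L1: ret accept; L2: ret reject.
 * Offset 12 is the source address when p points at the IPv4 header. Returns the
 * instruction count, or -1 if the rule is malformed. */
int compile_rule(const char *rule, insn_t *prog, int max)
{
    char addr[32];
    uint32_t ip;
    if (max < 4) return -1;
    if (sscanf(rule, "allow %31s", addr) != 1 || !parse_ipv4(addr, &ip)) return -1;
    prog[0] = (insn_t){ OP_LD32, 0, 0, 12 };
    prog[1] = (insn_t){ OP_JEQ,  0, 1, ip };
    prog[2] = (insn_t){ OP_RET,  0, 0, VERDICT_ACCEPT };
    prog[3] = (insn_t){ OP_RET,  0, 0, VERDICT_REJECT };
    return 4;
}

/* Run the program over a packet. Loads are bounds-checked against len, so the
 * filter never reads past the buffer; a short packet simply fails the load. */
uint32_t run_filter(const insn_t *prog, int n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < n; pc++) {
        const insn_t *in = &prog[pc];
        switch (in->op) {
        case OP_LD32:
            if ((size_t)in->k + 4 > len) return VERDICT_REJECT;
            acc = (uint32_t)pkt[in->k] << 24 | (uint32_t)pkt[in->k + 1] << 16
                | (uint32_t)pkt[in->k + 2] << 8 | pkt[in->k + 3];
            break;
        case OP_JEQ:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case OP_RET:
            return in->k;
        }
    }
    return VERDICT_REJECT;   /* ran off the end of the program */
}

/* Constructed 20-byte IPv4 header (no options, no payload) for testing. */
size_t make_ipv4(uint8_t *buf, uint32_t src, uint32_t dst)
{
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[3] = 20; buf[8] = 64; buf[9] = 6;   /* v4/IHL 5, len 20, TTL 64, TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return 20;
}

/* End to end: compile rule, build a packet from src, truncate it to len bytes,
 * filter. Returns 1 accept, 0 reject, -1 if the rule does not compile. */
int filter_verdict(const char *rule, const char *src, size_t len)
{
    insn_t prog[PROG_MAX];
    uint8_t pkt[20];
    int n = compile_rule(rule, prog, PROG_MAX);
    if (n < 0) return -1;
    size_t full = make_ipv4(pkt, ipv4_value(src), ipv4_value("10.0.0.1"));
    if (len > full) len = full;
    return run_filter(prog, n, pkt, len) == VERDICT_ACCEPT ? 1 : 0;
}

int main(void)
{
    const char *rule = "allow 192.9.200.123";
    printf("%s, from 192.9.200.123: %d\n", rule, filter_verdict(rule, "192.9.200.123", 20));
    printf("%s, from 10.0.0.7: %d\n", rule, filter_verdict(rule, "10.0.0.7", 20));
    printf("%s, packet cut to 10 bytes: %d\n", rule, filter_verdict(rule, "192.9.200.123", 10));
    return 0;
}
```

The bounds check in OP_LD32 is the one property a compiler for this pipeline must preserve when it goes on to emit IA32 code: the generated native code has to carry the same length test, or a short packet becomes an out-of-bounds read in the kernel.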
Algorithm
Distributed Caching and Traffic Control Algorithm for Fermi FS
Distributed Caching and Traffic Control
(figure: Storage (n = 96), L1 Buffer for On-line Jobs, L2 worker for Off-line Jobs, 1 job / 396ns)
Distributed Hash Table (P2P) technology?
Operating System
Coupled Scheduling Mechanism for CPU and Network
CPU Scheduling + Network Control
• High Priority Jobs: Higher Network Priority
• Lower Priority Jobs: Lower Network Priority
(figure: High / Low)
Artificial Intelligence
Traffic Control based on Semantics analysis of on-going communication
Semantics-Aware Medical Network
• Needs for better fairness, safety, and security
  – e.g. Resource contention between traffic for an Emergency Case (such as Acute MI) and a Common cold
(figure: Ambulance)
Semantics Aware Medical Network
• Each node understands traffic semantics and controls packets accordingly
(figure: Hospital, Node)
Straightforward Approach
• Hop-by-hop routing
• Packet Dropping
• Encrypted Payload
• Stateful Inspection
• What if we analyze the traffic semantics at the intermediate nodes?
Cooperation of End-nodes and Intermediate-nodes
• Hop-by-hop routing
• Packet Dropping
• Encrypted Payload
• Stateful Inspection
• What if the end-nodes attach the semantics information they analyze onto each packet...?
Fairness by Agent model
• What if we prepare "fair" agents, and let the end-users select one for semantics analysis?
We may realize a "fair" and "efficient" semantics-aware network...
To realize such a technology, we need an end-node mechanism
which allows analysis of flows at flexible granularity, and active control of the flows just monitored.