Virtualizing Network I/O on End-Host OS Takashi “taka” Okumura Department of Computer Science...

Post on 30-Dec-2015


Virtualizing Network I/O on End-Host OS

Takashi “taka” Okumura

Department of Computer Science, University of Pittsburgh

Who’s taka?

• A Ph.D. student

• Working with Dr. Mosse'

• Semantics-aware Control of Medical Network

• Virtualization of network I/O on end-host OS

MD/Ph.D.

Network Control on End-host OS

Dummynet, IPFW, ALTQ, PF, netfilter, etc...

• Traffic Management tool for system administrators

– Privileged Instructions

– Lack of Resource Protection Model

– Static Configuration

– Flat Queue Structure

• It is a traffic management model for intermediate nodes

The Traffic Control model limits network control technology

• Why don’t we have a standard API even for bandwidth control??

• Why do we need to be root just to control our own traffic?

• Why can’t we realize access control on a per-application basis on Unix?

• Why can’t we use the Extension Header of IPv6 for existing applications?

(Dummynet, IPFW, ALTQ, PF, LARTC, etc...)

We cannot simply port the router model onto the end-node...

What can we do ?

Fundamental Problem

Dissociation of Resource Management model and Network Control Model

CPU Resource Management

Before AFTER

nice + renice

Network Resource Management

Before AFTER

Virtualization of Network Interface!!

Hierarchical Management

Flexible Control Granularity

Example 1 : netnice

% netnice 1234 512Kbps

[Diagram: VIF for pid = 1234, limited to 512Kbps]

Example 2 : sh

% ftp ftp.freebsd.org @2Mbps

[Diagram: sh VIF at 2Mbps, with ftp as its child]

Various Controls through hierarchical virtualization

Independent Packet Schedulers

Fair Queuing

Packet shaping

Priority Queuing

Integration of QoS and Security Control

[Diagram: Netnice Packet Filter (BPF & libpcap compatible) with libpcap capture, ctrl, a Diverting Interface to a Proxy, and a Packet Filter (Firewall)]

The almighty primitive for network control

• Various Controls in a single framework

• Resource Protection

• Sophisticated API

• Integration of Network Control

– Bandwidth Management

– Queuing Control

– Firewall/Packet Filter

– Packet Capture

Intermission

- Project Status -

India Gate, Bombay (Mumbai)

Why did Taka go to India?

• Loves Indian Food!

• To collaborate with Indian Hackers!

[Photo: Taka at India Gate]

Netnice ORGan Opensource Project

• Kernel Development - Porting

• Application Development - Porting

• (Research Division; discussed later)

Kernel Development

• FreeBSD 4: 97%

• Linux: 50%

• NetBSD: 70%

• OpenBSD: 80%

• FreeBSD 5: 90%

• MacOS X: 5%

• Windows: 1%

We want Alpha/Beta testers!!!

Applications

• Firewall Builder

• Netnice Daemon

• 3D-tcpdump

• Apache module

• inetd

Firewall Builder for Netnice

• Firewall Rule Builder GUI

[Diagram: Root VIF, Rule Builder, Rule Code, netniced (JavaScript!!)]

Scripting Network Control

The Netnice Daemon: netniced

[Diagram: Wireless Network at 11Mbps shared by n Hosts, each getting 11Mbps / n]

var vif = system.get_root("wi0");
var node = new Tupple(1);

function timer() {
    vif.bandwidth = 11 * Mbps / node.size();
}
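As an added example (not netnice's own code, which lives in the kernel), here is a toy Python model of the hierarchical VIF tree behind the netnice and sh examples earlier and the netniced timer script above: every VIF is a token bucket, and a packet is admitted only when the bucket of every ancestor up to the root can also pay for it, so a child process can never exceed its parent's limit. The names VIF, bytes_admitted, rebalance and demo are this example's own, and the tree (wi0 at 11Mbps, a shell at 2Mbps, an ftp process niced to 512Kbps, an uncapped sibling) is constructed from the slides.

```python
class VIF:  # toy model of a netnice-style VIF, not the project's code
    def __init__(self, name, bandwidth_bps, parent=None):
        self.name = name
        self.bandwidth_bps = bandwidth_bps
        self.parent = parent
        self.tokens = float(bandwidth_bps)   # up to one second of burst
        self.last = 0.0
        self.sent_bytes = 0

    def _refill(self, now):
        self.tokens = min(float(self.bandwidth_bps),
                          self.tokens + (now - self.last) * self.bandwidth_bps)
        self.last = now

    def send(self, nbytes, now=0.0):
        """Admit only if every VIF from here up to the root can pay for it."""
        path, node = [], self
        while node is not None:
            node._refill(now)
            path.append(node)
            node = node.parent
        bits = nbytes * 8
        if any(vif.tokens < bits for vif in path):
            return False
        for vif in path:
            vif.tokens -= bits
            vif.sent_bytes += nbytes
        return True

def bytes_admitted(vif, packet_bytes, count, now=0.0):
    """Bytes the tree admits out of `count` back-to-back packets at time `now`."""
    return sum(packet_bytes for _ in range(count) if vif.send(packet_bytes, now))

def rebalance(root, n_hosts, link_bps=11_000_000):
    """What the netniced timer does: share the 11 Mbps link by host count."""
    root.bandwidth_bps = link_bps // max(n_hosts, 1)
    root.tokens = min(root.tokens, float(root.bandwidth_bps))
    return root.bandwidth_bps

def demo():
    # Constructed tree: root wi0, a shell capped at 2 Mbps, an ftp process
    # under it niced to 512 Kbps, and a sibling with no tighter cap of its own.
    root = VIF("wi0", 11_000_000)
    sh = VIF("sh", 2_000_000, parent=root)
    ftp = VIF("ftp", 512_000, parent=sh)
    scp = VIF("scp", 2_000_000, parent=sh)
    ftp_bytes = bytes_admitted(ftp, 1500, 200)   # 300 KB offered at t=0
    scp_bytes = bytes_admitted(scp, 1500, 200)   # 300 KB offered at t=0
    return ftp_bytes, scp_bytes, root.sent_bytes
```

In demo(), ftp is cut off by its own 512Kbps bucket, the sibling is cut off by what remains of the shell's 2Mbps, and the root interface is barely touched.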

3D-TCPDUMP

• 3D Network Analysis/ Visualization Tool

[Diagram: 3D-tcpdump attached through libpcap and ctrl]

Apache: mod_netnice

inetd

#   cat /etc/inetd.conf
ftp     tcp   ftpd -l
telnet  tcp   telnetd @32K/sec
shell   tcp   rshd @32K/sec
#   inetd @1Mbps
#

[Diagram: inetd VIF at 1Mbps, with child VIFs for ftp and telnet (32Kbps)]

Configuration of services and their resources should be integrated

Got bored?

Existing Primitives

Dummynet, IPFW, ALTQ, PF, LARTC, etc...

• Traffic Management tool for system administrators

– Privileged Instructions

– Lack of Resource Protection Model

– Static Configuration

– Flat Queue Structure

• Each primitive has a particular objective, and has a control application just for that particular purpose

Hierarchical Virtual Network Interface

• Generic OS service for end-host oriented network control

– Serves as a programming construct

– Works for a variety of purposes

– Extends the limit of end-host oriented network control

• But, we need to extend the limit, much more...

Research

TOPICS

• Architecture

• Compiler

• Algorithm

• Operating System

• Artificial Intelligence

Architecture

Dynamic Extension of Protocol Stack by Virtual Machine technology

Protocol Stack Virtualization

[Diagram: BSD, Linux and Windows protocol stacks, each running in a VM]

Performance?

Compiler

Compiler for High-performance Firewall

Firewall Instrumentation

[Diagram: packets → NIC → Filter, with the filter rule compiled to BPF code and to IA32 code]

Filter Rule: allow 192.9.200.123

if (p[12:4] == 0xa209e081)
    return accept;
else
    return reject;
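An added example (not the netnice compiler) of the firewall instrumentation idea above: an "allow <ipv4>" rule is compiled into a byte-range test on the IPv4 source address at offset 12, in the same shape as the generated code on the slide, and the resulting predicate is run against constructed IPv4 headers, including a truncated one to show that anything not matching is rejected. compile_rule, ipv4_header and demo are this example's own names.

```python
import ipaddress
import struct

SRC_OFFSET = 12   # offset of the source address within an IPv4 header

def compile_rule(rule):
    """Turn 'allow <ipv4>' into the byte test the slide shows (p[12:4] == ...)."""
    action, addr = rule.split()
    if action != "allow":
        raise ValueError("only 'allow <ipv4>' rules are handled in this example")
    value = int(ipaddress.IPv4Address(addr))
    text = (f"if (p[{SRC_OFFSET}:4] == 0x{value:08x})\n"
            "    return accept;\nelse\n    return reject;")

    def predicate(p):
        # Default deny: a packet too short to hold the field is rejected too.
        if len(p) < SRC_OFFSET + 4:
            return "reject"
        (field,) = struct.unpack_from("!I", p, SRC_OFFSET)
        return "accept" if field == value else "reject"
    return text, predicate

def ipv4_header(src, dst, proto=6):
    """Constructed 20-byte IPv4 header (no options), for testing only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def demo():
    text, allow = compile_rule("allow 192.9.200.123")
    results = {
        "match": allow(ipv4_header("192.9.200.123", "10.0.0.1")),
        "other_src": allow(ipv4_header("192.9.200.124", "10.0.0.1")),
        "dst_only": allow(ipv4_header("10.0.0.1", "192.9.200.123")),
        "truncated": allow(ipv4_header("192.9.200.123", "10.0.0.1")[:14]),
    }
    return text, results
```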

Algorithm

Distributed Caching and Traffic Control Algorithm for Fermi FS

Distributed Caching and Traffic Control

[Diagram labels: Storage, n = 96, L1 Buffer, On-line Jobs, L2 worker, Off-line Jobs, 1 job / 396ns]

Distributed Hash Table (P2P) technology?

Operating System

Coupled Scheduling Mechanism for CPU and Network

CPU Scheduling + Network Control

• High Priority Jobs – Higher Network Priority

• Lower Priority Jobs – Lower Network Priority

Artificial Intelligence

Traffic Control based on semantic analysis of ongoing communication

Semantics-Aware Medical Network

• Needs for better fairness, safety, and security

– ex) Resource contention between traffic for...

• Emergency Case (such as Acute MI)

• Common cold

[Photo: Ambulance]

Semantics Aware Medical Network

• Each node understands traffic semantics and controls packets accordingly

[Diagram: Hospital, Node]

Straightforward Approach

• Hop-by-hop routing

• Packet Dropping

• Encrypted Payload

• Stateful Inspection


• What if we analyze the traffic semantics at the intermediate nodes?

Cooperation of End-nodes and Intermediate-nodes


• What if the end-nodes attach semantics information they analyze onto each packet…?


Fairness by Agent model

• What if we prepare “fair” agents, and let the end-users select one for semantics analysis?

We may realize “fair” and “efficient” semantics-aware network...

To realize such a technology, we need an end-node mechanism which allows analysis of flows at flexible granularity, and active control of the flows just monitored.
