NFP: Enabling Network Function Parallelism in NFV
Chen Sun, Jun Bi, Zhilong Zheng, Hongxin Hu, Heng Yu
NFV — Bright Side vs. Dark Side
[Figure: dedicated hardware devices compared with NFV on commodity hardware (VMs, virtualization techniques); service chain: VPN, Monitor, Firewall, Load Balancer]
• Bright side: Low Cost, Flexibility, Scalability, ……
• Dark side: High Latency, 200 μs ~ 1 ms × 7
Recent Research on Reducing NFV Latency
• Approaches: NF Acceleration, Packet Delivery Acceleration, NF Modularization
• Systems cited: DPDK, ClickOS (NSDI’14), NetVM (NSDI’14), ClickNP (SIGCOMM’16), NetBricks (OSDI’16), OpenBox (SIGCOMM’16)
• These accelerate each component of the chain (VPN, Monitor, Firewall, Load Balancer) horizontally
Key Observations
• 53.8% NF pairs can work in parallel
• Vertical Acceleration: 25% ↓
[Figure: sequential chain VPN, Monitor (Read), Firewall (Drop?), Load Balancer, beside a graph with Firewall (Drop?) and Monitor (Read) in parallel between VPN and Load Balancer]
NFP exploits Network Function Parallelism to reduce NFV latency
Challenge 1: Service Graph Description
• Service Chain (sequential chaining intent): NF → Position; VPN → 1, Monitor → 2, Firewall → 3, LB → 4
• Service Graph (parallel orchestration intent): Firewall, VPN, LB, Monitor
• Intuitive and Expressive
Challenge 2: Service Graph Construction
[Figure: Service Chain and Service Graph, with steps ① and ②; NF Dependency between Monitor and Firewall]
Challenge 3: Resource Overhead Optimization
[Figure: Service Chain (Monitor, VPN, Firewall, LB) and Service Graph (Firewall, VPN, Load Balancer, Monitor), labelled "Extra Packet Copies"]
Challenge 4: Infrastructure for Parallelism
[Figure: Firewall, VPN, Load Balancer, Monitor; labels: Copy, Deliver with minimum overhead, massive packet copies, Merge final output]
Challenge 4: Infrastructure for Parallelism (Packet Dropping)
[Figure: service chain VPN, Monitor, Firewall, LB and service graph Firewall, VPN, Load Balancer, Monitor]
NFP Design Overview
• Policy Specification Scheme
– C1: Intuitive graph description
• Orchestrator
– C2: Service graph construction
– C3: Resource optimization
• Infrastructure
– C4: Infrastructure for parallelism
[Figure: Policies, NFP Compiler, Service Graph, Orchestrator, Infrastructure; Firewall, Load Balancer, VPN, Monitor: Processing & Delivery In Parallel]
Policy Specification Scheme
• Order (NF1, before, NF2): sequential chaining
– Order (Monitor, before, FW)
• Priority (NF2 > NF1): parallel orchestration
– Priority (IPS > Firewall)
• Position (NF, first/last): position assignment
– Position (VPN, first)
– Position (LB, last)
– …
Orchestrator Design
• NFP Policy: Position(VPN, first), Order(FW, before, LB), Order(Monitor, before, LB)
• NFP Orchestrator (C2: Service graph construction; C3: Resource overhead optimization)
1. NF Dependency Identification: dependency identification of Order (NF1, before, NF2)
2. Resource Overhead Optimization: parallelize NFs with low resource overhead
3. Service Graph Construction: service graph construction based on steps 1 & 2
• Service Graph
1. NF Dependency Identification
• NF Dependency, Action Dependency
• Actions: Read (R), Write (W), Add/Remove, Drop
[Table: per-NF actions (R, W, R/W, Add/Rm, Drop) with columns %, SIP, DIP, Payload, Add/Rm, Drop; NFs: Firewall, NIDS, Gateway (Conf/Voice/Media), Load Balance, Caching, VPN, NAT, Compression; percentages shown: 26%, 20%, 19%, 10%, 7%]
1. Action Dependency Analysis
• Result correctness principle
• Independent: Action 1 Read, Action 2 Write
• Dependent: Action 1 Write, Action 2 Read
[Figure: Action 1 and Action 2 applied to Packet and State (Read, Write)]
1. Action Dependency Analysis
• Result correctness principle
[Table: Action 1 × Action 2 over Read, Write, Add/Rm, Drop; each pair marked Parallelizable or Not parallelizable]
• Actions_NF1 [ ], Actions_NF2 [ ], Order (NF1, before, NF2): Action Dependency → NF Dependency
2. Resource Overhead Optimization
• Dirty Memory Reusing: Reduce Copying Necessity
– Not Parallelizable: 46.20%
– Parallelizable without copying: 41.50%
– Parallelizable with copying: 12.30%
[Figure: example with Read (SIP), Write (DIP), Write (DIP)]
• Header Only Copying: Reduce Copying Overhead
– Very few (7%) NFs operate on payload
– Packet header: 64 ÷ 724 = 8.8%
3. Service Graph Construction
• Policy: Position (NF1, first); Order (NF2, before, NF3), (NF2, before, NF4); Priority (NF5 > NF6), (NF6 > NF7)
[Figure: Compile the policy into Individual, Sequential and Parallel parts over NF1 to NF7; Dependency & Copying Necessity; Merge; Final Graph]
Infrastructure Design
• Challenges: Packet Copying, Packet Delivery, Packet Merging, Packet Dropping
• Solutions: Resource Overhead Optimization (Orchestrator); NF Runtime and Merger (Infrastructure)
NF Runtime for Packet Delivery
[Figure: centralized vSwitch delivery (VNF 1 and VNF 2 in VMs, R/T queues, vSwitch as Performance Bottleneck) compared with Distributed Packet Delivery (VNF 1 to VNF 4 in containers with NF Runtime, R/T queues)]
Packet Dropping in NF Runtime
[Figure: an NF drops a packet (Drop); NF Runtime passes nil to the Merger]
Packet Merging
• Packet Merging: c1, c2, c3 → Output
• Packet Dropping: c1, c2, nil → Dropped
Implementation and Evaluation
• Implementation
– 14,000 LoC for the NFP framework prototype
– L3 Forwarder, Load Balancer, Firewall, IDS, VPN, Monitor
– Evaluation target: OpenNetVM (HotMiddlebox’16)
• Evaluation Setup
– Linux kernel 4.4.0-31
– DPDK version 16.11
– Intel(R) Xeon(R) E5-2690 v2 CPUs, 256G RAM, 2×10G NICs
[Figure: DPDK-based Packet Generator connected to NFP or OpenNetVM]
1. Sequential Service Chain Performance
……
* Slightly higher latency: no separate CPU core for delivery
* Improved rate: distributed packet delivery avoids bottleneck
2. Optimization Effect wrt NF Complexity
[Plot: Latency Benefit vs. NF Complexity]
3. Optimization Effect wrt Parallelism Degree
[Plot: Latency Benefit vs. Parallelism Degree]
4. Optimization Effect wrt Graph Structure
[Figure: graph structures (1) to (6); Equivalent chain length]
5. Real World Service Chain Performance
• Service chain for north-south DC traffic: VPN, Monitor, Firewall, LB
– 241μs → 210μs (-12.9%)
– Resource Overhead: 0%
• Service chain for west-east DC traffic: IDS, Monitor, LB (with copy)
– 220μs → 141μs (-35.9%)
– Resource Overhead: 8.8%
Related Work
• Orthogonal to NFP:
– Batch processing (e.g. NetVM [NSDI’14], Intel DPDK)
– Parallel processing of NF building blocks (e.g. ClickNP [SIGCOMM’16])
– Parallelism between match-action tables (e.g. P4, RMT [SIGCOMM’13])
– Module composition in parallel in SDN (e.g. Pyretic [NSDI’13])
• Similar motivation:
– Parabox [SOSR’17]: direct NF dependency analysis, mirror & merge function
• Only NFP provides a complete framework for NF parallelism in NFV
– Policy Specification Scheme for service graph description
– Orchestrator for action based NF dependency analysis and resource optimization
– Infrastructure for light-weight copying, efficient delivery and merging
Conclusion
• NFP: exploiting Network Function Parallelism to accelerate NFV
– Policy Specification Scheme
– Orchestrator
– Infrastructure
• 35.9% Latency Reduction for real world service chains
– At most 8.8% resource overhead
• Future work: inter-server parallelism, policy conflict detection and resolution
[Figure: Policies, NFP Compiler, Service Graph, Orchestrator, Infrastructure; Firewall, VPN, Load Balancer, Monitor: Processing & Delivery In Parallel]
Thank you!
netarchlab.tsinghua.edu.cn
c-sun14@mails.tsinghua.edu.cn