Network Function Virtualization
CSCE 678
Network Functions
[Figure: middleboxes deployed between the Internet and private-IP hosts or services: load balancer, carrier-grade NAT, firewall, IDS, WAN accelerator, ad insertion.]
Middleboxes
[Figure: a middlebox such as a firewall or NAT: a dedicated server with a high-speed Ethernet card, various CPUs and RAM, running a regular OS, with traffic flowing through it.]
Middleboxes Are Not Scalable
[Figure: the protocol layers each NF processes. A switch handles only the Physical and Datalink layers, while a firewall and an IDS process the whole stack (Physical, Datalink, Network, Transport, Application).]
Middleboxes Are Not Scalable
• Physical machines are dedicated to specific purposes
➔ Hard to adjust resources
• Not all NFs have the same requirements
  • Some don’t need the whole stack
  • Some are more computation-intensive than others
  • Various CPU/memory requirements
• Result: a few NFs become the bottleneck
Virtualizing Middleboxes
[Figure: physical NFs (Firewall, IDS, Switch) are replaced by virtual NFs, each running in a VM.]
Virtualizing Middleboxes
• Legacy support (existing NF software runs in VMs)
• Elasticity (add or remove VNF instances as load changes)
• Identical hardware for all NFs
On-premises NFV Cluster
[Figure: corporate sites, each with an on-premises NFV cluster]
An on-premises NFV cluster gives flexibility for managing middleboxes, but still has a hard limit on physical resources.
Outsourcing VNFs to Cloud
1. “Bounce” Model
[Figure: traffic leaves the corporate gateway for the cloud-hosted VNFs and is bounced back to the gateway.]
• Pros: Easy to maintain and expand; selective outsourcing
• Cons: High network latency
Outsourcing VNFs to Cloud
2. “Routing” Model
[Figure: the corporate gateway routes all traffic through the cloud provider, where the VNFs process it.]
• Pros: Reduced network latency
• Cons: The whole network route has to go through the cloud provider; less flexible
Scaling VNFs in Cloud
[Figure: three physical hosts behind a load balancer, each running VNF instances of several tenants:
 Host 1: vFirewall (Tenant A) x2, vNAT (Tenant B)
 Host 2: vNAT (Tenant A), vIDS (Tenant B)
 Host 3: vProxy (Tenant A) x2, vIDS (Tenant B), vNAT (Tenant B)]
VNF Chaining
[Figure: the same deployment as above (three physical hosts behind a load balancer, hosting vFirewall, vNAT, vProxy and vIDS instances of Tenants A and B); a tenant's flows are steered through a chain of its VNF instances across hosts.]
VNF Chaining Concerns
• VNF-level scheduling:
  • How many VNFs to allocate, and when to scale up and down?
  • Network latency between NFs
• Flow-level scheduling:
  • For each network flow, which VNF instances should it be sent to?
  • For stateful VNFs (e.g., IDS, Proxy): how to keep related flows on the same VNF instance?
Per-flow chaining decisions are difficult to make in the cloud (still an open problem).
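Flow-level scheduling for stateful VNFs, as an added example (not from the slides or from any NFV platform): a load balancer that maps every flow to one instance at each stage of a service chain. The flow key is canonicalized so both directions of a connection reach the same IDS/proxy instance, and consistent hashing keeps most flows on their current instance when a stage is scaled up. The chain, the instance names and the sample flows are constructed for the example; plain hash-mod-N placement is computed alongside to show how much more state it disrupts on a scale event.

```python
"""Flow-affinity scheduling for a chain of stateful VNFs (added example)."""
import bisect
import hashlib
from typing import Dict, Iterable, List, Tuple

FlowKey = Tuple[str, int, str, int, int]  # (ip_a, port_a, ip_b, port_b, proto)


def canonical_flow_key(src_ip: str, src_port: int,
                       dst_ip: str, dst_port: int, proto: int) -> FlowKey:
    """Order the two endpoints so A->B and B->A produce the same key.

    A stateful VNF (IDS, proxy, NAT) must see both halves of a connection;
    hashing the raw 5-tuple would send the reply direction to another instance.
    """
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


def _h(data: str) -> int:
    # Stable 64-bit hash; Python's built-in hash() is randomised per process.
    return int.from_bytes(hashlib.blake2b(data.encode(), digest_size=8).digest(), "big")


class ConsistentRing:
    """Hash ring with virtual nodes for one VNF stage (e.g. a tenant's vIDS instances)."""

    def __init__(self, instances: Iterable[str], vnodes: int = 64) -> None:
        self.vnodes = vnodes
        self._points: List[int] = []      # sorted ring positions
        self._owner: Dict[int, str] = {}  # ring position -> instance name
        for inst in instances:
            self.add(inst)

    def add(self, inst: str) -> None:
        for i in range(self.vnodes):
            p = _h(f"{inst}#{i}")
            self._owner[p] = inst
            bisect.insort(self._points, p)

    def remove(self, inst: str) -> None:
        for i in range(self.vnodes):
            p = _h(f"{inst}#{i}")
            if self._owner.pop(p, None) is not None:
                self._points.remove(p)

    def lookup(self, key: FlowKey) -> str:
        """First instance clockwise from the flow's position on the ring."""
        if not self._points:
            raise RuntimeError("stage has no instances")
        idx = bisect.bisect_right(self._points, _h(repr(key)))
        return self._owner[self._points[idx % len(self._points)]]  # wraps around


def naive_pick(key: FlowKey, instances: List[str]) -> str:
    """hash-mod-N: flow-affine, but reshuffles most flows whenever N changes."""
    return instances[_h(repr(key)) % len(instances)]


class ChainScheduler:
    """Per-flow scheduling across an ordered service chain of VNF stages."""

    def __init__(self, chain: List[Tuple[str, List[str]]]) -> None:
        self.stages = [(name, ConsistentRing(insts)) for name, insts in chain]

    def schedule(self, key: FlowKey) -> List[str]:
        """Instance chosen at each stage of the chain for this flow."""
        return [ring.lookup(key) for _, ring in self.stages]

    def scale(self, stage: str, add: Iterable[str] = (), remove: Iterable[str] = ()) -> None:
        ring = dict(self.stages)[stage]
        for inst in remove:
            ring.remove(inst)
        for inst in add:
            ring.add(inst)


def moved_fraction(before: Dict[FlowKey, str], after: Dict[FlowKey, str]) -> float:
    return sum(before[k] != after[k] for k in before) / len(before)


def demo() -> Dict[str, float]:
    """Scale the IDS stage from 2 to 3 instances and measure flow disruption."""
    sched = ChainScheduler([("firewall", ["vfw-1", "vfw-2"]),
                            ("ids", ["vids-1", "vids-2"]),
                            ("nat", ["vnat-1"])])
    # Constructed sample: 1000 client connections to one HTTPS service.
    flows = [canonical_flow_key(f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i,
                                "198.51.100.10", 443, 6) for i in range(1000)]
    fwd = canonical_flow_key("10.0.0.5", 40004, "198.51.100.10", 443, 6)
    rev = canonical_flow_key("198.51.100.10", 443, "10.0.0.5", 40004, 6)
    before = {f: sched.schedule(f) for f in flows}
    sched.scale("ids", add=["vids-3"])
    after = {f: sched.schedule(f) for f in flows}
    naive2 = {f: naive_pick(f, ["vids-1", "vids-2"]) for f in flows}
    naive3 = {f: naive_pick(f, ["vids-1", "vids-2", "vids-3"]) for f in flows}
    return {
        "same_instances_both_directions": float(sched.schedule(fwd) == sched.schedule(rev)),
        "firewall_flows_moved": moved_fraction({f: v[0] for f, v in before.items()},
                                               {f: v[0] for f, v in after.items()}),
        "ids_flows_moved_consistent": moved_fraction({f: v[1] for f, v in before.items()},
                                                     {f: v[1] for f, v in after.items()}),
        "ids_flows_moved_naive": moved_fraction(naive2, naive3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

Scaling the IDS stage touches only that ring, so the firewall and NAT placements of existing flows do not change at all; within the IDS stage, consistent hashing moves roughly the 1/N share of flows that the new instance takes over, whereas hash-mod-N moves about two thirds of them and would force the affected IDS instances to lose connection state mid-flow.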
Reducing System Overheads
OS/hypervisor concerns:
• Expensive network stack and interrupts
• Latency of spinning up a VM
• Virtualization overheads for network devices
ClickOS
• ClickOS is a virtualization solution for NFV
• Ultra-lightweight
  • VMs are extremely small (5 MB)
  • Extremely quick to boot (30 ms)
  • Minimal virtualization delay (45 μs per packet)
• Customized for NFs
  • Network I/O optimization
  • Programming abstractions for NFs
ClickOS Architecture
[Figure: middlebox software runs in a ClickOS VM whose netfront driver talks to the netback driver in Dom0, on top of the Xen hypervisor.]
Network IO Optimization
• ClickOS makes netback (the Dom0-side driver) control-plane only
  • Leveraging SR-IOV
  • Netback only allocates the DMA ring buffers for VMs
  • It is not involved in packet transfer
[Figure: the middlebox software in the VM reads and writes directly mapped buffers instead of passing packets through netback.]
Directly Mapped NICs
User-space networking (bypassing the kernel stack):
• PFQ
• PF_RING
• Intel DPDK
• netmap
Directly Mapped NICs
• Benefit 1: Application-specific optimization
• Benefit 2: Removes data copies from the critical path
• Benefit 3: No interrupts (no context switches)
References
• “ClickOS and the Art of Network Function Virtualization”, by Martins et al. (2014)
• “Network Function Virtualization: State-of-the-art and Research Challenges”, by Mijumbi et al. (2015)
• “Middleboxes as a Cloud Service”, by Justine Sherry (2016)