Lecture 1 - Introduction to Network Services and Virtualization

This mini-course on Network Function Virtualization (NFV) aims to teach how to decouple network services from proprietary hardware, allowing them to run as software on standardized servers. It covers the importance of various network functions, the role of middleboxes, and the benefits of virtualization technologies like Intel VT-d and SR-IOV. The course includes hands-on workshops and projects to enhance understanding of NFV concepts and applications.

Uploaded by Atul Avhad

System Issues in Cloud Computing

Mini-course: Network Function Virtualization

KISHORE RAMACHANDRAN, PROFESSOR


School of Computer Science
College of Computing
Headshot
“Welcome to this mini-course on NFV. You have already been through
the first three legs of this journey in which we covered SDN, Systems
issues, and Application issues in Cloud computing. Now we take you
through the 4th leg of this journey. Simply put the purpose of Network
Function Virtualization is to decouple the network services needed for
any enterprise (such as firewall and malware inspection) from
proprietary hardware appliances often referred to as “Middleboxes” so
that such services can be run as software entities on standardized
servers using IT virtualization technologies. Thus the network services
become virtual network functions.
As has been true with the earlier legs of the journey, there are hands-
on workshops designed to go with the lectures plus a project to tie
4 Modules
● Software Defined Networking (SDN)
● Cloud Applications (APP)
Organization of the mini course
● Lecture 1: introduction to types of network functions and the pathway to virtualizing them
● Lecture 2: A concrete example of a technology enabler for virtualizing network functions
● Lecture 3: Synergy between SDN and
Lecture 1: Introduction to Network Functions
Outline
● What are network functions?
● Middleboxes for realizing network functions as standalone services
● Network management and proliferation of middleboxes
● Network services as software entities
● Virtualization technology for hosting network services as software
entities
What are network functions?
● Firewall
○ Filters traffic based on pre-defined rules.
○ Rules are simple since filtering is in the critical path of packet flow
● Intrusion detection/prevention
○ Perform more complicated analysis of packet traffic
○ Identify complex patterns of network traffic belonging to an attack/suspicious activity
● Network Address Translation (NAT)
○ Translates private IP address space to public IP address space and vice versa
○ Useful for organizations that have a limited public IP presence
● WAN Optimizers
○ Reduce WAN bandwidth consumption of an enterprise
○ Perform multiple techniques like caching, traffic compression, etc. for reducing traffic and latency
● Load balancer
○ Distribute traffic to a pool of backend services
● Virtual Private Network (VPN) Gateway
○ Provides abstraction of same IP address space for networks that are physically separate
○ Multiple sites communicate over WAN using tunnels between gateways
Why do enterprises need these network functions?
User’s view of an enterprise
[Figure: users reaching Internet services such as google, amazon and ebay]
Internal view of an enterprise computing environment
● Clusters of machines serving many internal functions
○ Sales, marketing, inventory, purchasing, etc.
○ Employees accessing them on-premises, and remotely
● Enterprises may have
[Figure: regional offices and the head office connected over the internet; a second view with external organizations labelled Microsoft, Intel and Samsung]
● Network functions give the necessary safeguards and facilities for
enterprises
○ Intrusion Prevention: Performs inspection of packet payload to identify suspicious
traffic
○ Firewall: Filters packets based on their src, dst IPs, ports and protocol
○ Load balancer: Evenly distributes incoming connections to one of the backend
servers
○ WAN Accelerator: Reduces WAN bandwidth consumption by data deduplication and
compression
○ VPN: Provides illusion of same network address space across multiple sites. Provides
encryption for inter-site traffic.
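The firewall function described above filters on source/destination IP, ports and protocol with a deliberately simple rule set. The following is an added example, not code from the lecture: a minimal first-match packet filter over a constructed allow-list policy (the addresses, ports and rule order are assumptions chosen for illustration), showing how the 5-tuple alone decides the verdict and why a trailing default-deny rule matters.

```python
# Added example (not from the lecture): a minimal stateless packet filter that
# matches packets against ordered rules on src/dst IP, ports and protocol.
# The policy and sample packets below are constructed for illustration.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: FiveTuple) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed policy for an on-premise web application: expose only 80/443 to
# everyone, let the internal 10/8 subnet reach the admin port, deny the rest.
# First matching rule wins, the usual ACL/iptables chain semantics.
POLICY = [
    Rule("allow", dst="203.0.113.10/32", dport=443, proto="tcp"),
    Rule("allow", dst="203.0.113.10/32", dport=80, proto="tcp"),
    Rule("allow", src="10.0.0.0/8", dst="203.0.113.10/32", dport=22, proto="tcp"),
    Rule("deny"),  # default deny: everything not explicitly allowed above
]


def filter_packet(pkt: FiveTuple, rules=POLICY) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        FiveTuple("198.51.100.7", "203.0.113.10", 51000, 443, "tcp"),  # public HTTPS
        FiveTuple("198.51.100.7", "203.0.113.10", 51001, 22, "tcp"),   # public SSH
        FiveTuple("10.20.30.40", "203.0.113.10", 51002, 22, "tcp"),    # internal SSH
        FiveTuple("198.51.100.7", "203.0.113.10", 51003, 443, "udp"),  # wrong protocol
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Because every decision is a few comparisons on header fields, this kind of filter can sit in the critical path of every packet, which is exactly why the slide notes that firewall rules stay simple while payload inspection is left to the IPS.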
Outline
● What are network functions?
● Middleboxes for realizing network functions as standalone services
● Network management and proliferation of middleboxes
● Network services as software entities
● Virtualization technology for hosting network services as software
entities
Middleboxes
● Standalone hardware boxes (aka network appliances) providing specific network functions (e.g., firewall)
● Example of Middleboxes deployed in an enterprise
Consider the example of a retail organization (like Walmart) that holds inventory information on premises, but uses an enterprise datacenter for long-running batch processing (demand prediction, etc.)
● End-clients communicate with on-premise application
○ Needs to scale horizontally to handle peak traffic => need for load balancer
○ Limit ports for traffic => need for firewall
○ Detect/prevent suspicious activity => need for Intrusion Prevention
● Communication with enterprise datacenter
○ Need for VPN for encryption of traffic and illusion of continuous IP address space
○ Need for WAN accelerator to reduce WAN bandwidth usage (reduce $$)
● Office personnel access content on the Internet
Middleboxes (or network appliances)
● Computer networking devices
that analyze/modify packets
○ For purposes other than packet
forwarding
● Typically implemented as
specialized hardware
components
An Example: Intrusion Prevention System (IPS)
● Security appliance
● Monitors all open connections to detect and block suspicious traffic
● Sysadmin configures signatures in IPS box to detect suspicious traffic
● Can work in inline mode (can filter out suspicious traffic) or passive mode (analyzes packets outside critical/data path)
[Figure: Cisco IPS 4240 Sensor (source: https://www.cisco.com/c/en/us/support/security/ips-4240-sensor/model.html)]
Table on the right shows the various traffic signatures that Cisco’s IPS are pre-configured with. The system admin can select all or any of these signatures to be searched for in packet traffic. This particular screenshot is for a search result for “botnet”: showing 10 signatures that characterize botnet attack traffic.
Source: https://tools.cisco.com/security/center/ipshome.x
Another Example: HTTP Proxy
● Performance-improving appliance
● Caches web content to reduce page-load time
● Reduces bandwidth consumption
● Can filter out blocked websites
[Figure: Cisco Web Security Appliance S170, https://www.cisco.com/c/en/us/support/security/web-security-appliance-s170/model.html]
Middleboxes in core cellular networks
1. Serving Gateway (S-GW)
a. Responsible for routing/forwarding of packets
b. Executes handoff between neighbouring base stations
2. Packet Gateway (P-GW)
a. Acts as interface between cellular network and Internet
b. NAT between internal IP subnet and Internet
c. Traffic shaping
3. Mobility Management Entity (MME)
a. Key control node of LTE
b. Performs selection of S-GW and P-GW
c. Sets up connection when device is roaming
4. Home Subscriber Server
a. User identification and addressing using IMSI number
b. User profile info: service subscription rates and QoS

https://ccronline.sigcomm.org/wp-content/uploads/2019/05/acmdl19-289.pdf
How are middleboxes different from router/switch?
Middleboxes are stateful
● Packet processing is dependent on fine-grained state
● Updated frequently (per packet/per flow/per connection)
Middleboxes perform complex and varied operations on packets
Outline
● What are network functions?
● Middleboxes for realizing network functions as standalone services
● Network management and proliferation of middleboxes
● Network services as software entities
● Virtualization technology for hosting network services as software
entities
Network management and proliferation of middleboxes
Function → Middleboxes
● Security: Firewall, IDS, IPS, …
● Performance enhancement: HTTP proxy, WAN accelerator, Load balancer, …
● Cross-protocol interoperability: NAT (IPv6 <-> IPv4), VPN, …
● Billing and usage monitoring: …
Network management and proliferation of
middleboxes
● Similar challenges that motivated shift of IT to cloud services
● Leads to lock-in to the hardware vendor of each specific middlebox
○ Difficult and expensive to migrate to a different solution
● Failures of middleboxes lead to network outages
● High Capital and Operational expenditure
○ Provisioning is done based on peak capacity
○ Management/maintenance cost is high
Outline
● What are network functions?
● Middleboxes for realizing network functions as standalone services
● Network management and proliferation of middleboxes
● Network services as software entities
● Virtualization technology for hosting network services as software
entities
Network functions as software entities on COTS servers
● Replace middleboxes by software
entities
● Run such network functions as an
“application” on general-purpose
servers
● Benefits
○ Low cost of deployment
○ Better resource utilization
○ Scaling is easily possible: lower CapEx
○ Can switch between vendors easily
○ Failures are easier to deal with
Examples of “software” middleboxes
● Linux iptables: provides NAT and
Firewall
● SoftEther VPN
● Squid HTTP proxy
● nginx load balancers
● Bro Intrusion Detection System (circa
1999)
Fundamental components of software middleboxes
● Use Unix sockets → opening a socket creates a file descriptor
● Use the read() and write() system calls into the Linux kernel for reading from and writing to a socket
○ Raw Linux sockets enable the developer to read/write raw bytes (MAC layer data) from/to the NIC
Architecture of a load balancer network function
● Distribute client connections to a pool of backend service instances
○ For example HTTP Server
● Use packet’s 5-tuple to choose backend instance
○ Provides connection-level affinity
○ Same connection is sent to same backend instance
[Figure: packet 5-tuple → update & lookup → load balancer → Backend Pool (Backend Service Instance 0, 1, 2)]
Packet processing flow:
1. Read packet (recvfrom() system call for reading packets into buffer)
2. Extract connection info from header
3. Lookup connection info in table
4. If match not found: select backend instance and add to table
5. If match found: send packet to backend instance (sendto() call to send packet out)
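The two slides above describe a software middlebox that reads raw bytes from the NIC, pulls the 5-tuple out of the headers, and keeps a per-connection table so every packet of a connection reaches the same backend. The block below is an added example written for this page, not the lecture's or any project's code: it parses a raw Ethernet/IPv4/TCP frame of the kind recvfrom() on a raw socket would return, and runs the lookup-or-insert connection table. The socket I/O itself is left out so the example runs offline; the frames are constructed inline (no checksums), and the backend names and round-robin choice for new flows are assumptions.

```python
# Added example, not the lecture's code: parse the raw bytes a raw socket's
# recvfrom() hands over (Ethernet/IPv4/TCP or UDP headers) into a 5-tuple,
# then run the connection table that gives a software load balancer affinity.
import struct
from typing import Dict, List, NamedTuple, Optional


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800


def parse_five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Extract the 5-tuple from a raw Ethernet frame; None if not IPv4 TCP/UDP."""
    if len(frame) < ETH_HLEN + 20:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes (options allowed)
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    # Both TCP and UDP carry source and destination ports in their first 4 bytes.
    src_port, dst_port = struct.unpack_from("!HH", ip, ihl)
    return FiveTuple(src_ip, dst_ip, src_port, dst_port, proto)


class LoadBalancer:
    """Maps each connection (5-tuple) to one backend and remembers the mapping."""

    def __init__(self, backends: List[str]):
        self.backends = backends
        self.table: Dict[FiveTuple, str] = {}   # the fine-grained, per-flow state
        self._next = 0                          # round-robin cursor for new flows

    def select(self, key: FiveTuple) -> str:
        backend = self.table.get(key)
        if backend is None:                     # match not found: pick and record
            backend = self.backends[self._next % len(self.backends)]
            self._next += 1
            self.table[key] = backend
        return backend                          # match found: same backend again


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Construct a minimal Ethernet+IPv4+TCP/UDP frame for testing (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip_hdr + l4


def dispatch(lb: LoadBalancer, frames: List[bytes]) -> List[Optional[str]]:
    """Run frames through the balancer; None marks a frame that is not IPv4 TCP/UDP."""
    out = []
    for f in frames:
        key = parse_five_tuple(f)
        out.append(lb.select(key) if key else None)
    return out


if __name__ == "__main__":
    lb = LoadBalancer(["backend-0", "backend-1", "backend-2"])
    frames = [build_frame("198.51.100.7", "203.0.113.10", 51000, 80),
              build_frame("198.51.100.8", "203.0.113.10", 51000, 80),
              build_frame("198.51.100.7", "203.0.113.10", 51000, 80)]  # same flow as first
    print(dispatch(lb, frames))
```

In a real deployment the table is the part that makes the middlebox stateful in the sense of the earlier slide: it is touched on every packet, grows with every new connection, and must be expired (for example on TCP FIN/RST or by timeout) or it becomes a memory-exhaustion problem under a flood of new flows.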
What happens when a packet arrives ?
1. NIC uses Direct Memory Access
to write incoming packet to
memory
2. NIC generates an interrupt
3. CPU handles the interrupt,
allocates kernel buffer and
copies DMA’d packet into
buffer for IP and TCP
processing
4. After protocol processing,
packet payload is copied to
application buffer (user-space)
Outline
● What are network functions?
● Middleboxes for realizing network functions as standalone services
● Network management and proliferation of middleboxes
● Network services as software entities
● Virtualization technology for hosting network services as software
entities
Why virtualization for NF ?
Using a VM for hosting a NF (instead of running NF on bare metal servers)
● Better portability because entire environment can be deployed
○ All dependencies are inside VM image
● Network management becomes easier
● Each NF instance is shielded from software faults from other network services
How to virtualize?
● Traditionally two approaches
○ Full virtualization
○ Para virtualization
● Full virtualization is attractive since the VM on top of hypervisor can
run unmodified
○ “trap-and-emulate” technique in the hypervisor to carry out privileged operations of
the VM which is running in user mode
○ Unfortunately, for network functions that are in the critical path of packet processing
this is bad news…
How “Trap-and-emulate” works
● I/O is performed via system calls
● When guest VM performs I/O operation
○ Executes system call
○ Guest kernel is context switched in
○ Privileged instructions are invoked for reading/writing to I/O
device
● But Guest kernel is actually running in user-
space !!
○ Guest VM is a user-space program from the host’s perspective
○ Execution of privileged instruction by user-space program
results in a trap
● Trap is caught by the hypervisor
○ Performs the I/O on behalf of the Guest VM
○ Notifies the Guest VM after I/O operation finishes
Downsides of “Trap-and-emulate” for NF
● Host kernel (e.g., Dom-0 in Xen) has to be
context switched in by the hypervisor to
activate the network device driver and
access the hardware NIC
● Duplication of work by the virtual device
driver in the Guest and the actual device
driver in the Host
● NF incurs the above overheads
○ For each packet that is sent to the NIC
○ For each packet received from the NIC
● NF is in the critical path of network
processing and such overheads are untenable
Eliminating the Overhead of Virtualization for
NF
● Fortunately, hardware vendors have been paying attention
● We will mention two approaches to eliminate I/O virtualization
overheads
○ Intel VT-d
○ Intel SR-IOV
Enabling technologies for virtualized NFs
1) Intel® Virtualization Technology for Directed I/O (VT-d)
● Allows efficient access to host I/O devices (e.g., NIC)
● Avoids overheads of trap-emulate for every I/O access
● Allows remapping of DMA regions to guest physical memory
● Allows interrupt remapping to guest’s interrupt handlers
● Effectively direct access for guest machine to I/O
Benefits of VT-d
● Avoid overheads of trap-and-emulate
● DMA by NIC is performed to/from
memory belonging to Guest VM’s
buffers
● Interrupts are handled directly by the
Guest instead of hypervisor
● Effectively, the NIC is owned by the
Guest VM
Enabling technologies for virtualized NFs (contd.)
2) Single Root I/O Virtualization (SR-IOV) interface
● An extension to the PCIe specification
● Each PCIe device (Physical Function) is presented as a collection of Virtual Functions
● Practical deployments have 64 VFs per PF
● Each Virtual Function can be assigned to a VM
● Allows higher multi-tenancy and performance isolation
Benefits of SR-IOV
Allows same physical NIC to be
shared by multiple Guest VMs
without conflicts
Putting it all together
● Virtual Network Function
implementation
○ Host machine (NICs, etc.)
○ SR-IOV
○ VT-d direct access
○ Virtual Machine with DPDK driver
○ DPDK will be covered in the next
lecture
○ NFs implemented as a User-space
application running inside VM
○ DMA from SR-IOV VF directly into VM
buffers
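Before a VNF can be given a VF with direct DMA into its buffers, the host has to have the IOMMU (VT-d) enabled and a NIC whose Physical Function actually exposes Virtual Functions. The following is an added example, not code from the lecture: a Python check of the two prerequisites as Linux reports them in sysfs. It relies on the standard kernel attributes `/sys/kernel/iommu_groups/` (populated only when an IOMMU is active) and `sriov_totalvfs` / `sriov_numvfs` under a PCI device's directory; the sysfs root is a parameter so the check can also run against a constructed directory tree (the interface names and VF counts in that tree are made up, with 64 total VFs matching the figure on the slide).

```python
# Added example (not the lecture's): a host-side readiness check for the two
# enablers named on the slides, read from Linux sysfs. The root path is a
# parameter so the functions can run against a constructed tree offline.
import os
import tempfile
from typing import Dict, Optional, Tuple


def iommu_enabled(root: str = "/sys") -> bool:
    """True when the kernel has created at least one IOMMU group (VT-d/AMD-Vi on)."""
    groups = os.path.join(root, "kernel", "iommu_groups")
    return os.path.isdir(groups) and len(os.listdir(groups)) > 0


def _read_int(path: str) -> Optional[int]:
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def sriov_status(root: str = "/sys") -> Dict[str, Dict[str, Optional[int]]]:
    """For each interface whose PCI device is an SR-IOV PF, report total and enabled VFs."""
    result: Dict[str, Dict[str, Optional[int]]] = {}
    net = os.path.join(root, "class", "net")
    if not os.path.isdir(net):
        return result
    for ifname in sorted(os.listdir(net)):
        dev = os.path.join(net, ifname, "device")
        total = _read_int(os.path.join(dev, "sriov_totalvfs"))
        if total is None:
            continue  # not an SR-IOV capable PF (or not a PCI device at all)
        result[ifname] = {"total_vfs": total,
                          "enabled_vfs": _read_int(os.path.join(dev, "sriov_numvfs"))}
    return result


def nfv_ready(root: str = "/sys") -> bool:
    """True when the IOMMU is on and at least one PF already has VFs enabled."""
    return iommu_enabled(root) and any((s["enabled_vfs"] or 0) > 0
                                       for s in sriov_status(root).values())


def make_fake_sysfs(root: str) -> None:
    """Constructed tree: one IOMMU group, eth0 as a PF with 64 VFs (4 enabled), eth1 plain."""
    os.makedirs(os.path.join(root, "kernel", "iommu_groups", "0"), exist_ok=True)
    nics = {"eth0": {"sriov_totalvfs": "64", "sriov_numvfs": "4"}, "eth1": {}}
    for ifname, attrs in nics.items():
        dev = os.path.join(root, "class", "net", ifname, "device")
        os.makedirs(dev, exist_ok=True)
        for name, value in attrs.items():
            with open(os.path.join(dev, name), "w") as f:
                f.write(value + "\n")


def demo() -> Tuple[Dict[str, Dict[str, Optional[int]]], bool]:
    """Run the checks against the constructed tree and return (status, ready)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_sysfs(tmp)
        return sriov_status(tmp), nfv_ready(tmp)


if __name__ == "__main__":
    print("constructed tree:", demo())
    print("this host:", sriov_status(), nfv_ready())
```

Run without arguments on a real host the functions read the live `/sys`; a PF that reports `sriov_totalvfs` but `sriov_numvfs` of 0 has VFs available but none created, which is the usual state before an administrator writes the desired count into `sriov_numvfs`.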
Closing headshot
“In this lecture, we saw the important role played by network functions
in dealing with the vagaries of the wide-area Internet and the
dynamics of the evolving needs of an enterprise. Naturally, businesses
saw an opportunity to wrap such functions in special-purpose hardware
boxes which came to be referred to as middleboxes since they sat
between the enterprise computing and the wide-area Internet. The
proliferation of middleboxes and the ensuing network management
nightmare has rightly turned the attention towards realizing these
network functions as software entities. To make sure that the software
entities can run in a platform agnostic manner, it makes sense to have
the network functions execute on top of a virtualization layer. We
ended the lecture with a look at example technologies from vendors
Credits for Figures Used in this Presentation
● https://www.howtogeek.com/144269/htg-explains-what-firewalls-actually-do/
● http://ecomputernotes.com/computernetworkingnotes/security/virtual-private-network
● https://avinetworks.com/glossary/hardware-load-balancer/
● https://blogs.it.ox.ac.uk/networks/2014/06/05/linuxs-role-in-the-new-eduroam-infrastructure/
● https://slideplayer.com/slide/10419575/
● https://www.cisco.com/c/en/us/support/security/ips-4240-sensor/model.html
● https://www.cisco.com/c/en/us/support/security/web-security-appliance-s170/model.html
● http://www.artizanetworks.com/resources/tutorials/sae_tec.html
● https://portal.etsi.org/NFV/NFV_White_Paper.pdf
● https://myaut.github.io/dtrace-stap-book/kernel/net.html
● https://software.intel.com/en-us/articles/intel-virtualization-technology-for-directed-io-vt-d-enhancing-intel-platforms-for-efficient-virtualization-of-io-devices
● https://www.intel.sg/content/dam/doc/application-note/pci-sig-sr-iov-primer-sr-iov-technology-paper.pdf
● https://upload.wikimedia.org/wikipedia/commons/thumb/6/65/CPT-NAT-1.svg/660px-CPT-NAT-1.svg.png
Resources
● Network function virtualization: through the looking-glass
https://link.springer.com/article/10.1007/s12243-016-0540-9
● http://www.cs.princeton.edu/courses/archive/spr11/cos461/docs/lec11-middleboxes.pdf
● https://portal.etsi.org/NFV/NFV_White_Paper.pdf
● Comparison of Frameworks for High-Performance Packet IO
https://www.net.in.tum.de/publications/papers/gallenmueller_ancs2015.pdf
● VT-d : https://software.intel.com/en-us/articles/intel-virtualization-technology-for-directed-io-vt-d-enhancing-intel-
platforms-for-efficient-virtualization-of-io-devices
● VT-d : https://www.net.in.tum.de/fileadmin/bibtex/publications/papers/ixy_paper_short_draft1.pdf
● SRIOV : https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/sr-iov-nfv-tech-brief.pdf
● SRIOV : https://docs.microsoft.com/en-us/windows-hardware/drivers/network/sr-iov-architecture
● http://yuba.stanford.edu/~huangty/sigcomm15_preview/mbpreview.pdf
● https://www.iab.org/wp-content/IAB-uploads/2014/12/semi2015_edeline.pdf
