Middleboxes are both crucial to today's networks and ubiquitous, but embed knowledge of today's protocols and applications to the detriment of those of tomorrow, making the network harder to evolve. While virtualization technologies like Xen have been around for a long time, it is only in recent years that they have started to be targeted as viable systems for implementing middlebox processing (e.g., firewalls, NATs).
Can they provide this functionality while delivering the high performance expected from hardware-based middlebox offerings? In this talk Joao Martins will introduce ClickOS, a tiny, MiniOS-based virtual machine tailored for network processing. Beyond the VM itself, the talk aims to clarify where the bottlenecks in Xen's network I/O pipe lie and to describe the performance improvements made to the entire system. Finally, Joao Martins will discuss an evaluation showing that ClickOS can be instantiated in 30 msecs, can process traffic at 10Gb/s for almost all packet sizes, introduces a delay of only 40 microseconds, and can run middleboxes at rates of 5 Mp/s. The audience is anyone interested in improving the network performance of Xen, including improvements to the MiniOS and Linux netfront drivers. The talk should also interest people working towards running large numbers of small virtual machines for network processing, as well as those involved in the recent network function virtualization trend.
The outline of this talk and the goals for this session:
- showing a new use case for virtualization: virtual machines as a replacement for hardware middleboxes
- requirements and our solution to this problem
- what Click is and how middleboxes are programmed in Click
- what ClickOS is and our contributions
- network processing under Xen, and the bottlenecks in the I/O pipe
- how packet processing performance was improved
- initialization, memory usage and synchronization between backend and frontend
- delay and throughput evaluation using high numbers of VMs
- performance of some middleboxes (load balancers, firewalls, intrusion detection systems, etc.)
- conclusions and remarks