Virtualizing Network I/O on End-Host OS
Takashi “taka” Okumura
Department of Computer Science, University of Pittsburgh
Who’s taka? (MD/Ph.D.)
• A Ph.D. student
• Working with Dr. Mossé
• Semantics-aware control of medical networks
• Virtualization of network I/O on end-host OS
Network Control on End-host OS
(Dummynet, IPFW, ALTQ, PF, netfilter, etc.)
• Traffic management tools for system administrators
• Privileged instructions
• Lack of a resource protection model
• Static configuration
• Flat queue structure
• It is a traffic management model for intermediate nodes
The Traffic Control model limits network control technology
We cannot simply port the router model onto the end node...
• Why don’t we have a standard API even for bandwidth control?
• Why do we need to be root just to control our own traffic?
• Why can’t we realize access control on a per-application basis on Unix?
• Why can’t we use the IPv6 Extension Header for existing applications?
(Dummynet, IPFW, ALTQ, PF, LARTC, etc.)
Fundamental Problem
Dissociation of the resource management model and the network control model
CPU Resource Management
Before → After: nice + renice
Network Resource Management
Before → After: virtualization of the network interface!!
Hierarchical Management
• Flexible control granularity
Example 1: netnice (process with pid = 1234, limited to 512Kbps)
  % netnice 1234 512Kbps
Example 2: sh → ftp, limited to 2Mbps
  % ftp ftp.freebsd.org@2Mbps
Various Controls through Hierarchical Virtualization
• Independent packet schedulers
• Fair queuing
• Priority queuing
• Packet shaping
Integration of QoS and Security Control
• Netnice packet filter (firewall), BPF & libpcap compatible
• Diverting interface (proxy)
The almighty primitive for network control
• Various controls in a single framework
• Resource protection
• Sophisticated API
• Integration of network control
  • Bandwidth management
  • Queuing control
  • Firewall / packet filter
  • Packet capture
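As an added model of the hierarchy and resource-protection ideas on the preceding slides (not netnice's own code), the following Python builds a tree of virtual interfaces in which a child can never exceed its parent's bandwidth and an unprivileged owner may only tighten its own VIFs, mirroring the nice/renice analogy; the class and function names, the decimal rate units and the exact permission rules are assumptions.

```python
# Added model of netnice-style hierarchical virtual interfaces (VIFs).
# Not netnice's own code: names, the 1000-based rate units and the
# permission rules are assumptions made for this illustration.

UNITS = {"bps": 1, "Kbps": 1_000, "Mbps": 1_000_000}   # assumed decimal units

def parse_rate(text):
    """'512Kbps' -> 512000, '2Mbps' -> 2000000 (as in the netnice examples)."""
    for suffix in sorted(UNITS, key=len, reverse=True):
        if text.endswith(suffix):
            return int(float(text[: -len(suffix)]) * UNITS[suffix])
    raise ValueError(f"bad rate: {text!r}")

class VIF:
    """One node of the VIF tree: a physical interface, a shell, a process..."""
    def __init__(self, name, bandwidth_bps, owner, parent=None):
        self.name, self.owner, self.parent = name, owner, parent
        self.children = []
        if parent is not None:
            parent.children.append(self)
            bandwidth_bps = min(bandwidth_bps, parent.bandwidth_bps)
        self.bandwidth_bps = bandwidth_bps

    def effective_bandwidth(self):
        """A child can never send faster than any of its ancestors allows."""
        cap, node = self.bandwidth_bps, self.parent
        while node is not None:
            cap, node = min(cap, node.bandwidth_bps), node.parent
        return cap

def netnice(vif, new_bps, uid):
    """Analogue of `% netnice <pid> <rate>` with nice/renice-style protection:
    an unprivileged uid may only tighten VIFs it owns; raising a limit or
    touching another user's VIF needs root (uid 0)."""
    if uid != 0 and vif.owner != uid:
        raise PermissionError(f"uid {uid} does not own VIF {vif.name}")
    if uid != 0 and new_bps > vif.bandwidth_bps:
        raise PermissionError("only root may raise a bandwidth limit")
    vif.bandwidth_bps = new_bps
    return vif.effective_bandwidth()

if __name__ == "__main__":
    # Constructed tree: root interface -> user's shell -> ftp child (Example 2).
    root = VIF("fxp0", parse_rate("100Mbps"), owner=0)
    sh = VIF("sh", parse_rate("2Mbps"), owner=1000, parent=root)
    ftp = VIF("ftp", parse_rate("8Mbps"), owner=1000, parent=sh)
    print(ftp.effective_bandwidth())                  # clamped to sh's 2Mbps
    print(netnice(ftp, parse_rate("512Kbps"), 1000))  # Example 1 for this VIF
```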
Intermission: Project Status
Why did Taka go to India?
• Loves Indian food!
• To collaborate with Indian hackers!
Netnice ORGan Open-source Project
• Kernel development - porting
• Application development - porting
• (Research division; discussed later)
Kernel Development (porting status)
  FreeBSD 4   97%
  Linux       50%
  NetBSD      70%
  OpenBSD     80%
  FreeBSD 5   90%
  MacOS X      5%
  Windows      1%
We want Alpha/Beta testers!!!
Applications
• Firewall Builder
• Netnice Daemon
• 3D-tcpdump
• Apache module
• inetd
Firewall Builder for Netnice
• Firewall rule builder GUI (rule builder → rule code → root VIF)
netniced: Scripting Network Control
• JavaScript!!
The Netnice Daemon: netniced
Wireless network example: an 11Mbps link shared among n hosts
  var vif = system.get_root("wi0");
  var node = new Tupple(1);
  function timer() {
      // give each attached host an equal share of the 11Mbps link
      vif.bandwidth = 11 * Mbps / node.size();
  }
3D-TCPDUMP
• 3D network analysis / visualization tool (libpcap based)
inetd
  # cat /etc/inetd.conf
  ftp     tcp  ftpd -l
  telnet  tcp  telnetd @32K/sec
  shell   tcp  rshd @32K/sec
  # inetd @1Mbps
• Configuration of services and their resources should be integrated
Existing Primitives
(Dummynet, IPFW, ALTQ, PF, LARTC, etc.)
• Traffic management tools for system administrators
• Privileged instructions
• Lack of a resource protection model
• Static configuration
• Flat queue structure
• Each primitive has a particular objective, and a control application built just for that purpose
Hierarchical Virtual Network Interface
• Generic OS service for end-host oriented network control
• Serves as a programming construct
• Works for a variety of purposes
• Extends the limit of end-host oriented network control
• But we need to extend the limit much more...
TOPICS
• Architecture
• Compiler
• Algorithm
• Operating System
• Artificial Intelligence
Architecture
Dynamic extension of the protocol stack by virtual machine technology
Protocol Stack Virtualization
• VMs running the Linux, Windows and BSD protocol stacks
• Performance?
Compiler
Compiler for a high-performance firewall
Firewall Instrumentation
Filter rule → filter → BPF code → IA32 code, applied to packets from the NIC
  Filter rule: allow 192.9.200.123
  BPF code:    if (p[12:4] == 0xa209e081) return accept; else return reject;
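As an added illustration of the rule-to-code step on this slide (not the project's compiler), the following Python turns an `allow <address>` rule into the 4-byte compare at IP-header offset 12 that the slide shows, derives the constant from the dotted quad, and runs the compiled check over constructed raw IPv4 packets; it assumes `p[12:4]` addresses the source field of a link-layer-less IPv4 packet and adds a `deny` action and first-match semantics as assumptions.

```python
# Added illustration of the rule -> code step on this slide (not the
# project's compiler).  "allow A.B.C.D" becomes a compare of the 4 bytes at
# offset 12 of a link-layer-less IPv4 packet (the source address), as in
# the slide's p[12:4]; the constant is derived from the dotted quad.
import ipaddress
import struct

SRC_OFFSET, ADDR_LEN = 12, 4   # IPv4 source address field (assumed layout)

def compile_rule(rule):
    """'allow 192.9.200.123' -> (offset, length, 32-bit word, accept?)."""
    action, addr = rule.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule {rule!r}")
    word = int(ipaddress.IPv4Address(addr))      # 192.9.200.123 -> 0xc009c87b
    return (SRC_OFFSET, ADDR_LEN, word, action == "allow")

def render(compiled):
    """Pretty-print one compiled rule in the slide's pseudo-code form."""
    off, ln, word, accept = compiled
    then, other = ("accept", "reject") if accept else ("reject", "accept")
    return f"if (p[{off}:{ln}] == {word:#010x}) return {then}; else return {other};"

def compile_rules(rules, default_accept=False):
    """Build a first-match filter function from a list of rule strings."""
    compiled = [compile_rule(r) for r in rules]
    def filt(packet):
        for off, ln, word, accept in compiled:
            if len(packet) < off + ln:          # truncated header: never match
                return False
            if struct.unpack_from("!I", packet, off)[0] == word:
                return accept
        return default_accept
    return filt

def ipv4_packet(src, dst):
    """Constructed minimal IPv4 header (20 bytes, no options, no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

if __name__ == "__main__":
    rule = compile_rule("allow 192.9.200.123")
    print(render(rule))
    accept = compile_rules(["allow 192.9.200.123"])
    print(accept(ipv4_packet("192.9.200.123", "10.0.0.1")))   # True
    print(accept(ipv4_packet("10.0.0.2", "10.0.0.1")))        # False
```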
Algorithm
Distributed caching and traffic control algorithm for Fermi FS
Distributed Caching and Traffic Control
• On-line jobs: 1 job / 396ns, n = 96
• Off-line jobs
• Storage → L1 buffer → L2 worker
• Distributed Hash Table (P2P) technology?
Operating System
Coupled scheduling mechanism for CPU and network
CPU Scheduling + Network Control
• High priority jobs → higher network priority
• Lower priority jobs → lower network priority
Artificial Intelligence
Traffic control based on semantics analysis of on-going communication
Semantics-Aware Medical Network
• Need for better fairness, safety, and security
• ex) Resource contention between traffic for...
  • an emergency case (such as acute MI)
  • a common cold
Semantics-Aware Medical Network
• Each node understands traffic semantics and controls packets accordingly
(figure: hospital, ambulance, network node)
Straightforward Approach
• What if we analyze the traffic semantics at the intermediate nodes?
• Hop-by-hop routing
• Packet dropping
• Encrypted payload
• Stateful inspection
Cooperation of End-nodes and Intermediate-nodes
• What if the end-nodes attach the semantics information they analyze onto each packet…?
• Hop-by-hop routing
• Packet dropping
• Encrypted payload
• Stateful inspection
Fairness by Agent Model
We may realize a “fair” and “efficient” semantics-aware network...
• What if we prepare “fair” agents, and let the end-users select one for semantics analysis?
To realize such a technology, we need an end-node mechanism which allows analysis of flows at flexible granularity and active control of the flows just monitored!