
Virtualizing Network I/O on End-Host OS

Takashi "taka" Okumura


Department of Computer Science University of Pittsburgh

Who's taka?
A Ph.D. student
Working with Dr. Mossé
Semantics-aware Control of Medical Network
Virtualization of network I/O on end-host OS

Network Control on End-host OS


Traffic Management tool for system administrators

Dummynet, IPFW, ALTQ, PF, netfilter, etc...

Privileged Instructions
Lack of Resource Protection Model
Static Configuration
Flat Queue Structure

It is a traffic management model for intermediate nodes

The Traffic Control model limits network control technology


Why don't we have a standard API even for bandwidth control??
Why do we need to be root just to control our own traffic??
Why can't we realize access control on a per-application basis on Unix??
Why can't we use the Extension Header of IPv6 for existing applications?

Dummynet, IPFW, ALTQ, PF, LARTC, etc...

We cannot simply port the router model onto end-node...

What can we do?

Fundamental Problem

Dissociation of Resource Management model and Network Control Model

CPU Resource Management

Before

AFTER

nice + renice

Network Resource Management

Before

AFTER

Virtualization of Network Interface!!

Hierarchical Management

Flexible Control Granularity

Example 1 : netnice
pid = 1234

512Kbps

% netnice 1234 512Kbps

Example 2 : sh
sh ftp

2Mbps

% ftp ftp.freebsd.org @2Mbps

Various Controls through hierarchical virtualization

Fair Queuing
Packet Shaping
Priority Queuing

Independent Packet Schedulers

Integration of QoS and Security Control


Proxy

libpcap

Diverting Interface

Netnice Packet Filter


ctrl

Packet Filter (Firewall)

BPF&libpcap Compatible

The almighty primitive for network control


Various Controls in a single framework
Resource Protection
Sophisticated API
Integration of Network Control:
  Bandwidth Management
  Queuing Control
  Firewall/Packet Filter
  Packet Capture

Intermission
- Project Status -

India Gate, Bombay (Mumbai)

Why did Taka go to India?


Loves Indian Food!
To collaborate with Indian Hackers!

Netnice ORG
an Opensource Project

Kernel Development - Porting

Application Development - Porting


(Research Division; discussed later)

Kernel Development
Platform    Porting status
FreeBSD 4   97%
Linux       50%
NetBSD      70%
OpenBSD     80%
FreeBSD 5   90%
MacOS X      5%
Windows      1%

We want Alpha/Beta testers!!!

Applications
Firewall Builder
Netnice Daemon
3D-tcpdump
Apache module
inetd

Firewall Builder for Netnice


Firewall Rule Builder GUI

Rule Code

Rule Builder

Root VIF

Scripting Network Control

netniced

The Netnice Daemon: netniced


[diagram: wireless network, 11Mbps shared by n hosts]

var vif  = system.get_root(wi0);
var node = new Tupple(1);

function timer() {
    vif.bandwidth = 11 * Mbps / node.size();
}

3D-TCPDUMP
3D Network Analysis/ Visualization Tool

libpcap

ctrl

Apache: mod_netnice

inetd
inetd

# cat /etc/inetd.conf
ftp     tcp   ftpd -l
telnet  tcp   telnetd @32K/sec
shell   tcp   rshd @32K/sec

# inetd @1Mbps

[diagram: inetd at 1Mbps; ftp and telnet children, telnet and shell at 32Kbps]

Configuration of services and their resources should be integrated
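The slides above (Example 1 and 2, the "Hierarchical Management" summary, and the inetd configuration) describe one mechanism: a tree of virtual interfaces where each node caps a rate, children nest under their parent, and an unprivileged owner may only retune its own subtree, in the way nice/renice work for CPU. The following is an added illustration, not netnice's code or API: the names Vif, set_rate, admit and simulate, the token-bucket shaping, the uids and the 1Mbps/32Kbps numbers (taken from the inetd slide) are assumptions. A packet is admitted only when every interface on its path to the root has credit for it, which is what makes the per-service cap sit inside the per-host cap.

```python
"""Toy model of a hierarchical virtual network interface (VIF) tree.

Each VIF has a token bucket that caps its bit rate, a child is never given
more than its parent, and only the owning uid (or root) may retune a VIF.
Names and API are assumptions for this illustration, not netnice's real
interface.  Rates are integers in bits per second and should be multiples
of 1000 so that one tick (1 ms) refills a whole number of bits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PACKET_BITS = 1500 * 8          # one full-size Ethernet frame payload, in bits
TICK_MS = 1                     # simulation step


class NotOwner(Exception):
    """Raised when a uid tries to retune a VIF it does not own."""


@dataclass
class Vif:
    name: str
    owner: int                      # uid allowed to change this VIF (0 = root)
    rate_bps: int                   # cap in bits per second
    parent: Optional["Vif"] = None
    children: List["Vif"] = field(default_factory=list)
    tokens: int = 0                 # bucket starts empty
    sent_packets: int = 0

    @property
    def burst_bits(self) -> int:
        # at most two full packets of accumulated credit per VIF
        return 2 * PACKET_BITS

    def add_child(self, name: str, owner: int, rate_bps: int) -> "Vif":
        # a child can never be created above its parent's cap
        child = Vif(name, owner, min(rate_bps, self.rate_bps), parent=self)
        self.children.append(child)
        return child

    def set_rate(self, uid: int, rate_bps: int) -> None:
        """Retune like renice: only the owner or root, and never above the parent."""
        if uid != 0 and uid != self.owner:
            raise NotOwner(f"uid {uid} may not retune {self.name}")
        if self.parent is not None and rate_bps > self.parent.rate_bps:
            raise ValueError(f"{self.name}: {rate_bps} bps exceeds parent cap")
        self.rate_bps = rate_bps

    def refill(self) -> None:
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * TICK_MS // 1000)

    def path_to_root(self) -> List["Vif"]:
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return path

    def admit(self, bits: int) -> bool:
        """Charge the packet to every VIF on the path to the root, or admit nothing."""
        path = self.path_to_root()
        if any(v.tokens < bits for v in path):
            return False
        for v in path:
            v.tokens -= bits
            v.sent_packets += 1
        return True


def try_retune(vif: Vif, uid: int, rate_bps: int) -> str:
    """Return 'ok', 'not-owner' or 'over-parent' for an attempted retune."""
    try:
        vif.set_rate(uid, rate_bps)
    except NotOwner:
        return "not-owner"
    except ValueError:
        return "over-parent"
    return "ok"


def all_vifs(root: Vif) -> List[Vif]:
    out, stack = [], [root]
    while stack:
        v = stack.pop()
        out.append(v)
        stack.extend(v.children)
    return out


def simulate(root: Vif, leaves: List[Vif], ticks: int) -> Dict[str, int]:
    """Every leaf offers one full packet per tick; return packets admitted per VIF."""
    nodes = all_vifs(root)
    for _ in range(ticks):
        for v in nodes:
            v.refill()
        for leaf in leaves:            # leaves are served in list order
            leaf.admit(PACKET_BITS)
    return {v.name: v.sent_packets for v in nodes}


def inetd_like_demo() -> Dict[str, int]:
    """Host capped at 1 Mbps, telnet at 32 kbps, ftp only bounded by the host cap."""
    root = Vif("root", owner=0, rate_bps=1_000_000)
    telnet = root.add_child("telnet", owner=1001, rate_bps=32_000)
    ftp = root.add_child("ftp", owner=1002, rate_bps=1_000_000)
    return simulate(root, [telnet, ftp], ticks=1000)   # one simulated second


if __name__ == "__main__":
    print(inetd_like_demo())
```

Over one simulated second the telnet leaf gets two full packets (its 32Kbps bucket fills once every 375 ms) while the root admits 83 packets in total, just under the 1Mbps cap; a uid that owns only the telnet VIF can lower that VIF but can neither retune the root nor raise itself above the parent.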

Got bored?

Existing Primitives
Traffic Management tool for system administrators
Privileged Instructions
Lack of Resource Protection Model
Static Configuration
Flat Queue Structure

Dummynet, IPFW, ALTQ, PF, LARTC, etc...

Each primitive has a particular objective, and a control application built just for that particular purpose

Hierarchical Virtual Network Interface


Generic OS service for end-host oriented network control
Serves as a programming construct
Works for a variety of purposes
Extends the limit of end-host oriented network control

But, we need to extend the limit, much more...

Research

TOPICS
Architecture
Compiler
Algorithm
Operating System
Artificial Intelligence

Architecture
Dynamic Extension of Protocol Stack by Virtual Machine technology

Protocol Stack Virtualization


[diagram: BSD, Linux and Windows protocol stacks, each hosted in a VM]

Performance?

Compiler
Compiler for High-performance Firewall

Firewall Instrumentation

Filter Rule:  allow 192.9.200.123

Filter Rule -> BPF code -> IA32 code  (packets arrive from the NIC)

    if (p[12:4] == 0xa209e081) return accept; else return reject;

Algorithm
Distributed Caching and Traffic Control Algorithm for Fermi FS

Distributed Caching and Traffic Control


[diagram: Off-line Jobs, L2 worker, Storage, L1 Buffer, On-line Jobs; 1 job / 396ns; n = 96]

Distributed Hash Table (P2P) technology?

Operating System
Coupled Scheduling Mechanism for CPU and Network

CPU Scheduling + Network Control


High Priority Jobs  -> Higher Network Priority
Lower Priority Jobs -> Lower Network Priority

Artificial Intelligence
Traffic Control based on Semantics analysis of on-going communication

Semantics-Aware Medical Network


Need for better fairness, safety, and security
ex) Resource contention between traffic for...
  an Emergency Case (such as Acute MI)
  a Common Cold

Semantics Aware Medical Network


[diagram: Hospital, Ambulance, Node]

Each node understands traffic semantics and controls packets accordingly

Straightforward Approach

Hop-by-hop routing Packet Dropping

Encrypted Payload
Stateful Inspection

What if we analyze the traffic semantics at the intermediate nodes?

Cooperation of End-nodes and Intermediate-nodes


Hop-by-hop routing Packet Dropping

Encrypted Payload
Stateful Inspection

What if the end-nodes attach semantics information they analyze onto each packet?

Fairness by Agent model


We may realize fair and efficient semantics-aware network...

What if we prepare fair agents, and let the end-users select one for semantics analysis?

To realize such a technology, we need an end-node mechanism!

...which allows analysis of flows at flexible granularity, and active control of the flows just monitored.

