论文信息 - Hardware-assisted Isolation in a Multi-tenant Function-based Dataplane

Hardware-assisted Isolation in a Multi-tenant Function-based Dataplane

Existing software dataplanes that run network functions inside VMs or containers can provide either performance (by dedicating CPU cores) or multiplexing (by context switching), but not both at once. Function-based dataplane architectures by replacing VMs and containers with function calls promise to achieve multiplexing and performance at the same time. However, they compromise memory isolation between tenants by forcing them to use a shared memory address space. In this paper, we show that an operating system-like management layer for modules in a function-based data plane can offer OS-like constructs such as performance and memory isolation. To provide memory isolation, we leverage new Intel CPU extensions (MPX) to create coarse-grained heap and stack protection even for legacy code written in unsafe native languages such as C. In addition, we use programmable NIC offloads to distribute load across cores as well as to prevent batch fragmentation when processing complex service graphs. Our preliminary evaluation shows the limitations of existing techniques that require heavy weight memory isolation or incur cross-core overheads.

Wei Zhang | Timothy Wood | Kaustubh R. Joshi | Abhigyan Sharma

[1] George Varghese,et al. Efficient fair queueing using deficit round-robin , 1996, TNET.

[2] George Varghese,et al. Efficient fair queueing using deficit round robin , 1995, SIGCOMM '95.

[3] Sylvia Ratnasamy,et al. SoftNIC: A Software NIC to Augment Hardware , 2015 .

[4] Scott Shenker,et al. SoftFlow: A Middlebox Architecture for Open vSwitch , 2016, USENIX Annual Technical Conference.

[5] Peter Druschel,et al. Light-Weight Contexts: An OS Abstraction for Safety and Performance , 2016, OSDI.

[6] Christof Fetzer,et al. Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches , 2017, ArXiv.

[7] Scott Shenker,et al. NetBricks: Taking the V out of NFV , 2016, OSDI.

[8] Vijay Gopalakrishnan,et al. EdgePlex: decomposing the provider edge for flexibilty and reliability , 2015, SOSR.

[9] Derek Bruening,et al. AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[10] Thomas E. Anderson,et al. High Performance Packet Processing with FlexNIC , 2016, ASPLOS.

[11] Dinakar Dhurjati,et al. SAFECode: enforcing alias analysis for weakly typed languages , 2005, PLDI '06.

[12] Milo M. K. Martin,et al. SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.