DOI: 10.1145/3185467.3185496
Research article

Oko: Extending Open vSwitch with Stateful Filters

Published: 28 March 2018

Abstract

With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express many of the packet processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks persistent state and basic arithmetic and logic operations.
This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitch's flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs.
We compare our implementation, based on Open vSwitch-DPDK, to existing approaches with comparable isolation properties and measure a nearly 2x performance improvement.
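The stateful-filter idea in the abstract, as an added illustration that is not Oko's or Open vSwitch's code: a plain userspace C filter standing in for a BPF program, which reads Ethernet/IPv4/TCP headers, keeps a per-source count of bare SYNs that persists across packets, and returns only a match verdict while leaving the packet bytes untouched. The header offsets and flag bits are standard; the table size, threshold, function names and sample frame are constructed assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_TCP_NUM 6
#define TCP_SYN         0x02
#define TCP_ACK         0x10
#define MAX_SOURCES     64   /* constructed: size of the per-source state table */
#define SYN_THRESHOLD   3    /* constructed: match a source after 3 bare SYNs */

/* Persistent state that survives across packets: per-source SYN counters.
 * In the abstract's setting this would be a BPF map; here it is a static
 * open-addressing table. */
struct syn_entry { uint32_t src_ip; uint32_t syn_count; int used; };
static struct syn_entry syn_table[MAX_SOURCES];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

void filter_reset(void) { memset(syn_table, 0, sizeof syn_table); }

/* Find the counter slot for src_ip, creating it if absent; NULL when full. */
static struct syn_entry *lookup_or_insert(uint32_t src_ip) {
    for (uint32_t i = 0; i < MAX_SOURCES; i++) {
        struct syn_entry *e = &syn_table[(src_ip + i) % MAX_SOURCES];
        if (!e->used) { e->used = 1; e->src_ip = src_ip; e->syn_count = 0; return e; }
        if (e->src_ip == src_ip) return e;
    }
    return NULL;
}

uint32_t syn_count_for(uint32_t src_ip) {
    for (uint32_t i = 0; i < MAX_SOURCES; i++)
        if (syn_table[i].used && syn_table[i].src_ip == src_ip) return syn_table[i].syn_count;
    return 0;
}

/* Filter verdict: 1 if the packet's source has exceeded SYN_THRESHOLD bare
 * SYNs, else 0. The packet is const: the filter reads it but never rewrites
 * it, and every read is bounds-checked against len, as a BPF verifier would
 * demand before loading the program. */
int syn_filter(const uint8_t *pkt, size_t len) {
    if (len < ETH_HLEN + 20 || rd16(pkt + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl + 20) return 0;
    if (ip[9] != IPPROTO_TCP_NUM) return 0;
    const uint8_t *tcp = ip + ihl;
    /* Only bare SYNs (SYN set, ACK clear) count as new connection attempts. */
    if ((tcp[13] & (TCP_SYN | TCP_ACK)) != TCP_SYN) return 0;
    struct syn_entry *e = lookup_or_insert(rd32(ip + 12));
    if (!e) return 0;                  /* table full: fail open, like an unmatched rule */
    e->syn_count++;
    return e->syn_count > SYN_THRESHOLD;
}

/* Constructed sample: a minimal Ethernet/IPv4/TCP frame with the given flags. */
size_t build_tcp_frame(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t flags) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = IPPROTO_TCP_NUM;
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint8_t *tcp = ip + 20;
    tcp[12] = 0x50; tcp[13] = flags;                /* data offset 5, flags */
    return 54;
}

/* Push n copies of one frame through the filter from a clean state and return
 * the final verdict, or -1 if the filter altered the packet bytes. */
int run_sample(int n, uint8_t flags) {
    uint8_t buf[64], copy[64];
    filter_reset();
    size_t len = build_tcp_frame(buf, 0x0A000001u, 0x0A000002u, flags);  /* 10.0.0.1 -> 10.0.0.2 */
    memcpy(copy, buf, len);
    int verdict = 0;
    for (int i = 0; i < n; i++) verdict = syn_filter(buf, len);
    return memcmp(copy, buf, len) == 0 ? verdict : -1;
}

int main(void) {
    printf("3 SYNs: verdict %d\n", run_sample(3, TCP_SYN));
    printf("4 SYNs: verdict %d\n", run_sample(4, TCP_SYN));
    printf("4 SYN-ACKs: verdict %d\n", run_sample(4, TCP_SYN | TCP_ACK));
    return 0;
}
```

The filter's contract mirrors the abstract's two properties: the packet pointer is const, so a match can only steer the packet through the existing rule's action rather than rewrite it, and all state lives in a bounded table that outlives any single packet. In a real BPF program the bounds checks and the table would be enforced by the verifier and a map, respectively.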


Cited By

  • Characterizing In-Kernel Observability of Latency-Sensitive Request-Level Metrics with eBPF. 2024 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), pp. 24-35. DOI: 10.1109/ISPASS61541.2024.00013. Online publication date: 5 May 2024.
  • Enabling Fine-Grained Packet Loss Monitoring in Cloud Networks. GLOBECOM 2023 - 2023 IEEE Global Communications Conference, pp. 6789-6794. DOI: 10.1109/GLOBECOM54140.2023.10436938. Online publication date: 4 Dec 2023.
  • A Research Review of OpenFlow for Datacenter Networking. IEEE Access 11, pp. 770-786. DOI: 10.1109/ACCESS.2022.3233466. Online publication date: 2023.
  • A novel programmable software datapath for software-defined networking. Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies, pp. 245-260. DOI: 10.1145/3555050.3569117. Online publication date: 30 Nov 2022.
  • Detecting Multi-Step Attacks: A Modular Approach for Programmable Data Plane. NOMS 2022 - 2022 IEEE/IFIP Network Operations and Management Symposium, pp. 1-9. DOI: 10.1109/NOMS54207.2022.9789931. Online publication date: 25 Apr 2022.
  • Anomaly Detection in Microservice Systems Using Autoencoders. 2022 4th International Conference on Advancements in Computing (ICAC), pp. 488-493. DOI: 10.1109/ICAC57685.2022.10025259. Online publication date: 9 Dec 2022.
  • Revisiting the Open vSwitch Dataplane Ten Years Later. Proceedings of the 2021 ACM SIGCOMM 2021 Conference, pp. 245-257. DOI: 10.1145/3452296.3472914. Online publication date: 9 Aug 2021.
  • Techniques for Securing Control Systems from Attacks. 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 281-288. DOI: 10.1109/TrustCom53373.2021.00053. Online publication date: Oct 2021.
  • A Runtime-Enabled P4 Extension to the Open vSwitch Packet Processing Pipeline. IEEE Transactions on Network and Service Management 18(3), pp. 2832-2845. DOI: 10.1109/TNSM.2021.3055900. Online publication date: Sep 2021.
  • Mitigating TCP Protocol Misuse With Programmable Data Planes. IEEE Transactions on Network and Service Management 18(1), pp. 760-774. DOI: 10.1109/TNSM.2021.3054528. Online publication date: Mar 2021.

    Published In

    SOSR '18: Proceedings of the Symposium on SDN Research
    March 2018
    195 pages
    ISBN: 9781450356640
    DOI: 10.1145/3185467

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Datacenter Networks
    2. Programmable Networks
    3. Software-Defined Networking

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    SOSR '18
    Sponsor:
    SOSR '18: Symposium on SDN Research
    March 28 - 29, 2018
    Los Angeles, CA, USA

    Acceptance Rates

    Overall Acceptance Rate 7 of 43 submissions, 16%


