Network virtualization

Network virtualization works as an abstraction that hides complex underlying network re-sources, enables resource isolation and encourages resource sharing for multiple network and application services [31]. This is usually achieved by virtualizing active network equipment so that their resources could be shared between multiple isolated overlays. This way of operating the network provides many benefits, such as portability, flexibility, and scalability – when compared to traditional, physical network environments. A typical virtual network

2.1 Generalities on network virtualization and monitoring 15

architecture is presented in Fig. 2.1. As presented in Fig. 2.1, physical servers intercon-nected by means of traditional networking devices organize a traditional network. Each of those servers by means of virtualization can be virtualized into several virtual machines interconnected by the virtual switch, uniting into virtual networks among available hardware servers.

Virtual Network 2 Virtual Network 2 Virtual Network 1

Open vSwitch Server Hardware VM1 VM2 VM3 VM4

Open vSwitch Server Hardware

VM8 VM6 VM7 VM5

Physical network

Virtual realm Physical realm

Fig. 2.1 Virtual network: physical and virtual view.

One of the most prominent examples of such performance optimization is the issue of network throughput in virtualized network devices. Traditionally, virtualization and sharing of extension host devices (such as ones attached via PCI) between different VMs had to be implemented by means of the hypervisors themselves. This entailed compatibility and support difficulties, as well as (often) a decrease in the performance of those devices when accessed from a VM. Such an issue was especially problematic for virtualized network devices because their cornerstone component – Network Interface Cards (NICs) – are typically implemented as PCI/PCIe extension cards, and hypervisors were not always capable of providing their VMs with a line-rate NIC performance at high data rates. A substantial improvement in

16 Monitoring Virtualized Networks: State-of-the-art

this regard has been achieved by the introduction of Single-Root Input/Output Virtualization (SR-IOV).

Within SR-IOV specification, a PCIe device itself supports isolation of its resources for direct VM access, in a form of physical and virtual functions. A physical function (PF) presents itself as a full-featured PCIe device, supporting input/output as well as device configuration. Within a physical function, virtual functions (VF) can be defined, which provide virtualized devices supporting input/output only within their parent physical function configuration. When VMs perform I/O operations within these functions (that appear as PCIe devices), hypervisors move the data to and from the physical PCIe hardware directly, bypassing their own internal network abstractions (whenever such functionality is supported, of course). Such a standard specification with a resource sharing and isolation in mind has greatly promoted high-bandwidth I/O for network virtualization.

An important example of network virtualization (which is also heavily used in this thesis) is a software switch - an application to perform packet forwarding and other switch capabilities between virtual NICs (vNIC, that can be attached to VMs) and physical NICs of physical equipment. The most famous player in the domain is Open vSwitch [32], nevertheless, there are other non-hardware implementations of switches, e.g., snabb [33], BESS [34], PISCES [35], FastClick [36], Fr.io VPP [37], netmap VALE [38].

Open vSwitch was created as a simple flow based switch with a central controller and was released in 2009. It is a multilayer virtual switch implemented in software. It operates like a physical switch, e.g., OvS handles information about connected devices with MAC addresses, instances tap interfaces are connected to OvS bridge ports. It uses overlay (GRE/VXLAN) networking providing multi-tenancy in cloud environments.

Due to OvS architectural principles, switching is performed in the kernel module, the equivalent of the fast-path of physical switches/routers. Indeed, the kernel can directly copy frames from one interface to another without any context switching, which is the fastest option in an off-the-shelf computer¹. However, such an operation is not possible for every packet but only for those for which an entry exists in the associate array used by the kernel mode [39]. Other packets, typically the first packet of any new connection must be handled by ovs-switchd, which is executed in user space (hence slower, as some context switching will occur while processing this packet). Ovs-switchd will perform a set of hash lookups in

1note that OvS supports some kernel by-pass techniques like DPDK, which is out of the scope of this thesis.

2.1 Generalities on network virtualization and monitoring 17

its rule tables to find the rule matching the packet. The rule will next be installed in the kernel module path to speed up the processing of the next packets form the connection. Fig.2.2 vividly demonstrates the packet handling in OvS in kernel and user spaces.

With virtualization, a VM (or a container) has its own TCP/IP stack and virtual interface that is connected to a physical interface of the server. This complexity affects performance, especially for servers with high bandwidth requirements. This is typically the case of NVF [40] in the data centers of the telco ISPs, which are in general close to the mobile base stations.

While telcos want to benefit from the flexibility of virtualization, by virtualizing some of their network operations into so-called VNFs, they do not want to sacrifice performance. For these cases, hypervisor bypass solutions like DPDK have been invented [41, 42]. In such cases, a direct link is established between the user space in the VM and controller of the physical interface. This enables to achieve high performance, at the expense of a loss in terms of flexibility as these DPDK-enabled VNFs cannot be easily migrated from one server to another.

This type of solution is also offered in public/private clouds for users/applications with specific network requirements. In this thesis, we do not consider these niche cases but focus on the mainline case where the network traffic of the VM will be handled by the hypervisor.

Fig. 2.2 OvS data path²

2Source of the figure https://blog.sflow.com/2015/01/open-vswitch-performance-monitoring.html

18 Monitoring Virtualized Networks: State-of-the-art

The comparison and evaluation of 6 state-of-the-art software switches were conducted in [43]. The authors proposed a benchmarking methodology for understanding the switches’

performance baseline. A methodology implies 4 test scenarios to evaluate the performance of software switches. In this work OvS-DPDK, snabb, BESS, FastClick VPP and netmap VALE switches were compared and evaluated. The results of such comparison did not bring striking insights: no single switch prevails others. The performance depends on the switch implementation and investigated scenario, e.g., BESS prevails over others in the scenario where packets are forwarded from physical NIC to VNF, whereas snabb wins in the scenario of VNF to VNF. Performance characteristics of virtual switching were also described in [44]

and performance modeling in [45].