
    Rethinking Software Network Data Planes in the Era of Microservices

    The abstract is in the attachment.

    A Framework for eBPF-Based Network Functions in an Era of Microservices

    By moving network functionality from dedicated hardware to software running on end-hosts, Network Functions Virtualization (NFV) promises the benefits of cloud computing for packet processing. While most NFV frameworks today rely on kernel-bypass approaches, little attention has been given to in-kernel packet processing, which has always proved hard to evolve and to program. In this article, we present Polycube, a software framework whose main goal is to bring the power of NFV to in-kernel packet processing applications, enabling a level of flexibility and customization that was previously unthinkable. Polycube enables the creation of arbitrary and complex network function chains, where each function can include an efficient in-kernel data plane and a flexible user-space control plane with strong properties of isolation, persistence, and composability. Polycube network functions, called Cubes, can be dynamically generated and injected into the kernel networking stack without requiring custom kernels or specific kernel modules, simplifying debugging and introspection, which are two fundamental properties in recent cloud environments. We validate the framework by showing significant improvements over existing applications, and we demonstrate the generality of the Polycube programming model through the implementation of complex use cases such as a network provider for Kubernetes.

    Creating Complex Network Services with eBPF: Experience and Lessons Learned

    The extended Berkeley Packet Filter (eBPF) is a recent technology available in the Linux kernel that enables flexible data processing. However, so far eBPF has mainly been used for monitoring tasks such as memory, CPU, page faults, traffic, and more, with only a few examples of traditional network services, e.g., services that modify data in transit. In fact, the creation of complex network functions that go beyond simple proof-of-concept data plane applications has proven to be challenging due to several limitations of this technology, but at the same time very promising due to some characteristics (e.g., dynamic recompilation of the source code) that are not available elsewhere. Based on our experience, this paper presents the most promising characteristics of this technology and the main limitations encountered, and we envision some solutions that can mitigate the latter. We also summarize the most important lessons learned while exploiting eBPF to create complex network functions and, finally, we provide a quantitative characterization of the most significant aspects of this technology.

    Toward an eBPF-based clone of iptables

    Iptables, currently the most common firewall on Linux, has shown several limitations over the years, with scalability as a major concern. This paper reports the first results of a project that aims to create a (partial) clone of iptables using the eBPF/XDP technology. The project assumes an unmodified Linux kernel and guarantees full compatibility (in terms of semantics and syntax) with current iptables.

    Securing Linux with a Faster and Scalable Iptables

    The sheer increase in network speed and the massive deployment of containerized applications on Linux servers have led to the realization that iptables, the current de-facto firewall in Linux, may not be able to cope with current requirements, particularly in terms of scalability in the number of rules. This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantics while guaranteeing higher throughput. We compare our implementation against the current version of iptables and other Linux firewalls, showing how it achieves a notable performance boost, particularly when a high number of rules is involved. This result is achieved without requiring custom kernels or additional software frameworks (e.g., DPDK) that may not be allowed in some scenarios, such as public data centers.

    State-Compute Replication: Parallelizing High-Speed Stateful Packet Processing

    With the slowdown of Moore's law, CPU-oriented packet processing in software will be significantly outpaced by the emerging line speeds of network interface cards (NICs). Single-core packet-processing throughput has saturated. We consider the problem of high-speed packet processing with multiple CPU cores. The key challenge is state: memory that multiple packets must read and update. The prevailing method to scale throughput with multiple cores involves state sharding, processing all packets that update the same state, i.e., flow, at the same core. However, given the heavy-tailed nature of realistic flow size distributions, this method will be untenable in the near future, since total throughput is severely limited by single-core performance. This paper introduces state-compute replication, a principle for scaling the throughput of a single stateful flow across multiple cores using replication. Our design leverages a packet history sequencer running on a NIC or top-of-rack switch to enable multiple cores to update state without explicit synchronization. Our experiments with realistic data center and wide-area Internet traces show that state-compute replication can scale total packet-processing throughput linearly with cores, deterministically and independently of flow size distributions, across a range of realistic packet-processing programs.

    A glosa de créditos do ICMS como forma de retaliação na guerra fiscal : uma análise acerca da recepção do art. 8º, I, da LC nº 24/75 em face da Constituição Federal de 1988

    Undergraduate final-year thesis, Universidade de Brasília, Faculdade de Direito, 2017. This study analyzes the compatibility between art. 8, line I, of Supplementary Law (LC) nº 24/75 and the current Brazilian Constitution, in order to verify whether the aforementioned legal provision was received by the new legal order instituted by the Constitution of 1988, given that the provision predates it. The article provides for the possibility of credit cancellation (glosa de créditos) as a form of retaliation by the States and the Federal District in the tax war, and has been used as support for the issuing of normative acts by the federative units from the end of the last century to the present day. On the occasions on which it was judged by the Brazilian Superior Court of Justice (STJ) and the Brazilian Supreme Court (STF), the issue received differing solutions, although the most recent decisions tend toward the non-reception of art. 8, line I, of LC nº 24/75. All current lawsuits involving the controversy are suspended, owing to the STF's recognition of the general repercussion of the matter in Extraordinary Appeal (RE) nº 628.075. Placing the question in the context of the federative conflict represented by the tax war, this study sought, through doctrinal and jurisprudential research, to set out the premises for defining credit cancellation as contemplated in the analyzed provision, and to verify whether the compatibility between the article and the Constitution survives the main criticisms directed at it. It concludes that art. 8, line I, of LC nº 24/75 was not received by the current Constitution, since it fails the tests of the constitutional norms of legal certainty, non-cumulativity, legality and reasonableness.

    Extended Berkeley Packet Filter

    The extended Berkeley Packet Filter (eBPF) is an in-kernel virtual CPU for packet filtering that was introduced in Linux in 2013. While originally designed to capture and process network traffic, eBPF has also gained the capability to trace and inspect any kernel function, which rapidly became one of its most successful features and is, curiously, even more widely used today than its traditional network processing capabilities. This chapter provides an architectural view of eBPF, gives an insight into its tracing capabilities, and then explores in more depth the case for eBPF technology applied to packet processing.