Open vSwitch - Stateful Connection Tracking & Stateful NAT

Thomas Graf
Thomas GrafCTO & Co-Founder @ Isovalent à Isovalent
Stateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas Graf Noiro Networks, Cisco
Agenda ● Connection Tracking ● NAT ● Integration of other stateful services
We had a performance problem ● With some traffic patterns, performance of OVS could be quite bad ● Last week, we added a post to Network Heresy describing the changes we made to improve performance and the results ● Focus of past two years was on performance. Now that we feel good about the performance, we're back to looking at features ● Any addition to OVS must consider its implication on performance
Implementing a Firewall ● OVS has traditionally only supported stateless matches ● As an example, currently, two ways to implement a firewall in OVS – Match on TCP flags (Enforce policy on SYN, allow ACK|RST) ● Pro: Fast ● Con: Allows non-established flow through with ACK or RST set, only TCP – Use “learn” action to setup new flow in reverse direction ● Pro: More “correct” ● Con: Forces every new flow to OVS userspace, reducing flow setup by orders of magnitude – Neither approach supports “related” flows or TCP window enforcement
Connection Tracking ● We are adding the ability to use the conntrack module from Linux – Stateful tracking of flows – Supports ALGs to punch holes for related “data” channels ● FTP, TFTP, SIP ● Implement a distributed firewall with enforcement at the edge – Better performance – Better visibility ● Introduce new OpenFlow extensions: – Action to send to conntrack – Match fields on state of connection
Netfilter Conntrack Integration Userspace Netlink API Recirculation 1 4
Conntrack Example Conntrack example that only allows port 2 to respond to TCP traffic initiated from port 1: Match Action in_port(1),tcp,conn_state=-tracked conntrack(zone=10),normal in_port(2),tcp,conn_state=-tracked conntrack(zone=10,flags=recirc) in_port(2),tcp,conn_state=+established output:1 in_port(2),tcp,conn_state=+new drop
Connection Tracking Zones
Flow Caching Works Open vSwitch Bridge 3 2.5 2 1.5 1 0.5 0 Pure Forwarding 1 FW Rule 100 FW Rules 1000 FW Rules ● Preliminary results are quite promising – OVS+conntrack uses a nearly consistent rate regardless of number of rules – Bridge+iptables uses more CPU as rule count increases Number of gigacycles per second required to saturate a 10Gbps link with netperf TCP_STREAM. (Lower is better)
Design Goals ● Performance implications must be thought through ● Thought needs to be put into API, since OVS and OpenFlow have traditionally been flow-based and stateless ● While this will only be supported on Linux initially, the API shouldn’t be Linux-specific ● New stateful features being discussed and leveraging kernel: – NAT – Load-balancing through IPVS – DPI
Release Plan ● Will ship with OVS 2.4 ● Will include: – connmark – IP fragment reassembly – Hide break in pipeline from userspace ● Available to try now: – https://github.com/justinpettit/ovs/tree/conntrack
Stateful NAT Overview ● SNAT and DNAT ● Based on connection tracking work ● Leverages stateful NAT mechanism of Netfilter ● Able to do port range and address range mappings to masquerade multiple IPs ● Mapping Modes – Persistent (across reboots) – Hash based – Fully random
Stateful NAT Flow
NAT Example SNAT all TCP packets on port 1 to the IP range 10.0.0.1/24 with reverse SNAT on port 2: Match Action in_port(1),tcp conntrack(zone=10), nat(type=src, min=10.0.0.1, max=10.0.0.255, type=hash) in_port(2),tcp,conn_state=-tracked conntrack(zone=10,flags=recirc) in_port(2),tcp,conn_state=+established nat(reverse) in_port(2),tcp,conn_state=+new drop
Stateful services integration: NFQUEUE action
NFQUEUE action ● Can reuse existing Netfilter queueing mechanism and libnfnetlink + libctnetlink ● Operational Modes: 1. Steal/Drop – Async verdict via CT template 2. Reinjection – Sync verdict via NFQA_MARK ● Needed netfilter modifications: – Reinjection routine for NFPROTO_BRIDGE back into netif_rx() ● OVS modifications – New nfqueue action
Q&A ● More Information: – http://openvswitch.org/ ● Code: – Conntrack (WIP): ● https://github.com/justinpettit/ovs/tree/conntrack – Stateful NAT (WIP): ● https://github.com/tgraf/ovs/tree/nat
1 sur 17

Open vSwitch - Stateful Connection Tracking & Stateful NAT

Télécharger pour lire hors ligne
Technologie

Update on status of connection tracking and stateful NAT addition to the Linux kernel datapath. Followed by a discussion on the topic to collect ideas and come up with next steps.

Thomas Graf
Thomas GrafCTO & Co-Founder @ Isovalent à Isovalent

Recommandé

Understanding DPDK par
Understanding DPDKUnderstanding DPDK
Understanding DPDKDenys Haryachyy
102.5K vues42 diapositives
Linux Network Stack par
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
4.8K vues33 diapositives
LinuxCon 2015 Linux Kernel Networking Walkthrough par
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
26.3K vues20 diapositives
VLANs in the Linux Kernel par
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
11.5K vues33 diapositives
Linux Performance Analysis: New Tools and Old Secrets par
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
604K vues75 diapositives
BPF / XDP 8월 세미나 KossLab par
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabTaeung Song
2.9K vues137 diapositives

Contenu connexe

Tendances

Dpdk applications par
Dpdk applicationsDpdk applications
Dpdk applicationsVipin Varghese
1.2K vues42 diapositives
Intel DPDK Step by Step instructions par
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
56.9K vues12 diapositives
Performance Wins with eBPF: Getting Started (2021) par
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
1.4K vues30 diapositives
Open vSwitch Offload: Conntrack and the Upstream Kernel par
Open vSwitch Offload: Conntrack and the Upstream KernelOpen vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream KernelNetronome
987 vues10 diapositives
Ixgbe internals par
Ixgbe internalsIxgbe internals
Ixgbe internalsSUSE Labs Taipei
1.9K vues42 diapositives
Intel dpdk Tutorial par
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk TutorialSaifuddin Kaijar
10.5K vues27 diapositives

Tendances(20)

Dpdk applications par Vipin Varghese
Dpdk applicationsDpdk applications
Dpdk applications
Vipin Varghese1.2K vues
Intel DPDK Step by Step instructions par Hisaki Ohara
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
Hisaki Ohara56.9K vues
Performance Wins with eBPF: Getting Started (2021) par Brendan Gregg
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg1.4K vues
Open vSwitch Offload: Conntrack and the Upstream Kernel par Netronome
Open vSwitch Offload: Conntrack and the Upstream KernelOpen vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream Kernel
Netronome987 vues
Ixgbe internals par SUSE Labs Taipei
Ixgbe internalsIxgbe internals
Ixgbe internals
SUSE Labs Taipei1.9K vues
Intel dpdk Tutorial par Saifuddin Kaijar
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk Tutorial
Saifuddin Kaijar10.5K vues
DPDK in Containers Hands-on Lab par Michelle Holley
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
Michelle Holley10.3K vues
DPDK: Multi Architecture High Performance Packet Processing par Michelle Holley
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet Processing
Michelle Holley9.1K vues
BPF Internals (eBPF) par Brendan Gregg
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg15.3K vues
Fun with Network Interfaces par Kernel TLV
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
Kernel TLV5K vues
Monitoring MySQL with DTrace/SystemTap par Padraig O'Sullivan
Monitoring MySQL with DTrace/SystemTapMonitoring MySQL with DTrace/SystemTap
Monitoring MySQL with DTrace/SystemTap
Padraig O'Sullivan3.1K vues
Using eBPF for High-Performance Networking in Cilium par ScyllaDB
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in Cilium
ScyllaDB1.1K vues
Boost UDP Transaction Performance par LF Events
Boost UDP Transaction PerformanceBoost UDP Transaction Performance
Boost UDP Transaction Performance
LF Events6.9K vues
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,... par The Linux Foundation
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
The Linux Foundation2.6K vues
The linux networking architecture par hugo lu
The linux networking architectureThe linux networking architecture
The linux networking architecture
hugo lu29.3K vues
Performance Analysis Tools for Linux Kernel par lcplcp1
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp11.6K vues
macvlan and ipvlan par Suraj Deshmukh
macvlan and ipvlanmacvlan and ipvlan
macvlan and ipvlan
Suraj Deshmukh3.7K vues
Deeper Dive in Docker Overlay Networks par Docker, Inc.
Deeper Dive in Docker Overlay NetworksDeeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay Networks
Docker, Inc.2.6K vues
FD.IO Vector Packet Processing par Kernel TLV
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV4.4K vues
nftables - the evolution of Linux Firewall par Marian Marinov
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
Marian Marinov5.2K vues

En vedette

Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015) par
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
4.3K vues44 diapositives
LinuxCon 2015 Stateful NAT with OVS par
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf
4.1K vues13 diapositives
2015 FOSDEM - OVS Stateful Services par
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
5.2K vues22 diapositives
Cilium - Fast IPv6 Container Networking with BPF and XDP par
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
8.6K vues23 diapositives
Cilium - BPF & XDP for containers par
Cilium - BPF & XDP for containersCilium - BPF & XDP for containers
Cilium - BPF & XDP for containersThomas Graf
1.7K vues15 diapositives
Cilium - Container Networking with BPF & XDP par
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPThomas Graf
4.8K vues15 diapositives

En vedette(20)

Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015) par Thomas Graf
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Thomas Graf4.3K vues
LinuxCon 2015 Stateful NAT with OVS par Thomas Graf
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
Thomas Graf4.1K vues
2015 FOSDEM - OVS Stateful Services par Thomas Graf
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
Thomas Graf5.2K vues
Cilium - Fast IPv6 Container Networking with BPF and XDP par Thomas Graf
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf8.6K vues
Cilium - BPF & XDP for containers par Thomas Graf
Cilium - BPF & XDP for containersCilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
Thomas Graf1.7K vues
Cilium - Container Networking with BPF & XDP par Thomas Graf
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
Thomas Graf4.8K vues
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC par Thomas Graf
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf11.4K vues
BPF: Next Generation of Programmable Datapath par Thomas Graf
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
Thomas Graf3K vues
SDN & NFV Introduction - Open Source Data Center Networking par Thomas Graf
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
Thomas Graf8K vues
DevConf 2014 Kernel Networking Walkthrough par Thomas Graf
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf8.3K vues
Linux Networking Explained par Thomas Graf
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf25.6K vues
Netfilter: Making large iptables rulesets scale par brouer
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scale
brouer13.7K vues
OpenvSwitch Deep Dive par rajdeep
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Dive
rajdeep63.9K vues
The 100 - {dive} : event par IRT b-com
The 100 - {dive} : eventThe 100 - {dive} : event
The 100 - {dive} : event
IRT b-com296 vues
Red Hat demo of OpenStack and ODL at ODL summit 2016 par RedHatTelco
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
RedHatTelco888 vues
Why is PHP Awesome par Jeremy Coates
Why is PHP AwesomeWhy is PHP Awesome
Why is PHP Awesome
Jeremy Coates7.5K vues
Pipework: Software-Defined Network for Containers and Docker par Jérôme Petazzoni
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
Jérôme Petazzoni9.1K vues
Firewall y nat par kristianfilipp
Firewall y natFirewall y nat
Firewall y nat
kristianfilipp203 vues
Firewall par Dani Sasmoko
FirewallFirewall
Firewall
Dani Sasmoko5K vues
IP Tables Primer - Part 1 par n|u - The Open Security Community
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1
n|u - The Open Security Community1.9K vues

Similaire à Open vSwitch - Stateful Connection Tracking & Stateful NAT

Space Communication Protocol-By Nilesh,Pravin par
Space Communication Protocol-By Nilesh,PravinSpace Communication Protocol-By Nilesh,Pravin
Space Communication Protocol-By Nilesh,PravinNileshAawale
175 vues28 diapositives
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases par
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OpenvSwitch
1.8K vues20 diapositives
The Challenges of SDN/OpenFlow in an Operational and Large-scale Network par
The Challenges of SDN/OpenFlow in an Operational and Large-scale NetworkThe Challenges of SDN/OpenFlow in an Operational and Large-scale Network
The Challenges of SDN/OpenFlow in an Operational and Large-scale NetworkOpen Networking Summits
1.2K vues30 diapositives
Computer network (11) par
Computer network (11)Computer network (11)
Computer network (11)NYversity
353 vues38 diapositives
Stacks and Layers: Integrating P4, C, OVS and OpenStack par
Stacks and Layers: Integrating P4, C, OVS and OpenStackStacks and Layers: Integrating P4, C, OVS and OpenStack
Stacks and Layers: Integrating P4, C, OVS and OpenStackOpen-NFP
1.6K vues25 diapositives
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up par
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
1.6K vues56 diapositives

Similaire à Open vSwitch - Stateful Connection Tracking & Stateful NAT(20)

Space Communication Protocol-By Nilesh,Pravin par NileshAawale
Space Communication Protocol-By Nilesh,PravinSpace Communication Protocol-By Nilesh,Pravin
Space Communication Protocol-By Nilesh,Pravin
NileshAawale175 vues
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases par LF_OpenvSwitch
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OpenvSwitch1.8K vues
The Challenges of SDN/OpenFlow in an Operational and Large-scale Network par Open Networking Summits
The Challenges of SDN/OpenFlow in an Operational and Large-scale NetworkThe Challenges of SDN/OpenFlow in an Operational and Large-scale Network
The Challenges of SDN/OpenFlow in an Operational and Large-scale Network
Open Networking Summits1.2K vues
Computer network (11) par NYversity
Computer network (11)Computer network (11)
Computer network (11)
NYversity353 vues
Stacks and Layers: Integrating P4, C, OVS and OpenStack par Open-NFP
Stacks and Layers: Integrating P4, C, OVS and OpenStackStacks and Layers: Integrating P4, C, OVS and OpenStack
Stacks and Layers: Integrating P4, C, OVS and OpenStack
Open-NFP1.6K vues
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up par James Denton
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
James Denton1.6K vues
Network and TCP performance relationship workshop par Kae Hsu
Network and TCP performance relationship workshopNetwork and TCP performance relationship workshop
Network and TCP performance relationship workshop
Kae Hsu776 vues
SDN approach.pptx par TrongMinhHoang1
SDN approach.pptxSDN approach.pptx
SDN approach.pptx
TrongMinhHoang14 vues
IP Infusion Application Note for 4G LTE Fixed Wireless Access par Dhiman Chowdhury
IP Infusion Application Note for 4G LTE Fixed Wireless AccessIP Infusion Application Note for 4G LTE Fixed Wireless Access
IP Infusion Application Note for 4G LTE Fixed Wireless Access
Dhiman Chowdhury105 vues
Link Capacity Estimation in SDN-based End-hosts par Farzaneh Pakzad
Link Capacity Estimation in SDN-based End-hostsLink Capacity Estimation in SDN-based End-hosts
Link Capacity Estimation in SDN-based End-hosts
Farzaneh Pakzad334 vues
Making our networking stack truly extensible par Olivier Bonaventure
Making our networking stack truly extensible Making our networking stack truly extensible
Making our networking stack truly extensible
Olivier Bonaventure768 vues
Design and Performance Characteristics of Tap-as-a-Service par soichi shigeta
Design and Performance Characteristics of Tap-as-a-ServiceDesign and Performance Characteristics of Tap-as-a-Service
Design and Performance Characteristics of Tap-as-a-Service
soichi shigeta309 vues
Osnug meetup-tungsten fabric - overview.pptx par M.Qasim Arham
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
M.Qasim Arham607 vues
Computer network (13) par NYversity
Computer network (13)Computer network (13)
Computer network (13)
NYversity369 vues
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or... par Cloud Native Day Tel Aviv
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Cloud Native Day Tel Aviv825 vues
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter par Anne Nicolas
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Anne Nicolas2.3K vues
20160927-tierney-improving-performance-40G-100G-data-transfer-nodes.pdf par JunZhao68
20160927-tierney-improving-performance-40G-100G-data-transfer-nodes.pdf20160927-tierney-improving-performance-40G-100G-data-transfer-nodes.pdf
20160927-tierney-improving-performance-40G-100G-data-transfer-nodes.pdf
JunZhao686 vues
Accelerate Service Function Chaining Vertical Solution with DPDK par OPNFV
Accelerate Service Function Chaining Vertical Solution with DPDKAccelerate Service Function Chaining Vertical Solution with DPDK
Accelerate Service Function Chaining Vertical Solution with DPDK
OPNFV1.5K vues
Using Agilio SmartNICs for OpenStack Networking Acceleration par Netronome
Using Agilio SmartNICs for OpenStack Networking AccelerationUsing Agilio SmartNICs for OpenStack Networking Acceleration
Using Agilio SmartNICs for OpenStack Networking Acceleration
Netronome2.1K vues
Aceleracion TCP Mikrotik.pdf par WifiCren
Aceleracion TCP Mikrotik.pdfAceleracion TCP Mikrotik.pdf
Aceleracion TCP Mikrotik.pdf
WifiCren128 vues

Plus de Thomas Graf

eBPF - Rethinking the Linux Kernel par
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KernelThomas Graf
1.2K vues24 diapositives
BPF & Cilium - Turning Linux into a Microservices-aware Operating System par
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
2.9K vues27 diapositives
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security par
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf
2.6K vues32 diapositives
Accelerating Envoy and Istio with Cilium and the Linux Kernel par
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf
7.5K vues39 diapositives
Cilium - API-aware Networking and Security for Containers based on BPF par
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
1.1K vues46 diapositives
Cilium - Network security for microservices par
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservicesThomas Graf
2.6K vues62 diapositives

Plus de Thomas Graf(8)

eBPF - Rethinking the Linux Kernel par Thomas Graf
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux Kernel
Thomas Graf1.2K vues
BPF & Cilium - Turning Linux into a Microservices-aware Operating System par Thomas Graf
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf2.9K vues
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security par Thomas Graf
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf2.6K vues
Accelerating Envoy and Istio with Cilium and the Linux Kernel par Thomas Graf
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Thomas Graf7.5K vues
Cilium - API-aware Networking and Security for Containers based on BPF par Thomas Graf
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf1.1K vues
Cilium - Network security for microservices par Thomas Graf
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
Thomas Graf2.6K vues
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP par Thomas Graf
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf10.1K vues
Linux Native, HTTP Aware Network Security par Thomas Graf
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
Thomas Graf2.3K vues

Dernier

Discover Aura Workshop (12.5.23).pdf par
Discover Aura Workshop (12.5.23).pdfDiscover Aura Workshop (12.5.23).pdf
Discover Aura Workshop (12.5.23).pdfNeo4j
20 vues55 diapositives
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... par
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...ShapeBlue
120 vues12 diapositives
Cencora Executive Symposium par
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposiummarketingcommunicati21
174 vues14 diapositives
Generative AI: Shifting the AI Landscape par
Generative AI: Shifting the AI LandscapeGenerative AI: Shifting the AI Landscape
Generative AI: Shifting the AI LandscapeDeakin University
78 vues55 diapositives
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... par
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...The Digital Insurer
98 vues52 diapositives
LLMs in Production: Tooling, Process, and Team Structure par
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team StructureAggregage
65 vues77 diapositives

Dernier(20)

Discover Aura Workshop (12.5.23).pdf par Neo4j
Discover Aura Workshop (12.5.23).pdfDiscover Aura Workshop (12.5.23).pdf
Discover Aura Workshop (12.5.23).pdf
Neo4j20 vues
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... par ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue120 vues
Cencora Executive Symposium par marketingcommunicati21
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposium
marketingcommunicati21174 vues
Generative AI: Shifting the AI Landscape par Deakin University
Generative AI: Shifting the AI LandscapeGenerative AI: Shifting the AI Landscape
Generative AI: Shifting the AI Landscape
Deakin University78 vues
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... par The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
The Digital Insurer98 vues
LLMs in Production: Tooling, Process, and Team Structure par Aggregage
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team Structure
Aggregage65 vues
Deep Tech and the Amplified Organisation: Core Concepts par Holonomics
Deep Tech and the Amplified Organisation: Core ConceptsDeep Tech and the Amplified Organisation: Core Concepts
Deep Tech and the Amplified Organisation: Core Concepts
Holonomics17 vues
Netmera Presentation.pdf par Mustafa Kuğu
Netmera Presentation.pdfNetmera Presentation.pdf
Netmera Presentation.pdf
Mustafa Kuğu22 vues
Innovation & Entrepreneurship strategies in Dairy Industry par PervaizDar1
Innovation & Entrepreneurship strategies in Dairy IndustryInnovation & Entrepreneurship strategies in Dairy Industry
Innovation & Entrepreneurship strategies in Dairy Industry
PervaizDar139 vues
Bronack Skills - Risk Management and SRE v1.0 12-3-2023.pdf par ThomasBronack
Bronack Skills - Risk Management and SRE v1.0 12-3-2023.pdfBronack Skills - Risk Management and SRE v1.0 12-3-2023.pdf
Bronack Skills - Risk Management and SRE v1.0 12-3-2023.pdf
ThomasBronack31 vues
Cocktail of Environments. How to Mix Test and Development Environments and St... par Aleksandr Tarasov
Cocktail of Environments. How to Mix Test and Development Environments and St...Cocktail of Environments. How to Mix Test and Development Environments and St...
Cocktail of Environments. How to Mix Test and Development Environments and St...
Aleksandr Tarasov26 vues
Business Analyst Series 2023 - Week 4 Session 8 par DianaGray10
Business Analyst Series 2023 - Week 4 Session 8Business Analyst Series 2023 - Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10180 vues
This talk was not generated with ChatGPT: how AI is changing science par Elena Simperl
This talk was not generated with ChatGPT: how AI is changing scienceThis talk was not generated with ChatGPT: how AI is changing science
This talk was not generated with ChatGPT: how AI is changing science
Elena Simperl34 vues
Inawisdom IDP par PhilipBasford
Inawisdom IDPInawisdom IDP
Inawisdom IDP
PhilipBasford17 vues
CryptoBotsAI par chandureddyvadala199
CryptoBotsAICryptoBotsAI
CryptoBotsAI
chandureddyvadala19942 vues
"Running students' code in isolation. The hard way", Yurii Holiuk par Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays38 vues
Measurecamp Brussels - Synthetic data.pdf par Human37
Measurecamp Brussels - Synthetic data.pdfMeasurecamp Brussels - Synthetic data.pdf
Measurecamp Brussels - Synthetic data.pdf
Human37 27 vues
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... par Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro38 vues
What is Authentication Active Directory_.pptx par HeenaMehta35
What is Authentication Active Directory_.pptxWhat is Authentication Active Directory_.pptx
What is Authentication Active Directory_.pptx
HeenaMehta3515 vues
MVP and prioritization.pdf par rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14140 vues

Open vSwitch - Stateful Connection Tracking & Stateful NAT

  • 1. Stateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas Graf Noiro Networks, Cisco
  • 2. Agenda ● Connection Tracking ● NAT ● Integration of other stateful services
  • 3. We had a performance problem ● With some traffic patterns, performance of OVS could be quite bad ● Last week, we added a post to Network Heresy describing the changes we made to improve performance and the results ● Focus of past two years was on performance. Now that we feel good about the performance, we're back to looking at features ● Any addition to OVS must consider its implication on performance
  • 4. Implementing a Firewall ● OVS has traditionally only supported stateless matches ● As an example, currently, two ways to implement a firewall in OVS – Match on TCP flags (Enforce policy on SYN, allow ACK|RST) ● Pro: Fast ● Con: Allows non-established flow through with ACK or RST set, only TCP – Use “learn” action to setup new flow in reverse direction ● Pro: More “correct” ● Con: Forces every new flow to OVS userspace, reducing flow setup by orders of magnitude – Neither approach supports “related” flows or TCP window enforcement
  • 5. Connection Tracking ● We are adding the ability to use the conntrack module from Linux – Stateful tracking of flows – Supports ALGs to punch holes for related “data” channels ● FTP, TFTP, SIP ● Implement a distributed firewall with enforcement at the edge – Better performance – Better visibility ● Introduce new OpenFlow extensions: – Action to send to conntrack – Match fields on state of connection
  • 6. Netfilter Conntrack Integration Userspace Netlink API Recirculation 1 4
  • 7. Conntrack Example Conntrack example that only allows port 2 to respond to TCP traffic initiated from port 1: Match Action in_port(1),tcp,conn_state=-tracked conntrack(zone=10),normal in_port(2),tcp,conn_state=-tracked conntrack(zone=10,flags=recirc) in_port(2),tcp,conn_state=+established output:1 in_port(2),tcp,conn_state=+new drop
  • 9. Flow Caching Works Open vSwitch Bridge 3 2.5 2 1.5 1 0.5 0 Pure Forwarding 1 FW Rule 100 FW Rules 1000 FW Rules ● Preliminary results are quite promising – OVS+conntrack uses a nearly consistent rate regardless of number of rules – Bridge+iptables uses more CPU as rule count increases Number of gigacycles per second required to saturate a 10Gbps link with netperf TCP_STREAM. (Lower is better)
  • 10. Design Goals ● Performance implications must be thought through ● Thought needs to be put into API, since OVS and OpenFlow have traditionally been flow-based and stateless ● While this will only be supported on Linux initially, the API shouldn’t be Linux-specific ● New stateful features being discussed and leveraging kernel: – NAT – Load-balancing through IPVS – DPI
  • 11. Release Plan ● Will ship with OVS 2.4 ● Will include: – connmark – IP fragment reassembly – Hide break in pipeline from userspace ● Available to try now: – https://github.com/justinpettit/ovs/tree/conntrack
  • 12. Stateful NAT Overview ● SNAT and DNAT ● Based on connection tracking work ● Leverages stateful NAT mechanism of Netfilter ● Able to do port range and address range mappings to masquerade multiple IPs ● Mapping Modes – Persistent (across reboots) – Hash based – Fully random
  • 14. NAT Example SNAT all TCP packets on port 1 to the IP range 10.0.0.1/24 with reverse SNAT on port 2: Match Action in_port(1),tcp conntrack(zone=10), nat(type=src, min=10.0.0.1, max=10.0.0.255, type=hash) in_port(2),tcp,conn_state=-tracked conntrack(zone=10,flags=recirc) in_port(2),tcp,conn_state=+established nat(reverse) in_port(2),tcp,conn_state=+new drop
  • 16. NFQUEUE action ● Can reuse existing Netfilter queueing mechanism and libnfnetlink + libctnetlink ● Operational Modes: 1. Steal/Drop – Async verdict via CT template 2. Reinjection – Sync verdict via NFQA_MARK ● Needed netfilter modifications: – Reinjection routine for NFPROTO_BRIDGE back into netif_rx() ● OVS modifications – New nfqueue action
  • 17. Q&A ● More Information: – http://openvswitch.org/ ● Code: – Conntrack (WIP): ● https://github.com/justinpettit/ovs/tree/conntrack – Stateful NAT (WIP): ● https://github.com/tgraf/ovs/tree/nat