用户模式下虚拟路由器的优化

网络虚拟化体系实现了在同一共享底层架构之上同时运行多个虚拟网络。然而,构建多异构网络并存的、可灵活配置的虚拟网络平台具有一定的挑战性,不仅需要减少虚拟网络之间的交互,还需要提供高速传输的网络特性。对此,提出了一种传统软件虚拟路由器优化方法,实现了用户模式中有效的数据包处理方式,以支持高速、灵活的虚拟网络。采用操作系统层虚拟化过程将物理主机分成多个虚拟机,虚拟路由的数据处理过程在独立的虚拟机中运行,以确保路由处理的安全配置;同时,采用一种优化的用户模式中数据包处理机制,实现了虚拟路由器的高速传输。实验结果证明,该设计中的虚拟路由与传统用户模式中的软件路由器相比,其传输速率提高了3倍以上。     

基于超融合云网络环境的持续丢包主动探测系统

业务上云在近些年已经成为趋势,而新冠疫情也加速了这一趋势.然而公有云并不适用于所有用户.尤其是出于数据隐私的考虑,很多用户尤其是政府用户更希望在后疫情时代建设他们自己的私有云或者混合云.超融合设备(HCI)是达到这一目标的有效手段.在超融合设备中,计算、网络、存储等资源都被完全虚拟化,传统的物理网络设备单元也被一段段代码所替代.此外为了获得高性能的网络转发能力,很多创新技术应运而生,其中DPDK技术是其中翘楚而被广泛应用.开发者可以利用DPDK技术实现多种多样地、定制化地网络转发应用.虚拟化技术和DPDK技术可以大大提升设备资源的利用率以及网络转发性能,降低大中小企业或者机构的数据中心或者私有云的构建难度和成本.但同时高度的虚拟化也给网络运维人员带来了巨大的挑战.这些虚拟网元对网络运维人员而言是没有实体的,虚拟网络在运维人员看来就像一个“黑盒”.当网络出现故障时(如丢包),传统的针对物理网络设备的排障手段在虚拟网络中变得不可用,这就大大增加了网络排障的时间,进而对业务的持续运行造成影响.针对这种问题,设计了一种虚拟网络持续性丢包探测系统Flowprobe,该系统旨在解决基于DPDK用户...     

计算系统虚拟化平台的研究及实现

虚拟化技术是高性能计算系统规模化的关键技术。高能所计算资源虚拟实验床采用 OpenStack 云平台搭建环境。本文讨论了实现虚拟计算资源与计算系统相互融合的三个关键因素：网络架构设计、环境匹配和系统总体规划。本文首先讨论了虚拟网络架构。虚拟化平台通过部署 neutron 组件、OVS以及 802.1Q 协议来实现虚拟网络和物理网络的二层直连,通过配置物理交换机实现三层转发,避免了数据经过 OpenStack 网络节点转发的瓶颈。其次,虚拟计算资源要融入计算系统,需要与计算系统的各个组件进行信息的动态同步,以满足域名分配、自动化配置以及监视等系统的需要。文章介绍了自主开发的 NETDB 组件,该组件负责实现包括虚拟机与域名系统 (DNS)、自动化安装和管理系统 (puppet) 以及监视系统的信息动态同步等功能;最后,在系统总体规划中,文章讨论了包括统一认证、共享存储、自动化部署、规模扩展和镜像等内容。     

Improved parallelism and scheduling in multi-core software routers

Recent technological advances in commodity server architectures, with multiple multi-core CPUs, integrated memory controllers, high-speed interconnects, and enhanced network interface cards, provide substantial computational capacity, and thus an attractive platform for packet forwarding. However, to exploit this available capacity, we need a suitable software platform that allows effective parallel packet processing and resource management. In this paper, we at first introduce an improved forwarding architecture for software routers that enhances parallelism by exploiting hardware classification and multi-queue support, already available in recent commodity network interface cards. After evaluating the original scheduling algorithm of the widely-used Click modular router, we propose solutions for extending this scheduler for improved fairness, throughput, and more precise resource management. To illustrate the potential benefits of our proposal, we implement and evaluate a few key elements of our overall design. Finally, we discuss how our improved forwarding architecture and resource management might be applied in virtualized software routers.     

Packet aggregation based network I/O virtualization for cloud computing

Virtualization is a key technology to enable cloud computing. Driver domain based model for network virtualization offers isolation and high levels of flexibility. However, it suffers from poor performance and lacks scalability. In this paper, we evaluate networking performance of virtual machines within Xen. The I/O channel transferring packets between the driver domain and the virtual machines is shown to be the bottleneck. To overcome this limitation, we proposed a packet aggregation based mechanism to transfer packets from the driver domain to the virtual machines. Packet aggregation, combined with an efficient core allocation, allows virtual machines throughput to scale up by 700%, while minimizing both memory and CPU consumption. Besides, aggregation impact on packets delay and jitter remains acceptable. Hence, the proposed I/O virtualization model satisfies infrastructure providers to offer Cloud computing services.     

嵌入式虚拟化技术

计算机系统虚拟化技术是IT领域近几年的热点技术。虚拟化技术的下一步发展方向是嵌入式系统。嵌入式系统进行虚拟化是在嵌入式硬件平台和操作系统之间加入一层叫做虚拟机管理器的软件,由后者构造出可运行多种操作系统的虚拟机。国外多家公司和大学已对嵌入式虚拟化技术展开研究。嵌入式虚拟化的好处包括减少嵌入式系统开发成本、缩短产品上市周期、利于整合功能、减少功耗、软件资产保值和增强安全性与可靠性。嵌入式虚拟化技术面临的问题包括实时调度问题、嵌入式硬件平台多样性问题、电源管理问题以及跨虚拟机通信问题。嵌入式虚拟化技术将给嵌入式领域带来重大变化,值得关注。     

基于FPGA的软件定义协议无关解析器

随着信息技术的繁荣发展,各种功能的异构网络层出不穷,异构融合网络成为下一代网络发展的必然趋势。实现异构网络之间的通信,网络转发设备必不可少。传统的转发设备仅支持固定的协议配置,缺乏可扩展性,无法支持新的网络协议。针对这种情况,提出了一种基于FPGA的软件定义协议无关解析器,通过软件定义解析流程,给予解析器灵活可编程的特性,无须对硬件设备进行更改即可完成对多种协议数据包的解析并提取出数据包转发所需的关键信息。通过高性能FPGA平台对解析器进行了实现,并进行了硬件资源开销和性能的评估。实验结果表明,可以完成多种异构网络协议的快速解析,得到完整的解析数据。     

基于OpenFlow的软件定义网络虚拟化方案

软件定义网络(SDN)可以将网络控制平面与数据平面分离开来,为网络虚拟化提供了良好的平台。为了解决SDN中多租户下的虚拟化,提出了一种基于OpenFlow的网络虚拟化方案。通过一个中间代理来转换并匹配物理MAC地址与虚拟MAC地址,以及物理流表项和虚拟流表项,以此实现流量空间的虚拟化。其中,根据实际数据包的惰性计算,使用前缀或通配符来精确匹配流表项。另外,为了保障物理OpenFlow网络上不同租户之间的隔离,将单个虚拟MAC-通配符流表项映射为多个具有精确MAC地址的物理流表项。实验结果表明,该方案成功的实现了网络虚拟化,且虚拟化开销较小,具有可行性。     

基于自描述缓冲区的网络处理开发环境

随着通用多核技术的发展,多核处理器在网络核心设备能够提供较高的I/O吞吐能力,并支持更复杂的网络处理,为网络处理与转发带来了前所未有的灵活性和普适性.但是,在核心网络中,多核处理器的处理与转发性能仍然面临着巨大的挑战.首先,随着网络带宽的不断提升,多核处理器需要提供越来越高的处理能力.其次,随着网络业务复杂度的提高,在网络报文处理与转发中,应用对报文的处理开销越来越大,对设备的I/O裸转发能力提出了更高的要求.提出了一种硬件缓冲区管理机制Self-Described Buffer（SDB),具有硬件低开销、软件高性能等优点.基于SDB的机制,设计并实现了一个通用的网络处理开发环境NPDK.NPDK采用零中断、零拷贝方式,提供内核与用户驱动,适用于通用多核CPU系统.不但具有简单、灵活、易开发等特点,而且在内核态下支持用户对每个CPU核上进行异构报文处理编程和在用户态下支持独占式多线程编程与共享式多进程并行编程.测试结果表明,基于SDB的网络处理开发环境在10G速率报文I/O转发性能接近线速,特别是64字节小报文可达到7.49Gbps.目前,NPDK已经在click路由器、OpenFlow交换机和网络探针等方面得到应用.     

基于标签的POF网络虚拟化技术研究

针对SDN新一代转发控制分离技术——协议无感知转发(POF),提出了协议字段全开放的SDN网络虚拟化架构。该架构提出了基于标签的网络虚拟化技术和POF物理交换机流表分配技术,通过网络虚拟化中间件将POF交换机与POF控制器之间传递的消息进行转换,对物理网络中传输的数据进行标签封装,从而区分不同网络切片与虚拟链路的流量信息。与已有的虚拟化中间件Flow Visor、Open Virtex、Co Visor等相比,该虚拟化中间件全面支持POF协议,通过物理网络中的数据的标签化处理,实现了SDN转发平面全字段开放的网络虚拟化。同时,基于该套架构,实现了POF网络虚拟化中间件系统POFHyper Visor,并验证了该POF网络虚拟化中间件系统的功能与性能,经测试,虚拟化消息处理能力损失在17.1%~29.9%。     

基于XenDesktop桌面虚拟化网络平台的研究

Citrix公司推出的XenDesktop桌面虚拟化软件囊括了从虚拟底层硬件到虚拟应用程序的全部软件,它能将操作系统、应用程序和数据与底层的硬件系统分隔开。利用XenDesktop构建的整体虚拟化网络平台,解决了传统网络平台的软硬件费用高,架构复杂利用率低,管理、维护、升级困难,灾难和数据保护不足等缺陷。此外,其客户端可以通过局域网、互联网和无线网络进行访问,而且客户端本身也不再局限于传统X86 PC,MAC、平板电脑、手机都可作为客户端,实现了在任何位置、任何设备上进行访问的能力。     

Accelerator Virtualization Framework Based on Inter-VM Exitless Communication

The increasing deployment of artificial intelligence has placed unprecedent requirements on the computing power of cloud computing. Cloud service providers have integrated accelerators with massive parallel computing units in the data center. These accelerators need to be combined with existing virtualization platforms to partition the computing resources. The current mainstream accelerator virtualization solution is through the PCI passthrough approach, which however does not support fine-grained resource provisioning. Some manufacturers also start to provide time-sliced multiplexing schemes and use drivers to cooperate with specific hardware to divide resources and time slices to different virtual machines, which unfortunately suffer from poor portability and flexibility. One alternative but promising approach is based on API forwarding, which forwards the virtual machine''s request to the back-end driver for processing through a separate driver model. Yet, the communication due to API forwarding can easily become the performance bottleneck. This paper proposes Wormhole, an accelerator virtualization framework based on the C/S architecture that supports rapid delegated execution across virtual machines. It aims to provide upper-level users with an efficient and transparent way to accelerate the virtualization of accelerators with API forwarding while ensuring strong isolation between multiple users. By leveraging hardware virtualization feature, the framework minimizes performance degradation through exitless inter-VM control flow switch. Experimental results show that Wormhole''s prototype system can achieve up to 5 times performance improvement over the traditional open-source virtualization solution such as GVirtuS in the training test of the classic model.     

基于容器的安全接入虚拟化

面对电力系统中信息网络、互联网边界海量电力物联网终端的访问需求,针对传统安全接入边界各类装置实现方法资源分配不均、兼容性差、扩展性差以及性能瓶颈等问题,提出一种基于容器的安全接入虚拟化模型。该模型采用DPDK高性能数据包处理框架、成熟容器集群管理框架、服务计算节点编排等关键技术,将数据平面与控制平面完全分离,构建独立的数据虚拟化转发平面,并采用SR-IOV技术实现硬件资源的虚拟化和统一调度管理,将安全接入能力服务化。基于该模型的安全接入装置集群具有高性能、高可用、灵活编排、可扩展性强等优势。实验结果表明,该模型方法能够高效合理利用硬件资源,大幅提升电力系统边界安全接入的效率。     

IXP1200在IP加密机的应用研究

随着因特网的迅速发展,数据包的处理和加密应用成为公共网络上安全通信的一个研究热点。目前,传统的基地PC的IP加密机实现存在着功能不能灵活扩展的弱点以及对数据包的处理速度达不到线速的缺点。本文采用IXP1200网络处理器作为硬件平台来开展对IP加密机进行研究。通过主动计算元素来灵活地扩展新的网络服务功能,并且通过对IXP1200网络处理器的微引擎的分工与加密卡的协作来提高数据包的处理速度和加密处理速率,以满足安全通讯中高吞吐量的要求。     

Attacking network routers

One of the more critical components to computer networks is the router. Routers are used for many protocols to provide packet forwarding services between networks and geographic locations. Many vendors, for some time now, have been creating what are called multiprotocol routers which are capable of forwarding packets for a range of protocols over a variety of network hardware selections.     

基于FPGA可扩展的Mapreduce架构设计与实现

在基于机群的Mapreduce架构模型基础上,提出了一种基于CPU和FPGA环境、可扩展的Mapreduce架构。通过网络连接和驱动模块,实现了计算机软件与可编程硬件之间的通信,其中,CPU主机主要完成于文件系统的通行,将复杂耗时的运算过程转移到FPGA平台中处理,并引入内部流水线处理过程,大幅度加速了系统运算过程。同时,该架构可将更多的任务扩展到多个FPGA平台,弥补了器件内部存储资源的局限性,提高了系统的性能。此外,软硬件之间的命令、状态等信息交互为管理在FPGA中扩展任务提供了有效途径。实验证明,此架构在大幅提高运算速度的同时,提供了较好的底层设备可扩展性和管理的灵活性。     

基于网卡虚拟化的高性能容器网络设计

单根I/O虚拟化技术为传统数据中心提供高效的服务器整合能力和灵活的应用部署能力,通过将多个网卡直通到虚拟机,减少额外包复制带来的性能损失,使得网络I/O具有接近主机的性能。然而,在网络功能虚拟化场景下单独使用单根I/O虚拟化技术会降低传统数据中心的网络I/O虚拟化性能。针对网络功能虚拟化长链场景,结合单根I/O虚拟化技术和软件虚拟化技术,设计基于网卡虚拟化的高性能容器网络。通过转发模块判断网络流量的目的地址,寻找最优的流量转发路径,实现流量的灵活转发。利用基于脚本程序的自动化部署模块,对每个节点业务进行支持动态增删服务的配置,便于用户对网络进行管理和修改。实验结果表明,在网络功能虚拟化长链场景下,相比单根I/O虚拟化技术,该网络延迟降低约20%,同时能够有效提高网络吞吐量,解决数据中心的网络I/O虚拟化问题。     

A tool for tracing network data plane via SDN/OpenFlow

SDN provides an approach to create desired network forwarding plane by programming applications. For a large-scale SDN network comprised of multiple domains and running multiple controller applications, it is difficult to measure and diagnose the problems of flow tables in data plane. Tracing the forwarding path of SDN is one of effective way for data plane state measurement. Previously proposed methods for debugging SDN were applied to a single administrative domain. There is less effort to trace the flow entries of the data plane in large-scale multi-domain SDN networks. In this paper, we propose a method of software defined data plane tracing in large-scale multi-domain SDN networks. Our method can trace forwarding paths, and get the matched flow entries and other customized trace information. We present the designs compatible with OpenFlow 1.0 and 1.3 switches. The performance and deployment effect are evaluated by simulation test and analysis. It shows that our method has better performance than traditional IP traceroute, and its deployment at about 20% of AS nodes can enable 70% of AS paths to be traceable.     

基于I/O前后端模型的密码卡软件虚拟化

密码技术是云计算安全的基础,支持SR-IOV虚拟化的高性能密码卡适用于云密码机,可以为云计算环境提供虚拟化数据加密保护服务,满足安全需求.针对该类密码卡在云密码机使用过程中存在的兼容性不好、扩充性受限、迁移性差以及性价比低等问题,本文提出了基于I/O前后端模型的密码卡软件虚拟化方法,利用共享内存或者VIRTIO作为通信...     

Intel virtualization technology

A virtualized system includes a new layer of software, the virtual machine monitor. The VMM's principal role is to arbitrate accesses to the underlying physical host platform's resources so that multiple operating systems (which are guests of the VMM) can share them. The VMM presents to each guest OS a set of virtual platform interfaces that constitute a virtual machine (VM). Once confined to specialized, proprietary, high-end server and mainframe systems, virtualization is now becoming more broadly available and is supported in off-the-shelf systems based on Intel architecture (IA) hardware. This development is due in part to the steady performance improvements of IA-based systems, which mitigates traditional virtualization performance overheads. Intel virtualization technology provides hardware support for processor virtualization, enabling simplifications of virtual machine monitor software. Resulting VMMs can support a wider range of legacy and future operating systems while maintaining high performance.