Nicola Bonelli

On multi---gigabit packet capturing with multi---core commodity hardware

Nowadays commodity hardware is offering an ever increasing degree of parallelism (CPUs with more and more cores, NICs with parallel queues). However, most of the existing network monitoring software has not yet been designed with high parallelism in mind. Therefore we designed a novel packet capturing engine, named PFQ, that allows efficient capturing and in---kernel aggregation, as well as connection---aware load balancing. Such an engine is based on a novel lockless queue and allows parallel packet capturing to let the user---space application arbitrarily define its degree of parallelism. Therefore, both legacy applications and natively parallel ones can benefit from such a capturing engine. In addition, PFQ outperforms its competitors both in terms of captured packets and CPU consumption.

Flexible high performance traffic generation on commodity multi---core platforms

Generating high-volume and accurate test traffic is crucial for assessing the performance of network devices in a reliable way and under different stress conditions. However, traffic generation still relies mostly on special purpose hardware. In fact, available software generators are able to reproduce rich and involved traffic patterns, but do not meet the performance requirements that are needed for effectively challenging the device under test. Nevertheless, hardware devices usually provide limited flexibility with respect to the traffic patterns that they can generate. The aim of this work is to design a traffic generator which can both achieve good performance and provide a flexible framework for supporting arbitrary traffic models. The key factor that enables our system to meet both requirements is parallelism, which is increasingly provided by modern commodity hardware: indeed our generator, which includes both kernel and user space components, can efficiently scale with multiple cores and multi---queue commodity network cards. By leveraging such a design, our generator is able to produce close-to-line-rate traffic on a 10Gbps link, while accommodating multiple traffic models and providing good accuracy.

A purely functional approach to packet processing

Todays rapidly evolving network ecosystem, characterized by increasing traffic volumes, service heterogeneity and mutating cyber-threats, calls for new approaches to packet processing to address key issues such as scalability, flexibility, programmability and fast deployment. To this aim, this paper explores a new direction to packet processing by pushing forward functional programming principles in the definition of a “software defined networking” paradigm. This result is achieved by introducing PFQ-Lang, an extensible functional language which can be used to process, analyze and forward packets captured on modern multi-queue NICs (for example, it allows to quickly develop the early stage of monitoring applications). An implementation of PFQ-Lang, embedded into high level programming languages as an eDSL (embedded Domain Specific Language) is also presented. The proposed approach allows an easy development by leveraging the intuitive functional composition and, at the same time, allows to exploit multi-queue NICs and multi-core architectures to process high-speed network traffic. Experimental results are provided to prove that the presented implementation reaches line rate performance on a 10Gb line card. To demonstrate the effectiveness and expressiveness of PFQ-Lang, the paper also presents a few use-cases ranging from forwarding, firewalling and monitoring of real traffic.

Network Traffic Processing With PFQ

This paper presents Packet Family Queue (PFQ), a high-performance framework for packet processing designed to flexibly handle network applications parallelism and making traffic processing safe and easy. PFQ is an open-source module for the Linux kernel that combines software-accelerated packet I/O to in-kernel early stage packet processing and fine-grained distribution to network applications and physical devices. PFQ does not require any modification to network device drivers and exposes programming interfaces to multi-threaded applications natively designed to run on top of it, as well as to legacy monitoring tools using the pcap library. The results show that the flexibility and the backward compatibility provided by PFQ do not impact its processing performance that, in fact, reaches line rate figures in the cases of pure speed tests and real practical monitoring use cases on 10+ Gb/s links.

Toward composable network traffic measurement

As the growth of Internet traffic volume and diversity continues, passive monitoring and data analysis, crucial to the correct operation of networks and the systems that rely on them, has become an increasingly difficult task. We present the design and implementation of Blockmon, a flexible, high performance system for network monitoring and analysis. We present experimental results demonstrating Blockmons performance, running simple analyses at 10Gb/s line rate on commodity hardware; and compare its performance with that of existing programmable measurement systems, showing significant improvement (as much as twice as fast) especially for small packet sizes. We further demonstrate Blockmons applicability to measurement and data analysis by implementing and evaluating three sample applications: a flow meter, a TCP SYN flood detector, and a VoIP anomaly-detection system.

Packet capturing on parallel architectures

Nowadays commodity hardware is offering an ever increasing degree of parallelism: CPUs are equipped with more and more cores and a new generation of NICs can dispatch packets across multiple queues. Software based network monitoring can leverage the opportunity offered by this new trend in order to target a level of performance which was unattainable with single core technologies. In this paper, which is the result of a thorough measurement campaign, we explore the potential of parallelism when coupled with existing packet capturing technologies and show how, by accurately tuning configurations, a huge performance gain can be obtained. We also show how minimal configuration changes can dramatically affect the overall throughput.

A Bloom Filter Bank Based Hash Table for High Speed Packet Processing

The use of hash tables in high speed packet processing applications is widely adopted and many different variants of such structures have been proposed in the literature. Nonetheless, the extremely variegated scenarios of application call for new specialized solutions, to best satisfy their possibly peculiar requirements. In this paper, we propose a randomized approach to the design of compact hash tables for network applications that need to frequently store and access short valued data. The approach is based on the use of a bank of Bloom filters and proves to be very effective both in terms of space occupancy and complexity, at the obvious cost of a non zero error probability.

Randomized Packet Filtering through Specialized Partitioning of Rulesets

A key issue in high speed traffic processing is to immediately detect potentially interesting packets. At very high speed, this operation is particularly crucial as filtering packets close to the wire relieves real applications from handling large volumes of (uninteresting) data. This paper proposes a fast and randomized approach to packet filtering based on partitioning rule databases for their storage in fast and compact Bloom filters that can be placed in fast cache memory. Database partitioning is obtained by a specially tailored clustering algorithm and the results show that even large rulesets can be divided into a limited number of partitions and accommodated in reasonably small Bloom filters.

Scaling Regular Expression Matching Performance in Parallel Systems through Sampling Techniques

Modern network devices need to perform deep packet inspection at high speed for security and application- specific services. For this purpose, regular expressions are used, due to their high expressive power, and Deterministic Finite Automata (DFAs) are adopted to match them. Many works have been proposed to improve DFAs, especially in terms of memory consumption and speed. Instead, we address another issue: the scalability of DFAs to parallel systems and their buffer requirements. To our knowledge, a single attempt to parallelize DFA walk on regular multicore systems (which ex- ploits speculation with limited efficiency) has been proposed in literature. We propose a solution in which a number of processing units are committed to walk in parallel a DFA for the same packet; at this aim, sampling techniques on both text and regular expressions are adopted. This scheme is the first in literature that proposes effective parallelization of DFA walk, hence allowing for packet processing time reduction and less memory for reordering buffers. The result is that speed scales as the number of processing units.

Enif-Lang: A Specialized Language for Programming Network Functions on Commodity Hardware

The maturity level reached by today’s commodity platforms makes even low-cost PCs viable alternatives to dedicated hardware to implement real network functions without sacrificing performance. Indeed, the availability of multi-core processing packages and multi-queue network interfaces that can be managed by accelerated I/O frameworks, provides off-the-shelf servers with the necessary power capability for running a broad variety of network applications with near hardware-class performance. At the same time, the introduction of the Software Defined Networks (SDN) and the Network Functions Virtualization (NFV) paradigms call for new programming abstractions and tools to allow this new class of network devices to be flexibly configured and functionally repurposed from the network control plane. The paper presents the ongoing work towards Enif-Lang (Enhanced Network processIng Functional Language), a functional language for programming network functions over generic middleboxes running the Linux operating system. The language addresses concurrent programming by design and is targeted at developing simple stand-alone applications as well as pre-processing stages of packet elaborations. Enif-Lang is implemented as a Domain Specific Language embedded in the Haskell language and inherits the main principles of its ancestor, including the strong typedness and the concept of function compositions. Complex network functions are implemented by composing a set of elementary operations (primitives) by means of a compact yet expressive language grammar. Throughout the paper, the description of the design principles and features of Enif-Lang are accompanied by examples and use cases. In addition, a preliminary performance assessment is carried out to prove the effectiveness of the language for developing practical applications with the performance level required by 5G systems and the Tactile Internet.