MiddleNet: A Unified, High-Performance NFV and Middlebox Framework with eBPF and DPDK

Shixiong Qi, Ziteng Zeng, Leslie Monis, K. K. Ramakrishnan

TL;DR

MiddleNet addresses the challenge of simultaneously supporting L2/L3 NFV and L4/L7 middleboxes on a single platform with minimal data-plane overhead. It employs a DPDK-based, kernel-bypass path for L2/L3 NFs and an eBPF-based, event-driven path for L4/L7 middleboxes, connected through a unified shared-memory data plane and SR-IOV-enabled NICs. The design is complemented by thorough overhead auditing and two paired implementations (DPDK and eBPF) for both NFV and middlebox roles, demonstrating near line-rate performance for L2/L3 and substantially lower CPU usage for L4/L7 under realistic loads. By enabling co-existence and isolation of diverse function chains on the same host, MiddleNet offers a flexible, high-performance platform for heterogeneous service chains with practical deployment implications.

Abstract

Traditional network resident functions (e.g., firewalls, network address translation) and middleboxes (caches, load balancers) have moved from purpose-built appliances to software-based components. However, L2/L3 network functions (NFs) are being implemented on Network Function Virtualization (NFV) platforms that extensively exploit kernel-bypass technology. They often use DPDK for zero-copy delivery and high performance. On the other hand, L4/L7 middleboxes, which have a greater emphasis on functionality, take advantage of a full-fledged kernel-based system. L2/L3 NFs and L4/L7 middleboxes continue to be handled by distinct platforms on different nodes. This paper proposes MiddleNet, which develops a unified network resident function framework that supports L2/L3 NFs and L4/L7 middleboxes. MiddleNet supports function chains that are essential in both NFV and middlebox environments. MiddleNet uses the Data Plane Development Kit (DPDK) library for zero-copy packet delivery without interrupt-based processing, to enable the "bump-in-the-wire" L2/L3 processing performance required of NFV. To support L4/L7 middlebox functionality, MiddleNet utilizes a consolidated, kernel-based protocol stack for processing, avoiding a dedicated protocol stack for each function. MiddleNet fully exploits the event-driven capabilities of the extended Berkeley Packet Filter (eBPF) and seamlessly integrates it with shared memory for high-performance communication in L4/L7 middlebox function chains. The overheads for MiddleNet in L4/L7 are strictly load-proportional, without needing the dedicated CPU cores of DPDK-based approaches. MiddleNet supports flow-dependent packet processing by leveraging Single Root I/O Virtualization (SR-IOV) to dynamically select the packet processing needed (Layers 2-7). Our experimental results show that MiddleNet achieves high performance in such a unified environment.

Paper Structure (27 sections, 13 figures, 5 tables)

This paper contains 27 sections, 13 figures, 5 tables.

Figures (13)

  • Figure 1: Distinct data plane models for NFV and Middlebox, with different vSwitch options, virtual device interfaces, and virtualization frameworks: (a) kernel-based vSwitch + virtio-user/vhost-net & TUN/TAP + VM; (b) kernel-based vSwitch + virtio-user/vhost-net & TUN/TAP + container; (c) kernel-based vSwitch + virtio-net/vhost-net & TUN/TAP + VM; (d) kernel-based vSwitch + veth + container; (e) userspace vSwitch + virtio-user/vhost-user + VM; (f) userspace vSwitch + virtio-user/vhost-user + Container; (g) userspace vSwitch + virtio-net/vhost-user + VM; (h) userspace vSwitch + virtio-user/vhost-net & TUN/TAP + veth + container. We assess (f) as the best solution for L2/L3 NFs and (d) as the best solution for L4/L7 middleboxes (see the overhead-auditing section).
  • Figure 2: A generalized data pipeline for an NFV/Middlebox chain. Note: we only show the client-to-server datapath; protocol processing is only available for L4/L7 middleboxes.
  • Figure 3: A generalized shared memory communication data pipeline for a function chain in MiddleNet. Note: we only show the client-to-server datapath.
  • Figure 4: Packet processing flow for DPDK-based L2/L3 NFV: RX and TX.
  • Figure 5: Packet processing flow for eBPF-based L2/L3 NFV: RX and TX.
  • ...and 8 more figures