
Bringing Platform Harmony to VMware NSX

Published: 28 August 2018

Abstract

VMware NSX virtualizes network functionality in a manner analogous to how hypervisors virtualize compute resources. To do this, NSX must faithfully recreate virtual versions of network components, such as switches, routers, and firewalls. As this functionality becomes commoditized, NSX must move "up the stack" to provide more advanced features, such as load-balancers, IDS/IPS (intrusion detection and prevention systems), and DPI (deep packet inspection) for classification.

NSX is designed to work in all types of deployments, even those without any other VMware software. It integrates with ESXi, Linux KVM, and Hyper-V hypervisors; it is even being made to work on systems without a hypervisor, such as containers and third-party clouds. Each of these platforms has its own native forwarding plane. For the best user experience, all of the forwarding planes should provide the same behavior, but the disparate implementations make this difficult in practice. As network functions become more complex and as NSX supports more forwarding planes, both duplication of effort and undesirable diversity of behavior increase.

We propose a new approach to building advanced network functions in NSX. Under this approach, identical code runs on all of NSX's supported platforms. Applications will run at or near native performance, but with better security and identical cross-platform behavior. We demonstrate this by writing a single application to provide DPI functionality that runs in the fast paths of each of NSX's primary platforms: ESXi, Linux, and the Edge gateway appliance. We evaluate the performance and correctness of our implementation on the three platforms.


Published In

ACM SIGOPS Operating Systems Review, Volume 52, Issue 1 (Special Topics), July 2018, 133 pages. ISSN: 0163-5980. DOI: 10.1145/3273982.

Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

  • Introduction

Article Metrics

  • Downloads (last 12 months): 47
  • Downloads (last 6 weeks): 6
Reflects downloads up to 05 Mar 2025

Cited By

  • (2023) vTopology: Virtual MAC Address Aided Network Slicing in Multi-Tenant Data Centers. IEEE Network: The Magazine of Global Internetworking, 37(2):214-221. DOI: 10.1109/MNET.106.2100617. Online publication date: 5 Sep 2023.
  • (2023) HERO vs Zombie: Destroying Zombie Guests in Virtual Machine Environments. Model-Driven Engineering and Software Development, pages 48-59. DOI: 10.1007/978-3-031-38821-7_3. Online publication date: 4 Aug 2023.
  • (2020) Specification and verification in the field. Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pages 41-61. DOI: 10.5555/3488766.3488769. Online publication date: 4 Nov 2020.
  • (2020) DeepMatch. Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, pages 336-350. DOI: 10.1145/3386367.3431290. Online publication date: 23 Nov 2020.
  • (2019) MTS. Proceedings of the 2019 USENIX Conference on Usenix Annual Technical Conference, pages 521-536. DOI: 10.5555/3358807.3358851. Online publication date: 10 Jul 2019.
  • (2017) Building an Extensible Open vSwitch Datapath. ACM SIGOPS Operating Systems Review, 51(1):72-77. DOI: 10.1145/3139645.3139657. Online publication date: 11 Sep 2017.
