Bringing Platform Harmony to VMware NSX

J. Pettit, Ben Pfaff, Joe Stringer, Cheng-Chun Tu, B. Blanco, Alex Tessmer
Journal: ACM SIGOPS Oper. Syst. Rev., volume 38 1, pages 123-128
Published: 2018-08-28
DOI: 10.1145/3273982.3273994 (https://doi.org/10.1145/3273982.3273994)
Citations: 10

Abstract

VMware NSX virtualizes network functionality in a manner analogous to how hypervisors virtualize compute resources. To do this, NSX must faithfully recreate virtual versions of network components, such as switches, routers, and firewalls. As this functionality becomes commoditized, NSX must move "up the stack" to provide more advanced features, such as load-balancers, IDS/IPS (intrusion detection and prevention systems), and DPI (deep packet inspection) for classification.

NSX is designed to work in all types of deployments, even those without any other VMware software. It integrates with ESXi, Linux KVM, and Hyper-V hypervisors; it is even being made to work on systems without a hypervisor, such as containers and third-party clouds. Each of these platforms has its own native forwarding plane. For the best user experience, all of the forwarding planes should provide the same behavior, but the disparate implementations make this difficult in practice. As network functions become more complex and as NSX supports more forwarding planes, both duplication of effort and undesirable diversity of behavior increases.

We propose a new approach to building advanced network functions in NSX. Under this approach, identical code runs on all of NSX's supported platforms. Applications will run at or near native performance, but with better security and identical cross-platform behavior. We demonstrate this by writing a single application to provide DPI functionality that runs in the fast paths of each of NSX's primary platforms: ESXi, Linux, and Edge gateway appliance. We evaluate the performance and correctness of our implementation on the three platforms.