--------------------------------------------------------------------
Paper review: Debadatta Mishra (Roll No: 114050005)
--------------------------------------------------------------------

Paper title: Crossbow: From Hardware Virtualized NICs to Virtualized Networks

Summary:
This paper uses the hardware virtualization features of recent NICs to provide isolated virtual NICs (VNICs) to different guest OSes. If the hardware features are unavailable or insufficient, software mechanisms are used as a fallback. The separation of VNICs brings security, isolation, fairness in resource sharing, and seamless migration, but at the cost of additional memory and dedicated CPU resources. As an additional feature, the paper presents a virtual switch for communication between guests running on the same physical machine, together with a virtual wire abstraction that, through proper VLAN tagging, efficiently builds communication groups out of VMs running on multiple physical machines in a LAN.

Detailed Notes:
1) The hardware changes in high-speed NICs were originally made so that multiple processors could process packets from the same NIC for better device utilization. Multiple receive/transmit queues, multiple DMA channels, MSI-X interrupts, and receive-side scaling let several CPUs take part in data transfer with little overhead. Since these features are an obvious fit for virtualization, they are extended to support virtualized operation and direct guest access for data transfers without compromising isolation.
2) The paper provides a completely isolated virtual network interface to each guest OS by separating the software processing along with the NIC hardware resources. Hardware-based lanes are created by exploiting NIC support for multiple receive queues, multiple MAC addresses, and so on. In the absence of hardware support, a software lane is implemented per VNIC by separating the device queues and managing them individually (a minimal classifier sketch follows this list).
3) Each VNIC's functionality is implemented by three threads (requiring at least two CPUs): a polling thread receives packets in chunks (avoiding per-packet interrupts), a worker thread performs receive-side protocol processing and hands packets over, and a transmit thread sends outgoing packets (see the second sketch after this list).
4) The performance setup uses machines with eight cores in total, providing four different hardware lanes. One machine is loaded with uperf traffic from the other machines. The comparison shows that the load is shared equally across the eight CPUs.
5) Bandwidth scheduling, policing, and firewall rules can be configured per VNIC through the administrative interface provided by Crossbow.
6) The virtual switch supports inter-VM communication and restricts multicast and broadcast domains using VLAN tags.
7) The virtual wire implementation groups communicating guests running on different physical hosts using VLAN tags.
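To make note 2 concrete, the following is a minimal sketch of a software-fallback receive classifier. This is my own illustration under assumed types (struct pkt, struct pktq, vnic_t are all hypothetical), not code from the paper: it steers each incoming frame to the receive queue of the VNIC owning the destination MAC address, which is the same separation a hardware classifier would otherwise provide.

    #include <stdint.h>
    #include <string.h>
    #include <stddef.h>

    #define MAX_VNICS 8

    /* Minimal packet and queue types, just enough for the sketch. */
    struct pkt {
        uint8_t     dst_mac[6];
        struct pkt *next;
    };

    struct pktq {
        struct pkt *head, *tail;
    };

    static void pktq_enqueue(struct pktq *q, struct pkt *p)
    {
        p->next = NULL;
        if (q->tail)
            q->tail->next = p;
        else
            q->head = p;
        q->tail = p;
    }

    /* Hypothetical per-VNIC software lane: a MAC address plus a private
     * receive queue serviced by that lane's own threads. */
    typedef struct vnic {
        uint8_t     mac[6];
        struct pktq rx_queue;
    } vnic_t;

    static vnic_t vnics[MAX_VNICS];
    static int    nvnics;

    /* Software-fallback classifier: called for every frame pulled off the
     * shared device queue; it steers the frame to the owning VNIC's queue
     * so all further processing stays within that VNIC's lane. */
    static void rx_classify(struct pkt *p)
    {
        for (int i = 0; i < nvnics; i++) {
            if (memcmp(p->dst_mac, vnics[i].mac, 6) == 0) {
                pktq_enqueue(&vnics[i].rx_queue, p);
                return;
            }
        }
        /* No VNIC owns this MAC: drop; no promiscuous delivery needed. */
    }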
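And here is a hypothetical sketch of the three-thread lane structure from note 3, reusing the pktq type above; hw_rx_chunk(), pktq_dequeue(), proto_rx(), deliver_to_guest() and hw_tx() are stand-ins for driver and stack hooks, not real APIs.

    #include <pthread.h>
    #include <stdbool.h>

    struct pkt;
    struct pktq;

    /* Stand-in hooks (assumed to be supplied by the driver/stack): */
    extern void        hw_rx_chunk(struct pktq *q);  /* chunked device rx */
    extern struct pkt *pktq_dequeue(struct pktq *q);
    extern struct pkt *proto_rx(struct pkt *p);      /* rx protocol work  */
    extern void        deliver_to_guest(struct pkt *p);
    extern void        hw_tx(struct pkt *p);

    /* One lane per VNIC: two queues shared by three dedicated threads. */
    struct lane {
        struct pktq  *rx_q, *tx_q;
        volatile bool running;
    };

    /* Polling thread: pulls packets off the device in chunks rather than
     * taking one interrupt per packet, and fills the lane's rx queue. */
    static void *poll_thread(void *arg)
    {
        struct lane *l = arg;
        while (l->running)
            hw_rx_chunk(l->rx_q);
        return NULL;
    }

    /* Worker thread: receive-side protocol processing and hand-over. */
    static void *worker_thread(void *arg)
    {
        struct lane *l = arg;
        struct pkt *p;
        while (l->running)
            if ((p = pktq_dequeue(l->rx_q)) != NULL)
                deliver_to_guest(proto_rx(p));
        return NULL;
    }

    /* Transmit thread: drains the lane's tx queue to the hardware. */
    static void *tx_thread(void *arg)
    {
        struct lane *l = arg;
        struct pkt *p;
        while (l->running)
            if ((p = pktq_dequeue(l->tx_q)) != NULL)
                hw_tx(p);
        return NULL;
    }

    /* Starting a lane dedicates three threads, which is why each VNIC
     * needs at least two CPUs to itself. */
    static void lane_start(struct lane *l, pthread_t t[3])
    {
        l->running = true;
        pthread_create(&t[0], NULL, poll_thread,   l);
        pthread_create(&t[1], NULL, worker_thread, l);
        pthread_create(&t[2], NULL, tx_thread,     l);
    }

The busy-wait dequeue loops are a simplification; a real lane would block on its queues, just as the paper's polling mode avoids spinning at the device level.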
Positives:
1) Avoids promiscuous-mode NIC operation whenever possible by assigning MAC addresses to different virtual functions and letting the hardware do receive-side filtering based on the MAC address.
2) Offers a hybrid, self-adjusting implementation of the virtual NIC abstraction that makes live migration easier than dedicated PCI device assignment (PCI passthrough and the like).
3) Provides a single point of policy enforcement (security, bandwidth scheduling, etc.) at the hypervisor level, giving control over guest network resource usage.
4) Provides a VLAN-aware virtual switch implementation that eases deployment and network configuration in a typical data center: two guests on two different physical machines can have a VLAN separated from other communicating hosts.

Negatives:
1) Several of the stated claims do not hold in a general sense, for example that 'MAC based firewall rules are not handled by IOV' or that 'fair sharing of network resources is not enforced' by hypervisor-based VMs.
2) The performance test setup does not reflect a real-world scenario in which multiple VMs use different hardware lanes. No comparison is made against a VMM platform that supports direct PCI I/O. The CPU utilization of the implementation is also not reported explicitly (the authors only say that load is evenly distributed across CPUs).
3) There is no discussion of per-guest CPU usage accounting. Since the per-VNIC threads run in hypervisor context, some mechanism should charge their CPU usage to the owning guest for fair guest CPU scheduling.
4) The claimed fairness depends heavily on the available CPU resources and the scheduling algorithms. Needing a lot of dedicated CPU resources for fairness makes the solution hard to scale.
5) Performance numbers are given for a best-case scenario (hardware features present, ample CPU resources). No experiment reports numbers for a hybrid setup of hardware and software lanes.
6) The virtual wire technique works only when hardware support for multiple VLANs is present.
7) Most of the techniques proposed as novel are not actually novel: polling is already implemented as NAPI in Linux kernel drivers, and virtual switches and bandwidth partitioning are already implemented by VMware, among others.

Possible Extensions:
1) Intel 10G SR-IOV-capable NICs support MAC and VLAN anti-spoofing, and they give the physical function driver considerable control over the overall behaviour of the virtual functions. This could be used to overcome the security limitation stated in the paper and to provide a low-overhead solution where high-speed network virtualization is required.
2) The CPU utilization of the threads serving each hardware lane can be combined with the hypervisor's CPU scheduling, charging the time spent in a VNIC's threads to the guest that owns that VNIC. This would ensure fair CPU sharing (a minimal sketch follows).
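A minimal sketch of extension 2, assuming a hypervisor scheduler that keeps a per-guest accounting record; every name here (struct guest, now_ns(), lane_work_begin/end) is hypothetical.

    #include <stdint.h>

    /* Hypothetical per-guest record kept by the hypervisor scheduler.
     * cpu_ns is what the fair-share scheduler consults when deciding
     * how much CPU a guest has already consumed. */
    struct guest {
        uint64_t cpu_ns;
    };

    /* Each VNIC lane remembers which guest owns it. */
    struct lane {
        struct guest *owner;
    };

    extern uint64_t now_ns(void);   /* assumed monotonic clock source */

    /* Bracket every stretch of lane work (polling, protocol processing,
     * transmit) with begin/end so that CPU time burned in hypervisor
     * context on a VNIC's behalf is billed to the owning guest instead
     * of disappearing as anonymous system time. */
    static inline uint64_t lane_work_begin(void)
    {
        return now_ns();
    }

    static inline void lane_work_end(struct lane *l, uint64_t start)
    {
        /* A real implementation would update this atomically. */
        l->owner->cpu_ns += now_ns() - start;
    }

The guest scheduler would then treat cpu_ns accumulated from lane work exactly like time consumed by the guest's own vCPUs, shrinking that guest's future time slices accordingly.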