
deri at ntop
Aug 14, 2012, 1:49 AM
Post #6 of 6
Robert,
the project looks interesting, very interesting. As soon as Alfredo is back from vacations, we will sit down and see if we can do something in the direction you are following.

Regards Luca

On 08/13/2012 09:48 PM, Robert Vineyard wrote:
> Luca,
>
> Yes, that's essentially what I'm looking to do, although preferably without having to modify existing libpcap applications. That's the reason I was intrigued by the recent patch to enable symmetric RSS within the PF_RING libpcap without having to use libzero natively.
>
> My end goal is to make this work:
>
> http://www.vinsec.net/2012/07/security-garlic-preview-of-coming.html
>
> I want to be able to run (unmodified) network monitoring software in load-balanced VMs like this - in the case of SecurityOnion, there are several libpcap-based applications active simultaneously.
>
> Yes, I know that this approach is sub-optimal in terms of raw performance, but I'm more interested in making vertical scalability for traditionally low-bandwidth monitoring tools a reality for the masses. I also now realize that many of the assumptions I made in that article are invalid, and that this may be a much more difficult task than I had hoped.
>
> To that end, I've been taking a look at some related work, particularly the recent efforts to implement native zero-copy for various components of KVM (especially in the virtio and macvtap modules). Ideally, I'd like to find a way to combine these efforts with a symmetric RSS implementation, such that I could do all of the load-balancing in hardware.
>
> Not sure if you're familiar with this work, but it appears to be very similar to what you've done with PF_RING and the DNA drivers. However, since these researchers have only released a portion of their code, and the DNA drivers are closed-source, I don't have a good way to compare the two approaches.
>
> http://www.ndsl.kaist.edu/~shinae/papers/TR-symRSS.pdf
>
> Hopefully that helps clarify what I'm trying to accomplish. I would happily welcome any advice that you may have to offer.
>
> Thanks,
> Robert
>
>
> On 08/13/2012 01:56 PM, Luca Deri wrote:
>> Robert,
>> I am not sure I understand where you want to go in the long run. Is vPF_RING over libzero (i.e. a KVM VM that can receive packets as a libzero client) what you are looking for perhaps?
>>
>> Regards Luca
>>
>> On Aug 8, 2012, at 4:21 AM, Robert Vineyard <vineyard [at] tuffmail> wrote:
>>
>>> Still reading... it definitely sounds like vPF_RING is what I want.
>>>
>>> I am finding that many of my questions are answered in Alfredo's paper. Is this the latest version?
>>>
>>> http://luca.ntop.org/Teaching/Cardigliano.pdf
>>>
>>> I found this one, and in the author comments at the end, a revised version is mentioned:
>>>
>>> http://conferences.sigcomm.org/imc/2011/docs/p533.pdf
>>>
>>> This work is very much in line with my own research, and I would be happy to contribute whatever resources I am able toward the further development of vPF_RING for more recent versions of KVM. It definitely sounds like you have encountered (and solved) many of the same problems that I have.
>>>
>>> Cheers,
>>> Robert Vineyard
>>>
>>>
>>> On 08/07/2012 09:11 PM, Robert Vineyard wrote:
>>>> After poring over hundreds of pages of datasheets and driver documentation, it appears that what I was hoping to do is not possible. I've run into the problem that appears to be at least partially solved by PF_RING's symmetric RSS hashing mode.
>>>>
>>>> Originally, I was hoping to be able to leverage the hardware RSS and Flow Director features of the 82599 in combination with SR-IOV Virtual Functions mapped to load-balanced virtualized IDS sensors. Since the default hardware RSS implementation is not flow-symmetrical, my sensors would not be able to see both sides of a bi-directional connection. Worse, the Flow Director filtering mechanism is unable to handle fragmented packets.
>>>>
>>>> Digging deeper into the PF_RING User's Guide (and the nTop blog), I see that the DNA drivers now offer a PF_RING_DNA_SYMMETRIC_RSS flag to correct this behavior and employ a 5-tuple symmetric hash, which is in fact what I need for my sensors.
>>>>
>>>> My question is in regard to the implementation of this new functionality. Is it in the DNA driver itself, in the PF_RING kernel module, or in the PF_RING user-space libraries? I ask because this post would seem to imply that this option is configurable from within a PF_RING-enabled application such as tcpdump:
>>>>
>>>> http://listgateway.unipi.it/pipermail/ntop-misc/2012-July/003037.html
>>>>
>>>> Since my SR-IOV Virtual Function mapping plan isn't going to work out, can I leverage vPF_RING in combination with DNA drivers and the PF_RING_DNA_SYMMETRIC_RSS flag on the host to accomplish the same thing?
>>>>
>>>> If so, would I still be limited to a single libpcap/libpfring application per queue on my DNA cluster?
>>>>
>>>> Thanks,
>>>> Robert Vineyard
>>>> _______________________________________________
>>>> Ntop-misc mailing list
>>>> Ntop-misc [at] listgateway
>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
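
The RSS asymmetry discussed in this thread, and how a Toeplitz key with a 16-bit period removes it, shown as an added example (not code from the thread, PF_RING or the DNA drivers, whose implementation is not shown here). The repeated 0x6d5a key follows the key-repetition approach of the symmetric RSS report linked above; the flow addresses are constructed, and `hash % n_queues` is an assumed stand-in for the NIC's indirection table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Widely used default RSS key (Microsoft RSS verification suite): not symmetric. */
static const uint8_t DEFAULT_KEY[40] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,0x8f,0xb0,
    0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,0x80,0x30,0xf2,0x0c,
    0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };

/* 0x6d5a repeated: the key bits have a 16-bit period, so swapping the 32-bit
 * addresses and the 16-bit ports selects exactly the same key windows. */
static const uint8_t SYMMETRIC_KEY[40] = {
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a };

/* Toeplitz hash: XOR the 32-bit key window aligned with every set input bit. */
static uint32_t toeplitz(const uint8_t *key, const uint8_t *in, size_t len)
{
    uint32_t hash = 0;
    uint32_t window = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
                      ((uint32_t)key[2] << 8) | key[3];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (in[i] & (1u << b)) hash ^= window;
            window = (window << 1) | ((uint32_t)(key[i + 4] >> b) & 1u);
        }
    return hash;
}

/* RSS input for TCP over IPv4: src addr, dst addr, src port, dst port. */
static uint32_t rss_tcp4(const uint8_t *key, uint32_t sip, uint32_t dip,
                         uint16_t sp, uint16_t dp)
{
    uint8_t in[12] = {
        (uint8_t)(sip >> 24), (uint8_t)(sip >> 16), (uint8_t)(sip >> 8), (uint8_t)sip,
        (uint8_t)(dip >> 24), (uint8_t)(dip >> 16), (uint8_t)(dip >> 8), (uint8_t)dip,
        (uint8_t)(sp >> 8), (uint8_t)sp, (uint8_t)(dp >> 8), (uint8_t)dp };
    return toeplitz(key, in, sizeof in);
}

int main(void)
{   /* Constructed flow: client 138.0.0.1:32848 <-> server 10.0.0.1:80, 8 RX queues. */
    uint32_t c = IP4(138,0,0,1), s = IP4(10,0,0,1);
    printf("default key:   c->s queue %u, s->c queue %u\n",
           rss_tcp4(DEFAULT_KEY, c, s, 32848, 80) % 8, rss_tcp4(DEFAULT_KEY, s, c, 80, 32848) % 8);
    printf("symmetric key: c->s queue %u, s->c queue %u\n",
           rss_tcp4(SYMMETRIC_KEY, c, s, 32848, 80) % 8, rss_tcp4(SYMMETRIC_KEY, s, c, 80, 32848) % 8);
    return 0;
}
```

With the default key the two directions of the flow hash to different queues, so a sensor bound to one queue sees only half the conversation; with the periodic key both directions land on the same queue.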