The Linux Foundation Projects
All Posts By Alena Davis

What are the implications of the IO Visor project and why it matters


The IO Visor Project is an IO engine, with a set of development tools, that resides between the Linux OS and the hardware. It is an in-kernel virtual machine for IO instructions, somewhat like a Java virtual machine: applications and a runtime engine sit atop the host and hardware layer. Being software defined, it has the flexibility that modern IO infrastructure needs and can become a foundation for a new generation of Linux virtualization and networking.

Extended Berkeley Packet Filter (eBPF), the technology that underpins IO Visor, is not new, but hosting the project at the Linux Foundation should help it proliferate. It is general purpose enough to build storage systems, distributed virtual networks or security sandboxes, but let us examine the networking uses.

Don’t we already have IO virtualization such as SR-IOV (Single Root I/O Virtualization)? Don’t data plane libraries such as DPDK (Data Plane Development Kit) and projects such as P4 provide flexible packet processing too? They may seem to overlap, but they are actually complementary. IO Visor combines kernel-space performance with extensibility via plug-ins to low-level functions (e.g. DPDK, or directly to hardware), so you can run IO Visor modules implemented atop DPDK.

With the support of Broadcom, Cavium, Cisco, Huawei and Intel, we may see plug-ins supporting a variety of hardware devices. Networking endpoints have increasingly moved into virtual switches, so it makes sense to provide IO extensibility within the kernel rather than relying solely on physical switches. But physical switches are also important, and with hardware vendor support for this project we may see IO Visor apps that span software and hardware devices.

Linux portability gives this project a potentially large footprint. Since Linux is the basis for many network switch OSs, including those from Arista, Cisco Systems, Dell Networking, Cumulus Networks, Extreme Networks and Open Networking Linux (the basis for Big Switch Networks’ Switch Light), many vendors may choose to examine IO Visor in the long term.

Since IO Visor is platform independent, it can be hosted on different CPUs or hardware network processing units. SUSE and Ubuntu, as founding members, may jumpstart support across the commercial Linux community for a variety of platforms and devices.

Here are some practical business use cases.

  • Security. Performance requirements have traditionally required I/O to run in the kernel, but kernel code was hard to update, creating a tradeoff between speed and security functionality. IO Visor reduces this limitation, so I foresee the development of high-performance IO security functions that can be updated with new capabilities, just like anti-virus programs updating with signatures. Security use cases have used BPF for years: the popular OpenSSH utilities use it to sandbox privileges, and Google’s Chrome browser on Linux and Chrome OS uses it to sandbox Adobe Flash. Having it in upstream Linux should enable it to find more uses.
  • Cloud building blocks. Converged systems integrate storage, compute and virtualization, and will benefit from a universal IO layer. Systems like VMware vSphere distributed switches provide networking devices that span multiple hosts, but don’t offer platform-independent extensibility. IO Visor enables the creation of distributed virtual networks. PLUMgrid, which contributed the initial IO Visor code, based its Open Networking Suite on this technology, so it is known to work commercially.
  • Carrier networking. Carriers pursue NFV to reduce opex and capex and to increase agility, but performance has been a concern. IO Visor can provide that performance along with dynamic changes. Since IO Visor does not require physical or virtual appliances to create distributed networks, it can drive higher density and reduced capex for carrier uses such as vCPE. Some founding member companies provide technologies to carriers, and through collaboration with OPNFV, I expect carrier networking requirements will influence IO Visor development in new ways.
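The Security bullet above cites OpenSSH and Chrome, which sandbox with seccomp-bpf, the classic-BPF syscall filter that predates eBPF. As an added example, not code from the post or from the IO Visor project, here is how such a syscall allowlist is built, checked in user space and installed; HOST_ARCH, build_allowlist_filter, evaluate_filter and install_filter are names chosen here, and the build is assumed to be x86_64 or aarch64 Linux.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define HOST_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#endif  /* other architectures: add their AUDIT_ARCH_* value here */
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)
/* Classic-BPF seccomp program: allow only the listed syscall numbers on the
 * build architecture, kill the process on anything else. Layout: [0] ld arch,
 * [1] arch ok? else ->KILL, [2] ld nr, [3..n+2] nr==allowed[k]? ->ALLOW,
 * [n+3] KILL, [n+4] ALLOW. Returns the instruction count, 0 if 'cap' < n+5. */
size_t build_allowlist_filter(const int *allowed, size_t n,
                              struct sock_filter *out, size_t cap)
{
    if (n > 250 || cap < n + 5) return 0;    /* jt/jf offsets are 8-bit */
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF);
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 0, n + 1);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF);
    for (size_t k = 0; k < n; k++)    /* jumps are relative to the next instruction */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[k], n - k, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}
/* Interpret the three opcodes emitted above so a filter can be checked against (arch, nr) pairs before install. */
unsigned evaluate_filter(const struct sock_filter *p, size_t len, unsigned arch, unsigned nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS)) acc = p[pc].k == ARCH_OFF ? arch : nr;
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K)) return p[pc].k;
        else break;
    }
    return SECCOMP_RET_KILL_PROCESS;    /* unsupported opcode or ran off the end */
}
/* Apply the filter to the calling thread; no_new_privs keeps setuid binaries from escaping it. */
int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fp = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
```

Once install_filter succeeds, any syscall outside the list terminates the process, so the allowlist must cover everything the sandboxed code (including libc start-up and exit) actually calls.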

Foundational software systems, regardless of technical soundness, cannot succeed without applications. Since the project’s founding members provide a wide range of solutions, we expect their contributions to build applications, tools and IO Modules rather than focusing solely on the IO Visor engine.

End users won’t interact with IO Visor directly; instead they will see improvements in performance, flexibility and security, and be introduced to new classes of Linux-based tools and devices.

Given how widely Linux is used, we feel this project can have widespread effects throughout the Linux virtualization and networking space. With this project, another layer of the IT infrastructure may be transformed to provide more flexibility in a portable, open manner.


Programmable IO across Virtual and Physical Infrastructures


In recent years, with the advent of virtualization and of private and public clouds, the nature of application development and deployment has changed significantly. Today’s businesses require applications to be deployed at scale in minutes, not days, months or years. The need for agility and scale extends to the infrastructure functions needed to support these applications, such as networking, storage, security and load balancing.

The advent of software-defined functions, like Software-Defined Networking (SDN), Software-Defined Storage (SDS) and Software-Defined Security (SD-Sec), attempts to deliver on the promise of just-in-time provisioning, auto-scaling and fine-grained policy control. A logical way to scale some of these IO functions is to implement them in the host OS stack.

The IO Visor project attempts to add the ability to programmatically insert IO functions into the data plane of the Linux kernel, allowing software-defined control of the infrastructure needed to support modern applications. IO Visor requires that clearly specified data plane functions be compiled into a format that can be inserted into the data plane of the Linux kernel.

Barefoot Networks has contributed to the development of P4, an open, domain-specific language designed to specify and program networking data planes. P4 is an imperative language that allows one to describe data plane behavior in an intuitive manner.

P4 is the perfect high-level language for specifying IO functions in IO Visor. P4 allows for concise, unambiguous and human-readable specification of IO behavior, especially when compared to alternative specifications written in procedural languages like C. IO functions specified in P4 can be compiled into the extended Berkeley Packet Filter (eBPF) format and pushed into the data plane of the Linux kernel.

Barefoot Networks has prototyped a compiler that compiles P4 programs into LLVM IR. This LLVM IR is further compiled into eBPF using the LLVM compiler. We will contribute this compiler and the supporting tool chain to the IO Visor project by open sourcing the implementation under a permissive license. We believe that this contribution will significantly accelerate the specification of IO functions in the IO Visor project.

We look forward to a world where IO functions can be programmed easily and quickly on both virtual and physical networking infrastructures to adapt to the needs of the applications.


About the author of this post: Chaitanya (CK) Kodeboyina

Datacenter Security with IO Visor


Firewalls, as intermediary networking devices, have played an important role in protecting an organization’s internal servers and hosts. But with networking functionality virtualized (NFV), more and more applications are moving to the public cloud, and the traditional security perimeter becomes blurred. Before the advent of virtualized firewalls, physical firewalls provided security for the public cloud in much the same way as in traditional network design: the firewall is placed in the aggregation layer, all traffic from the different tenants is routed to it, and the firewall therefore needs multi-tenant support (figure 1, left).

Figure 1. Physical firewall and NFV-like firewall solution in a data center

With this solution, traffic between servers in two different security zones is routed to the aggregation layer router, and the firewall enforces the security policy the same way it did in the enterprise environment. The drawback is obvious: all traffic, even internal traffic between VMs, is routed to the aggregation layer, which makes the system less scalable. When traffic grows to the point that the physical firewall cannot handle it, the firewall has to be upgraded or a load balancer added to distribute the traffic.

An alternative is to move the physical firewall function to an NFV-like deployment, i.e. a firewall running in a VM. If VMs hosting different applications need separation, they connect to the firewall NFV and the security policy is enforced inside that VM. When more capacity is needed, a new firewall NFV can be instantiated along with the application VMs (figure 1, right). With NFV, each tenant can be thought of as one virtual domain, security can be enforced within each tenant domain, and traffic within a virtual domain can be optimized: for example, if all of a tenant’s VMs are hosted in one rack, the traffic need not leave the rack.

When a firewall is deployed as a VM there are some challenges:

– The networking security perimeter shouldn’t change with dynamic VM migration;

– Security information should be carried along the data path within the tenant domain;

– The virtual appliance may need to migrate to maximize networking performance.

It is non-trivial to achieve all of these goals with the existing infrastructure, because existing configuration-based networking controllers lack the ability to distribute traffic dynamically. Controller plugins can provide some level of programmability, but the overall networking scalability issue remains.

IO Visor creates a run-time extensible data plane that allows NFV vendors or customers to define their packet processing logic dynamically. IO Visor provides the ability to create a module running in the hypervisor of each data center server and to build a virtual fabric overlay on top of it. By overlaying the network dynamically and logically, IO Visor can keep the application VMs protected. The firewall can run either in a static or in a dynamic networking environment with the IO Visor platform running underneath. Additionally, with IO Visor’s programmability, users can carry and interpret security information in their own way without the NFV being aware of it, building another layer of networking transparency for deploying virtual security devices such as an NFV firewall. Finally, IO Visor can help optimize network performance. In the example above, if a VM migration within a tenant domain leads to sub-optimal networking performance, the user can create their own NFV by describing the networking functionality (the optimization algorithm) in the IO Visor framework and load it at run time, without waiting for delivery from the NFV vendor or any third party. This significantly reduces NFV delivery time.

In summary, IO Visor helps NFV-based security architectures be deployed transparently in the data center and allows for more extensibility, with the ability to add security features quickly.



Better Networking Through Networking


Immersed in the technology world, we tend to think of networking as linking machines, especially computers, to operate interactively. Before there were computers though, we might have said that networking refers to how people come together intelligently to get things done. In our hyper-connected world, open source software development is an excellent example of the latter, and increasingly a driving force behind innovation of the former.

With today’s announcement at LinuxCon, SUSE is excited to be a founding member of IO Visor, an open source project and community of developers formed to accelerate the innovation, development and sharing of new IO and networking functions.

As an enterprise Linux company, our job is to produce the most reliable, secure, stable and enterprise-ready Linux on which our customers can base their entire physical and virtual infrastructure, whether they’re running their workloads in the data center, public or private cloud, or some combination of all of them.

The hybrid nature of our customers’ infrastructures is putting new pressures on the networking stack in particular. Since physical network interface protocols vary across vendors and evolve over time, it would be useful to provide a “network hypervisor” that abstracts away the physical network interface, so that new requirements can be accommodated more easily. This would help accelerate innovation and enable enterprises to deploy software-defined network infrastructures more easily.

This is what IO Visor does. Through a module that is upstream in the Linux kernel, Linux distributions like SUSE Linux Enterprise Server will be able to provide a programmable environment in which network function data planes can be loaded and instantiated at runtime, giving developers the ability to create applications, publish them, and deploy them in live systems without having to recompile. And the IO Visor solution is agnostic, not bound to any particular vendor’s hardware or software solution.

Open source software development is now the new normal for business IT, and projects like OpenStack, Open Container Initiative and Cloud Foundry are where the innovation is happening today. With the increased frequency that new open source projects are forming, we have to be judicious about which ones we elect to participate in, and we put a high priority on those that will help to solve challenges that our customers have today. IO Visor is such a project.
