
Masaryk University
Faculty of Informatics

DiProNN: Distributed Programmable Network Node

Ph.D. Thesis

RNDr. Tomáš Rebok

Supervisor: doc. RNDr. Luděk Matyska, CSc.

Brno, June 2009

Except where indicated otherwise, this thesis is my own original work.

Tomáš Rebok
Brno, June 2009

Acknowledgments

I would like to express my deep and sincere gratitude to my supervisor, prof. Luděk Matyska, for his guidance during my research—for his detailed and constructive comments, valuable advice, and important support throughout this work.

Further, I wish to express my warm and sincere thanks to Eva Hladká, head of the Laboratory of Advanced Networking Technologies (known as Sitola as well), who introduced me to the field of active/programmable networks, and who gave me an opportunity to become a member of both the Sitola laboratory and the “Multimedia transmissions and collaborative environment” research group of the Cesnet association. Moreover, I would like to thank her for the patience with me throughout the tough times and her ability to keep me motivated during periods of self-doubt.

My deep and sincere thanks also go to Petr Holub for his help with the starting ideas in the beginning of my work, and for all of his assistance, which he has kindly provided to me in numerous ways during my research.

During my studies, I have worked with a great number of people, whose contribution in assorted ways to my research deserves special mention. I would like to thank Jiří Denemark, Lukáš Hejtmánek, Miloš Liška, Igor Peterlík, Dalibor Klusáček, David Antoš, and other fellows of the Sitola laboratory, who helped me a lot with various things during my research.

I would also like to convey my gratitude to all my friends for all their support and help I have received from them, as well as for all the enjoyable times we have spent.
My special thanks go to Honza Petrželka, Tomáš Rybka, Zdeněk Vrbka, Michal Procházka, Mojmír Strakoš, Jaroslav Škára, and Terezka Obšilová. It is my pleasure to be your friend.

Furthermore, my deepest gratitude goes to my parents, grandparents, parents-in-law, and other members of my family for their unflagging love, patience, and support throughout my life: this thesis would be simply impossible without them. “Mum, Daddy, there are no words I can thank you enough with.”

Last but not least, I would like to give my special thanks to my wife Lenka, whose patient love enabled me to complete this work. In the recent years, she has been greatly helping and encouraging me in all the moments I was feeling down. “Leničko, I am grateful to You for more than I could ever express.”

And finally, my sincere thanks go to everybody that has been a part of my life, but whom I have failed to mention: “Thank you very much!”

This work has been supported by the research intent Integrated Approach to Education of PhD Students in the Area of Parallel and Distributed Systems, No. GD102/05/H050, funded by Grant Agency of the Czech Republic, and by the research intent Optical Network of National Research and Its New Applications, MŠM 6383917201, funded by the Ministry of Education, Youth and Sports of the Czech Republic.

Tomáš Rebok

Abstract

Active/programmable networks allow end users to inject customized programs into special network nodes, so that their data can be processed (in the way they want) directly in the network as it passes through. This approach has been presented as a reaction to a certain fossilization of the traditional computer networks, which on the one hand behave as a simple and extremely fast forwarding infrastructure, but which on the other hand have not been designed for fast and dynamic reconfigurations and the deployment of novel services.
Multimedia application processing (e.g., videoconferencing, video transcoding, video on demand, etc.), security services (data encryption over untrusted links, secure and reliable multicast, etc.), intrusion detection systems, and dynamically adapting intranet firewalls are just a few of the services that could be provided.

Thanks to their remarkable functional flexibility, active/programmable networks became very popular in a short time and have been studied by many research teams. Various architectures have been proposed, from the integrated ones based on active packets containing program code (so-called capsules) to the discrete ones, where the program injection is separated from the processing of the data packets, all of them including software-only as well as software-hardware architectures. The fundamental issues, which have to be addressed by all the architectures, are:

• Execution Environment Flexibility – the active/programmable nodes have to provide an execution environment (EE), inside which all the user active programs (APs) are processed. Ideally, the nodes should be able to accept and run user-supplied APs designed for an arbitrary EE, which would provide the highest flexibility possible. However, the existing solutions usually restrict the users to APs designed for a single, specific EE, ordinarily represented by a Unix/Linux-based OS, Java Runtime Environment, or a specialized proprietary one.

• Resource Isolation and Security – for security purposes, the running APs have to be strongly isolated from each other, so that a malicious/compromised AP cannot affect other APs sharing the same HW/SW resource(s), nor can it directly affect the simultaneously running APs themselves. Such isolation further has to eliminate hidden influence among the APs (e.g., through swapping of virtual memory pages) as well.
Most of the architectures presented so far either more or less omit such security mechanisms altogether, or provide proprietary mechanisms that externally enforce defined security policies but do not address the fundamentals of the problem.

We claim that instead of proposing novel and hopefully “more perfect” proprietary solutions, these issues could be generally addressed by making use of virtualization techniques, which have been revived in recent years. Furthermore, besides helping to cope with the issues mentioned above, virtualization could also provide other useful benefits, which are discussed in this thesis as well.

The main goal of this thesis is to study and present the benefits of employing virtualization principles in the active/programmable networks area. To illustrate them, we propose a novel programmable network node architecture, named DiProNN (Distributed Programmable Network Node), that employs virtualization techniques and makes use of their discussed features.

The employed virtualization, properly combined with the other desirable concepts, enables us to propose a flexible and powerful programmable node, which allows its users to develop their active programs for arbitrary execution environments and comfortably compose them into complex processing applications. Besides the flexibility of execution environments, the employed virtualization further enables the proposed node to provide higher security and strong isolation capabilities, additionally enhanced by robust resource reservations and guarantees.

Contents

1 Introduction
  1.1 Contributions
  1.2 Thesis Structure
2 State of the Art
  2.1 Active/Programmable Networks
    2.1.1 Integrated Active Network Solutions
    2.1.2 Discrete Active Network Solutions
    2.1.3 Operating Systems for Active Networks
    2.1.4 Distributed/Parallel Active Nodes Architectures
  2.2 Virtualization Systems
    2.2.1 Platform-level Virtual Machines
    2.2.2 OS-level Virtualization Systems
    2.2.3 Process-level Virtualization Systems
    2.2.4 Virtualization in Current Computer Networks/Systems
3 Motivation and Objectives
  3.1 Programmable Networks and Virtualization
  3.2 DiProNN Objectives
    3.2.1 VM-aware Execution Environment Architecture
    3.2.2 Component-based Programming
    3.2.3 Possibilities of Parallel/Distributed Processing
    3.2.4 Fine-grained Resource Management System
    3.2.5 Flexible Data Transmission Protocol Architecture
  3.3 Comparison with Existing Approaches
4 DiProNN: Distributed Programmable Network Node
  4.1 Distribution Unit
  4.2 Processing Units
  4.3 Control Unit
  4.4 Aggregation Unit
  4.5 Storage Unit
  4.6 Data and Control Interconnections
  4.7 DiProNN’s Architecture Modifications
5 Data and Control Communication Protocols
  5.1 Data Transmission Protocols
    5.1.1 UDP (User Datagram Protocol)
    5.1.2 DCCP (Datagram Congestion Control Protocol)
    5.1.3 ARTP (Active Router Transport Protocol)
    5.1.4 TCP (Transmission Control Protocol)
    5.1.5 DiProNN’s Data Protocols Summary
  5.2 Control Transmission Protocols
    5.2.1 Internal Control Transmission Protocols
    5.2.2 DiProNN Control Protocol
6 DiProNN Programming Model
  6.1 DiProNN Sessions
  6.2 DiProNN Programs
    6.2.1 (Standalone) APs’ definition
    6.2.2 VMs’ definition
    6.2.3 Data Interfaces’ and Channels’ Definition
    6.2.4 Control Interfaces and Channels’ Definition
  6.3 Example: Video Streams’ Composition in DiProNN
7 DiProNN Operational Overview
  7.1 Initialization
    7.1.1 Units Registration Process
    7.1.2 Units’ Resources Discovery Process
  7.2 Users’ Requests
  7.3 Session Establishment
    7.3.1 APs/VMs Mapping Process
    7.3.2 Session Establishment Process
  7.4 Data Flow and Processing
    7.4.1 Parallel Processing
    7.4.2 VMs’ Migrations for Efficient Resources Utilization
  7.5 Session Termination
8 Distributed Sessions’ Processing
  8.1 Problem Description
    8.1.1 DiProNN Session
    8.1.2 DiProNN node
    8.1.3 Constraints
  8.2 DSP Complexity Analysis
Details
File Type: pdf
Content Languages: English
File Pages: 200