Since its introduction in November 2015, Open-NFP has hosted 20 open research and development projects from academia and industry. Relevant software and sample datapath libraries are hosted on GitHub, enabling collaborative development across distributed teams. The organization’s website is designed to be a common repository of open source networking datapath P4/C application code and research papers.
The project is to provide a high-performance and scalable name-based data plane for future Internet architecture, like named data networking (NDN) and ADN (application driven network). The data plane is implemented on Netronome 4000 or 6000 series platform, aiming to achieve 40-100Gbp wire speed performance. The group is one of key contributors to an open source project of NDN project, namely NDN forwarding daemon (NFD), and now moves forward to port NFD to Netronome for high performance. We try to show that the data plane of further Internet architectures can be efficiently supported by current IP-spired accelerators.
We will explore a portable and dynamic solution for virtualizing a P4-programmable data plane. We develop a P4 program that can emulate other P4 programs, permitting runtime-reconfigurable network functions, function composition and network slicing.
For the purpose of scale in/out operations or instance relocation, state migration mechanisms for virtualized network functions (VNFs) are required. Besides the naive "stop-transfer-start" approach, which commonly leads to serious service interruption, techniques for "seamless" state migration like VM memory delta transmission are in use for a while now, and recently, mechanisms like deterministic replay or packet duplication have been proposed to cope with the commonly high I/O load of VNFs.
In this project, we have designed and now evaluate a novel mechanism that only transfers "statelets", byte vectors that only carry the information in a packet relevant for state change, instead of duplicated packets with unnecessary payload. The statelets allow a full deterministic replay at the destination, but reduce the dataplane utilization for state synchronization by up to 96%.
With the network processors, we plan to evaluate state migration and elastic redistribution between heterogeneous NF instance types (e.g. x86-based PCs and network processors), depending on the current performance demand. In a related sub-project, we also evaluate if and how devices (cards/switches) with NPUs could be also used to pre-split flows into their simple (accelerated) or complex (x86/ARM) part on the dataplane.
Demand to define dataplane behavior to accelerate various workloads specific to each use case is growing. The purpose of this project is to elaborate different approaches of datapath acceleration (such as OVS, SmartNIC programmability, P4), and check feasibility of each approach from various point of views such as datapath flexibility, ease to program, ease to operate.
In this project, we aim at detecting abnormal, and potentially malicious behavior in large-scale data centers by monitoring traffic patterns. The scope of this work is not restricted to network failures, instead, we aim at detecting anomalous behavior caused by distributed applications, hardware failures, and potential misconfigurations. Our ultimate goal is to identify the root cause of detected threats and confine their damage to the network by using various mitigation techniques.
To evaluate our design we are building a testbed with tens of X86-based servers connected to commodity switches and we rely on smart NICs to monitor the traffic and detect potential abnormal patterns.
The project will research on using the Netronome Agilio NIC as the packet forwarding engine for the Earth Computing Link Protocol, a new link layer protocol for cloud data centers. More detail on the Earth Computing Link Protocol is presented at the Stanford E380 Forum : https://www.youtube.com/watch?v=IPTlTmH-YvQ
We will explore scalable and portable network function virtualization solutions that can boost the performance of next-generation data centers. We will utilize the capability of P4 to reconfigure the data plane and explore a wide range of security, monitoring and optimization algorithms for the data path at the network edge.
To cope with the increasing complexity in cloud data centers induced by novel services and increasing traffic demands, new mechanism for network management have emerged. Especially the concepts of software-defined networking (SDN), which separates the data from the control plane and Network Function Virtualization, which replaces classic middle box devices like firewalls with softwarized solutions are enjoying an increasing popularity.
Despite the increased flexibility and the lowered maintenance costs provided by these concepts, both approaches suffer from the main drawback of adding additional delay to every connection as the packets are processed in software.
In this project we investigate how hardware-accelerated approaches are able to mitigate this drawback. For this we conduct performance evaluations in varying scenarios with a focus on security applications and NFV placement.
The project is a PoC where we want to authenticate user traffic on a per packet basis and forward (or drop) the packet based on the authentication header. A client application (similar to e.g. an OpenVPN client app) adds an authentication encapsulation header (similar to IPSEC AH) to each outgoing packet. It contains a Hash Message Authentication Code (HMAC). When the packet arrives at a P4 capable PE device of the service provider, the authentication header is parsed and the HMAC is verified (using a shared key that is negotiated at session start). When the integrity and authenticity of the packet is verified, the packet is forwarded to the associated service (L2 circuit, L3 VPN, etc). When the verification fails, the packet is dropped.
The project will research the possible use of a Netronome ISA to perform packet processing at line rates. This will result in increased Internet bandwidth through the telecom access network over existing physical infrastructure.
Flange a tool for configuring complex networks declaratively. A Flange program states the goals a user has for the network. Flange programs must be compiled to a concrete network layer, much like C must be compiled to concrete hardware instructions. P4 is one compilation target.
Software Defined Networks (SDNs) are an appealing platform for network security applications. However, existing approaches to building security applications on SDNs are not practical because of performance and deployment challenges. Network security applications often need to analyze and process traffic in more advanced ways than SDN data plane implementations, such as OpenFlow, allow. Much of an application ends up running on the centralized controller, which forms an inherent bottleneck. We are researching frameworks that allow security applications to dynamically push parts of their logic down to switches, where application-dependent processing and monitoring can execute closer to the data plane at a rate much closer to line speed. We built a system that leverages switch CPUs (Enabling Practical Software-defined Networking Security Applications with OFX, NDSS 2016), and are now extending our work to support next-generation P4 platforms, such as the Netronome Agilio NFPs.
The increasing amount of over-the-top (OTT) live streams and the lack of global network layer multicast support poses challenges for a scalable and efficient streaming over the Internet. Content Delivery Networks (CDNs) help by delivering the streams to the edge of almost every Internet Service Provider (ISP) network of the world but usually also end there. From there on, the streams are to be delivered to the clients using IP unicast, although an IP multicast functionality would be desirable to reduce the load on CDN nodes, transit links, and the ISP infrastructure. IP multicast is usually not available due to missing control and management features of the protocol. To tackle this problem, we developed Software-Defined Networking-based cross-layer approach, called Software-Defined Multicast (SDM). SDM is a one-to-many network service with multicast efficiency and unicast packet semantics. SDM has been investigated using OpenFlow-based implementations. We will explore how the P4 protocol can be used to increase the efficiency and flexibility of SDM.
Mimir Networks is investigating methods in Software Defined Networking (SDN) to advance the state of the art for proactive network based security. Distributed Denial of Service (DDoS) and Advanced Persistent Threats (APT) have evolved past the point of traditional mitigation and need to be pushed deeper into the network layers to allow for scalability to keep pace with the rapid development of attack vectors.
We believe that benefits of adapting best practices around flow telemetry creation and attack mitigation into the SDN model will provide industry the ability to accelerate the response to ever evolving attacks techniques.
The Government of Canada contributes to the research at Mimir.
NFV performance is a key for NFV to be deployed successfully in the Telco network. The purpose of the project is to check the feasibility of offloading some NFV functionalities such as firewall to the smart NIC with a focus on latency, throughput and programmability.
This project will explore the feasibility of realizing information-centric networking (ICN) protocols using the P4 framework on programmable data planes such as Netronome. ICN data planes, e.g. CCN/NDN and MobilityFirst, realizes a new network layer with several desirable features like name based routing, caching, security, multicasting and mobility features. These forwarders generally have multiple data structures to index cached content, aggregate requests and forwarding based on FIB rules. Depending on the protocol, these data structures also requires packet buffering feature during the resolution process, line rate buffer read/write and update to the forwarding data structures to realize ICN features. Through this project we will research to create an end-to-end application scenario where the network would contain both software based and P4 based ICN forwarders.
Institution: NTT Communications
Purpose of this project is to confirm off load feasibility for some of telco use cases, which helps wider use of software components in telco environment with better programmability.
http://www.cam.ac.uk/Effectively combining performance with flexibility requires support in both hardware and software. Matching the capabilities of both is hard, and engineering solutions commonly rely on well-established interfaces and APIs such as a microprocessor's assembly language, an FPGA's bitstream format, or a network processor's API. We are exploring ways to unify these interfaces, in particular to make it straightforward to build data center services that exploit programmable hardware as easily as traditional hardware, interoperating with existing services running on a range of platforms. Work supported by EPSRC grant references EP/K031724/2 and EP/K034723/1.
At Carnegie Mellon, we are exploring a broad theme called "software-defined network security" investigating how recent advances in SDN and NFV can help dramatically improve the status quo in network security. This Open-NFP community-driven web portal may be useful with respect to several research threads we are currently exploring.
One such thread is to tackle the recent spate of advanced DDoS attacks. We are developing a system for flexible and elastic DDoS mitigation where the defenses can be adaptively changed as the attack strategies change. The goal will be to investigate the potential benefits of hardware-accelerated NFV functions in the context of DDoS defense.
This work is supported by funding from the Department of the Navy, Office of Naval Research, Intel Corporation and the National Science Foundation.
Reprinted with permission. © Carnegie Mellon University, 2015
The purpose of the project is to check the feasibility of offloading fast path packet processing of traditional telco protocols to hardware using P4 protocol, with a focus on latency and performance in 5G networks. P4 serves as an alternative to more used OpenFlow which does not have support for the specific telco protocols. Additionally due to its flexibility, P4 paves path for future research and development of new datapath protocols, which have been a rarity since the lack of such standardized programmable hardware. This would promote the absolute white box concept in telco infrastructure and the openness towards a variety of protocols which was not possible in the proprietary hardware environment. A proof of concept will be implemented using the Fraunhofer FOKUS Open5GCore, a comprehensive mobile core network addressing the R&D towards future 5G network environments, through this providing a first prototype of deep programmable data path without requiring specific protocol support from the network card for offloading.
SENSS - software-defined security service, is a framework that enables a victim network to request services from remote ISPs for traffic that carries source IPs or destination IPs from this network's address space. These services range from statistics gathering, to filtering or quality of service guarantees, to route reports or modifications. The SENSS service has very simple, yet powerful, interfaces. This enables it to handle a variety of data plane and control plane attacks, while being easily implementable in today's ISP. The project will create a network of nodes with large fanout, allowing larger variety of network architectures for SDN experiments to explore features needed in the dataplane on NFPs to support SENSS.
In high-volume network environments, the sheer packet load will often by far exceed what monitoring software running on commodity hardware can handle. We strive to solve this problem by extending networking hardware with new primitives which can be used by network monitoring software. We will create a feedback protocol allowing network hardware to signal information about the network state back to the monitoring system. Furthermore, we will create several mechanisms using this protocol, e.g., to push connection tracking and L4 protocol parsing into the SDN. We will explore the implementation of these primitives and signaling mechanisms on programmable network components built on Netronome Agilio ISAs.
At JHU APL, we are working to improve the security and performance of networks by leveraging the tremendous traffic steering capability of SDN. By throwing out current routing and switching protocols and taking a clean sheet approach to redesigning how flows are assigned to forwarding paths, we aim to create a system that uses network resources much more efficiently and is significantly more responsive to feedback from network security analytics.
Reprinted with permission. © 2016 The Johns Hopkins University Applied Physics Lab LLC
We investigate the hardware/software co-design of a TCP-compatible protocol and network stack that can be hardware-accelerated by programmable NICs. In particular, we are interested in NICs based on the reconfigurable match table (RMT) programming model. Our goal is to offer all the same features of TCP, but design the protocol such that accelerated packet processing using minimal per-connection state on the NIC is possible. We require a kernel-bypass infrastructure and use Netronome's DPDK support to realize it. On top of this infrastructure, the software portion of this network stack executes at user-level unhindered by kernel-level packet processing overheads.
We propose to investigate flexible packet processing functionality on NICs and switches and their potential for optimizing high performance networked systems inside the data center. Our work is motivated by two trends. On one hand, the recent surge of network I/O performance has put enormous pressure on software I/O processing components running on end-hosts. At the same time, recent hardware innovations have resulted in technologies that provide flexible, albeit limited, packet processing functionality in NICs and switches. Thus, our research project is to consider implementing on the NICs and switches some of the packet processing traditionally done in end-host software as well as develop new in-network primitives that can significantly optimize the end-host software. We will show how and by how much flexible packet processing can benefit widely used data center server applications and also provide guidance on what features that future iterations of the hardware should provide in order to significantly improve application performance.
Reprinted with permission. © 2015 Netronome.
Description: At UW-Madison, we are developing new packet scheduling algorithms for multi-queue NICs. In particular, we are motivated by two trends. First, in order to keep up with increases in the number of cores, VMs, and active flows on a single server, the number of queue pairs on NICs is also increasing. Second, in order to enable servers to drive current line rates, NICs provide offload functions to reduce CPU load, and, as line rates increase, the importance of reducing the CPU load of networking increases as well. Unfortunately, current offload functions can lead to increased latency, unfair packet schedules, and network congestion, and these problems are exacerbated by increases in the number of queue pairs provided by a NIC. Our aim is to develop new scheduling algorithms and abstractions to eliminate these problems.
The advent of flexible hardware and expressive data plane programming languages will have a profound impact on networks. One possible use of this emerging technology is to move logic traditionally associated with the application layer into the network itself. We propose to investigate a new set of optimized consensus protocols that will leverage these recent advances in network programmability and hardware design. These protocols have the potential to dramatically improve the performance of the storage and replication systems that form the fundamental infrastructure for distributed and cloud computing services. In the long term, we imagine that consensus could someday be offered as a network service, just as point-to-point communication is provided today.
Network measurement has been facing big challenges from the following aspects (1) the ever increasing line rate; (2) the changing measurement metrics and varying details; and (3) the privacy of measurement data. To address these challenges, we propose AMIS: Advanced Measurement Instrument and Services to achieve flow-granularity network measurement, sustain scalable line rate, meet evolving measurement objectives and derive knowledge for network advancement. The scalable hardware architecture Advanced Measurement Appliance (AMA) and software-defined measurement framework are key advantages of AMIS. We plan to use Netronome’s FlowNIC as the primary packet processing engine for measurement tasks. In the software stack of AMIS, we provide a set of APIs for defining measurement tasks and experiment with different privacy preserving techniques on the obtained measurement data. We also intend to provide statistical analytics of the measurement data to effectively provision the network resources at exchange points.
In managing a large-scale data center, real-time root cause analysis of system events is a difficult task, as it requires vast measurement and processing resources. This project focuses on packet-level data collection from the data plane. The project will build on the recently proposed P4’s Inband Network Telemetry (“INT”) capability is promising for network management. We explore the relationship between CPU utilization and data from network telemetry with machine learning. The goal is to enable the creation of various policies for devising dynamic network resource provisioning and adaptive failure predictions.
The project focuses on edge intelligence for predictive load balancing within an optically switched data center network. Large multi-tenant multi-application data centers tend to run at utilizations that are below 20%. This is due to the network not being able to predict where hotspots will develop. Our aim is to use the NFP to predict where hotspots will happen and pre-emptively shape the network to adapt. We optimize flow placement for a hybrid network implementing an adaptive neural network classifier. We predict elephant flows with high accuracy on anonymized university network traffic. Using the NFP we demonstrate 40Gbps capability.
We strive towards developing foundations for measuring and validating the system behavior, dynamic interactions between components, and end-to-end properties of the Internet. We are interested in exploring measurement primitives that can be mapped onto the flow processor. We will explore the feasibility of dynamically re-configuring multi-resolution flow processing rules at line rate. These rules may be adapted based on online learning and/or sequential hypothesis testing performed at the SDN controller or other middleboxes.
If successful, this project will contribute towards defining new measurement primitives (software and hardware) for SDN or hybrid-SDN networks.
Reprinted with permission. © 2015 Netronome.
Please fill in the form below to submit your project.
Please register to access tools and firmware, contribute to discussions, share projects and commit code to the repository. Registration will also allow remote access to hardware.Sign up now