Improving security and flexibility within Windows DPDK
Transcript of Improving security and flexibility within Windows DPDK
x
Improving security and flexibility
within Windows DPDK
networking stacksRANJIT MENON – INTEL
OMAR CARDONA – MICROSOFT
2
Agenda
• The story so far…
• Windows DPDK Architecture
• Proposing a change to the architecture
• Benefits of new architecture
• “Secure” API Interface
• Multi-process/multi-user security
• Multi-tenancy security
• Availability
• Further areas of investigation
3
The story so far…
• Support for DPDK on Windows announced a year ago at this summit
• Code available in a draft repo (dpdk-draft-windows)
• dpdk.org – compatible with release 18.08
• Many of the core libraries available on Windows
• librte_eal, librte_ethdev, librte_mbuf, librte_mempool etc.
• Seeing increasing interest with some key industry partners
• video / media processing
4
Windows DPDK architecture
• Similar to the architecture on Linux and other OS
• Uses UIO driver to allow user-space access to
networking hardware
• UIO driver required to allocate physically
contiguous memory
App
DPDK
PMD
User
Kernel
NIC
Kernel
HW
UIO
Resource
Allocation
Path
Data
Path
IHV-specific
5
Not ideal…
• UIO driver takes over the whole networking device – inefficient use of
network resources
• Will not work with Live Migration when using a single device
• Not multi-user/multi-process secure
• Networking device cannot be shared with kernel Ethernet driver
• UIO driver needs to be certified and signed independently by DPDK
consumers on Windows leading to complicated ecosystem deployment
• Need a solution that provides the ability to “share” NIC with
multiple DPDK VNFs and hypervisor/host in a secure manner
6
Proposing a change to the architecture
App-A App-B App-C
App-1
DPDK
“Secure” API
PMD
App-N
DPDK
“Secure” API
PMD
. . .
TCPIP
NDIS
Driver
Proxy
Filter-0 Filter-1 Filter-N. . .NIC
User
Kernel
Kernel
HW
• Extend kernel Ethernet (NDIS)
driver to provide a secure,
multi-consumer interface to
networking device
• “Secure API” interface would
be used to initialize networking
resources for DPDK
• Network device can be shared
with host and other DPDK
consumersIHV-specific Resource Allocation and Configuration Path
Data Path
7
Benefits of new architecture
• Memory/resource allocation in Kernel driver
• Security enforced with proxy in the kernel driver
• Can filter flows to a particular filter through existing mechanisms – mac,
VLAN, mac-VLAN, IP filtering etc.
• Kernel driver can be fully certified as it is done today
• No UIO driver required
8
“Secure” API interface
• Device-agnostic interface
• OS-agnostic interface
• Per user/process configuration
• Compartmentalize resources
App-A App-B App-C
App-1
DPDK
“Secure” API
PMD
App-N
DPDK
“Secure” API
PMD
. . .
TCPIP
NDIS
Driver
Proxy
Filter-0 Filter-1 Filter-N. . .NIC
User
Kernel
Kernel
HW
IHV-specific Resource Allocation and Configuration Path
Data Path
9
Scope of Trust
Physical Machine Scope
NIC
AppDPDK
userspacekernelspace
PMD
10
Scope of Trust
Physical Machine Scope Virtual Machine Scope
NIC
Host
NIC
VM
userspacekernelspace
AppDPDK
userspacekernelspace
PMD
AppDPDKPMD
NIC
…
11
Scope of Trust
Physical Machine Scope Virtual Machine Scope Application Instance Scope
NIC
Host
NIC
VM
userspacekernelspace
Host
NIC
VM
userspacekernelspace
…
AppDPDK
userspacekernelspace
PMD
AppDPDKPMD
App
Secure PMDDPDK
NIC
…
NIC
App
Secure PMDDPDK
12
Multi-process / Multi-user security
• User space registered memory • Address, Length, Key - *MMU enforced
• HW Agnostic Kernel space Control Path visibility• Challenges with low-end vs high-end device and capabilities
• IOT vs Server
• Per user/process resource caps and reservations• Shape and control QP, CQ, MR, and associated HW
resource consumption
• Kernel space Network Diagnostics and Monitoring• Operationalize!
• Target First Failure Data Capture
Application Instance Scope
Host
NIC
VM
userspacekernelspace
…
App
Secure PMDDPDK
NIC
App
Secure PMDDPDK
13
Multi-tenancy security
Native
NIC
App
DPDK
userspacekernelspace
PMD
TCPIP
NIC
14
Multi-tenancy security
Native DDA – Direct Device Assignment
NIC
Host
NIC
NicSwitch
VM
userspacekernelspace
vSwitch
App
DPDK
userspacekernelspace
PMD
TCPIP
NIC
vmNIC
NetVSC
TCPIP
NIC
App
DPDK
PMD
15
Multi-tenancy security
Native DDA – Direct Device Assignment Multi-Tenancy
NIC
Host
NIC
NicSwitch
VM
userspacekernelspace
vSwitch
Host
NIC+IOV
NicSwitch
VM
vmNIC
userspacekernelspace …
GFT
QoS
vSwitch
Guest DCB
App
DPDK
userspacekernelspace
PMD
TCPIP
NIC
vmNIC
NetVSC
TCPIP
NIC
App
DPDK
PMD
TCPIP
NetVSC
VF
App
“Secure” DPSW DP
NetVSC PMD
DPDK
16
Multi-tenancy security
• Performance and Security conflict
• VFs bypass security… Fabric compromised…
• Acceptable for trusted Guests
Multi-Tenancy
Host
NIC+IOV
NicSwitch
VM
vmNIC
userspacekernelspace …
GFT
QoS
vSwitch
Tenant DCB
TCPIP
NetVSC
VF
App
Secure DPSW DP
NetVSC PMD
DPDK
17
Multi-tenancy security
• Performance and Security conflict• VFs bypass security… Fabric compromised…
• Acceptable for trusted Guests
• How can we secure tenants?• (1) Control what tenant places on the fabric
➢ GFT – Generic Flow Tables• Parse, Push/Pop, Transpose…
➢ Tenant DCB• VF level conversion• Automatic DCB correction
• (2) Control how much tenant places on the fabric➢ Per-TC HW QoS➢ Send: Caps/Reservations. Recv: Caps
• (3) Control what HW resources tenant consumes➢ VF Resource Caps (QP, CQ, PD, MR, etc.)
Multi-Tenancy
Host
NIC+IOV
NicSwitch
VM
vmNIC
userspacekernelspace …
GFT
QoS
vSwitch
Tenant DCB
TCPIP
NetVSC
VF
App
Secure DPSW DP
NetVSC PMD
DPDK
18
Availability
VM
userspace
kernelspace
vmNIC
TCPIP
NetVSC
No VF
App
DPDK
SW DP
NetVSC PMD
19
Availability
VM
userspace
kernelspace
VM
vmNIC
NetVSC
userspace
kernelspace
TCPIP
VF
VF Add
vmNIC
TCPIP
NetVSC
No VF Dynamically Add VF
App
DPDK
“Secure” DPSW DP
NetVSC PMD
App
DPDK
SW DP
NetVSC PMD
“Secure” Proxy
20
Availability
VM
userspace
kernelspace
VM
vmNIC
NetVSC
userspace
kernelspace
TCPIP
VM
userspace
kernelspace
VF
VF Add
VF Remove
vmNIC
TCPIP
NetVSC
vmNIC
NetVSC
TCPIP
No VF Dynamically Add VF Dynamically Remove VF
App
DPDK
“Secure” DPSW DP
NetVSC PMD
App
DPDK
SW DP
NetVSC PMD
“Secure” Proxy
App
DPDK
SW DP
NetVSC PMD
21
Areas of investigation
• AF_XDP
• Interesting approach for flexible SW -> HW flow steering and user space DMA
• Potential simplification to synthetic slow path at Socket vs Device
• eBPF
• Required to control what is placed on wire
• Can potentially be used to offload GFT rules/transpositions (Secure IOV)
• Virtual IOMMU
• Implementation feasibility vs leveraging the existing/supported ND security model
Call to Action
• Provide feedback on new model
• Download and use existing Windows support code from draft repo
• How to contribute:
• https://core.dpdk.org/contribute/
• Reference “dpdk-draft-windows” in contribution
• Help us make it better!