x

Improving security and flexibility

within Windows DPDK

networking stacksRANJIT MENON – INTEL

OMAR CARDONA – MICROSOFT

2

Agenda

• The story so far…

• Windows DPDK Architecture

• Proposing a change to the architecture

• Benefits of new architecture

• “Secure” API Interface

• Multi-process/multi-user security

• Multi-tenancy security

• Availability

• Further areas of investigation

3

The story so far…

• Support for DPDK on Windows announced a year ago at this summit

• Code available in a draft repo (dpdk-draft-windows)

• dpdk.org – compatible with release 18.08

• Many of the core libraries available on Windows

• librte_eal, librte_ethdev, librte_mbuf, librte_mempool etc.

• Seeing increasing interest with some key industry partners

• video / media processing

4

Windows DPDK architecture

• Similar to the architecture on Linux and other OS

• Uses UIO driver to allow user-space access to

networking hardware

• UIO driver required to allocate physically

contiguous memory

App

DPDK

PMD

User

Kernel

NIC

Kernel

HW

UIO

Resource

Allocation

Path

Data

Path

IHV-specific

5

Not ideal…

• UIO driver takes over the whole networking device – inefficient use of

network resources

• Will not work with Live Migration when using a single device

• Not multi-user/multi-process secure

• Networking device cannot be shared with kernel Ethernet driver

• UIO driver needs to be certified and signed independently by DPDK

consumers on Windows leading to complicated ecosystem deployment

• Need a solution that provides the ability to “share” NIC with

multiple DPDK VNFs and hypervisor/host in a secure manner

6

Proposing a change to the architecture

App-A App-B App-C

App-1

DPDK

“Secure” API

PMD

App-N

DPDK

“Secure” API

PMD

. . .

TCPIP

NDIS

Driver

Proxy

Filter-0 Filter-1 Filter-N. . .NIC

User

Kernel

Kernel

HW

• Extend kernel Ethernet (NDIS)

driver to provide a secure,

multi-consumer interface to

networking device

• “Secure API” interface would

be used to initialize networking

resources for DPDK

• Network device can be shared

with host and other DPDK

consumersIHV-specific Resource Allocation and Configuration Path

Data Path

7

Benefits of new architecture

• Memory/resource allocation in Kernel driver

• Security enforced with proxy in the kernel driver

• Can filter flows to a particular filter through existing mechanisms – mac,

VLAN, mac-VLAN, IP filtering etc.

• Kernel driver can be fully certified as it is done today

• No UIO driver required

8

“Secure” API interface

• Device-agnostic interface

• OS-agnostic interface

• Per user/process configuration

• Compartmentalize resources

App-A App-B App-C

App-1

DPDK

“Secure” API

PMD

App-N

DPDK

“Secure” API

PMD

. . .

TCPIP

NDIS

Driver

Proxy

Filter-0 Filter-1 Filter-N. . .NIC

User

Kernel

Kernel

HW

IHV-specific Resource Allocation and Configuration Path

Data Path

9

Scope of Trust

Physical Machine Scope

NIC

AppDPDK

userspacekernelspace

PMD

10

Scope of Trust

Physical Machine Scope Virtual Machine Scope

NIC

Host

NIC

VM

userspacekernelspace

AppDPDK

userspacekernelspace

PMD

AppDPDKPMD

NIC

…

11

Scope of Trust

Physical Machine Scope Virtual Machine Scope Application Instance Scope

NIC

Host

NIC

VM

userspacekernelspace

Host

NIC

VM

userspacekernelspace

…

AppDPDK

userspacekernelspace

PMD

AppDPDKPMD

App

Secure PMDDPDK

NIC

…

NIC

App

Secure PMDDPDK

12

Multi-process / Multi-user security

• User space registered memory • Address, Length, Key - *MMU enforced

• HW Agnostic Kernel space Control Path visibility• Challenges with low-end vs high-end device and capabilities

• IOT vs Server

• Per user/process resource caps and reservations• Shape and control QP, CQ, MR, and associated HW

resource consumption

• Kernel space Network Diagnostics and Monitoring• Operationalize!

• Target First Failure Data Capture

Application Instance Scope

Host

NIC

VM

userspacekernelspace

…

App

Secure PMDDPDK

NIC

App

Secure PMDDPDK

13

Multi-tenancy security

Native

NIC

App

DPDK

userspacekernelspace

PMD

TCPIP

NIC

14

Multi-tenancy security

Native DDA – Direct Device Assignment

NIC

Host

NIC

NicSwitch

VM

userspacekernelspace

vSwitch

App

DPDK

userspacekernelspace

PMD

TCPIP

NIC

vmNIC

NetVSC

TCPIP

NIC

App

DPDK

PMD

15

Multi-tenancy security

Native DDA – Direct Device Assignment Multi-Tenancy

NIC

Host

NIC

NicSwitch

VM

userspacekernelspace

vSwitch

Host

NIC+IOV

NicSwitch

VM

vmNIC

userspacekernelspace …

GFT

QoS

vSwitch

Guest DCB

App

DPDK

userspacekernelspace

PMD

TCPIP

NIC

vmNIC

NetVSC

TCPIP

NIC

App

DPDK

PMD

TCPIP

NetVSC

VF

App

“Secure” DPSW DP

NetVSC PMD

DPDK

16

Multi-tenancy security

• Performance and Security conflict

• VFs bypass security… Fabric compromised…

• Acceptable for trusted Guests

Multi-Tenancy

Host

NIC+IOV

NicSwitch

VM

vmNIC

userspacekernelspace …

GFT

QoS

vSwitch

Tenant DCB

TCPIP

NetVSC

VF

App

Secure DPSW DP

NetVSC PMD

DPDK

17

Multi-tenancy security

• Performance and Security conflict• VFs bypass security… Fabric compromised…

• Acceptable for trusted Guests

• How can we secure tenants?• (1) Control what tenant places on the fabric

➢ GFT – Generic Flow Tables• Parse, Push/Pop, Transpose…

➢ Tenant DCB• VF level conversion• Automatic DCB correction

• (2) Control how much tenant places on the fabric➢ Per-TC HW QoS➢ Send: Caps/Reservations. Recv: Caps

• (3) Control what HW resources tenant consumes➢ VF Resource Caps (QP, CQ, PD, MR, etc.)

Multi-Tenancy

Host

NIC+IOV

NicSwitch

VM

vmNIC

userspacekernelspace …

GFT

QoS

vSwitch

Tenant DCB

TCPIP

NetVSC

VF

App

Secure DPSW DP

NetVSC PMD

DPDK

18

Availability

VM

userspace

kernelspace

vmNIC

TCPIP

NetVSC

No VF

App

DPDK

SW DP

NetVSC PMD

19

Availability

VM

userspace

kernelspace

VM

vmNIC

NetVSC

userspace

kernelspace

TCPIP

VF

VF Add

vmNIC

TCPIP

NetVSC

No VF Dynamically Add VF

App

DPDK

“Secure” DPSW DP

NetVSC PMD

App

DPDK

SW DP

NetVSC PMD

“Secure” Proxy

20

Availability

VM

userspace

kernelspace

VM

vmNIC

NetVSC

userspace

kernelspace

TCPIP

VM

userspace

kernelspace

VF

VF Add

VF Remove

vmNIC

TCPIP

NetVSC

vmNIC

NetVSC

TCPIP

No VF Dynamically Add VF Dynamically Remove VF

App

DPDK

“Secure” DPSW DP

NetVSC PMD

App

DPDK

SW DP

NetVSC PMD

“Secure” Proxy

App

DPDK

SW DP

NetVSC PMD

21

Areas of investigation

• AF_XDP

• Interesting approach for flexible SW -> HW flow steering and user space DMA

• Potential simplification to synthetic slow path at Socket vs Device

• eBPF

• Required to control what is placed on wire

• Can potentially be used to offload GFT rules/transpositions (Secure IOV)

• Virtual IOMMU

• Implementation feasibility vs leveraging the existing/supported ND security model

Call to Action

• Provide feedback on new model

• Download and use existing Windows support code from draft repo

• How to contribute:

• https://core.dpdk.org/contribute/

• Reference “dpdk-draft-windows” in contribution

• Help us make it better!