Isolation mechanisms for high-speed packet-processing pipelines
share
Data-plane programmability is now mainstream, both in the form of programmable switches and smart network-interface cards (SmartNICs). As the number of use cases for programmable network devices grows, each device will need to support multiple packet-processing modules simultaneously. These modules are likely to be independently developed, e.g., measurement and security modules developed by different teams, or cloud tenants offloading packet processing to a NIC. Hence, we need isolation mechanisms to ensure that modules on the same device do not interfere with each other. This paper presents a system, Menshen, for inter-module isolation on programmable packet-processing pipelines similar to the RMT/PISA architecture. Menshen consists of a set of lightweight hardware primitives that can be added to an RMT pipeline and a compiler to take advantage of these primitives. We prototype the Menshen hardware using the NetFPGA switch and Corundum FPGA NIC platforms and the Menshen software using the open-source P4-16 reference compiler. We show that Menshen supports multiple modules simultaneously, allows one module to be quickly updated without disrupting other modules, and consumes a modest amount of additional hardware resources relative to an RMT pipeline. We have open sourced the code for Menshen's hardware and software at https://github.com/anonymous-submission-855. Although we do not have an ASIC implementation of Menshen, we believe its primitives are simple enough that they can be added to an ASIC realization of RMT as well.
READ FULL TEXT