6WINDGate 5.0 is now available with major design improvements based on 15 years of customer success, feedback and support. This blog is the first in a series and describes 6WINDGate 5.0’s architecture with complete integration between our Fast Path and Linux, and new benefits from the latest Linux kernel improvements.
The 6WINDGate architecture is based on a Fast Path implementation that accelerates the Linux Networking Stack. 6WIND’s Fast Path is high-performance packet processing software available in source code form for multicore processor platforms. Our Fast Path is isolated from Linux, running on dedicated cores in userland on top of DPDK (Data Plane Development Kit), to ensure deterministic performance.
6WINDGate Fast Path Integrates with Linux Networking Stack
Selecting A Fast Path: 6WINDGate Vs. VPP
An isolated Fast Path is mandatory for high performance networking, but not enough. It has to be integrated with Control and Management Planes. There are two ways to achieve this integration:
- Stand-alone – The VPP Approach: This approach consists of developing a complete Fast Path that doesn’t directly interact with Linux. It requires a significant amount of work to redesign how the stand-alone Fast Path interacts with Linux-based Control and Management Planes, adapting and validating a very large number of complex protocols. Standard Linux networking tools must be adapted to work with the Fast Path. This approach has been selected by the fd.io / VPP open source project.
- Integrated – The 6WINDGate Approach: This approach consists of developing an efficient Fast Path focused on simple processing and high performance. It cooperates with the Linux Networking Stack to provide the complete networking layer. This approach requires the design of a synchronized Data Plane that works transparently with Linux to be reused by Linux-based Control and Management Planes. This approach has been successfully implemented in 6WINDGate.
6WIND Integrated Fast Path Advantage: eBPF and Linux Kernel Improvements
6WIND’s integrated Fast Path approach is superior for several reasons. First, Linux is the de facto standard for developing high performance network equipment and software appliances. Linux is backed by an enormous community of users and developers and a large number of commercially available distributions.
With regard to networking, successive versions of the Linux kernel keep improving performance and extension capabilities. A solution based on an integrated Fast Path directly benefits from all these improvements. The recent availability of eBPF (extended Berkeley Packet Filter) in the latest Linux kernel versions is a perfect example of such an improvement.
eBPF (extended Berkeley Packet Filter) is an extension of BPF, which was initially designed for BSD systems to filter packets early in the kernel and so avoid useless copies to userspace applications like “tcpdump”. Thanks to networking hooks like Traffic Control (TC) and eXpress Data Path (XDP), eBPF extends BPF to network filtering, for example to implement anti-DDoS, or to model hardware components.
An eBPF program is a C-like program using the uapi/linux/bpf.h Linux kernel API. A compiler translates this program into eBPF assembly instructions. This binary can then be loaded into the kernel, verified by the kernel to make sure there is no loop or unauthorized memory access, and finally executed.
How 6WIND Uses eBPF
6WIND uses eBPF to implement 6WINDGate’s exception strategy and transparently integrate 6WINDGate’s Fast Path with the Linux Networking Stack.
With 6WINDGate, all packets are received and transmitted by the Fast Path through DPDK. The 6WINDGate Fast Path modules (IP forwarding, IPsec, NAT, VLAN, GRE, MPLS, OVS…) process packets efficiently according to local information stored in a Shared Memory.
When local information is missing to process a packet (ARP, IPsec SA…) in the Fast Path, when a packet type is not supported by the Fast Path, or when a packet is destined to the local Control Plane, it is diverted to the Linux Networking Stack. These packets are known as exception packets and this mechanism is called the exception strategy.
Two kinds of exceptions are defined according to the process to be applied on the packet:
- The first type of exception is called “Basic Exception”. For this type of exception, the Fast Path can provide the original incoming packet to the Linux Networking Path, where it is processed as incoming on a standard network interface. For example, a Basic Exception is raised when the route lookup fails during simple IP forwarding.
- The second type of exception is called “Special Exception”. This type of exception is raised when the original packet cannot be restored and sent by the Fast Path to the Linux Networking Stack. The exception packet needs to be injected in a specific location in the Linux Networking Stack packet processing path.
The processing of Special Exceptions can rely on an eBPF program. The role of this program is to drive the packets to the right hook inside the Linux Networking Stack for further processing aligned with the work already done by the Fast Path. For example, if a GRE packet is processed by the Fast Path and the inner packet is intended for local delivery to a routing daemon, the inner packet is sent to the Linux GRE interface thanks to the eBPF redirect function. This way, the inner packet is received on the Linux GRE interface as expected by the routing daemon.
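A userland C model of the exception handling described above, added here as an illustration and not 6WIND's code: the `exc_hdr` metadata layout, the verdict names and the sample interface indexes are assumptions, and the redirect verdict stands in for the eBPF redirect function. It also shows the bounds check before any packet read that the kernel verifier demands of a real eBPF program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_DROP, V_PASS, V_REDIRECT };   /* modelled on TC actions */
enum exc_type { EXC_BASIC = 0, EXC_SPECIAL = 1 };

/* Hypothetical metadata prepended by the Fast Path (assumed layout). */
struct exc_hdr {
    uint8_t  type;         /* EXC_BASIC or EXC_SPECIAL */
    uint8_t  pad[3];
    uint32_t target_if;    /* Linux ifindex to inject into (special only) */
};
struct result { enum verdict verdict; uint32_t ifindex; };

/* Packet memory is read only after a bounds check against data_end, the
 * pattern the kernel verifier requires of an eBPF program. */
struct result handle_exception(const uint8_t *data, const uint8_t *data_end,
                               uint32_t rx_if)
{
    struct result r = { V_DROP, 0 };
    struct exc_hdr h;
    if (data > data_end || (size_t)(data_end - data) < sizeof(h))
        return r;                          /* truncated metadata: drop */
    memcpy(&h, data, sizeof(h));
    if (h.type == EXC_BASIC) {             /* original packet was restored */
        r.verdict = V_PASS;                /* normal RX on the same netdev */
        r.ifindex = rx_if;
    } else if (h.type == EXC_SPECIAL && h.target_if != 0) {
        r.verdict = V_REDIRECT;            /* stands in for the eBPF redirect */
        r.ifindex = h.target_if;           /* e.g. the Linux GRE interface */
    }                                      /* anything else fails closed */
    return r;
}

/* Constructed sample: builds a packet, exposes `len` bytes of it to the
 * handler, and reports it as received on ifindex 2 (assumed value). */
struct result classify_sample(uint8_t type, uint32_t target_if, size_t len)
{
    uint8_t pkt[64] = { 0 };
    struct exc_hdr h = { type, { 0 }, target_if };
    memcpy(pkt, &h, sizeof(h));
    return handle_exception(pkt, pkt + (len > sizeof(pkt) ? sizeof(pkt) : len), 2);
}

int main(void)
{
    struct result r = classify_sample(EXC_SPECIAL, 7, 64);
    return printf("verdict=%d ifindex=%u\n", (int)r.verdict, (unsigned)r.ifindex) < 0;
}
```

Unknown exception types, a zero target interface and truncated metadata all end in a drop, so a malformed exception packet never reaches an arbitrary injection point.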
6WIND’s Integrated Fast Path Accelerates Linux: No Kernel Patching! No Kernel Modules!
Combined with the synchronization mechanism that will be described in the second blog of this series, implementing 6WINDGate’s exception strategy has very valuable benefits.
eBPF is a fully-standardized framework that is very well-suited to integrate either software or hardware network accelerators. Developing an eBPF program for network acceleration does not require patching the Linux kernel or using specific kernel modules that need to be recompiled. Integration, software support and maintenance are greatly simplified as the interactions between the Linux kernel and the accelerated Fast Path go through the standardized eBPF framework.
The integration of 6WINDGate’s accelerated Fast Path through eBPF makes the support of containers easier. We will describe in the third blog of this series how 6WINDGate now extends bare metal and virtual machine support to containers.
Beyond eBPF, 6WINDGate 5.0 leverages interesting features provided by the most recent Linux kernels such as XFRM for implementing IPsec, or nftables for filtering.
Integrating the Fast Path with Linux brings performance that a Linux Networking Stack cannot achieve on its own while keeping Linux flexibility and ubiquity. All existing Linux-based applications, control planes and management planes can be reused easily. As networks are becoming more and more complex, network equipment and appliances need to be integrated with a large number of platforms (OpenStack, Kubernetes…), orchestrators and management tools. In the fourth blog post of this series, we will describe how the 6WINDGate management architecture based on NETCONF / YANG benefits from an integrated Fast Path synchronized with Linux.
Stay tuned for the next 6WINDGate 5.0 blog in this series.
Eric Carmès is 6WIND’s Founder and CEO.