![Overview of DPDK Membership Library
Set
Summary
Is X in set?
No
Is X in set?
Very
probable yes
Get X
Summary of items in Probabilistic data structure
• Handle membership test questions
• Much smaller storage
• Much faster than huge set lookup
• [Multi-Set]: Returns X is not found or which set it
belongs to (with high probability)
Huge Set
[Millions of
Entries]
1- Too Much Storage
2- Slow Lookup
Bloom Filter
Vector Bloom
Filter
Hash Table Set
Summary
Cuckoo
Distributor
Membership Library](https://image.slidesharecdn.com/17-171118042114/85/LF_DPDK17_DPDK-Membership-Library-5-320.jpg)
LF_DPDK17_DPDK Membership Library
- 1. Membership Library in DPDK 17.11 Sameh Gobriel & Charlie Tai - Intel DPDK US Summit - San Jose - 2017
- 2. Contributors u Yipeng Wang [email protected] u Ren Wang [email protected] u John Mcnamara [email protected] u Pablo De Lara Guarch [email protected] u Antonio Fischetti [email protected]
- 3. Agenda u Membership Library in DPDK 17.11 u Membership Library Usages u API Overview u Research Proof of Concept: using Membership Library with OVS
- 4. Membership Test Usage (example) Blacklisted Flow 1 Blacklisted Flow 2 Blacklisted Flow 3 Blacklisted Flow N Clients Incoming Flows Legitimate Flows are Forwarded to Backend Server Build Set {..} Set of Blacklisted Flows to be Dropped Membership Test ? Check if Flow Belongs to Blacklisted Set SN S2 S1 Set Summary A Summary Instead Of Storing Original ListMembership Library is a DPDK Library to Provide Users the Functionality to Create Different Types of Set-Summaries
- 5. Overview of DPDK Membership Library Set Summary Is X in set? No Is X in set? Very probable yes Get X Summary of items in Probabilistic data structure • Handle membership test questions • Much smaller storage • Much faster than huge set lookup • [Multi-Set]: Returns X is not found or which set it belongs to (with high probability) Huge Set [Millions of Entries] 1- Too Much Storage 2- Slow Lookup Bloom Filter Vector Bloom Filter Hash Table Set Summary Cuckoo Distributor Membership Library
- 6. 6 Library Usages? 100’s of usages for Membership Library in Wide Range of Applications Safe Browsing TCP Connection Tracker Wildcard Classification Database Semi-join operations Distributed web caching P2P Overlay Networks = Object Indexing Detecting loops in unicast and multicast routes Set intersections and keyword searches Heavy Hitters Flows Detection Network Statistics and summaries Signature Matching and packet inspection
- 7. 7 Library Usages? 100’s too many to list Distributed Web Cache Set Summary Clients Distributed Web Cache Web Servers • Web proxies consult set summaries for each http request. • Element membership in the set-summary will determine response location. • For element hits, requests directed to a near cache and misses are forwarded to backend web servers. Routing Loop Detection and/or Network Statistics SET Packet SET Packet Encode ID • Node ID’s encoded in embedded set-summaries in the packet header • Instead of waiting for slow TTL, node checks membership in set- summaries. Misses indicate loop-free routing. • Idea can be generalized (for e.g. heavy hitters detection, ..etc.) to wide range of network stats.
- 8. 8 Library Usages? 100’s too many to list Safe Browsing and/or Signature Matching • URLs membership checked against suspicious set-summary and misses indicate safe. • Same idea is applied in many signature matching IDS and deep packet inspection. Set Summary Lookup xyz.com? xyz.com suspicious? NO Probably Yes TCP Connection Tracker • Flow keys membership tested and misses indicate new flows. • Hits are forwarded to worker thread for in-order processing. Set Summary Flow Key New Flow = New Assignment Old Flow = forward to specific thread
- 9. 9 Library Usages? 100’s too many to list ACL & Wild Card Flow Classification • Flow keys membership results are used to optimize search for wild card match Later Slides: Results of applying concept to OvS Set Summary Flow Key forward to specific sub-table Mask 1 Subtable Mask x Subtable New?
- 10. Membership Library API Set-Summary Create Set-Summary Element Insertion Set-Summary Element Lookup Set-Summary Element Delete Reference: http://dpdk.org/doc/api/rte__member_8h_source.html Function shown is just for high-level description & not in accurate Syntax rte_member_create(rte_member_parameters); Parameters: Type, num_of_keys, key_length, number_of_sets, max_fp_rate, ..etc. rte_member_add (*set_sum, *key, set_id); A single key or a bulk of key lookup, return the first match or up to max matches per key 1. rte_member_lookup(*setsum, *key,*set_id) 2. rte_member_lookup_bulk(*setsum,*keys, *set_ids) 3. rte_member_lookup_multi(*setsum,*key, max_match_per_key, ..) 4. rte_member_lookup_multi_bulk(*setsum,*keys,..); Insert a key into a set_summary data structure and the value is pointing to a specific set_id. rte_member_delete(*setsum,*key,set_id) Delete a single key from a given set. Not all modes (e.g. vBF) support delete in current implementation.
- 11. 11 POC: Open vSwitch Flow Lookup Mask N 1xxx xxxx 0xxx xxxx Flow Mask Mask L 01xx xxxx 10xx xxxx 1110 0000 110x xxxx 101x xxxx 111x xxxx 011x xxxx 1111 0000 1010 xxxx 0011 xxxx 1011 xxxx Rules Match Packet Header 1. Set of disjoint sub-table 2. Rule is only inserted into one sub-table (lookup terminates after first match) 3. Lookup is done by sequentially search each sub-table until a match is found
- 12. 12 OVS with Two Layer Lookup using Membership Library Mask N 1xxx xxxx 0xxx xxxx Flow Mask Mask L 01xx xxxx 10xx xxxx 1110 0000 110x xxxx 101x xxxx 111x xxxx 011x xxxx 1111 0000 1010 xxxx 0011 xxxx 1011 xxxx Rules Match Packet Header 1st Level of Indirection Set Summary Provided by Membership Library 2X-3X Throughput Improvement for OvS using DPDK Membership Library Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz Hyper-Threading: disabled 0 1 2 3 4 5 6 MaxForwardingRate(MPPS) 20 Sub-Tables – 10K Flows – Uniform Traffic Orig OvS-DPDK OvS-DPDK + ML Library 2.7X • Membership library used to create a 1st level set- summary indirection • Flow Keys are looked up in set-summaries: • Hits: directs to the correct sub-table for searching (correct 97%) • Misses: “New” flow default sequential search & upcall if needed
- 13. 13 Future Work • Applying Membership Library Optimization to other workloads. • Any Partners with huge list of Object ?? • Currently Working on ACL Library with high update rate based on tuple- search algorithm
- 14. Legal Disclaimers No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps. Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com. © 2017 Intel Corporation. Intel, the Intel logo, Intel. Experience What’s Inside, and the Intel. Experience What’s Inside logo are trademarks of Intel. Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.