Ally: OS-Transparent Packet Inspection using Sequestered Cores
Huang, Jen-Cheng; Monchiero, Matteo; Turner, Yoshio; Lee, Hsien-Hsin S.
Keyword(s): multicore; packet inspection; isolation; computer architecture; multicore partitioning
Abstract: This paper presents Ally, a server platform architecture that supports compute-intensive management services on multicore processors. Ally introduces simple hardware mechanisms to sequester cores to run a separate software environment dedicated to management tasks, including packet processing software appliances (e.g., for Deep Packet Inspection, DPI) with efficient mechanisms to safely and transparently intercept network packets. Ally enables distributed deployment of compute-intensive management services throughout a datacenter. Importantly, it uniquely allows these services to be deployed independently of the arbitrary OSs and/or hypervisor that users may choose to run on the remaining cores, with hardware isolation preventing the host environment from tampering with the management environment. Experiments using full system emulation and a Linux-based prototype validate Ally functionality and demonstrate low-overhead packet interception; e.g., using Ally to host the well-known Snort packet inspection software incurs less overhead than deploying Snort as a Xen virtual machine appliance, resulting in up to 2x improvement in throughput for some workloads.
External Posting Date: August 21, 2011 [Fulltext]. Approved for External Publication
Internal Posting Date: August 21, 2011 [Fulltext]