Oko: Extending Open vSwitch with Stateful Filters, with Paul Chaignon from Orange Labs and Inria Nancy

08.17.2018 - By Ben Pfaff Play

Paul Chaignon is a grad student at Orange and Inria. In this episode,

Paul talks about Oko: Extending Open

vSwitch with Stateful Filters, a paper written with co-authors Kahina

Lazri, Jérôme François, Thibault Delmas, and Olivier Festor. Paul

presented this research at SOSR '18 in March

2018. The paper has the following abstract:

With the Software-Defined Networking paradigm, software switches

emerged as the new edge of datacenter networks. The widely adopted Open

vSwitch implements the OpenFlow forwarding model; its simple

match-action abstraction eases network management, while providing

enough flexibility to define complex forwarding pipelines. OpenFlow,

however, cannot express the many packets processing algorithms required

for traffic measurement, network security, or congestion diagnosis, as

it lacks a persistent state and basic arithmetic and logic operations.

This paper presents Oko, an extension of Open vSwitch that enables

runtime integration of stateful filtering and monitoring

functionalities based on Berkeley Packet Filter (BPF) programs into the

OpenFlow pipeline. BPF programs attached to OpenFlow rules act as

intelligent filters over packets, while leaving the packets

unmodified. This approach enables the transparent extension of Open

vSwitch's flow caching architecture, retaining its high-performance

benefits. Furthermore, the use of BPF allows for safe runtime extension

and prevention of switch failures due to faulty programs.

We compare our implementation based on Open vSwitch-DPDK to existing

approaches with comparable isolation properties and measure a near 2x

improvement of performance.

You can contact Paul on Twitter as @pchaigno.

OVS Orbit is produced by Ben Pfaff. The

intro music in this episode is Drive,

music is Yeah Ant

music is Space

content is licensed under a Creative Commons Attribution 3.0

Unported (CC BY 3.0) license.