KR20110103889A - Apparatus and method for virtualizing of network device - Google Patents

Abstract

The virtualization apparatus of the network equipment virtualizes the network equipment to provide at least one virtualized network equipment, and schedules the virtualized network equipment to execute the corresponding program. At this time, the virtualization apparatus performs context switching on a time basis of context switching according to the scheduling and switches to another program.

Description

APAPATUS AND METHOD FOR VIRTUALIZING OF NETWORK DEVICE}

The present invention relates to an apparatus and method for virtualizing network equipment, and more particularly, to a method for supporting network virtualization by virtualizing network equipment that performs high-speed packet processing.

Network virtualization is a technology that supports multiple virtual networks by virtualizing each element of the network. Network virtualization requires virtualization of network equipment, which constitutes a network.

Virtualization of network equipment is a technology that supports multiple virtual routers by virtualizing a device that processes packets at high speed such as a router. A virtual network may be composed of a set of virtual routers connected to each other.

The virtualization of network equipment can be divided into hardware-based virtualization technology and software-based router virtualization technology.

The hardware based virtual router is typically an OpenFlow Switch based router. Openflow-based routers consist of an openflow switch that forwards packets based on a flow table, and a controller that controls the flow table. The flow table may be changed by the controller, and traffic of the virtual networks may be physically separated according to a path determined by the flow table to operate the virtual networks.

Hardware-based virtual routers, such as open flow, can handle traffic quickly with the help of dedicated forwarding hardware, so there is little performance degradation compared to conventional routers. However, since all necessary functions must be implemented in hardware, it is inflexible and, in terms of the function of virtual router, supports new network structure or protocol that may be different for each network, and new packet header is added. In other words, it is difficult to apply various network policies and quickly cope with user demands.

Software-based virtual routers, on the other hand, provide virtualization of router software through virtualization software at higher hardware levels. Virtualization software is software that creates and manages a number of virtual machines, each of which can act as a complete machine. Software-based virtual routers have the advantage of being able to programmatically support many functional requirements that were difficult to support in hardware-based virtual routers, but the packet processing performance is limited due to the overhead of virtualization software and virtual machines. In addition, currently supported virtualization software has insufficient support for monitoring and dynamic control and allocation of physical resources, and has limitations in dynamically allocating and controlling physical resources to each virtual network.

On the other hand, there is a type of device that properly combines the advantages of hardware-based routers and soft-based routers, such as NP (Network processor) such as Octeon.

In the case of NP such as Octeon, the router program can be run directly on the CPU without O / S to run the program at high speed, and parallel processing using multiple cores can be processed at high speed. Octeon II also offers technology to virtualize Octeon NP through the EM visor.

However, with the EM visor, you can dynamically load / run a program of your choice on multiple cores.However, since the user program does not support cross-platform independence at the binary level, it is not easy to run the user program on other types of NPs. However, there is a disadvantage that complete isolation between programs is impossible, so that an error or abnormal operation of one program may affect other programs.

The technical problem to be solved by the present invention is to provide a virtualization apparatus and method for network equipment that can support high-speed packet processing in a virtualized state, ensure isolation between different user programs and support platform independence for user programs. To provide.

The virtualization apparatus according to an embodiment of the present invention includes network equipment and a network virtualization management module. The network virtualization management module virtualizes the network equipment to provide at least one virtualized network equipment, and encapsulates and transmits the packet when the non-virtualized network equipment is between the virtualized network equipment and a packet destination. do.

According to another embodiment of the present invention, a method for virtualizing network equipment in a virtualization apparatus is provided. The virtualization method may further include: virtualizing the network equipment to provide at least one virtualized network equipment, scheduling the at least one virtualized network equipment, and programming the at least one virtualized network equipment according to the scheduling. Executing and performing context switching on a predetermined time basis.

According to an embodiment of the present invention, the context switching cost can be reduced by using the characteristics of the network equipment mainly for packet processing, and a virtual network between the network devices in a remote location can be configured.

In addition, according to an embodiment of the present invention, by virtualizing the network equipment using a platform-independent high-level machine language, the process of dividing the memory area for each user program and copying the packet data to the area can be omitted, thereby improving packet processing efficiency. Can be. In addition, when a plurality of user programs are shared by dividing one core, the hardware for memory protection may not be used, thereby reducing information required for context switching. In addition, when the same high-level machine language is processed in the virtualized network equipment, the user program can be run on various platforms, and since the user program is distributed in a compiled state, key information such as source code of the user program can be protected. In addition, since the user program can be run on a network device that is directly accessible to the user, such as a personal computer, it is easy to develop and test and can also be run on a terminal network device such as a user computer. You can create a packet of type and send it.

1 is a diagram schematically illustrating a virtualization structure of network equipment according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating the hypervisor illustrated in FIG. 1. 3 is a diagram illustrating an example of a virtualized processor operation according to an embodiment of the present invention.
4 is a diagram illustrating a packet processing model of octeon.
5 and 6 are diagrams illustrating an example of a memory virtualization method according to an embodiment of the present invention.
7 is a diagram illustrating an example of a virtual network configuration method according to an embodiment of the present invention.
8 is a schematic diagram of a virtualization apparatus of network equipment according to another embodiment of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

Throughout the specification and claims, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise.

A virtual device and method for network equipment according to an embodiment of the present invention will now be described in detail with reference to the accompanying drawings.

1 is a diagram schematically illustrating a virtualization structure of network equipment according to an embodiment of the present invention.

Referring to FIG. 1, a virtual device of a network device includes a network device 100 and a hypervisor 200 that is a network virtualization management module.

The hypervisor 200 creates and manages a plurality of virtual machines VM0 to VMn by virtualizing the network device 100 on the upper part of the network device 100, and hypervisor managers on the virtual machines VM0 to VMn. HM) and a plurality of user programs can be mounted to drive the hypervisor manager HM and a plurality of user programs UP1 to UPn on the virtual machines VM0 to VMn. These user programs UP1 to UPn perform the functions of the network equipment 100. For example, when the network device 100 is a device that performs packet processing, at least one of the user programs UP1 to UPn has a function of generating and processing a packet.

The network equipment 100 may include a processor 110, a memory 120, and a network interface 130. The processor 110 may be implemented as a central processing unit (CPU) or other chipset, microprocessor, or the like, and the memory 120 may include dynamic random access memory (DRAM) and rambus DRAM (rambus DRAM). DRAM, RDRAM), synchronous DRAM (synchronous DRAM, SDRAM), static RAM (RAM, etc.) may be implemented as a medium such as RAM. The network interface 130 allows the processor 110 and / or the memory 120 to access the network.

The hypervisor 200 schedules the virtual machines VM0 to VMn so that the virtual machines VM0 to VMn share one CPU core, and the user programs UP1 to UPn each access only the allocated memory areas. It manages the memory 120 and processes the packets inputted and outputted through the virtual network interface through the physical network interface.

The virtual machines VM0 to VMn are network devices virtualized by the hypervisor 200, and may include virtual processors, virtual memories, virtual network interfaces, and the like. Virtual machines (VM0 ~ VMn) cannot access resources other than the resources allocated to them. This is because the hypervisor 200 supports isolation of resources.

The hypervisor manager HM is a management program that runs on the virtual machine VM0 and provides an interface for controlling the hypervisor 200. When the monitor and the keyboard is attached, the hypervisor 200 may be controlled through the keyboard input and the monitor output, and the packet communication when the keyboard / monitor is not attached.

The user programs UP1 to UPn are programs running on the virtual machines VM1 to VMn, respectively, and provide platform independence. For example, if a virtualized network device supports the same kind of high-level machine language, users can run it on multiple platforms with just one compilation, without having to recompile the user program. In addition, the user programs UP1 to UPn may access virtual resources allocated to the virtual machines VM0 to VMn through an application programming interface (API) provided by the hypervisor 200.

FIG. 2 is a diagram illustrating the hypervisor illustrated in FIG. 1.

Referring to FIG. 2, the hypervisor 200 includes a virtualization unit 210 and a control unit 220.

The virtualization unit 210 provides a virtualized network device by generating virtual machines VM0 to VMn by virtualizing the processor 110, the memory 120, and the network interface 130 of the network device 100.

The controller 220 controls the virtualization unit 210 and controls the connection between the virtualized network equipment or the non-virtualized network equipment to configure the virtual network.

 The virtualization unit 210 performs virtualization by providing virtually isolated virtual hardware to the virtual machines VM0 to VMn directly on the network device 100 that is hardware. Therefore, the virtual machines VM0 to VMn can provide their own services in a completely separated virtualization environment without affecting each other.

It also provides a completely separate virtualization environment, allowing different user programs to be used on virtual machines and providing different policies or different network protocols.

3 is a diagram illustrating an example of a virtualized processor operation according to an embodiment of the present invention.

Referring to FIG. 3, the virtualization unit 210 performs process scheduling for the user programs UP1 to UPn of the virtual machines VM0 to VMn. The processors of the virtual machines (VM0 to VMn) can execute one process, save the state of the running process, and instantly switch to another process for execution.

When the plurality of user programs UP1 to UPn are driven by sharing one processor, the virtualization unit 210 converts the user programs UP1 to UPn into a predetermined time unit M, and the user programs UP1 to UPn. ), Context switching is performed. At the moment when a processor of the virtual machines VM0 to VMn switches a process, storing the state information of the running process and restoring the state information of the process to be switched is called context switching. In this case, as the amount of state information to be stored decreases, the cost of context switching decreases in proportion to it.

For example, when the user program UP1 ends packet processing in the time unit M, context switching can be performed at low cost, and the user program UP2 does not end packet processing in the time unit M. If not, expensive context switching can be performed.

In the case of network equipment mainly for packet processing, a transaction unit is often a packet unit. For example, in the case of UDP packet processing, the network equipment modifies and transmits the packet every time the UDP packet comes in, and there is no need to store state information after the packet processing. On the other hand, in the case of TCP packets, there is state information to be maintained even after processing one packet, but the same is true of state information to be stored after packet processing rather than state information to be stored during packet processing. That is, in the case of network equipment, there is a point where context switching can be performed at a low cost on a packet basis. Accordingly, the virtualization unit 210 may set a time unit for context switching using a packet unit to perform a low cost context switching.

4 is a diagram illustrating a packet processing model of octeon.

Referring to FIG. 4, the Octeon network processor manages packet queues Q0 to Qn in memory for high speed packet processing. Since the method of copying packet data from the network interface for each input / output of the packet data is inefficient, the network interface stores the packet data directly in the processor, ie, the kernel space accessible from the CPU. I / O time is reduced.

In such an Octeon network processor, only one user program is run on one CPU, so the user program can access the entire area of the memory and access the packet data stored in the Octeon network processor.

Unlike the Octeon network processor, as shown in FIG. 1, there is a need for a method of protecting a packet for each user program when a plurality of user programs are driven by one CPU.

5 and 6 are diagrams illustrating an example of a memory virtualization method according to an embodiment of the present invention.

5 is a method used in a general operating system, the virtualization unit 210 generates a virtual memory by virtualizing the memory 120. The virtualization unit 210 may divide the virtual memory area into a memory area (Kernel space) where packet data is stored and an area (User space) used by the user programs UP1 and UP2. In addition, the user space may be divided into an area of the user program UP1 and an area of the user program UP2. In this case, copying of packet data is essential in the user space. Copying 1500 octets of packet data consumes 9.26us on an Octeon 5860 network processor operating at 750MHz, and one memory copy reduces packet processing efficiency because 4.3us is consumed when simple forwarding the same packet data. Reduce by 315%.

In particular, if the user programs UP1 and UP2 are written in a language such as C or assembler, it is essential to protect the area by user programs UP1 and UP2 because the user can access various areas of the hardware using a pointer. . However, if the user programs UP1 and UP2 are written in a language that does not use pointers such as Java and C #, the user programs UP1 and UP2 can access only the allocated memory. Therefore, as shown in FIG. 6, since the user programs UP1 and UP2 written in a language that does not use a pointer do not have a pointer, it is not possible to access a memory outside the allocated area, and thus the virtualization unit 210 may not be used. There is no need to protect the memory area.

A feature of languages that do not use pointers is that they provide high-level machine language. This high-level machine language, also called bytecode and intermediate code, is usually platform-independent, so user programs (UP1-UPm) are platform-independent at the binary level.

As described above, since the user programs UP1 to UPm are platform independent, the user program can be driven on a PC if the same type of high-level machine language is supported by a personal computer (PC) which is one of the terminal network equipment. Therefore, the user can compile the user program using the development tool, load it into the hypervisor running on the PC, and execute it. Unlike a network processor, a PC is difficult to process high-speed packets, so it is not easy to process a high-speed packet on a PC using a user program.However, after debugging and testing that a user program works properly on a PC, the compiled user program is not converted into a network. Can be loaded on the processor for high-speed packet processing.

A hypervisor running on a PC can also be used as a terminal network device. In the case of a PC, only standardized packets such as TCP / IP and UDP / IP can be transmitted by default, but when using a hypervisor according to an exemplary embodiment of the present invention, it is possible to easily transmit a packet of a desired type from a user's PC. Become.

The user can also distribute the user program to a hypervisor running on a network processor using a deployment tool. A user can configure a virtual network that performs packet processing at high speed by allowing a user program to run on a network processor. For example, when different users have placed user programs UP1 and UP2 in their respective network equipment, each user can configure a virtual network that shares physical network resources but is logically separated.

In general, in order to construct a virtual network, all network equipment constituting the network must be virtualized. For example, if network A and network B are connected, and network B is not virtualized in the network where network B and network C are connected, network A and network C cannot communicate. Do. A typical case is to generate and transmit a nonstandard packet in a virtual network. A network device and C network device are running a user program capable of processing non-standard packets, while the B network device cannot process non-standard packets, making it impossible to construct a virtual network between A, B, and C network devices.

7 is a diagram illustrating an example of a virtual network configuration method according to an embodiment of the present invention.

Referring to FIG. 7, if a user program is mounted on two adjacent virtualized network devices 10 and 20 and then a packet other than the standard is to be transmitted, Ethernet communication between the two virtual network devices 10 and 20 may be performed. It does nothing to send and receive packets at all. However, non-virtualized non-virtualized packets can be sent directly to non-standard packets if there is a network device 30 between them. In this case, the controller 220 uses a method of transmitting a non-standard packet in a standard packet by using a tunnel.

That is, the controller 220 of the virtualized network device 20 transmits the non-standard packet as it is, and transmits the non-standard packet as it is to the adjacent virtualized network device 10, and the network device 30 or the network device 30. In the case of communicating with the remote virtualized network device 40 in between, the user's non-standard packet is encapsulated in a standard packet such as IP (Internet Protocol) and transmitted.

On the other hand, the control unit 220 of the virtualized network equipment 20, when receiving the encapsulated packet decapsulation (delivery) and delivers only the non-standard packet portion in the standard packet to the user program. This enables communication between adjacent and remote programs without modification of the user program.

At least some of the functions of the hypervisor according to the embodiment of the present invention described above may be implemented in hardware or software coupled to the hardware. Hereinafter, an embodiment in which a hypervisor is coupled to a network device will be described in detail with reference to FIG. 8.

FIG. 8 is a schematic diagram of a virtualization apparatus of network equipment according to another embodiment of the present disclosure, which performs at least some of the functions of the virtualization unit 210 and the control unit 220 described with reference to FIGS. 2 to 7. Represents a system that can be used to The system may also be the network equipment 100 of FIG. 1.

Referring to FIG. 8, the virtualization apparatus includes a processor 810, a memory 820, a storage device 830, an input / output (I / O) interface 840, and a network interface 850.

The processor 810 may be implemented as a CPU or other chipset, a microprocessor, or the like, and the memory 820 may be implemented as a medium such as RAM such as DRAM, RDRAM, SDRAM, or SRAM. The storage device 830 may include a hard disk, a compact disk read only memory (CD-ROM), a CD rewritable (CD-RW), a digital video disk ROM (DVD-ROM), a DVD-RAM, and a DVD-RW disk. The optical disk may be implemented as a permanent or volatile storage device such as an optical disk such as a blu-ray disk, a flash memory, or various types of RAM. In addition, I / O interface 840 allows processor 810 and / or memory 820 to access storage 830, and network interface 850 provides processor 810 and / or memory 820. ) Can access the network.

In this case, the processor 810 loads a program command for implementing at least some functions of the functions of the virtualization unit 210 and the control unit 220 into the memory 820 to perform the operation described with reference to FIGS. 1 to 7. Can be controlled to be performed. The program command may be stored in the storage device 830 or may be stored in another system connected to a network.

An embodiment of the present invention is not implemented only through the above-described apparatus and / or method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded. Such an implementation can be easily implemented by those skilled in the art to which the present invention pertains based on the description of the above-described embodiments.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

Claims (10)

Network equipment, and
A network virtualization management module for providing at least one virtualized network device by virtualizing the network device, and encapsulating and transmitting the packet when a non-virtualized network device is between the virtualized network device and a destination of a packet.
Virtualization device comprising a. The method of claim 1,
The virtualized network device includes a user program written in a language that does not use a pointer and compiled in machine language. The method of claim 1,
The network virtualization management module performs context switching on a predetermined time unit, and sets the time unit on a packet basis. 4. The method according to any one of claims 1 to 3,
The network device includes a router for packet processing. In a method for virtualizing network equipment in a virtualization device,
Virtualizing the network equipment to provide at least one virtualized network equipment;
Scheduling the at least one virtualized network device,
Executing a program of the at least one virtualized network device in accordance with the scheduling, and
Virtualization method comprising the step of performing context switching in a set time unit. The method of claim 5,
The program performs packet processing,
The step of performing,
And setting the time unit in packet units. The method of claim 5,
Wherein said program is written in a language that does not use pointers and is compiled in machine language. The method of claim 5,
The program performs packet processing,
Encapsulating the processed packet and transmitting it
Virtualization method further comprising. The method of claim 8,
The transmitting step,
Encapsulating the packet when communicating with a non-virtualized network device. The method of claim 8,
Decapsulating the received packet and forwarding the received packet to the program when the encapsulated packet is received.
Virtualization method further comprising.

Images