The disclosed teachings relate to directing of packets in a network device to one of a plurality of processing queues, and more specifically to a network device operating in a receive-side scaling architecture.
Receive-Side Scaling (RSS) was introduced by Microsoft® in order to resolve the single-processor bottleneck. It allows the receive side network load from a network adapter to be shared across many processors, thereby enabling the scaling of the packet receive-processing. This is particularly beneficial with the more modern multi-core processor architectures, whether integrated or distributed. The features of RSS are described in a paper published by Microsoft® in November 2008, entitled “Receive-Side Scaling Enhancements in Windows™ Server 2008”, hereinafter referred to as the Specification, and included herein by reference. According to RSS the hardware unit is supposed to put each packet through a hash function, and the result determines, using a lookup table, which RX queue handles the packet. The hash function is fixed and fully described by Microsoft®, and it further includes a ‘secret key’. The secret key is a number chosen at random, i.e., different at each boot of the hardware. This makes the hash result unpredictable to an external entity. This secrecy is useful because, otherwise, if the hash is known to an external entity, that external entity could maliciously craft multiple different packets that are targeted to arrive at the same queue, thus flooding a single queue instead of the packets being spread over all available queues.
This RSS technique is good for end-machines, which only receive packets coming from the other side of the connection. However, when a network entity is considered, that receives both sides of a connection, e.g., a firewall, also referred to as a bump-in-the-network device, a problem arises as there is no guarantee under the RSS solution that packets that have the same tuple will be mapped to the same queue, regardless of the direction the packets came from.
This issue is further described in US patent application 20080077792, entitled “Bidirectional Receive Side Scaling” by Eric K. Mann. Mann solves the problem of mapping the tuples of both sides of a connection to the same RX queue by changing the hash function, and proposing two methods for creating a hash function that yields the same output both for (A1,A2) and for (A2,A1), for any pair of network addresses A1 and A2 that correspond, for example to N1 and Ni respectively. Mann refers to this as a commutative hash function. However, the commercially available network cards have been manufactured to meet the Microsoft® RSS specification, and most of them contain only the hash function specified by Microsoft®. While the RSS specification allows the offering of additional hash functions, in practice it is likely that existing commodity hardware supports only the Microsoft® hash function.
It would be advantageous to overcome the deficiencies of the prior art, and especially the asymmetric behavior of the RSS technique when operating a network device that is a bump-in-the-network device. It would be further advantageous if the solution avoids security breaches by not exposing the secret key. It would be further advantageous to allow the implementation on readily available hardware and further preferably without the need to change the hash functions embedded therein.
To realize some of the advantages described above, there is provided a method for symmetric receive-side scaling (RSS) in a network device having an ingress side RRS router and an egress side RSS router and a plurality of queues for handling packets. The method comprises identifying an internet protocol (IP) version being used for the network. The transport layer headers (TLHs) existence status is identified. A secret key by each of the egress side RSS router and the ingress side RSS router is identified. The key is based on the identification of the IP version and the TLHs existence status. The secret key ensures that packets sent from a source to a destination and packets sent from the destination to the source are routed by the egress side RSS router and the ingress side RSS router to a common queue among the plurality of queues. The secret key is stored at a storage in the network device. The secret key is used by the ingress side RSS router and the egress side RSS router for routing packets.
In a specific enhancement, the IP versions is IPv4 or IPv6.
More specifically, the TLHs existence status is one of existent and nonexistent.
More specifically, the secret key is generated based on a seed.
More specifically, the generation of the secret key further comprises choosing the seed to be a random 32-bit number and repeating it four times thereby creating a 128-bit secret key for a case of IPv4 and nonexistent status of the TLHs. For a case of IPv4 and existent status of the TLHs choosing the seed to be a random 16-bit number and repeating it eight times thereby creating a 128-bit secret key. For a case of IPv6 and nonexistent status of the TLHs by choosing the seed to be a random 32-bit number and repeating it ten times thereby creating a 320-bit secret key. For a case of IPv6 and existent status of the TLHs choosing the seed to be a random 16-bit number and repeating it twenty times thereby creating a 320-bit secret key.
More specifically, the method further comprises initializing the network device periodically by generation of a new seed.
More specifically, the TLHs correspond to at least one of: transport control protocol (TCP), User Datagram Protocol (UDP).
Another aspect of the disclosed teachings is an apparatus operative as a symmetric receive-side scaling (RSS) network device, the apparatus comprises a plurality of queues for handling network packets. An ingress RSS router is connected to the plurality of queues, the ingress RSS router routing packets to a queue from the plurality of queues using a secret key. An egress RSS router is connected to the plurality of queues, the egress RSS router routing packets to a queue from the plurality of queues using the secret key. A generator generates the secret key based on identification of an internet protocol (IP) version and existence status of transport layer headers (TLHs). The secret key ensures that packets sent from a source to a destination and packets sent from the destination to the source are routed by the egress side RSS router and the ingress side RSS router to a common queue from the plurality of queues.
Another aspect of the disclosed teachings is a computer software product embodied in a tangible and non-transitory medium readable by a computing device that contains a series of instructions that when executed by the computing device executes a method for symmetric receive-side scaling (RSS) in a network device having an ingress side RRS router and an egress side RSS router and a plurality of queues for handling packets. The instructions are required to implement the above techniques on the computing device.
The above discussed advantages of the disclosed teachings will become more apparent by describing in detail some exemplary implementations thereof with reference to the attached drawings in which:
FIG. 1—is a system with a network device handling packets received from nodes on two sides of the network in accordance with the prior art
FIG. 2—is a system with a network device handling packets received from nodes on two sides of the network in accordance with the principles of the invention
FIG. 3—is a flowchart describing the generation of a secret key in accordance with the principles of the invention
A solution that resolves the issues of receive-side scaling (RSS) is provided. The network device that receives packets from both sides of a network directs the packets for processing in one of a plurality of queues for processing such that packets having the same tuple are assured to be directed to the same queue regardless of their direction flow. This is done by creating a symmetric RSS architecture.
According to the invention a creation of a proper secret key that yields a symmetrical RSS generated from the Microsoft hash function is possible. The creation depends on the specific mode used by the hash function and is described in the Specification. One parameter is the version of the internet protocol (IP) which can be version 4 or 6, and generally referred to as IPv4 and IPv6 respectively. The other parameter is the existence or lack thereof of Transport Layer Headers (TLHs) of, for example, a Transmission Control Protocol (TCP) or a User Datagram Protocol (UDP). hence, there are four different possible cases for which an appropriate secret key is to be created. For IPv4 without TLHs a choice of a random 32-bit number is made, which is then repeated four times to create a 128-bit secret key. For IPv4 with TLHs a choice of a random 16-bit number is made, which is then repeated eight times to create a 128-bit secret key. For IPv6 without TLHs a choice of a random 32-bit number is made, which is then repeated ten times to create a 320-bit secret key. For IPv6 with TLHs a choice of a random 16-bit number is made, which is then repeated twenty times to create a 320-bit secret key. While the secret key is shorter than the regular key that would be otherwise generated it is still advantageous over the prior art because of the assurance the proper routing of packets as discussed above. In order to overcome malicious attempts to block the queues the network device 220 may periodically regenerate a random number and then the secret key for the network device 220 thereby significantly reducing the risk.
The principles of the invention are implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or non-transitory computer readable medium or a non-transitory machine-readable storage medium that can be in a form of a digital circuit, an analogy circuit, a magnetic medium, or combination thereof. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
Number | Name | Date | Kind |
---|---|---|---|
6609224 | Jonsson | Aug 2003 | B1 |
7194766 | Noehring et al. | Mar 2007 | B2 |
7548513 | Tran | Jun 2009 | B2 |
7715428 | Basso et al. | May 2010 | B2 |
7765405 | Pinkerton et al. | Jul 2010 | B2 |
7826614 | Kaniz et al. | Nov 2010 | B1 |
7836195 | Veal et al. | Nov 2010 | B2 |
8102880 | Charpentier et al. | Jan 2012 | B2 |
8160089 | Padiyar et al. | Apr 2012 | B1 |
20040141524 | Lee et al. | Jul 2004 | A1 |
20040246964 | Grimminger et al. | Dec 2004 | A1 |
20050198509 | Kaniyar et al. | Sep 2005 | A1 |
20050213603 | Karighattam et al. | Sep 2005 | A1 |
20050238009 | Bell | Oct 2005 | A1 |
20060004782 | Eldar | Jan 2006 | A1 |
20070153770 | Goyal et al. | Jul 2007 | A1 |
20080077792 | Mann | Mar 2008 | A1 |
20100083259 | Veal et al. | Apr 2010 | A1 |
20110019756 | Chun et al. | Jan 2011 | A1 |
20110153861 | Chauhan | Jun 2011 | A1 |
20110154488 | Rajan et al. | Jun 2011 | A1 |
20110162062 | Kumar et al. | Jun 2011 | A1 |
20120033680 | Gopinath et al. | Feb 2012 | A1 |
20120036244 | Ramachandra et al. | Feb 2012 | A1 |
20120087309 | Charpentier et al. | Apr 2012 | A1 |
20120136999 | Roitshtein et al. | May 2012 | A1 |
Entry |
---|
Woo et al., “Scalable TCP Session Monitoring with Symmetric Receive-side Scaling”, 2012. |
Microsoft Corporation, “Receive-Side Scaling Enhancements in Windows Server 2008”, Nov. 2008. |
Stallings, “IPv6: The New Internet Protocol”, 1996. |
Metzger et al., “IP Authentication using Keyed MD5”, 1995. |
Postel, “DARPA Internet Program Protocol Specification”, RFC 791, 1991. |
Conta et al., “Internet Control Message Protocol (ICMPv-6) for the Internet Protocol Version 6 (IPv6) Specification”, RFC 1885, 1995. |
Nichols et al., “Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers”, RFC 2474, 1998. |
Kent et al., “Security Architecture for the Internet Protocol”, RFC 2401, 1998. |
Deering et al., “Internet Protocol, Version 6 (IPv6) Specification”, RFC 1883, 1995. |
Kent et al., “IP Authentication Header”, RFC 2402, 1998. |
Microsoft Corporation, “Receive-Side Scaling Enhancements in Windows Server 2008”, 2008. |
Number | Date | Country | |
---|---|---|---|
20120215932 A1 | Aug 2012 | US |