Okay, thus far what we've done is we've talked about network functions, the middleboxes that were catering to these network functions, and why they cause a management nightmare from the point of view of network administration. And that gave us an opportunity to think about network services implemented as software entities. These network functions as software entities can run on bare metal, for instance Linux boxes that do the work for you; that may be one way to do it. But we can also think about virtualizing the hosting of these software entities. So the next thing we'll talk about is how virtualization technology can be used for hosting network services as software entities. We can ask the question: why do we need virtualization for the network functions? Why not just run them on bare metal? Well, the obvious advantage is that if you use a virtual machine for hosting a network function instead of a bare-metal server, you get better portability, because the entire environment of a particular network function, with all of its dependencies, is contained within a single VM image. That's the advantage you get: portability for a network function. And network management becomes easier, because you can take these network functions, encapsulated within a VM image, and run them on any server, provided it is a virtualized server. In addition, each network function instance is shielded from software faults in the other network functions (and, to the extent the hypervisor isolates them, from a compromise of a neighbouring function), so network outages become fewer when you incorporate virtualization technology into the implementation of network functions. Since virtualizing network functions is a good idea, the next thing we want to talk about is how we virtualize these network functions. As part of this entire course, we've looked at virtualization technology.
In particular, we've talked about full virtualization and paravirtualization early on, when we talked about the system services for cloud computing, and we've talked about the pros and cons of each of these approaches. Full virtualization is attractive since the virtual machine on top of the hypervisor can run unmodified, meaning that you don't have to do anything to the guest to run it on top of the hypervisor. Full virtualization uses a technique called trap-and-emulate in order to provide the services that are needed by the virtual machine, because those services may be privileged operations, and privileged operations are not something that a virtual machine running in a deprivileged mode can do directly. That's the reason you have this trap-and-emulate idea. Unfortunately, for network functions that are in the critical path of packet processing, trap-and-emulate is really bad news. Let me elaborate on how trap-and-emulate works, so that it refreshes your memory in case you've forgotten. Basically what is going on is that an application in the guest VM performs an I/O operation in the form of a system call. The system call traps into the guest kernel, which is context switched in and tries to service it, and servicing it means executing a privileged instruction to read or write an I/O device. That's not something the guest kernel is actually allowed to do: from the host's perspective the whole guest VM, kernel included, is a user-space program, and the guest kernel doesn't know this because it is an unmodified binary. So the execution of a privileged instruction by the guest kernel results in a trap into the hypervisor.
And so from the virtual machine you slip into the virtual machine monitor, or hypervisor, which emulates the function that is needed by the guest operating system. The trap is caught by the hypervisor, it does the appropriate I/O operation on behalf of the guest virtual machine, and once that operation is complete it informs the guest VM. So the actual device manipulation can only be done by the hypervisor. The virtual machine, even though it is running an unmodified binary, has a device driver for the virtual device that the hypervisor presents to it, which looks just like a driver for a real device; but that driver cannot operate on the device directly, so the access goes through the actual physical device driver for this particular device, which sits with the virtual machine monitor. That's how trap-and-emulate works in order to deliver the functionality that is needed in the virtual machine. So I've given you how trap-and-emulate works, and in particular how I/O is performed when you're doing trap-and-emulate, and this is a generic description regardless of what device you're trying to access. Now let's talk about network functions in particular, and the downsides of trap-and-emulate for implementing a network function. The host kernel, for example Dom-0 in Xen, is what serves as the host kernel, and it has to be context switched in by the hypervisor to activate the network device driver and access the hardware NIC. The hardware NIC is down at the bottom, and there's a device driver in Dom-0 that has to access this NIC. So basically what you're doing is duplicating work: the virtual device driver that is part of the guest operating system does it once, and the actual device driver that is part of the host operating system, Dom-0 in the case of Xen, does it again.
And so a network function that is being used for some particular service, let's say a load balancer or a VPN, incurs the above overheads for each packet that is sent to the NIC, and each packet that is received from the NIC incurs this overhead as well. We know that this network function is in the critical path of network processing, and therefore such overheads are untenable for implementing network functions. It has to be done really well.
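A practical first check before tuning any virtualized network function is to find out which of these I/O paths the VM's NIC actually takes. The guest-side driver name gives it away: a guest bound to a driver for a classic emulated NIC (QEMU/KVM's e1000 or rtl8139 models, for example) is on the trap-and-emulate path described above, while a paravirtual frontend (virtio_net, Xen's netfront, vmxnet3, hv_netvsc) or a passed-through VF is not. The script below is an added example, not part of the lecture or of any project's code; the driver-name table is a heuristic of mine (the `vif` name is what older kernels register for Xen netfront, `xen_netfront` what newer ones register, and `mlx4_core`/`mlx5_core` also match the physical function on bare metal), and the sysfs layout it walks is the standard Linux `/sys/class/net/<dev>/device/driver` symlink.

```shell
#!/bin/sh
# Report, for each NIC in this (guest) Linux system, which virtual I/O path
# its kernel driver implies.  Added example; the name table is a heuristic.

# classify_nic_driver DRIVER_NAME -> emulated | paravirtual | direct | unknown
#   emulated    : guest driver talks to a device model in the hypervisor;
#                 every register access is a trap (trap-and-emulate path)
#   paravirtual : guest driver talks to the hypervisor through a shared-memory
#                 ring (virtio, Xen netfront, vmxnet3, Hyper-V netvsc)
#   direct      : guest driver talks to real hardware (SR-IOV VF or PCI
#                 passthrough); also matches the PF driver on bare metal
classify_nic_driver() {
    case "$1" in
        e1000|e1000e|rtl8139|8139cp|8139too|ne2k_pci|pcnet32)
            echo emulated ;;
        virtio_net|xen_netfront|vif|vmxnet3|hv_netvsc)
            echo paravirtual ;;
        ixgbevf|igbvf|iavf|i40evf|mlx4_core|mlx5_core)
            echo direct ;;
        *)
            echo unknown ;;
    esac
}

# driver_of NETDEV_SYSFS_DIR -> bound driver name, or "none" for devices that
# have no backing device (lo, bridges, veth, tunnels)
driver_of() {
    if [ -e "$1/device/driver" ]; then
        basename "$(readlink -f "$1/device/driver")"
    else
        echo none
    fi
}

# report_nics: one line per interface: name, driver, inferred I/O path.
report_nics() {
    for dev in /sys/class/net/*; do
        [ -d "$dev" ] || continue          # no /sys at all: nothing to report
        drv=$(driver_of "$dev")
        [ "$drv" = none ] && continue       # skip virtual-only interfaces
        printf '%-12s %-14s %s\n' "$(basename "$dev")" "$drv" "$(classify_nic_driver "$drv")"
    done
}

report_nics
```

Run it inside the VM that hosts the network function. An `emulated` result means every packet is paying the guest-driver-plus-host-driver round trip from the lecture, and it also means a device model in the hypervisor is being exercised by every packet the function handles, which is worth knowing from an attack-surface point of view as well as a performance one.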