MTPSA: Multi Tenant Portable Switch Architecture
A project led by Radostin Stoyanov
The introduction of programmable switches has changed the way we think about network devices. These are no longer the fixed-function devices we have grown used to for decades, but powerful packet processing beasts that can be used to run network services, caching, load balancing, and many other applications.
With programmable network devices being used in data centre networks, what would it mean to virtualize switches? Can we provide packet processing on a switch as a service?
This has been an enticing prospect for the networking community for a few years now.
Virtualizing a network device is not an easy feat. How do you allow multiple users to share a physical network device?
Ideally, a user running on a switch should be completely invisible to all other users. Users' resources should be isolated, and one user's program must not affect another user's program. Furthermore, there are significant security concerns when multiple users share the same network device.
MTPSA, a Multi-Tenant Portable Switch Architecture, is our first step toward virtualized programmable switches while providing:
- Resource isolation
- Performance isolation
The usage model envisioned by MTPSA mirrors that of virtualized computing services: every user sees only their own traffic, and none of the "management" aspects handled by the cloud provider. In networking terms, this means that traffic reaching the switch is encapsulated (as is usually the case). A cloud provider program decapsulates incoming packets and passes them to a user program. Users can only see "their" traffic. Packets leaving a user program are encapsulated again before being sent to the network, as shown in the figure below.
To realise this usage model we need to introduce new concepts to programmable switches: roles and permissions. Yes, like the roles and permissions that we know and love on CPUs - only that switches have so far had no notion of them.
We define two types of roles: a superuser (the equivalent of "root" or "admin") and users. The superuser is the network operator or cloud service provider. Users are everyone else. Some users can have custom roles defined by the superuser.
The second part is permissions: the mode of access granted to a resource. This may be as simple as read access to a table, or cover more network-y operations such as packet cloning and recirculation.
In practice, we enable multi-tenancy by extending PSA, P4's Portable Switch Architecture, creating MTPSA - the Multi-Tenant Portable Switch Architecture. MTPSA uses Superuser pipelines at the Ingress and at the Egress, and implements user programs (i.e. pipelines) at the Egress. Virtualized users can observe only packets destined to them, and have no access or visibility into other users' programs. The operations that users can perform are also limited (on purpose!), and they cannot affect the performance of other users' programs. A simplified drawing of the architecture is shown below.
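To make the usage model (decapsulate, run the user program, re-encapsulate) and the superuser/user split concrete, here is an added illustrative sketch written in plain P4_16 against the standard PSA architecture. It is not MTPSA's own code and does not use MTPSA's architecture or compiler extensions; instead it approximates roles and permissions with what stock PSA offers. It assumes an 802.1Q VLAN tag as the encapsulation with the VID as the tenant identifier, a single user program `UserA` mapped to tenant 10, and an egress permission table `drop_permission` populated by the superuser's control plane. All of those names and choices are assumptions for illustration only.

```p4
#include <core.p4>
#include <psa.p4>

// Superuser-owned outer headers. This sketch uses an 802.1Q tag as the
// encapsulation and its VID as the tenant id (an assumption for illustration).
header ethernet_t { bit<48> dstAddr; bit<48> srcAddr; bit<16> etherType; }
header vlan_t     { bit<3> pcp; bit<1> dei; bit<12> vid; bit<16> etherType; }
header ipv4_t {   // inner header: the only header a user program is handed
    bit<4> version; bit<4> ihl; bit<8> diffserv; bit<16> totalLen;
    bit<16> identification; bit<3> flags; bit<13> fragOffset; bit<8> ttl;
    bit<8> protocol; bit<16> hdrChecksum; bit<32> srcAddr; bit<32> dstAddr;
}
struct headers_t  { ethernet_t ethernet; vlan_t vlan; ipv4_t ipv4; }
// Superuser-owned metadata, carried ingress -> egress as PSA normal_meta.
struct metadata_t { bit<12> tenant_id; bit<1> user_wants_drop; bit<1> drop_allowed; }
struct empty_t    {}

// User program (assumed name). Its signature is the permission boundary: it sees only
// the inner header and a drop-request bit, never the outer headers or the PSA output
// metadata, so it cannot forward, clone, recirculate or drop packets by itself.
control UserA(inout ipv4_t ipv4, inout bit<1> wants_drop) {
    action set_dscp(bit<8> dscp) { ipv4.diffserv = dscp; }
    action ask_drop() { wants_drop = 1; }
    table acl { key = { ipv4.dstAddr: lpm; } actions = { set_dscp; ask_drop; NoAction; } }
    apply { acl.apply(); }
}

parser IngressParserImpl(packet_in pkt, out headers_t hdr, inout metadata_t meta,
        in psa_ingress_parser_input_metadata_t istd, in empty_t resub, in empty_t recirc) {
    state start {
        pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) { 0x8100: vlan; default: accept; }
    }
    state vlan {
        pkt.extract(hdr.vlan);
        transition select(hdr.vlan.etherType) { 0x0800: ipv4; default: accept; }
    }
    state ipv4 { pkt.extract(hdr.ipv4); transition accept; }
}

// Superuser ingress: identify the tenant, forward, then decapsulate.
control IngressImpl(inout headers_t hdr, inout metadata_t meta,
        in psa_ingress_input_metadata_t istd, inout psa_ingress_output_metadata_t ostd) {
    action to_port(PortId_t port) { send_to_port(ostd, port); }
    action drop() { ingress_drop(ostd); }
    table tenant_fwd {
        key = { hdr.vlan.vid: exact; }
        actions = { to_port; drop; }
        default_action = drop();   // unknown tenant: no user program ever runs
    }
    apply {
        meta.user_wants_drop = 0; meta.drop_allowed = 0;
        if (hdr.vlan.isValid() && hdr.ipv4.isValid()) {
            meta.tenant_id = hdr.vlan.vid;
            tenant_fwd.apply();
            hdr.ethernet.etherType = hdr.vlan.etherType;  // strip the outer tag
            hdr.vlan.setInvalid();
        } else {
            drop();   // untagged traffic has no tenant and never reaches a user
        }
    }
}
control IngressDeparserImpl(packet_out pkt, out empty_t clone_i2e, out empty_t resub,
        out metadata_t normal_meta, inout headers_t hdr, in metadata_t meta, in psa_ingress_output_metadata_t istd) {
    apply { normal_meta = meta; pkt.emit(hdr.ethernet); pkt.emit(hdr.ipv4); }
}
parser EgressParserImpl(packet_in pkt, out headers_t hdr, inout metadata_t meta,
        in psa_egress_parser_input_metadata_t istd, in metadata_t normal_meta, in empty_t clone_i2e, in empty_t clone_e2e) {
    state start { meta = normal_meta; pkt.extract(hdr.ethernet); pkt.extract(hdr.ipv4); transition accept; }
}

// Superuser egress: run the tenant's program, apply its permissions, re-encapsulate.
control EgressImpl(inout headers_t hdr, inout metadata_t meta,
        in psa_egress_input_metadata_t istd, inout psa_egress_output_metadata_t ostd) {
    UserA() user_a;
    action permit_drop() { meta.drop_allowed = 1; }
    table drop_permission {   // assumed table, filled by the superuser's control plane
        key = { meta.tenant_id: exact; } actions = { permit_drop; NoAction; }
    }
    apply {
        if (meta.tenant_id == 10) {   // constructed example: tenant 10 runs UserA
            user_a.apply(hdr.ipv4, meta.user_wants_drop);
        }
        drop_permission.apply();
        if (meta.user_wants_drop == 1 && meta.drop_allowed == 1) { egress_drop(ostd); }
        hdr.vlan.setValid();   // re-encapsulate with the tenant's own tag
        hdr.vlan.pcp = 0; hdr.vlan.dei = 0; hdr.vlan.vid = meta.tenant_id;
        hdr.vlan.etherType = hdr.ethernet.etherType;
        hdr.ethernet.etherType = 0x8100;
    }
}
control EgressDeparserImpl(packet_out pkt, out empty_t clone_e2e, out empty_t recirc,
        inout headers_t hdr, in metadata_t meta, in psa_egress_output_metadata_t istd, in psa_egress_deparser_input_metadata_t edstd) {
    apply { pkt.emit(hdr.ethernet); pkt.emit(hdr.vlan); pkt.emit(hdr.ipv4); }
}

IngressPipeline(IngressParserImpl(), IngressImpl(), IngressDeparserImpl()) ip;
EgressPipeline(EgressParserImpl(), EgressImpl(), EgressDeparserImpl()) ep;
PSA_Switch(ip, PacketReplicationEngine(), ep, BufferingQueueingEngine()) main;
```

Two things in this sketch carry the security point. First, the tenant identity is taken from the outer tag by the superuser ingress and carried in superuser-owned metadata; the user control is handed only the inner header, so it cannot read the tag, change the tenant id, or reach the PSA output metadata that controls forwarding, cloning and recirculation. Second, a user can only request a drop; whether the request is honoured is decided by a superuser table keyed on the tenant id, which is what a permission looks like in this model. In stock P4 this boundary rests on the programmer keeping user code behind such a narrow signature; the page's point is that MTPSA moves that enforcement into the architecture and compiler, and adds the performance isolation that no amount of signature discipline can provide.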
MTPSA is implemented both at the software level, with changes made to the PSA compiler, and as a prototype on NetFPGA SUME. Our hardware prototype supports 8 concurrent user programs (think of it as running on an 8-core CPU), sustains line-rate traffic, and keeps a user program's latency unaffected by the addition of more user programs.
The MTPSA paper is published at EuroP4 2020, and we are making MTPSA open to the community. We are happy to follow up and collaborate!