Annual Haifa Experimental Systems Conference 2010
Conference paper

Plugging the hypervisor abstraction leaks caused by virtual networking

View publication


Virtual machines are of very little use if they cannot access the underlying physical network. Virtualizing the network has traditionally been considered a challenge best met by such network-centric measures as VLANs, implemented by switches. We begin by arguing that network virtualization is best done by hypervisors, not switches. We then show that modern hypervisors do a poor job in virtualizing the network, leaking details of the physical network into virtual machines. For example, IP addresses used across the host's physical network, are exposed to guest virtual machines. We then propose a method for plugging the network-related leaks by ensuring that the virtual network traffic is encapsulated inside a host envelope prior to transmission across the underlying physical network. In order to overcome the performance hit related to traffic encapsulation, we analyze the unique case of virtual machine traffic encapsulation, exploring the problems arising from dual networking stacks - the guest's and the host's. Using a number of simple optimizations, we show how an unmodified guest under the KVM hypervisor can reach throughput of 5.5Gbps for TCP and 6.6Gbps for UDP for encapsulated traffic, compared to 280Mbps and 510Mbps respectively when using the default guest and host networking stacks. Copyright 2010 ACM.