Performance Study of Service Function Chain with SGX-based Containers

Master's === National Chung Cheng University === Graduate Institute of Computer Science and Information Engineering === 107 === Network function virtualization (NFV) is a new architecture that implements network functions in a virtualized environment. However, the platform for deploying network functions may be insecure. To eliminate the threat, network functions can be deployed with a t...


Bibliographic Details
Main Authors: HUNG, CHONG-YOU, 洪崇祐
Other Authors: LIN, PO-CHING
Format: Others
Language: en_US
Published: 2019
Online Access: http://ndltd.ncl.edu.tw/handle/76jxz9
id ndltd-TW-107CCU00392049
record_format oai_dc
spelling ndltd-TW-107CCU00392049 2019-11-01T05:28:38Z http://ndltd.ncl.edu.tw/handle/76jxz9 Performance Study of Service Function Chain with SGX-based Containers HUNG, CHONG-YOU 洪崇祐 Master's National Chung Cheng University Graduate Institute of Computer Science and Information Engineering 107 LIN, PO-CHING 林柏青 2019 Degree thesis ; thesis 31 en_US
collection NDLTD
sources NDLTD
description Master's === National Chung Cheng University === Graduate Institute of Computer Science and Information Engineering === 107 === Network function virtualization (NFV) is a new architecture that implements network functions in a virtualized environment. However, the platform for deploying network functions may be insecure. To eliminate the threat, network functions can be deployed with a trusted execution environment (TEE) mechanism such as Intel Software Guard Extensions (SGX) in a secure region called an enclave. In existing studies, all the network functions in a service chain are deployed in one enclave, but the enclave size is limited (up to 128MB in our investigation). In addition, the network functions need to be re-implemented from scratch to meet the requirements. In this work, we propose an approach, a service function chain with SGX-based containers, and study its performance issues. We deploy the network functions in several situations: on the same host, in the same container or on different hosts. We estimate the performance of packet transmission between the network functions in the same container with the shared memory mechanism (emulated by RAMdisk). In the other situations, the packets are transmitted via a switch and/or the virtual network interface controller (NIC). We also build two open-source network functions in SGX-based containers with few modifications for demonstration. In the experiments, we evaluate our system and find that the throughput in shared memory can be as high as 400MB/s in packet transmission. We also find that the encryption operation (AES in our experiments) and the receiving buffer size have an impact on the throughput.