Workload Estimation for Firewall Rule Processing on Network Functions Virtualization

Dai SUZUKI  Satoshi IMAI  Toru KATAGIRI  

Publication
IEICE TRANSACTIONS on Communications   Vol.E101-B   No.2   pp.528-537
Publication Date: 2018/02/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.2017EBT0002
Type of Manuscript: PAPER
Category: Network
Keyword: 
Network Functions Virtualization,  Virtualized Network Functions,  firewall,  access control list,  workload,  

Full Text: PDF(1.7MB)
>>Buy this Article


Summary: 
Network Functions Virtualization (NFV) is expected to provide network systems that offer significantly lower cost and greatly flexibility to network service providers and their users. Unfortunately, it is extremely difficult to implement Virtualized Network Functions (VNFs) that can equal the performance of Physical Network Functions. To realize NFV systems that have adequate performance, it is critical to accurately grasp VNF workload. In this paper, we focus on the virtual firewall as a representative VNF. The workload of the virtual firewall is mostly determined by firewall rule processing and the Access Control List (ACL) configurations. Therefore, we first reveal the major factors influencing the workload of the virtual firewall and some issues of monitoring CPU load as a traditional way of understanding the workload of virtual firewalls through preliminary experiments. Additionally, we propose a new workload metric for the virtual firewall that is derived by mathematical models of the firewall workload in consideration of the packet processing in each rule and the ACL configurations. Furthermore, we show the effectiveness of the proposed workload metric through various experiments.