Abstract
In today's digital world cloud computing is key and it is growing. At the same time we are trying to maximize resource utilization. Running big, old general-purpose operating systems on virtual machines in the cloud is not a good way to do this. Using for instance Linux and iptables for firewalling can very much limit throughput and latency on a network. Using unikernels instead can revolutionize cloud computing, saving a huge amount of resources while providing better performance and security. In this thesis, we look at unikernels for enhancing network performance in router- and firewall-VMs, while greatly minimizing resource usage compared to Linux' and iptables, ipset, and the newer nftables. Using a server running VMware's ESXi hypervisor, we set up a network of VMs consisting of a client and a target running Ubuntu and firewalls running Ubuntu Server, IncludeOS and Alpine Linux. Iperf, Netperf and hping3 was used to measure network performance. Using only a fraction of the resources of the Linux VMs, the IncludeOS unikernel showed that it can manage large traffic volumes while blocking thousands of ports or IPs without negatively affecting throughput. In fact, our IncludeOS image of just over 3 MB in size managed 15 times the throughput of Ubuntu Server (850 MB image size) when running an iptables firewall with 50 000 blocked IP addresses. Nftables and ipset were quite closely matched, but they are still slower than IncludeOS. Iptables severely limits throughput when handling large sets of filter rules. Using unikernels like the tiny but powerful IncludeOS can very much help cut costs in data centers running thousands or more single-purpose VMs like firewalls by providing better network performance and security while imposing almost no overhead.