dc.contributor.author: Tambs, Tobias
dc.date.accessioned: 2018-08-28T22:01:25Z
dc.date.available: 2018-08-28T22:01:25Z
dc.date.issued: 2018
dc.identifier.citation: Tambs, Tobias. Unikernel Firewall Performance Evaluation: IncludeOS vs. Linux. Master thesis, University of Oslo, 2018
dc.identifier.uri: http://hdl.handle.net/10852/63891
dc.description.abstract: In today's digital world cloud computing is key and it is growing. At the same time we are trying to maximize resource utilization. Running big, old general-purpose operating systems on virtual machines in the cloud is not a good way to do this. Using for instance Linux and iptables for firewalling can very much limit throughput and latency on a network. Using unikernels instead can revolutionize cloud computing, saving a huge amount of resources while providing better performance and security. In this thesis, we look at unikernels for enhancing network performance in router and firewall VMs, while greatly minimizing resource usage compared to Linux and iptables, ipset, and the newer nftables. Using a server running VMware's ESXi hypervisor, we set up a network of VMs consisting of a client and a target running Ubuntu and firewalls running Ubuntu Server, IncludeOS and Alpine Linux. Iperf, Netperf and hping3 were used to measure network performance. Using only a fraction of the resources of the Linux VMs, the IncludeOS unikernel showed that it can manage large traffic volumes while blocking thousands of ports or IPs without negatively affecting throughput. In fact, our IncludeOS image of just over 3 MB in size managed 15 times the throughput of Ubuntu Server (850 MB image size) when running an iptables firewall with 50 000 blocked IP addresses. Nftables and ipset were quite closely matched, but they are still slower than IncludeOS. Iptables severely limits throughput when handling large sets of filter rules. Using unikernels like the tiny but powerful IncludeOS can very much help cut costs in data centers running thousands or more single-purpose VMs like firewalls by providing better network performance and security while imposing almost no overhead. (eng)
dc.language.iso: eng
dc.subject: iptables
dc.subject: Ubuntu
dc.subject: VMware
dc.subject: ping
dc.subject: ipset
dc.subject: latency
dc.subject: nftables
dc.subject: Alpine
dc.subject: hping3
dc.subject: iperf
dc.subject: netfilter
dc.subject: security
dc.subject: performance
dc.subject: IncludeOS
dc.subject: Linux
dc.subject: firewall
dc.subject: VM
dc.subject: netperf
dc.subject: throughput
dc.subject: unikernel
dc.subject: ESXi
dc.title: Unikernel Firewall Performance Evaluation: IncludeOS vs. Linux (eng)
dc.type: Master thesis
dc.date.updated: 2018-08-28T22:01:25Z
dc.creator.author: Tambs, Tobias
dc.identifier.urn: URN:NBN:no-66429
dc.type.document: Masteroppgave
dc.identifier.fulltext: Fulltext https://www.duo.uio.no/bitstream/handle/10852/63891/1/Unikernel-Firewall-Performance-Evaluation--IncludeOS-vs--Linux_Tambs-pdf.pdf

