VNToR: Network Virtualization at the Top-of-Rack Switch

Fietz, Jonas; Whitlock, Sam David; Ioannidis, George; Argyraki, Katerina; Bugnion, Edouard

2016-08-27

DOI: 10.1145/2987550.2987582
https://infoscience.epfl.ch/handle/20.500.14299/128906

Cloud providers typically implement abstractions for network virtualization on the server, within the operating system that hosts the tenant virtual machines or containers. Despite being flexible and convenient, this approach has fundamental problems: incompatibility with bare-metal support, unnecessary performance overhead, and susceptibility to hypervisor breakouts. To solve these, we propose to offload the implementation of network-virtualization abstractions to the top-of-rack switch (ToR). To show that this is feasible and beneficial, we present VNToR, a ToR that takes over the implementation of the security-group abstraction. Our prototype combines commodity switching hardware with a custom software stack and is integrated in OpenStack Neutron. We show that VNToR can store tens of thousands of access rules, adapts to traffic-pattern changes in less than a millisecond, and significantly outperforms the state of the art.

Keywords: Network virtualization; security groups; SR-IOV; top-of-rack switch

text::conference output::conference proceedings::conference paper