Title: Fornax: A Hardware-Centric Session Management in Large Public Cloud Networks
Authors: Heng Yu (Zhongguancun Laboratory); Jian Wang, Jian Zhao, Kai Ren (Tencent); Guozhi Lin (Zhongguancun Laboratory); Baozeng Zhang, Yunpeng Guan, Xin Li, Hao Yin, Jiajun Liang, Liang Wang, Chao Pei, Yachen Wang (Tencent); Xin Jin (Peking University), Jilong Wang (Tsinghua University & Zhongguancun Laboratory); Congcong Miao (Tencent)
Introduction
SmartNICs are increasingly used to accelerate cloud networking components, and the effectiveness and correctness of such hardware acceleration depend largely on the management plane. Traditional SmartNIC management follows a software-centric design that treats the flow as the basic management unit and relies solely on one-way commands to program flow tables. This makes it difficult to support diverse cloud networking scenarios while scaling to very large tables. This paper proposes a hardware-centric mechanism that shifts the management paradigm from software to hardware, adopts the session as the fundamental management unit, and designs bidirectional protocols to simplify the management process.
Key idea and contribution

Fornax shifts from a software-centric architecture to a hardware-centric one and uses sessions as the basic unit of management. Its core designs include:

- Session-Empowered Hardware Engine. The key insight is that the lifecycle of a flow-table entry is tied to both data-plane connection state (e.g., aging) and control-plane policy (e.g., change detection). Fornax therefore introduces a session-based abstraction: a session entry represents a connection together with its contextual state (e.g., TCP state) and matches packets in both directions. The hardware session engine also exposes fine-grained interfaces for event notification and entry operations.

- Light-Weight Software Manager. To accommodate ultra-large tables, Fornax employs a lightweight software manager. The key observation is that most management information is needed only in rare cases (e.g., when the hardware session engine encounters an error), so software need not maintain a complete, constantly updated context. Fornax classifies management information at fine granularity and distributes context across multiple stores. Concretely, management information is divided by where it resides:
(1) Forward and reverse flow entries. Because actions can be regenerated in software from keys, only the keys are kept; actions are produced on demand rather than stored.
(2) Runtime information, including statistics (e.g., packet counters) and private state (e.g., gateway addresses). Since software is no longer on the packet critical path, statistics are kept in hardware and fetched into software only when needed.
(3) Metadata (e.g., entry IDs) used to maintain the structure of the information tables. Apart from a small set of indispensable metadata, most of it can be elided. The software manager retains only hard-to-reconstruct state, which reduces software storage overhead.

- Hardware-Driven Management Protocol. To execute management workflows efficiently without heavy involvement from software, Fornax adopts a model in which hardware proactively triggers events and software reacts. Because hardware sits close to the session entries, it can promptly and accurately detect changes in the session table. Based on this, Fornax introduces three bidirectional management protocols (an aging protocol, a change-detection protocol, and a fault-tolerance protocol) to enable timely and accurate adjustments to session entries.
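The three components above describe one division of labour: a session table with bidirectional keys and contextual state in hardware, a software manager that keeps only keys and regenerates everything else, and hardware-raised events that software reacts to. The following Python model is an added example written for this summary, not code from the Fornax paper or from Tencent: the "hardware" engine is a plain class, and the event kinds (MISS, CLOSE, AGED), the action strings, the policy_for_key() helper and the resync() recovery step are assumptions chosen to make the split concrete, not the paper's actual protocol messages.

```python
"""Toy model of the Fornax split between a hardware session engine and a
light-weight software manager (added example, not the paper's code: the
"hardware" is a Python class; MISS/CLOSE/AGED, the action strings and
policy_for_key() are assumptions made for illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
Key = Tuple[str, Endpoint, Endpoint]  # (proto, low endpoint, high endpoint)


def session_key(proto: str, src: Endpoint, dst: Endpoint) -> Tuple[Key, bool]:
    """Canonical key shared by both directions; flag is True for low->high."""
    forward = src <= dst
    lo, hi = (src, dst) if forward else (dst, src)
    return (proto, lo, hi), forward


@dataclass
class SessionEntry:
    act_fwd: str            # action for packets low->high
    act_rev: str            # action for packets high->low
    tcp_state: str = "NEW"  # contextual state carried with the entry
    pkts: int = 0           # runtime statistics live in hardware only
    last_seen: float = 0.0


@dataclass
class SessionEngine:
    """Simulated hardware engine: session table, entry ops, event upcalls."""
    upcall: Callable[[str, Key], None] = lambda kind, key: None
    table: Dict[Key, SessionEntry] = field(default_factory=dict)

    def install(self, key: Key, act_fwd: str, act_rev: str) -> None:
        self.table[key] = SessionEntry(act_fwd, act_rev)

    def remove(self, key: Key) -> None:
        self.table.pop(key, None)

    def stats(self, key: Key):
        e = self.table.get(key)
        return None if e is None else e.pkts  # fetched by software only on demand

    def process(self, proto, src, dst, flags: str, now: float):
        """Match one packet; a miss makes hardware ask software for actions."""
        key, forward = session_key(proto, src, dst)
        if key not in self.table:
            self.upcall("MISS", key)
        entry = self.table.get(key)
        if entry is None:
            return None  # no manager attached, or policy refused the session
        entry.pkts += 1
        entry.last_seen = now
        if entry.tcp_state == "NEW" and "S" in flags:
            entry.tcp_state = "SYN_SENT"
        elif entry.tcp_state == "SYN_SENT" and "A" in flags:
            entry.tcp_state = "ESTABLISHED"
        if "F" in flags or "R" in flags:
            entry.tcp_state = "CLOSING"
            self.upcall("CLOSE", key)  # change detected at the entry, reported up
        return entry.act_fwd if forward else entry.act_rev

    def age(self, now: float, idle_timeout: float) -> List[Key]:
        # Aging is decided in hardware; software only learns the outcome.
        expired = [k for k, e in self.table.items() if now - e.last_seen > idle_timeout]
        for k in expired:
            del self.table[k]
            self.upcall("AGED", k)
        return expired


def policy_for_key(key: Key) -> Tuple[str, str]:
    """Regenerate both actions from the key alone (hypothetical policy)."""
    _, lo, hi = key
    return f"DELIVER {hi[0]}", f"DELIVER {lo[0]}"


class SoftwareManager:
    """Keeps only hard-to-reconstruct state: the key set and the policy."""
    def __init__(self, engine: SessionEngine, policy=policy_for_key):
        self.engine, self.policy = engine, policy
        self.known: Set[Key] = set()         # the only per-session metadata kept
        self.events: List[Tuple[str, Key]] = []
        engine.upcall = self.on_event

    def on_event(self, kind: str, key: Key) -> None:
        self.events.append((kind, key))
        if kind == "MISS":
            self.engine.install(key, *self.policy(key))  # actions made on demand
            self.known.add(key)
        elif kind == "CLOSE":
            self.engine.remove(key)                      # entry op via hardware API
            self.known.discard(key)
        elif kind == "AGED":
            self.known.discard(key)                      # hardware already freed it

    def resync(self) -> int:
        # Simple recovery stand-in: reinstall entries hardware lost, from keys only.
        missing = [k for k in self.known if k not in self.engine.table]
        for k in missing:
            self.engine.install(k, *self.policy(k))
        return len(missing)
```

Two things the model makes visible that the prose does not. First, the manager's per-session footprint is exactly one key: counters, TCP state and both actions are either hardware-resident or recomputed, which is what lets the software side scale to very large tables. Second, the cost of that choice: after resync() the reinstalled entry starts in state NEW, because contextual state such as the TCP phase is not kept in software and has to be rebuilt from traffic; a real fault-tolerance protocol has to decide what, if anything, it preserves beyond the key.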
Evaluation

At large production scale, Fornax manages up to 16 million session entries while reducing CPU overhead by 79% compared with existing approaches.
Q&A
Q1: Could you explain what “in context state” means and how it is used?
A1: “Context state” refers to session information such as TCP state. In Fornax, it is primarily consumed by the three bidirectional management protocols—aging, change detection, and fault tolerance—to support their operations.
Q2: Have you evaluated session-management mechanisms on other commercial NICs instead of using your own session manager?
A2: Because several prior systems are not open-sourced, we reproduced the mechanisms described in their papers and used those reproductions for comparison.
Personal thoughts
Allowing hardware to participate deeply in management offers greater flexibility and lower resource overhead than software-only designs, suggesting a new path for efficient HW/SW co-design and offering practical lessons for SmartNIC-accelerated systems. It is worth exploring how Fornax can be ported to a broader range of SmartNICs (e.g., with limited programmability) and how to manage sessions efficiently across multiple network functions (e.g., NAT, load balancing).
