Fast-path allows efficient access to network traffic as it is being forwarded by the vSwitch. Running in the kernel context, we get packets with minimum overhead, no context switching, and no memory copies. So, it is the ideal location to enforce network security within the hypervisor without impacting normal ESX performance and scaling expectations. But, it is operating in kernel space, which limits the type of processing we can do here. Fast-path processing must be efficient, so as to not interfere with the rest of the hypervisor functions.

This is where slow-path comes in. Running in a VM, slow-path has access to all the standard services and libraries of a full operating system, making it a much easier place to work. The simplest VMsafe implementation would be to push new connections attempts to the slow-path for a decision, get the connection record back, and cut through any subsequent packets via the fast-path. But, we found this structure to be insufficient. The overhead associated with servicing new connections was too high, causing system overhead and performance to be unacceptable.

In the Altor VF VMsafe implementation, in order to ensure the highest performance and lowest overhead,all packet processing is done in the fast-path. This includes the initial security policy decision, packet inspection, and forwarding of approved packets.

The net effect of this structure is that the Altor virtual firewall is implemented with absolute minimum overhead. This allows us to embed security into the virtual infrastructure with a small fraction of the overhead associated with a firewall in the slow-path or within a VM-bridge firewall. What this means from a deployment perspective is that we can implement secure virtualization at a lower cost, using fewer ESX hosts, and maintaining the ESX scaling/clustering behavior we expect.