This document discusses using Containernet as an environment for fast prototyping of network functions using DPDK and eBPF. Containernet allows creating virtual networks using Docker containers as hosts, providing scalability and access to debug tools. DPDK enables fast packet processing, while eBPF allows in-kernel packet processing without modifying the kernel. The document proposes demonstrating a prototype network in Containernet using DPDK to forward traffic to an application server, and eBPF filters on the server to process packets.
2. Containernet
• Containernet is a fork of the Mininet project that supports using Docker containers as hosts in emulated networks.
- https://containernet.github.io/
• How does it work?
- Uses network namespaces to simulate multiple networking stacks (i.e., hosts) in a single machine
- Uses veth to connect hosts
- Written mostly in Python, which wraps all the network namespace and veth setup and configuration
- Exports an API that can be used to create a network on the fly
- Supports executing commands in the individual hosts
• In a nutshell:
- Containernet creates a virtual network on which we can deploy our applications
- Easily scalable (think of how many containers can run on a host, as opposed to how many identically spec'ed VMs can coexist on a host)
- Access to all hosts in the virtual network
- Ability to change network conditions to trigger failures/testing scenarios
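The Containernet API described above, as an added example that is not part of the original slides: two Docker hosts joined through two switches, a command executed inside a host, and the link conditions changed while the network runs. The image name, host names, addresses and shaping values are assumptions.

```python
IMAGE = "ubuntu:trusty"  # assumed image; it needs ping and basic network tools

def build(net, shaped_link):
    """net: a Containernet instance; shaped_link: mininet.link.TCLink."""
    net.addController("c0")
    client = net.addDocker("client", ip="10.0.0.1", dimage=IMAGE)
    server = net.addDocker("server", ip="10.0.0.2", dimage=IMAGE)
    s1, s2 = net.addSwitch("s1"), net.addSwitch("s2")
    net.addLink(client, s1)  # every link is a veth pair
    core = net.addLink(s1, s2, cls=shaped_link, delay="10ms", bw=100)
    net.addLink(s2, server)
    return client, server, core

def degrade(core, delay="200ms", loss=20):
    """Re-shape both ends of a running link to provoke a failure scenario."""
    for intf in (core.intf1, core.intf2):
        intf.config(delay=delay, loss=loss)

def main():  # needs root, Docker and Containernet installed
    from mininet.net import Containernet
    from mininet.node import Controller
    from mininet.link import TCLink
    net = Containernet(controller=Controller)
    client, server, core = build(net, TCLink)
    net.start()
    try:
        print(client.cmd("ping -c 3 10.0.0.2"))  # baseline
        degrade(core)
        print(client.cmd("ping -c 3 10.0.0.2"))  # same path, now slow and lossy
    finally:
        net.stop()  # tear the emulated network down

if __name__ == "__main__":
    main()
```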
[Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet
3. eBPF in Containernet
• eBPF stands for extended Berkeley Packet Filter. It allows a user-defined program to process packets inside the kernel without having to stop or recompile the kernel.
• How does it work?
- Available in the Linux kernel since 3.15, with more features added in later kernel versions
- Small VM inside the kernel that can load and execute compiled code from user space
- A verifier and a loop-free requirement guarantee that the program will finish
- Has multiple helper functions that can actually modify the packets in the kernel
- Programs can be attached to multiple points. We will examine 2 points:
- Ingress at a node at XDP (Express Data Path)
- Egress at tc (traffic control in the kernel)
- The iovisor/bcc project (https://github.com/iovisor/bcc) facilitates loading and setting up programs. We will show how it can be set up to load filters at the 2 points mentioned above
• In a nutshell
- Supports in-kernel packet filtering on a running server without having to modify the kernel (assuming certain conditions are met)
- Transparent to applications, with access to packets before and after applications have processed them, so it is an ideal place to apply a network function
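Loading filters at the two attach points named above with bcc, as an added example that is not part of the original slides: an XDP ingress filter that drops UDP to one port and a tc egress packet counter. The port, function names and map name are assumptions, and `verdict()` is a user-space mirror of the XDP logic added so the filter can be checked on constructed frames before loading it.

```python
import struct
BLOCKED_PORT = 9999  # assumed example port, not from the slides

PROG = r"""
#include <uapi/linux/pkt_cls.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>
BPF_ARRAY(egress_pkts, u64, 1);  // counter readable from user space
int xdp_ingress(struct xdp_md *ctx) {  // ingress, before the kernel stack
    void *data = (void *)(long)ctx->data, *end = (void *)(long)ctx->data_end;
    struct ethhdr *eth = data;
    struct iphdr *ip = (void *)(eth + 1);
    struct udphdr *udp = (void *)(ip + 1);
    if ((void *)(udp + 1) > end) return XDP_PASS;  // bounds check the verifier requires
    if (eth->h_proto != htons(ETH_P_IP) || ip->ihl != 5 || ip->protocol != IPPROTO_UDP)
        return XDP_PASS;
    return udp->dest == htons(BLOCKED_PORT) ? XDP_DROP : XDP_PASS;
}
int tc_egress(struct __sk_buff *skb) {  // egress, after the stack
    int key = 0;
    u64 *n = egress_pkts.lookup(&key);
    if (n) lock_xadd(n, 1);
    return TC_ACT_OK;
}
"""

def verdict(frame, port=BLOCKED_PORT):
    """User-space mirror of xdp_ingress for checking the logic on constructed frames."""
    if len(frame) < 42:  # Ethernet (14) + IPv4 without options (20) + UDP (8)
        return "PASS"
    if frame[12:14] != b"\x08\x00" or frame[14] & 0x0F != 5 or frame[23] != 17:
        return "PASS"
    return "DROP" if struct.unpack_from("!H", frame, 36)[0] == port else "PASS"

def attach(dev, port=BLOCKED_PORT):
    """Needs root, bcc and pyroute2; dev is an interface in the server's namespace."""
    from bcc import BPF
    from pyroute2 import IPRoute
    b = BPF(text=PROG, cflags=["-DBLOCKED_PORT=%d" % port])
    b.attach_xdp(dev, b.load_func("xdp_ingress", BPF.XDP), 0)
    ipr = IPRoute()
    idx = ipr.link_lookup(ifname=dev)[0]
    ipr.tc("add", "clsact", idx)
    fn = b.load_func("tc_egress", BPF.SCHED_CLS)
    ipr.tc("add-filter", "bpf", idx, ":1", fd=fn.fd, name=fn.name,
           parent="ffff:fff3", classid=1, direct_action=True)  # fff3 = clsact egress
    return b
```

Keep the object returned by `attach()` alive while the filters are in use, and detach with `b.remove_xdp(dev, 0)` when done.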
4. DPDK & eBPF in Containernet
• DPDK stands for Data Plane Development Kit. It is an open source project managed by the Linux
Foundation and supports fast packet processing via a set of libraries and drivers for NICs.
• How does it work?
- DPDK provides an Environment Abstraction Layer (EAL) that lets DPDK work on different hardware and operating systems.
- Devices in the host are released from the kernel and bound directly to the DPDK application via
EAL’s drivers and libraries (there is a kernel module just to initialize the device and assign the PCI
interface only).
- Techniques to improve speed:
- Packets arriving are processed directly by the DPDK app, without going through kernel
processing
- Use of Poll Mode Driver (instead of interrupts)
- …
• In a nutshell:
- Fast packet processing achieves high throughput so we can use commodity hardware to perform
specialized network functions
5. Fast Prototyping with DPDK & eBPF in Containernet
• DPDK and eBPF are great tools for developing network functions
- DPDK can be used where we want to use commodity hardware to perform specialized network
functions
- eBPF can be used to support functionality needed on application server without disrupting the
host
• Prototyping with the 2 of them requires a testbed on which to run the functions written
- Multiple VMs on a single server can quickly exhaust the resources in the server
- Lab environment can be slow and/or hard to scale for testing purposes
- Production networks are (understandably) fiercely guarded by network operators to prevent
disruptions
• Containernet is the ideal environment to prototype network functions
- Scales much better than the VM scenario
- DPDK has a PMD that supports running applications in Containernet (so we can verify correct functionality of the functions we write)
- eBPF filters can be deployed in Containernet
- Access to all hosts in the network and most tools needed for debugging (Wireshark, tcpdump, dropwatch on the host, etc.)
- Easily verify outcome of the functions written, rewrite fast and re-verify fast
6. Demo Proposed
• Create a network in Containernet, go through the steps of the Python script and show how the network is set up and configured
• Run GoBGP containers and show how routes can be altered (truly emulate a real network)
• Run client DPDK application generating traffic
• Run network function developed in DPDK to forward traffic to application server
• Run eBPF filters in the application server responsible for processing incoming traffic and return
traffic directly to client