The document discusses how BPF and XDP are revolutionizing network security and performance for microservices. BPF allows profiling, tracing, and running programs at the network driver level. It also enables highly performant networking functions like DDoS mitigation using XDP. Cilium uses BPF to provide layer 3-7 network security for microservices with policies based on endpoints, identities, and HTTP protocols. It integrates with Kubernetes to define network policies and secure microservice communication and APIs using eBPF programs for filtering and proxying.

1. Cilium
L7 Aware Network Security for
Microservices using BPF & XDP
Thomas Graf
Covalent

2. BPF - The
Superpowers
inside Linux

3. BPF is revolutionizing…

4. BPF is revolutionizing…
• Tracing / Profiling

5. BPF Revolution #1: Tracing / Profiling
bcc – Tools for BPF-based Linux IO analysis, networking, monitoring, and more

6. BPF is revolutionizing…
• Tracing / Profiling
• Networking

7. BPF Revolution #2: XDP - DDoS mitigation
Metric iptables / ipset XDP
DDoS rate [packets/s] 11.6M 11.6M
Drop rate [packets/s] 7.1M 11.6M
Time to load rules [time] 3 min 20 sec 31 sec
Latency under load [ms] 2.3ms 0.1ms
Throughput under DDoS [Gbit/s] 0.014 6.5
Requests/s under DDoS [kReq/s] 0.28 82.8
Sender: Send 64B packets as fast as possible è Receiver: Drop as fast as possible
Source: Daniel Borkmann’s presentation yesterday:
http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf

8. Facebook published BPF/XDP numbers
for L3/L4 LB at Netdev 2.1
ECMP L7 LBL3/L4 LB App

9. Source: https://www.netdevconf.org/2.1/slides/apr6/zhou-netdev-xdp-2017.pdf
Facebook published BPF/XDP numbers
for L3/L4 LB at Netdev 2.1
BPF/XDP throughput
IPVS throughput

10. BPF Revolution #2: XDP
Running BPF programs at the Network driver level
https://netdevconf.org/2.1/slides/apr7/miller-XDP-MythBusters.pdf
Netdev 2.1 Keynote by David S. Miller

11. BPF Revolution #2: XDP
Running BPF programs at the Network driver level
https://netdevconf.org/2.1/slides/apr7/miller-XDP-MythBusters.pdf
Netdev 2.1 Keynote by David S. Miller

12. BPF is revolutionizing…
• Tracing / Profiling
• Networking
• Security

13. Source: https://lwn.net/Articles/703876/
BPF Revolution #3: Security

14. Network Security for
Microservices using BPF

15. Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
Evolution of Application Design & Delivery Frequency

16. Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
3-Tier App
Monthly
Moderate
Evolution of Application Design & Delivery Frequency

17. Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
Distributed
Microservices
10-100 x’s / day
Extreme
3-Tier App
Monthly
Moderate
Evolution of Application Design & Delivery Frequency

18. Network Security
has barely evolved
$ iptables -A INPUT -p tcp
-s 15.15.15.3 --dport 80
-m conntrack --ctstate NEW
-j ACCEPT
The world still runs on iptables
matching IPs and ports:

19. Your HTTP ports be like …

20. Network Security
for Microservices
Gordon the intern
has a brilliant
idea…

21. Gordon wants to build a service
to tweet out all job offerings.
We’re Hiring!
Tweet
Service

22. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/{id}
Jobs API
Service
Tweet
Service
The Jobs API service has all the
data Gordon needs.

23. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
GET /jobs/{id}
Jobs API
Service
Tweet
Service
Gordon uses the GET /jobs/ API call

24. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
GET /jobs/{id}
TLS Jobs API
Service
Tweet
Service
Developer etiquette.
Super simple stuff.
Gordon uses mutual TLS Auth
Good thinking Gordon

25. L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
The security team has L3/L4 network
security in place for all services
GET /jobs/{id}
Jobs API
Service
Tweet
Service
TLS
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT

26. Jobs API
Service
L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
exposed
exposed
exposed
GET /jobs/331
Large parts of the API are still exposed
unnecessarily
Tweet
Service
GET /jobs/{id}
TLS
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT

27. Not exactly
least privilege
Security

28. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
Back to the drawing board…
GET /jobs/{id}
TLS Jobs API
Service
Tweet
Service

29. L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
Least privilege security for microservices
GET /jobs/{id}
FROM “TurtleTweets”
ALLOW “GET /jobs/”
TLS Jobs API
Service
Tweet
Service

30. We demand
a demo

32. Kubernetes Integration

33. Kubernetes Integration
NetworkPolicy
Standard Resources
L3, L4 policy (ingress only in k8s 1.7)

34. Kubernetes Integration
NetworkPolicy
Services
Standard Resources
L3, L4 policy (ingress only in k8s 1.7)
ClusterIP, NodePort, LoadBalancer

35. Kubernetes Integration
NetworkPolicy
Services
Standard Resources
L3, L4 policy (ingress only in k8s 1.7)
Pods Pod Labels to specify policy on
ClusterIP, NodePort, LoadBalancer

36. Kubernetes Integration
NetworkPolicy
Services
Standard Resources
L3, L4 policy (ingress only in k8s 1.7)
Nodes
Pods Pod Labels to specify policy on
ClusterIP, NodePort, LoadBalancer
NodeIP to Node CIDR mapping

37. Kubernetes Integration
NetworkPolicy
CiliumNetworkPolicy
Services
Standard Resources
Custom Resource Definitions (CRD)
L3, L4 policy (ingress only in k8s 1.7)
L3 (Labels/CIDR), L4, L7 (ingress & egress)
Nodes
Pods Pod Labels to specify policy on
ClusterIP, NodePort, LoadBalancer
NodeIP to Node CIDR mapping

38. Should I encapsulate or not?
Node 1
Node 2
Node 3
Mode I: Overlay

39. Should I encapsulate or not?
Node 1
Node 2
Node 3
Mode I: Overlay
Name NodeIP Node CIDR
Node 1 192.168.10.1 10.0.1.0/24
Node 2 192.168.10.8 10.0.2.0/24
Node 3 192.168.10.9 10.0.3.0/24
Kubernetes Node resources table:
Installation
Run the kube-controller-
manager with the --allocate-
node-cidrs option

40. Should I encapsulate or not?
Mode I: Overlay Mode II: Native Routing
Node 1
Node 2
Node 3
L3
Network
Use case:
• Run your own routing daemon
• Use the cloud provider’s router
Use case:
• Simple
• “Just works” on Kubernetes
Node 1
Node 2
Node 3

41. L3 Policy (Labels Based)
Metadata
Allow from
pods
Pods the policy
applies to…
From Pod
To Pod

42. L3 Policy (CIDR)
Metadata
Allow to
IP 8.8.8.8/32
Pods the policy
applies to…
To CIDR
From Pod

43. L4 Policy
Metadata
Policy applies
to pods …
Allow incoming
on port 80
Pod
To Port

44. L7 Policy – Only allow “GET /v1/”
L4 Policy
Rule 1:
Allow “GET /v/1”
Rule 2:
Allow PUT
If header is set
Allowed
API
Calls

45. How are these policies enforced?

46. How are these policies enforced?
• L3 & L4: BPF in the kernel

47. How are these policies enforced?
• L3 & L4: BPF in the kernel
• L7: Sidecar proxy or KProxy / BPF

48. Node 2Node 1
ServiceService HTTP Request
What is a sidecar proxy?

49. Node 1
Service
Sidecar
Proxy
What is a sidecar proxy?
Node 2
Service
Sidecar
Proxy

50. Node 1
Service
Sidecar
Proxy
What is a sidecar proxy?
Node 2
Service
Sidecar
Proxy

51. Node 2Node 1
ServiceService
HTTP RequestSidecar
Proxy
Sidecar
Proxy
What is a sidecar proxy?

52. Node 2Node 1
ServiceService
HTTP RequestSidecar
Proxy
Sidecar
Proxy
What is a sidecar proxy?
Provides L7 functionality
• Routing / Load balancing
• Retries
• Circuit breaking
• Metrics
More info? Google is your friend “sidecar” / “services mesh”

53. Node 2Node 1
Service
Operating
System
Service
Network
Sidecar
Proxy
Sidecar
Proxy
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
• 3x Socket memory requirement
• 3x TCP/IP stack traversals
• 3x Context switches
• Complexity
Networking Path with a Sidecar
Network

54. Can we turn
the sidecar
into a racecar?

55. Node 2Node 1
Task
Operating
System
Kernel Proxy
Task
Network
Socket
KProxy
with
BPF
TCP/IP
Socket
TCP/IP
KProxy
with
BPF
kTLS kTLS
Sidecar
Proxy
Sidecar
Proxy
Network

56. Socket Redirect
Task
Socket Socket
Task
TCP/IP TCP/IP
Loopback

57. Socket Redirect
Task
Socket Socket
Task
TCP/IP TCP/IP
Loopback

58. Socket Redirect – Performance?

59. Node 2Node 1
Service
Operating
System
Service
Network
Sidecar
Proxy
Sidecar
Proxy
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
Socket
TCP/IP
The Before and After
Network

60. Node 1 Node 2
Service
Operating
System
Service
Network
Socket
TCP/IP
The Before and After
KProxy
Socket
TCP/IP
KProxy
Network

61. Cilium Summary
• Kubernetes, Mesos, Docker
• CNI / libnetwork
• Networking: Overlay or Native Routing
• Network Security (ingress/egress)
• L3 (Identity or CIDR), L4
• L7: HTTP (0.11), gRPC (0.12), Mongo (0.12)
• Load Balancing (XDP / BPF)
• Dependencies: kvstore (etcd / consul)

62. @ciliumproject
http://github.com/cilium/cilium
Thank You! Questions?
Tutorial / Getting Started:
http://cilium.io/try