The Next Generation Firewall for Red Hat Enterprise Linux 7 RC (Thomas Graf)
The Linux packet filtering technology, iptables, has its roots in times when networking was relatively simple and network bandwidth was measured in mere megabits. Emerging technologies, such as distributed NAT, overlay networks and containers require enhanced functionality and additional flexibility. In parallel, the next generation of network cards with speeds of 40Gb and 100Gb will put additional pressure on performance.
In the upcoming Red Hat Enterprise Linux 7, a new dynamic firewall service, FirewallD, is planned to provide greater flexibility over iptables by eliminating service disruptions during rule updates, abstraction, and support for different network trust zones. Additionally, a new virtual machine-based packet filtering technology, nftables, addresses the functionality and flexibility requirements of modern network workloads.
In this session you’ll:
Deep dive into the newly introduced packet filtering capabilities of Red Hat Enterprise Linux 7 beta.
Learn best practices.
See the new set of configuration utilities that allow new optimization possibilities.
BPF: Next Generation of Programmable Datapath (Thomas Graf)
This session covers lessons learned while exploring BPF as the basis for a programmable datapath and discusses options for OVS to leverage the technology.
As containers are being deployed as part of multi-tenant clusters, virtual multi-layer switches become essential to interconnect containers while providing isolation guarantees. Assigning tenants their own private networks requires stateful network address translation (NAT) implemented in a scalable architecture to expose containers to public networks. Existing virtual switches integrated into the Linux kernel have so far not supported stateful NAT. This presentation introduces a new virtual NAT service, deployable as a container and built using existing kernel functionality such as network namespaces, routing rules and Netfilter, to provide NAT services to existing virtual switches such as Open vSwitch and the Linux bridge, but also to the core L3 layer of Linux.
Linux Native, HTTP Aware Network Security (Thomas Graf)
Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel itself, Cilium security policies can be applied and updated without any changes to the application code or container configuration.
Replacing iptables with eBPF in Kubernetes with Cilium (Michal Rostecki)
Cilium is an open source project which provides networking, security and load balancing for application services that are deployed using Linux container technologies by using the native eBPF technology in the Linux kernel. In this presentation we talked about:
- The evolution of the BPF filters and the advantages of eBPF filters and their use cases today in Linux, especially how Cilium networking utilizes eBPF filters to secure the Kubernetes workload with increased performance when compared to legacy iptables.
- How Cilium uses SOCKMAP for layer 7 policy enforcement.
- How Cilium integrates with Istio and handles L7 Network Policies with Envoy proxies.
- The new features since the last release, such as running a Kubernetes cluster without kube-proxy, providing cluster-wide NetworkPolicies, and providing a fully distributed networking and security observability platform for cloud native workloads.
Protecting the Privacy of the Network – Using P4 to Prototype and Extend Netw... (Open-NFP)
To protect the privacy of sensitive application data, we encrypt it before sending it over networks. However, we do not treat sensitive information about the network in the same way. Instead, headers are sent in plain text and leak sensitive information about the network – especially valid host addresses and type of service markings. In our research, we are developing a protocol to also encrypt Layer 3 headers. Using P4, we are able to rapidly stand up and prototype our proposed solution in real code running across real devices. In this webinar, I will introduce our approach and how we used and extended P4 functionality to stand up a prototype.
Mark Matties
The Johns Hopkins University Applied Physics Lab
Mark Matties is the Chief Scientist in the Communication and Networking Systems group at JHU APL, where he develops and evaluates SDN solutions to improve network security and performance. He holds a B.S. in Chemistry and a Ph.D. in Polymer Science and has worked for over 20 years in computing, networking, and security.
Cilium - Fast IPv6 Container Networking with BPF and XDP (Thomas Graf)
We present a new open source project which provides IPv6 networking for Linux containers by generating programs for each individual container on the fly and then running them as JITed BPF code in the kernel. By generating and compiling the code, the program is reduced to the minimally required feature set and then heavily optimised by the compiler as parameters become plain variables. The upcoming addition of the Express Data Plane (XDP) to the kernel will make this approach even more efficient as the programs will get invoked directly from the network driver.
Open vSwitch - Stateful Connection Tracking & Stateful NAT (Thomas Graf)
An update on the status of the connection tracking and stateful NAT addition to the Linux kernel datapath, followed by a discussion on the topic to collect ideas and come up with next steps.
BPF & Cilium - Turning Linux into a Microservices-aware Operating System (Thomas Graf)
Container runtimes cause Linux to return to its original purpose: to serve applications interacting directly with the kernel. At the same time, the Linux kernel is traditionally difficult to change and its development process is full of myths. A new efficient in-kernel programming language called eBPF is changing this and allows everyone to extend existing kernel components or glue them together in new forms without requiring changes to the kernel itself.
Cilium - API-aware Networking and Security for Containers based on BPF (Thomas Graf)
Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as at Layer 7 to protect and secure the use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes and Mesos.
How to build and use GTPing to generate GTP traffic for testing without eNB, SPGW etc. This work was done as part of the preparation of SRv6 mobile user plane POC at SRv6 Consortium, Data plane Study Group, which is a group of people interested in SRv6.
LinuxCon 2015 Linux Kernel Networking Walkthrough (Thomas Graf)
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both existing essential networking features and recent developments and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling, and will discuss how to configure them.
P4-based VNF and Micro-VNF Chaining for Servers With Intelligent Server Adapters (Open-NFP)
Commodity servers equipped with intelligent server adapters (ISAs) are being used as platforms for Network Functions Virtualization (NFV). The network traffic processing required by a specific use case is frequently expressed by forming a chain of Virtual Network Functions (VNFs). This demonstration illustrates that VNFs in the chain can be hosted on the server CPU or on the ISA. It furthermore illustrates that VNFs can be decomposed into components called Micro-VNFs, with the components again being hosted on the server CPU and/or the ISA. A P4 program (compiled to native code running on the ISA) defines the overall semantics of the datapath within an ISA equipped server and expresses how VNFs and Micro-VNFs should be composed within this platform. We show how mechanisms like tunnels and service headers programmed using P4 are employed to establish the VNF service chain across multiple network nodes.
David George
Lead Engineer, Netronome
David George is a lead engineer on the Netronome SDK team and is primarily responsible for Netronome's P4 data plane. He has previously worked on the SDK simulator and x86 data plane components. He holds a Masters of Electrical Engineering from the University of Cape Town.
In this talk we discuss the mechanisms of utilizing the eBPF language to perform hardware accelerated network packet manipulation and filtering. P4 programs can be compiled into eBPF scripts for offload in the Linux kernel using the Traffic Classifier (TC) subsystem. We demonstrate how, using eBPF as an intermediate language, it has been possible to extend the TC to either Just In Time (JIT) compile eBPF code to x86 assembler for software offload or to IXP byte code for execution in a trusted hardware environment within the Netronome Agilio intelligent server adapter. We finish by encouraging the audience to experiment with their own eBPF applications within the TC hardware accelerated system. The TC kernel patches are available on the Linux Kernel Networking mailing list as a Request For Comment (RFC) contribution.
Dinan Gunawardena, Director, Software Engineering, Netronome
Dinan Gunawardena is a Software Director focusing on running the driver team at Netronome. Previously, Dinan founded a software startup and was a Senior Research Engineer within the Operating Systems and Networking Group at Microsoft Research for 12 years, shipping technology in several versions of Microsoft Windows and the Bing Search Engine. Dinan has received over 20 patents and is a Chartered Software Engineer. Dinan has a Masters in Computer Science from University of Cambridge and a M.B.A. from WBS.
Jakub Kicinski, Software Engineering, Netronome
Jakub Kicinski is a Software Engineer specializing in the Linux kernel drivers for Netronome SmartNICs. Jakub has previously worked as an intern for Intel Corporation. Jakub is also a researcher with expertise in the Linux kernel and experience in application development on complex multi-CPU and FPGA platforms. He is interested in high-performance software exploiting hardware capabilities and is passionate about networking. Jakub has a Masters in Computer Science from Gdansk University of Technology.
This lesson describes the concept of VPN and introduces some VPN terminology.
Importance
This lesson is the foundation lesson for the MPLS VPN Curriculum.
Objectives
Upon completion of this lesson, the learner will be able to perform the following tasks:
■ Describe the concept of VPN
■ Explain VPN terminology as defined by MPLS VPN architecture
The presentation from Joseph Muli and Rajesh Dutta from Xebia on "How eBPF boost up Kubernetes service networking performance" - as presented on the 13th of April, 2023 at the Site Reliability Engineering NL MeetUp.
NPV and NPIV feature in MDS switches on SAN network (Tanay Chakraborty)
This presentation talks about the NPV/NPIV feature in MDS switches.
A short introduction to the SAN network and detailed information about the NPV/NPIV feature.
NFV is "network function virtualization" and is a hot topic in virtualization and cloud infrastructure. This presentation walks through what NFV is and how the ManageIQ community could potentially integrate with various NFV implementations.
For more on ManageIQ, see http://manageiq.org/
OpenStack Gluon is a model-driven, extensible framework that enables telecom network operators to provide customers with NFV networking services on-demand by generating APIs from a YAML file which models the NFV Networking Service. We’ll give an overview of Gluon and share a demonstration that will show how Gluon enables quick development and accelerates deployment of new networking service APIs (a.k.a. Protons). We’ll also provide an overview of the OPNFV NetReady project, whose goal is to investigate how the current OpenStack networking architecture needs to be evolved in order to ensure that NFV-related use cases can be flexibly and efficiently supported.
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines (Christina Lin)
Traditionally, dealing with real-time data pipelines has involved significant overhead, even for straightforward tasks like data transformation or masking. However, in this talk, we’ll venture into the dynamic realm of WebAssembly (WASM) and discover how it can revolutionize the creation of stateless streaming pipelines within a Kafka (Redpanda) broker. These pipelines are adept at managing low-latency, high-data-volume scenarios.
Cosmetic shop management system project report.pdf (Kamal Acharya)
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's tough to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. The project includes various function programs to do the above mentioned tasks.
Data file handling has been used effectively in the program.
The automated cosmetic shop management system should deal with the automation of the general workflow and administration process of the shop. The main processes of the system focus on the customer's request, where the system is able to search for the most appropriate products and deliver them to the customers. It should help the employees to quickly identify the list of cosmetic products that have reached the minimum quantity and also keep track of the expiry date for each cosmetic product. It should help the employees to find the rack number in which the product is placed. It is also a faster and more efficient way of working.
Welcome to WIPAC Monthly, the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news, and to celebrate the 13 years since the group was created, we have articles including:
A case study of the use of Advanced Process Control at the wastewater treatment works at Lleida in Spain.
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Water billing management system project report.pdf (Kamal Acharya)
Our project entitled “Water Billing Management System” aims to generate the water bill with all the charges and penalties. The manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board, like generating the monthly water bill, keeping a record of consumed units of water, and storing the customer's record and previous unpaid record.
We used HTML/PHP as the front end and MySQL as the back end for developing our project. HTML is primarily a visual design environment. We can create an Android application by designing the forms that make up the user interface, adding application code to the forms and to the objects such as buttons and text boxes on them, and adding any required support code in additional modules.
MySQL is a free open source database that facilitates the effective management of databases by connecting them to the software. It is a stable, reliable and powerful solution with advanced features and advantages, which are as follows: Data Security.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Student information management system project report ii.pdf (Kamal Acharya)
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
Final project report on grocery store management system..pdf (Kamal Acharya)
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. Your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website which retails various grocery products. This project allows viewing the various products available, enables registered users to purchase desired products instantly using the Paytm or UPI payment processor (Instant Pay), and also lets them place an order using the Cash on Delivery (Pay Later) option. This project provides easy access for Administrators and Managers to view orders placed using the Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
2.2 nFAPI Procedures
• The nFAPI P5 interface configures the PNF device at the PNF device level and at the static PHY level.
• The nFAPI P7 interface operates the PHY for the subframe procedures.
2.2.1 nFAPI PNF configuration procedure
2.2.2 nFAPI P5 PHY configuration procedure
2.2.3 nFAPI P7 subframe procedure
2.2.1 nFAPI PNF Configuration Procedures
1. Initialization
2. Reset
3. Restart
4. Reconfigure
• See the next slide for details of the PNF Initialization Procedure and the PNF PARAM message exchange.
*) See the full spec documents for the other procedures and message exchanges.
2.2.2 nFAPI P7 Subframe Procedures
The nFAPI P7 interface configures the PNF PHYs every subframe.
Procedures and their purpose:
1. PHY Synchronization: estimation and compensation of timing differences between the VNF and the PHY instance.
2. API message order: the L1 API has constraints on when certain subframe messages can be sent, or will be received, by the L2/L3 software.
3. API message timing: nFAPI P7 messages sent from the VNF to the PNF must arrive at the PNF a minimum time before the subframe they configure starts transmission on the air interface.
4. Semi-static information: create periodic transmission patterns on the uplink.
5. Uplink HARQ: signalling ACK or NACK for downlink data transmissions sent to a UE.
6. Downlink: BCH, PCH, DLSCH, MCH, PRS, CSI.
7. Uplink: RACH, ULSCH, SRS, CQI, SR.
8. RNTI Measurement: SNR, timing advance, Doppler estimation.
2.3 nFAPI messages
• 2.3.1 nFAPI Transport Layer
nFAPI Implementation – P5
• Source Code:
https://gitlab.com/changshengliusamuel/openairinterface5g/blob/develop-nb-iot/openair2/LAYER2/MAC/config_NB_IoT.c
• For the explanation of the flowchart please refer to:
http://bit.ly/nfapi-implementation-p5