The document discusses how BPF and XDP are revolutionizing network security and performance for microservices. BPF allows profiling, tracing, and running programs at the network driver level. It also enables highly performant networking functions like DDoS mitigation using XDP. Cilium uses BPF to provide layer 3-7 network security for microservices with policies based on endpoints, identities, and HTTP protocols. It integrates with Kubernetes to define network policies and secure microservice communication and APIs using eBPF programs for filtering and proxying.
FOSDEM15 SDN developer room talk: DPDK performance, or how to not just do a demo with DPDK. The Intel DPDK provides a platform for building high performance Network Function Virtualization applications. But it is hard to get high performance unless certain design tradeoffs are made. This talk focuses on the lessons learned in creating the Brocade vRouter using DPDK. It covers some of the architecture, locking and low level issues that all have to be dealt with to achieve 80 Million packets per second forwarding.
This talk demonstrates that programmability and performance do not require user space networking; they can be achieved in the kernel by generating BPF programs and leveraging the existing kernel subsystems. We will demo an early prototype which provides fast IPv6 & IPv4 connectivity to containers, container-label-based security policy with average cost O(1), and debugging and monitoring based on the per-cpu perf ring buffer. We encourage a lively discussion on the approach taken and next steps.
In this session, we’ll review how previous efforts, including Netfilter, Berkeley Packet Filter (BPF), Open vSwitch (OVS), and TC, approached the problem of extensibility. We’ll show you an open source solution available within the Red Hat Enterprise Linux kernel, where extending and merging some of the existing concepts leads to an extensible framework that satisfies the networking needs of datacenter and cloud virtualization.
- The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF.
- It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level.
- Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.
eBPF is an exciting new technology that is poised to transform Linux performance engineering. eBPF enables users to dynamically and programmatically trace any kernel or user space code path, safely and efficiently. However, understanding eBPF is not so simple. The goal of this talk is to give audiences a fundamental understanding of eBPF, how it interconnects existing Linux tracing technologies, and how it provides a powerful platform to solve any Linux performance problem.
Container runtimes cause Linux to return to its original purpose: to serve applications interacting directly with the kernel. At the same time, the Linux kernel is traditionally difficult to change and its development process is full of myths. A new efficient in-kernel programming language called eBPF is changing this and allows everyone to extend existing kernel components or glue them together in new forms without requiring changes to the kernel itself.
The document discusses Cilium and Istio with Gloo Mesh. It provides an overview of Gloo Mesh, an enterprise service mesh for multi-cluster, cross-cluster and hybrid environments based on upstream Istio. Gloo Mesh focuses on ease of use, powerful best practices built in, security, and extensibility. It allows for consistent API for multi-cluster north-south and east-west policy, team tenancy with service mesh as a service, and driving everything through GitOps.
Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Cilium is the next generation, eBPF powered open-source Cloud Native Networking solution, providing security, observability, scalability, and superior performance. Cilium is an incubating project under CNCF and the leading CNI for Kubernetes. In this session we will introduce the fundamentals of Cilium Network Policies and the basics of application-aware and Identity-based Security. We will discuss the default-allow and default-deny approaches and visualize the corresponding ingress and egress connections. Using the Network Policy Editor we will demonstrate what a Cilium Network Policy looks like and what it means on a given Kubernetes cluster. Additionally, we will walk through different examples and demonstrate how application traffic can be observed with Hubble and show how you can use the Network Policy Editor to apply new Cilium Network Policies for your workloads. Finally, we’ll demonstrate how Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement.
USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
This talk will start with a deep dive and hands on examples of BPF, possibly the most promising low level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium with the help of BPF can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.
BPF, or the Berkeley Packet Filter mechanism, was first introduced in Linux in 1997 in version 2.1.75. It has seen a number of extensions over the years. Recently, in versions 3.15 - 3.19, it received a major overhaul which drastically expanded its applicability. This talk will cover how the instruction set looks today and why: its architecture, capabilities, interface, and just-in-time compilers. We will also talk about how it's being used in different areas of the kernel like tracing and networking, and about future plans.
Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible. Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.
The document provides an overview of Kubernetes networking concepts including single pod networking, pod to pod communication, service discovery and load balancing, external access patterns, network policies, Istio service mesh, multi-cluster networking, and best practices. It covers topics such as pod IP addressing, communication approaches like L2, L3, overlays, services, ingress controllers, network policies, multi-cluster use cases and deployment options.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
BPF is one of the fastest emerging technologies of the Linux kernel. The talk provides an introduction to Cilium which brings the powers of BPF to Kubernetes and other orchestration systems to provide highly scalable and efficient networking, security and load balancing for containers and microservices. The talk will provide an introduction to the capabilities of Cilium today but also deep dives into the emerging roadmap involving networking at the socket layer and service mesh datapath capabilities to provide highly efficient connectivity between cloud native apps and sidecar proxies.
This document provides an overview of cBPF and eBPF. It discusses the history and implementation of cBPF, including how it was originally used for packet filtering. It then covers eBPF in more depth, explaining what it is, its history, implementation including different program types and maps. It also discusses several uses of eBPF including networking, firewalls, DDoS mitigation, profiling, security, and chaos engineering. Finally, it introduces XDP and DPDK, comparing XDP's benefits over DPDK.
In the Cloud Native community, eBPF is gaining popularity, as it can often be the best solution for solving different challenges with deep observability of systems. Currently, eBPF is being embraced by major players. Mydbops co-Founder Kabilesh P.R (MySQL and Mongo Consultant) illustrates debugging Linux issues with eBPF: a brief introduction to BPF & eBPF, BPF internals, and the tools in action for faster resolution.
Intro to Cilium: Microservices Security with Kubernetes Integration. Open Source Cilium website: cilium.io. GH: github.com/cilium/cilium. Join our Slack! cilium.herokuapp.com. Follow us on Twitter! @ciliumproject @_techcet_
Cilium provides network security and visibility for microservices. It uses eBPF/XDP to provide fast and scalable networking and security controls at layers 3-7. Key features include identity-based firewalling, load balancing, and mutual TLS authentication between services. It integrates with Kubernetes to apply network policies using standard Kubernetes resources and custom CiliumNetworkPolicy resources for finer-grained control.
BPF (Berkeley Packet Filter) is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security and tracing. At the same time, the rise of container-based orchestration platforms such as Kubernetes is creating demand for routing, load-balancing & security infrastructure that is highly scalable, application-aware, and resilient. This talk introduces the open source project Cilium - a modern networking and security platform for microservices. Cilium is built on top of BPF and provides Linux native networking and security services with application protocol awareness. Cilium works hand in hand with application proxies such as Envoy and the services management orchestration layer Istio to provide infrastructure services in a transparent manner and with minimal overhead. This talk will discuss the challenges of exposing services via APIs and the solution that Cilium provides to enforce least privilege security.
F5 provides comprehensive application security and DDoS protection solutions. It uses a full proxy security architecture with hardware-based mitigation of DDoS attacks. The document describes F5's security architecture which includes perimeter network firewall services, DNS security, web application firewall, and DDoS protection across layers 3 to 7 using scrubbing centers and global points of presence. It also summarizes F5's routed and proxy configuration options for DDoS protection and provides details on its AttackView portal for attack visibility and mitigation configuration.
This talk will start with a deep dive and hands-on examples of BPF, possibly the most promising low-level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium with the help of BPF can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.
Krzysztof Mazepa (Cisco Systems Poland), network architect / consultant working with the largest Polish wireline and cable operators. His mission is to "translate" customers' business requirements into the technology solutions on offer. His extensive experience, 16 years of work in the operator environment, allows him to recognize the specific requirements of this market and propose the expected solution. Krzysztof is a frequent speaker at PLNOG (Polish Network Operator Group), Cisco Forum, EURONOG (European Network Operator’s Group) and Cisco Live conferences. He holds CCIE (Cisco Certified Internetwork Expert) #18 662, JNCIE (Juniper Networks Certified Internet Expert) #137, VMware Certified Professional 4 #99432 and many other certifications. Krzysztof lives in Warsaw; in his free time he trains for long-distance running and plays tennis. Presentation topic: BGP FlowSpec. Presentation language: Polish. Abstract: The goal of the session is to show the basics of how BGP FlowSpec works. The theoretical foundations will be presented, along with the way SP operators use it to eliminate DDoS attacks. The operation of the solution will be demonstrated in a virtual environment using IOS XRv software.
1) The document discusses the evolution from the TCP/IP networking model to the Recursive InterNetwork Architecture (RINA) model.
2) RINA addresses architectural flaws in TCP/IP like layered modularity and a lack of built-in security. It also simplifies addressing and eliminates the need for middleboxes.
3) RINA features a single type of layer with a consistent application programming interface, two core protocols, and programmable functions to provide inter-process communication as a distributed application.
F5 iApps and iWorkflow provide abstraction of L4-7 configurations and services which results in faster time to value, faster time to change, and reduced operation risk. iWorkflow additionally provides service abstraction, tenant/provider models, and role-based access control. These tools can simplify integration and reduce deployment complexity.
We have introduced Cilium at DockerCon US 2017 this year. Cilium provides application-aware network connectivity, security, and load-balancing for containers. This talk will follow up on the introduction and deep dive into recent kernel developments that address two fundamental questions: How can I provide application-aware security and routing efficiently without overhead embedded into every service? How can container hosts protect themselves from internal and external DDoS attacks? The solutions include: kproxy: a kernel-based socket proxy which allows for application-aware routing and security enforcement with minimal overhead. XDP: A lightning-fast packet processing datapath using BPF. The technology is intended for DDoS mitigation, load-balancing, and forwarding. This talk will deep dive into these exciting technologies and show how Cilium makes BPF and these kernel features available on Linux for your Docker containers.
DPDK Summit 2015 in San Francisco. Intel's presentation by Keith Wiles. For additional details and the video recording please visit www.dpdksummit.com.
This document provides an overview of peer-to-peer (P2P) overlay networks and distributed hash tables (DHTs) and how they relate to P2P SIP networks. It discusses how DHTs like Chord work to store and locate data in a decentralized manner. It also compares different P2P overlay structures and routing algorithms, noting benefits like resilience and proximity. The document aims to introduce key concepts for building scalable, global P2P SIP networks as an alternative to traditional client-server SIP architectures.
WebRTC gives us a way to do real-time, peer-to-peer communication on the web. In this talk, we'll go over the current state of WebRTC (both the awesome parts and the parts which need to be improved) as well as what could come in the future. Mostly though, we'll take a look at how to combine WebRTC with other web technologies to create great experiences on the front-end for real-time, p2p web apps.
This document outlines an agenda for a workshop on Kubernetes networking with eBPF and Cilium. The workshop covers various topics including principles of eBPF and Cilium, Kubernetes networking, cluster mesh, security, observability, service mesh, and Tetragon. It provides overviews and examples for each topic. The workshop is presented by Raphaël Pinson who works on Cilium at Isovalent.
This document provides technical summaries of various network attacks and exploitation techniques. It begins with an overview of the author's background and experience in network security. It then summarizes several methods, including exploiting SNMP configurations, manipulating routing tables through policy routing, using GRE and ERSPAN tunnels to enable remote packet capture, exploiting DLSw to tunnel traffic covertly, and exploiting lawful intercept functions to duplicate traffic. The goal is to educate about various risks while maintaining an instructional tone.
Peer-to-peer Internet telephony: challenges and status. This was presented at the VoIP conference and expo, 2010, at IIT Rice campus, IL.
Creating the distributed apps of the future using Dapr. Session given by Geert van der Cruijsen (@geertvdc) on Techdays Helsinki 2020 in March.
This document provides a summary of Prateek's professional experience in software development for telecom and networking. Over 9.5 years, he has worked on projects involving optical networking, load balancing servers, protocol development, and customer support. His responsibilities have included technical lead roles, individual development work, design, testing, and system integration. He has strong skills in C, C++, Linux, networking protocols, data structures, and development tools like version control systems. His work experience includes roles at NEC Technology, Brocade Communication, Juniper Networks, and Huawei Technology where he contributed to projects involving network security, load balancing, network address translation, and more.
Are you worried about granting too much access to resources on your Kubernetes cluster? With the extensible framework of Kubernetes, there is scarcely a day without a new tool popping up. In order to ensure the tools, users, and applications have appropriate security policies, a streamlined onboarding process is required. The onboarding process not only streamlines how securely we can grant access but also enables self-service capabilities improving the user experience. In this workshop, audiences will get a good understanding of common pitfalls and how to avoid them by leveraging the Role-Based architecture approach, pod security policies, admission controllers, policy enforcement through OPA, etc.
This document summarizes a workshop on Kubernetes security presented by Avinash Desireddy and Anoop Kumar. The workshop covered Role-Based Access Control (RBAC) to grant users access to Kubernetes resources, using Open Policy Agent (OPA) and Gatekeeper to enforce cluster-wide policies, and network policies to control traffic between pods. It provided demonstrations of creating RBAC roles, restricting node port usage and enforcing resource limits with OPA policies, and allowing traffic between applications with network policies. The key takeaways were to enforce policies, build an RBAC strategy, start with a zero-trust approach, and use network policies.
This session covers lessons learned while exploring BPF to provide a programmable datapath based on BPF and discusses options for OVS to leverage the technology.
The document discusses a cluster-wide label ID table that allows for efficient policy enforcement across frontend, backend, and load balancer systems. A single hash table lookup is needed regardless of policy complexity thanks to an ID carried in network packets. Benchmark results show the approach can efficiently handle everything from small HTTP requests to ultra HD videos even with 10,000 policies on a 24-core server.
We present a new open source project which provides IPv6 networking for Linux Containers by generating programs for each individual container on the fly and then running them as JITed BPF code in the kernel. By generating and compiling the code, the program is reduced to the minimally required feature set and then heavily optimised by the compiler as parameters become plain variables. The upcoming addition of the Express Data Plane (XDP) to the kernel will make this approach even more efficient as the programs will get invoked directly from the network driver.
As containers are being deployed as part of multi-tenant clusters, virtual multi-layer switches become essential to interconnect containers while providing isolation guarantees. Assigning tenants their own private networks requires stateful network address translation (NAT) implemented in a scalable architecture to expose containers to public networks. Existing virtual switches integrated into the Linux kernel did not support stateful NAT so far. This presentation introduces a new virtual NAT service, deployable as a container, built using existing kernel functionality such as network namespaces, routing rules and Netfilter to provide NAT services to existing virtual switches such as Open vSwitch and the Linux bridge, but also to the core L3 layer of Linux.
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both existing essential networking features and recent developments, and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling, and will discuss how to configure them.
Open vSwitch (OVS) has long been a critical component of Neutron's reference implementation, offering reliable and flexible virtual switching for cloud environments. Being an early adopter of the OVS technology, Neutron's reference implementation made some compromises to stay within the early, stable featureset OVS exposed. In particular, Security Groups (SG) have so far been implemented by leveraging hybrid Linux Bridging and IPTables, which comes at a significant performance overhead. However, thanks to recent developments and ongoing improvements within the OVS community, we are now able to implement feature-complete security groups directly within OVS. In this talk we will summarize the existing Security Groups implementation in Neutron and compare its performance with the Open vSwitch-only approach. We hope this analysis will form the foundation of future improvements to the Neutron Open vSwitch reference design.
This document discusses Open vSwitch and its support for stateful services like connection tracking (conntrack) and network address translation (NAT). Open vSwitch is designed to manage overlay networks and provides programmable flow tables and remote management. It aims to integrate conntrack to enable stateful firewalling and NAT functions. This will allow matching on connection states and leveraging existing Linux conntrack and NAT modules. Examples are given of how conntrack and NAT rules could be implemented using these new Open vSwitch capabilities.
Update on status of connection tracking and stateful NAT addition to the Linux kernel datapath. Followed by a discussion on the topic to collect ideas and come up with next steps.