BPF (Berkeley Packet Filter) is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security and tracing. At the same time, the rise of container-based orchestration platforms such as Kubernetes is creating demand for routing, load-balancing & security infrastructure that is highly scalable, application-aware, and resilient. This talk introduces the open source project Cilium - a modern networking and security platform for microservices. Cilium is built on top of BPF and provides Linux native networking and security services with application protocol awareness. Cilium works hand in hand with application proxies such as Envoy and the services management orchestration layer Istio to provide infrastructure services in a transparent manner and with minimal overhead. This talk will discuss the challenges of exposing services via APIs and the solution that Cilium provides to enforce least privilege security.
Hank Preston gave a presentation on network automation and Cisco DevNet. He discussed why networks should be automated to reduce errors and improve change management. He introduced DevNet, which aims to build a developer community around Cisco platforms. He provided a glimpse into future networking approaches like network as code and controller-based operations. He outlined tools and skills needed for network automation, noting that network engineers can acquire programming skills to transition to netdevops.
This document discusses abstract interfaces, APIs, and implementations for network functions like IPsec. It proposes a common Network Application Interface to provide hardware independence and allow live migration of virtual network functions between platforms with and without acceleration. This interface could be realized by both the Open Data Plane (ODP) and DPDK APIs/implementations to unify their approaches for network functions like IPsec processing.
This document discusses the concept of "IPC VPN slices" which provide distributed inter-process communication (IPC) between applications using the Recursive Internet Network Architecture (RINA). It describes how IPC VPN slices can be implemented across single and multiple domains/operators using RINA's distributed IPC facility (DIF) as an overlay. The objective is to provide an autonomous IPC VPN overlay and separation of concerns between the VPN and underlying L2 VPN fabric, as well as service continuity as endpoints attach across different access networks. It also shows how slice orchestration in this architecture provides recursive abstraction between different administrative domains.
BIGLOBE faces challenges in scaling their network to support increasing demand for high-speed services from their 3 million broadband customers. Rapid traffic growth stresses their core network and metro connections. Efficiently handling streaming video, which comprises 30% of traffic, is difficult. Improving peering relationships and developing an open peering ecosystem in Japan helps alleviate these issues. BIGLOBE is working on automation, measurement tools, and network evolution to manage costs and provide high quality internet experiences as demands continue rising.
This document discusses a proof-of-concept implementation of a RINA interior router using P4. The goals are to increase RINA credibility by providing a high-performance router implementation at a reasonable cost, and to understand limitations of current network programmability approaches. The implementation targets the BMv2 P4 software switch, demonstrating basic interior router functions for EFCP packets. Future work includes implementing the design on hardware and evaluating the feasibility of a border router.
OpenStack Neutron Conceptual Overview: What is networking virtualization?
* Example of Neutron capabilities
* Run-down of components including the L2, L3 and DHCP agents and the service itself
* Core concepts - Ports, networks, subnets
* Network types - External, provider, tenant
* VLANs and tunnels for connectivity and segregation
* Instance IP addressing, routers, NAT and floating IPs
* Nova-Neutron interaction, workflow of creating a VM with network connectivity
* Neutron modularity - Core and service plugins
NetBox “knows” how the network is supposed to be configured, and Cisco NSO can ensure that configuration is actually applied. In this talk we’ll look at an example of how this can be done, and is used in production to manage the DevNet Sandbox Network. In DevNet Sandbox we are on a journey to adopt NetDevOps design and operational principles throughout our platform. And “journey” is the right word. Like many of you, we have to balance the innovation and modernization of the approach with day-to-day “keep the lights on” activities and priority projects. But one of the first things we tackled was to adopt NetBox as our Source of Truth. We knew this was critical to being able to move forward in any meaningful way. As part of making NetBox the Source of Truth, we knew we needed to drive the network configurations pushed out to the network from NetBox directly; having a second “Source of Truth” maintained in our configuration management tool was counter to the goals of our project. Our network configuration management tool is Cisco NSO, and it has a “Configuration Database” or CDB that could be seen as a “Source of Truth” as well. What we worked on was a way to populate the relevant parts of the CDB from NetBox. This talk will share how we approached this challenge and how we leverage the magic of Python to bring them together. And the work isn’t done yet or perfect. A few thoughts about areas we need to improve and how we plan to move forward will also be discussed.
'Software Defined Network', 'Infrastructure as Code', 'Cloud', and 'Programmability' are trends that have already changed the nature of being a Network Engineer. That's yesterday's news... today we have 'NetDevOps', 'Network Reliability Engineering (NRE)', and whatever comes tomorrow. In this session we will explore the evolution of networking, the network engineer, and network operations. We'll look back fondly on the early days of networking, when it was simple. The biggest concerns we had were the number of Spanning-Tree instances to run and which side of the OSPF vs EIGRP debate we were on that day. We'll consider the impact of Cloud, Open Source, DevOps, Python and (we can't forget) 'SD-Everything' that the Network Renaissance has brought us. We'll dive into the challenges and opportunities that NetDevOps offers as we adopt the culture, technical methods, strategies, and best practices from DevOps. You'll laugh, you'll groan, you might even get angry, but that's okay. Come join the evolution of the Network Engineer with open eyes and learn how to jumpstart your own transformation - Become the NetDevOps Engineer!
1. The document discusses a converged network vision that supports any access media and application using a common network infrastructure with a single architecture, management system, and user database.
2. It questions whether all-IP networks are fit for this purpose, as the IP protocol suite was not designed for generality and scalability.
3. The document introduces RINA as a better approach, describing its unified model of networking as inter-process communication, consistent layered architecture, and support for naming, addressing, mobility, security, and management.
The document provides an overview of Link Controller functionality including:
- Link Controller balances load across multiple ISP links and provides failover capability.
- It offers advantages over BGP by not requiring ISP coordination and allows transparent addition of new links.
- While it functions similarly to LTM for outbound traffic and GTM for inbound, it has limitations such as no advanced load balancing or ability to resolve IPs it does not host.
- Key aspects of deployment include defining links, listeners, pools, virtual servers, and WideIPs to direct inbound and outbound traffic across ISP links.
In this talk, we outline a kernel and upstream centric approach to data plane acceleration using an upstream SmartNIC BPF JIT. This allows extended Berkeley Packet Filter (eBPF) bytecode to be transparently offloaded to the SmartNIC from either the Traffic Control (TC) or Express Data Path (XDP) hooks in the kernel and could be used for applications such as DoS protection, load balancing and software switching e.g., Open vSwitch (OVS). We then follow this by outlining the proposed ICONICS OCP contribution related to an open approach for reconfiguration using directly compiled SmartNIC programs in situations where BPF bytecode alone is not sufficient to accommodate changing semantics in the network.
This document provides an overview of Cisco's model-driven telemetry solution. It discusses key concepts like data models, encodings, transports and the telemetry pipeline. YANG is presented as the modeling language and telemetry is described as having three key enablers: push-based collection, analytics-ready data formats, and being data model-driven. Cisco routers support model-driven telemetry via gRPC, TCP, UDP and provide interfaces, system and other data in YANG, OpenConfig and IETF models.
This document provides instructions for configuring NetFlow versions 5 and 9 on Cisco routers to monitor network traffic. It explains that NetFlow collects IP traffic data, what versions 5 and 9 are, and how to configure each version on a router by specifying the collector server, export port, and interfaces. It also describes how to verify the NetFlow export and how tools like SolarWinds NetFlow Traffic Analyzer analyze exported data to provide network usage insights.
As microservices grow, traditional firewall rules based on network ACLs are no longer scalable and fall short of providing fine-grained enforcement. Group Based Policy (GBP) is a flexible policy language that allows users to specify policy enforcement based on intent, independent of network infrastructure and IP addressing. Using micro-segmented virtual domains, administrators can define policies at a centralized location and use IO Visor technology for distributed enforcement. This provides infrastructure independent rules, template-based policy definitions, and scale-out policy enforcement for a solution that secures and scales with microservices. This session will be presented by members of the IO Visor community and will cover how IO Visor technology can be used to define and enforce GBP. The discussion will also cover using GBP for cloud foundry application spaces where microservices are deployed and need scalable, efficient security policies.
Netronome invented the flexible network flow processor and hardware-accelerated server-based networking. Learn more from Netronome's Corporate Brochure.
This document discusses using Kubernetes to build a domestic 5G NFV platform in Taiwan. It begins with an introduction of the speaker and overview of NFV and its impact. It then covers the advantages and challenges of deploying VNFs on Kubernetes, including networking and compute/management issues. It introduces some telco Kubernetes solutions from Nokia, SK Telecom, and Huawei. It also presents Taiwan's MOEA 5G project NFVI platform based on the open source X-K8S solution from ITRI, addressing networking and compute/management challenges. Finally, it shares an example of an end-to-end EPC system integration on the platform.
RINA is a Recursive InterNetwork Architecture that uses a single consistent layering model and API. ARCFIRE aims to demonstrate the benefits of RINA technology at large scale using the FIRE+ experimental infrastructure. Over 100 nodes and 10s-100s of DIFs will be used in a week-long experiment examining DDoS attacks, multi-layer management, and heterogeneous access networks. Results will provide compelling cases for RINA deployment by converging operators, application developers, and end users.
Cilium provides network security and visibility for microservices. It uses eBPF/XDP to provide fast and scalable networking and security controls at layers 3-7. Key features include identity-based firewalling, load balancing, and mutual TLS authentication between services. It integrates with Kubernetes to apply network policies using standard Kubernetes resources and custom CiliumNetworkPolicy resources for finer-grained control.
The document discusses how BPF and XDP are revolutionizing network security and performance for microservices. BPF allows profiling, tracing, and running programs at the network driver level. It also enables highly performant networking functions like DDoS mitigation using XDP. Cilium uses BPF to provide layer 3-7 network security for microservices with policies based on endpoints, identities, and HTTP protocols. It integrates with Kubernetes to define network policies and secure microservice communication and APIs using eBPF programs for filtering and proxying.
Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Nomad. We will see some code examples, basic use cases and an easy tutorial on the web.
As presented by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon/ContainerCon 2016: Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications. Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment. Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
This document summarizes a presentation about Contiv, an open source container networking solution. It introduces Contiv as a way to define and enforce network policies across infrastructure to integrate application intent with operational intent. Key features of Contiv highlighted include providing container networking for schedulers like Kubernetes and Docker, distributed policy enforcement, integration with physical infrastructure, and supporting rich network policies, tenants, and microservices. The presentation concludes with a demo of Contiv's network isolation and policy capabilities.
Cloud Native Night, April 2018, Mainz: Workshop led by Jörg Schad (@joerg_schad, Technical Community Lead / Developer at Mesosphere) Join our Meetup: https://www.meetup.com/de-DE/Cloud-Native-Night/ PLEASE NOTE: During this workshop, Jörg showed many demos and the audience could participate on their laptops. Unfortunately, we can't provide these demos. Nevertheless, Jörg's slides give a deep dive into the topic. DETAILS ABOUT THE WORKSHOP: Kubernetes has been one of the topics in 2017 and will probably remain so in 2018. In this hands-on technical workshop you will learn how best to deploy, operate and scale Kubernetes clusters from one to hundreds of nodes using DC/OS. You will learn how to integrate and run Kubernetes alongside traditional applications and fast data services of your choice (e.g. Apache Cassandra, Apache Kafka, Apache Spark, TensorFlow and more) on any infrastructure. This workshop best suits operators focussed on keeping their apps and services up and running in production and developers focussed on quickly delivering internal and customer facing apps into production. You will learn how to:
- Introduction to Kubernetes and DC/OS (including the differences between both)
- Deploy Kubernetes on DC/OS in a secure, highly available, and fault-tolerant manner
- Solve operational challenges of running a large/multiple Kubernetes cluster
- One-click deploy big data stateful and stateless services alongside a Kubernetes cluster
This presentation was made by Mangesh Patankar (Developer Advocate - IBM Cloud) as part of Container Conference 2018: www.containerconf.in. "How do we make microservices resilient and fault-tolerant? How do we enforce policy decisions, such as fine-grained access control and rate limits? How do we enable timeouts/retries, health checks, etc.? A service-mesh architecture attempts to resolve these issues by extracting the common resiliency features needed by a microservices framework away from the applications and frameworks and into the platform itself. Istio provides an easy way to create this service mesh."
This talk is a gentle introduction to the core concepts required to successfully deploy your first few apps to Kubernetes, followed by an overview of the Kubernetes architecture to enable you to understand how to deploy a cluster yourself. The tool kubeadm is then used to easily set up Kubernetes clusters on any computers running Linux. We'll then try out the theory we learned by deploying some Pods, Deployments and Services to our new cluster and observing their behaviour.
Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale-out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift, along with powerful policy-based management that makes networking at large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow-up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.
Container Days 2017, Hamburg: Talk by Mario-Leander Reimer (@LeanderReimer, Chief Technologist at QAware). Abstract: Cloud giants such as Google, Twitter and Netflix have made the core building blocks of their infrastructure available as open source. The result of many years of cloud experience is now freely accessible, and anyone can develop their own cloud-native applications: applications that run reliably in the cloud and scale almost without limit. The individual building blocks are growing together into a greater whole, the Cloud Native Stack. In this session we present the most important concepts and key technologies, and then bring a Spring-Cloud-based sample application up and running on Kubernetes and DC/OS step by step. Along the way we discuss various practicable architecture alternatives.
This document provides an overview of cloud native applications and the cloud native stack. It discusses key concepts like microservices, containerization, composition using Docker and Docker Compose, and orchestration using Kubernetes. It provides examples of building a simple microservices application with these technologies and deploying it on Kubernetes. Overall it serves as a guide to developing and deploying cloud native applications.
It's been two years since we introduced the Istio project to the Triangle Kubernetes Meetup group. This presentation will be a brief re-introduction of the Istio project, and a summary of the updates to the Istio project since its 1.0 release.
This document provides an overview of how to install and use Kubernetes. It discusses key Kubernetes concepts like pods, deployments, services and how they relate. It also summarizes the Kubernetes architecture and components. The presentation encourages attendees to join the Weave user group for more training on continuous delivery, monitoring and network policy in Kubernetes.
Containerization has increased the pace of deployment but doesn't overcome the need for application security. Key to making your security teams comfortable with containers is to maintain visibility into the various software components and to proactively patch vulnerabilities as they are disclosed. Aporeto provides a service mesh for application security on any orchestrator, including Kubernetes, and/or any on-premises or cloud infrastructure including AWS, Azure and Google. Their easy-to-deploy solution provides consistent security that is automated to eliminate both manual effort and human error. Don Chouinard, Product Marketing lead at Aporeto, will share how Aporeto uses InfluxData to maintain visibility into the security state of the various application components whenever they run, using automatically generated security policies.
On Tuesday, June 22nd, Jonny Griffin, Security Engineer at Working Group Two, gave a presentation at a three-day conference at GSMA FASG. In the last three years, Working Group Two has been developing a DevSecOps framework to ensure their cloud-native mobile core network is secure. Automating Cloud Security introduces the topics around cloud computing, DevSecOps, cloud-native security layers, and how WG2 built a security tool chain that can be leveraged by any organisation. As security is evolving, so is WG2's capability for identifying, preventing, and responding to security events in our networks.
This document provides an overview of deep diving into Kubernetes and deploying a microservice in IBM Cloud. It discusses Kubernetes concepts and architecture, IBM Cloud Kubernetes Service (IKS), best practices for deployment, and a lab scenario for hands-on experience deploying an application in a Kubernetes cluster. The presentation aims to help attendees better understand Kubernetes and gain skills in deploying applications on IBM Cloud using Kubernetes.
IoT data from devices is large in volume, continuously dynamic, and multi-dimensional. How can it be processed quickly and responded to in real time using streaming processing and big data analytics tools?
This document discusses considerations for securing east-west traffic in Kubernetes environments. It notes growing adoption of containers and Kubernetes for application deployments. Key requirements are discussed like efficient operations, visibility and control, and application security. Common issues in Kubernetes include lack of access control between microservices and lack of application layer visibility. The document then explores potential solutions like using an ingress controller and transparent proxy to provide traffic management, access control policies, and encryption without requiring code changes. It proposes a distributed architecture with a central controller to keep configurations in sync and provide analytics on application traffic and security.
The document discusses Kubernetes networking providers and lessons learned from running Kubernetes at scale. It covers setting up Kubernetes, performing upgrades, choosing a networking provider (like Flannel, Calico, Weave), and managing secrets and configurations. Key points include running Kubernetes core, storage and workloads on separate machines to avoid single points of failure, always upgrading the master before nodes and etcd before the master, and fully leveraging Kubernetes by moving to a microservices architecture.
Identities are a crucial part of running workloads on Kubernetes. How do you ensure Pods can securely access Cloud resources? In this lightning talk, you will learn how large Cloud providers work together to share Identity Provider responsibilities in order to federate identities in multi-cloud environments.
Kubernetes cluster planning requires quite a few things to get started. What about IPs? Common IP management hurdles with Kubernetes clusters include IP assignments when building a cluster and challenges faced when deploying in a multi-faceted environment. Kubernetes Admins often need to use IP addressing handed out by Network Admins juggling other non-k8s workload IP assignments and IP exhaustion. In this talk, Cynthia will discuss new and existing KEPs that SIG-network has implemented to help mitigate IP challenges. Such features include discontiguous cluster CIDRs and the journey to IPv6. Cynthia will also discuss how the best practices for Kubernetes IP management are changing with these new capabilities to help scale and grow instead of rebuild. https://sched.co/184sj