DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP

CILIUM: NETWORK AND
APPLICATION SECURITY
WITH BPF AND XDP
Thomas Graf
Co-founder & CTO
Covalent

Helped build the
biggest monolith
ever …
Who is this guy?

syscalls syscalls
Net IOBlock IO
Time to rethink the kernel

From monolith to “microkernel” with BPF
syscalls syscalls
BPF
BPF
BPF
BPF
Net IOBlock IO

From monolith to “microkernel” with BPF
syscalls syscalls
BPF
BPF
BPF
BPF
BPF
BPF
Security
Networking
Net IOBlock IO

BPF is revolutionizing…
• Tracing / Profiling

Container Performance
Analysis
Brendan Gregg
Wed 1:30pm “Black Belt”

• Networking
Analysis
Brendan Gregg

• Networking
• Security
Analysis
Brendan Gregg

Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
Delivery Frequency

Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
3-Tier App
Monthly
Moderate
Delivery Frequency

Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
Distributed
Microservices
10-100 x’s / day
Extreme
3-Tier App
Monthly
Moderate
Delivery Frequency

Network Security
has not evolved
$ iptables -A INPUT -p tcp
-s 15.15.15.3 --dport 80
-m conntrack --ctstate NEW
-j ACCEPT
The world still runs on iptables
matching IPs and ports:

Network Security
for Microservices
Example
Gordon is
looking for
a job…

Gordon Job Postings
Example: Security for Microservices

GET /healthz
GET /jobs/{id}
PUT /jobs/{id}
POST /jobs
API
Gordon Job Postings

GET /healthz
GET /jobs/{id}
PUT /jobs/{id}
POST /jobs
API
GET /jobs/331
Gordon Job Postings

L3/L4
GET /healthz
GET /jobs/{id}
PUT /jobs/{id}
POST /jobs
API
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT
GET /jobs/331
Gordon Job Postings

L3/L4
GET /healthz
GET /jobs/{id}
PUT /jobs/{id}
POST /jobs
API
exposed
exposed
exposed
GET /jobs/331
Gordon Job Postings
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT

Not exactly
least privilege
Security team is
not amused

L3/L4
GET /healthz
GET /jobs/{id}
PUT /jobs/{id}
POST /jobs
API
FROM Gordon
ALLOW GET /jobs/.*
GET /jobs/331
Gordon Job Postings

BPF - The
Superpowers
inside Linux

SANDBOX
BPF
GET /foo
BPF: Transparent redirection into proxy

SANDBOX
BPF
Proxy
GET /foo
redirect
rules
sk

SANDBOX
BPF
Proxy
GET /foo
redirect
rules
sk
Shared State
• Orig Dest IP
• Identity

SANDBOX
BPF
Proxy
GET /foo
redirect
reinject
rules
sk sk
Shared State
• Orig Dest IP
• Identity

SANDBOX
BPF
Proxy
GET /foo
rules
sk sk
403
Access
Denied

.insns = {
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
BPF_LD_MAP_FD(BPF_REG_1, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
BPF_EXIT_INSN(),
}
What is
BPF?
Learn more about BPF: docs.cilium.io

BPF: Toolchain – from user to kernel
USER SPACE
SOURCE CODE [C]
</>

BPF: LLVM compiles program code to bytecode
USER SPACE
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>

BPF: Bytecode is loaded and verified into kernel
USER SPACE
KERNELVERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>

BPF: Bytecode runs inside safe kernel sandbox
USER SPACE
KERNELVERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>
SANDBOX
BPF

BPF: Program is attached to event (packet-in)
USER SPACE
KERNELVERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>
SANDBOX
BPF

BPF: Program can redirect to netns & sockets
USER SPACE
KERNELVERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>
SANDBOX
BPF

BPF – An opportunity
to rethink security
policy enforcement

Status Quo: Policy Enforcement
connect()

connect()
TCP

connect()
TCP
Network
packets

connect()
TCP
Network
packets
veth
veth
namespace boundary

connect()
TCP
Network
packets
iptables
veth
veth
namespace boundary

connect()
drop
TCP
Network
packets
iptables
veth
veth
namespace boundary

connect()
drop
TCP
Network
packets
ETIMEDOUT
iptables
veth
veth
namespace boundary

connect()
drop
TCP
Network
packets
ETIMEDOUT/
ECONNREFUSED
iptables
RST
veth
veth
namespace boundary

BPF: Leverage user space tool chain
USER SPACE
KERNEL
connect()
VERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>

BPF: Attach program to connect() syscall (LSM)
USER SPACE
KERNEL
connect()
VERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>
BPF
LSM Hook

BPF: Return EACCESS – No packets created at all
USER SPACE
KERNEL
connect()
EACCESS
VERIFIER +
JIT
SOURCE CODE [C]
</>
BYTE CODE [BPF]
</>
BPF
LSM Hook

XDP/BPF – The
software loadbalancer
of the future

WHAT IF I TOLD YOU
XDP allows for 10x
IPVS performance

Source: https://www.netdevconf.org/2.1/slides/apr6/zhou-netdev-xdp-2017.pdf
FB moves from IPVS to BPF/XDP for L3/L4 LB
XDP throughput
IPVS throughput
Source:

Regular BPF mode
BPF
Driver Software Stack

XDP [Express Data Path] mode
BPF
Driver
Run BPF Program inside network
driver with access to DMA buffer
Software Stack

BPF
Driver
Can drop millions of packets per
Second while under DDoS
Software Stack
drop

BPF
Driver
Can pass packets to network stack
Software Stack
drop
Stack

BPF
Driver
Can perform loadbalancing and
transmit out the wire again
Software Stack
drop
LB & TX
Stack

How can I use BPF
with Docker?

DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP

Cilium Architecture
Cilium
Agent

Cilium Architecture
Cilium
Agent
Plugins

Cilium Architecture
BPF
Cilium
Agent
Plugins

Cilium Architecture
BPF
BPF
Cilium
Agent
Plugins

Cilium Architecture
BPF
BPF
BPF
Cilium
Agent
Plugins

Cilium Architecture
BPF
BPF
BPF
Cilium
Agent
CLI Monitor Policy
Plugins

Project Status
• Initial release two weeks ago
• Docker & Kubernetes integration
• Looking for feedback and
contributions

Getting Started
• Play with our vagrant box:
$ git clone https://github.com/cilium/cilium
$ cd cilium/examples/getting-started
$ vagrant up

Summary
• Never underestimate the
Jedi

Summary
Jedi
• Traditional L3/L4 network
policies are insufficient for
microservices. Least
privilege requires HTTP /
API / Function awareness.

Summary
• BPF/XDP will drive the
future of software based
networking on Linux.
Jedi

Summary
Jedi
• BPF/XDP will drive the
future of software based
networking on Linux.
• Cilium brings BPF/XDP
and L7 policies to
containers and
microservices.

Thank You!
github.com/cilium/cilium
http://cilium.io/
@ciliumproject
Want to chat? DM me! @tgraf__
Don’t forget
to vote and
grab a shirt
on the way
out!

75
140
205
240
325
365 370 365
410 412 425
445 450 460 460
490 495 505 515 525
545
565
0
100
200
300
400
500
600
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
BPF redirect() performance
[GBit per core]
Intel Xeon 3.5Ghz Sandy Bridge, 24 Cores,
(1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K policies)

DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP

More Related Content

What's hot (20)

Similar to DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP (20)

More from Thomas Graf (10)

Recently uploaded (20)

DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP