Next Generation of Programmable Datapath
OVS Conference, San Jose, 2016
Thomas Graf
What happened in 2016 so far?
OVS 2.6 was released
First ever OVN release
OVS Orbit podcast (May 16)
Not subscribed yet? ovsorbit.org
Docker followed (Aug 16)
What is up next?
Stickers Available!
BPF: Next Generation of Programmable Datapath
Programs, Maps, Tail Calls
BPF Helpers: Interacting with the outside world
- Map Lookup/Update/Delete
- Get ktime
- printk to trace buffer
- Get random number
- Get SMP processor ID
- Load/store n bytes in skb data
- Replace L3/L4 checksum of skb
- Name/UID/GID of current process
- Push/pop VLAN header
- Set/get tunnel key and options
- Tail call
- Read/write perf event ring buffer
- Redirect/clone to other net_device
- Get routing realm
- Calculate checksum diff over memory buffer
- Change protocol of skb
- Change type of skb (local/broadcast/…)
- Check for cgroup membership
- Access skb->hash or mark invalid
- Trim tail of skb
- Make skb linear
Experimenting with BPF
● Apply BPF to container networking & security
● Generate individual bytecode for each container at startup
○ Incredible flexibility and versatility
○ Majority of configuration becomes constant
● Decouple code (bytecode) and state (maps)
○ Allow for regeneration at any time without breaking connections
Cilium Architecture
Intel Xeon 3.5 GHz Sandy Bridge, 24 cores,
1 TCP flow per core, netperf -t TCP_SENDFILE, 10’000 policies
Learned Lessons
● Datapath development on steroids.
● The verifier complexity limit requires splitting programs into multiple blocks that inherit state.
● We have probably not added the last helper yet.
● Helper requirements define the minimal kernel version, so it’s pretty much kernel 4.8+ for anything non-trivial.
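An added example, not from the slides or from Cilium: a user-space C model of two design points above, code decoupled from state (maps) and a program split into blocks that pass state across a tail call. Arrays stand in for BPF maps and a function-pointer slot for the tail-call target; all names, the ports, and the rule that known connections bypass the policy block are assumptions of the model.

```c
/* User-space model of the design on the slides, NOT Cilium code and not real
 * BPF. All names and the policy rules are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum { DROP, PASS };
enum { SLOT_POLICY, SLOT_MAX };
#define MAX_CONN 16

struct conn { uint32_t peer; uint16_t port; uint8_t used; };
struct ctx  { uint32_t peer; uint16_t port; uint32_t scratch; };

static struct conn conn_map[MAX_CONN];  /* state: outlives any program */
typedef int (*prog_fn)(struct ctx *);
static prog_fn prog_array[SLOT_MAX];    /* stands in for a program array map */

/* Look up a connection; with create set, insert it if there is room. */
static struct conn *conn_get(const struct ctx *c, int create) {
    struct conn *spare = NULL;
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *e = &conn_map[i];
        if (e->used && e->peer == c->peer && e->port == c->port) return e;
        if (!e->used && !spare) spare = e;
    }
    if (create && spare) *spare = (struct conn){ c->peer, c->port, 1 };
    return create ? spare : NULL;
}

/* Second block, two generations: the allowed port is baked in as a constant,
 * the way per-container bytecode would carry its configuration. */
static int policy_gen_a(struct ctx *c) {
    return (c->scratch == 1 && c->port == 80 && conn_get(c, 1)) ? PASS : DROP;
}
static int policy_gen_b(struct ctx *c) {
    return (c->scratch == 1 && c->port == 443 && conn_get(c, 1)) ? PASS : DROP;
}

/* First block: known connections pass; new ones go to the policy block. */
static int handle(uint32_t peer, uint16_t port) {
    struct ctx c = { peer, port, 0 };
    if (conn_get(&c, 0)) return PASS;
    c.scratch = 1;                      /* state inherited across the tail call */
    prog_fn next = prog_array[SLOT_POLICY];
    return next ? next(&c) : DROP;      /* model choice: empty slot drops */
}
static void regenerate(prog_fn p) { prog_array[SLOT_POLICY] = p; }

int main(void) {
    regenerate(policy_gen_a);
    printf("gen A, new peer 1 :80 -> %d\n", handle(1, 80));
    regenerate(policy_gen_b);           /* swap the code, keep conn_map */
    printf("gen B, old 1:80 -> %d, new 2:80 -> %d\n", handle(1, 80), handle(2, 80));
    return 0;
}
```

Swapping the slot changes the verdict for new connections only; the entry created under generation A is still found afterwards because the table was never owned by the replaced block.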
Q&A
Remember to get your BPF stickers!
E-Mail: tgraf@tgraf.ch
Twitter: @tgraf__
