The document discusses how BPF and XDP are revolutionizing network security and performance for microservices. BPF allows profiling, tracing, and running programs at the network driver level. It also enables highly performant networking functions like DDoS mitigation using XDP. Cilium uses BPF to provide layer 3-7 network security for microservices with policies based on endpoints, identities, and HTTP protocols. It integrates with Kubernetes to define network policies and secure microservice communication and APIs using eBPF programs for filtering and proxying.
7. BPF Revolution #2: XDP - DDoS mitigation
Metric iptables / ipset XDP
DDoS rate [packets/s] 11.6M 11.6M
Drop rate [packets/s] 7.1M 11.6M
Time to load rules [time] 3 min 20 sec 31 sec
Latency under load [ms] 2.3ms 0.1ms
Throughput under DDoS [Gbit/s] 0.014 6.5
Requests/s under DDoS [kReq/s] 0.28 82.8
Sender: Send 64B packets as fast as possible è Receiver: Drop as fast as possible
Source: Daniel Borkmann’s presentation yesterday:
http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf
10. BPF Revolution #2: XDP
Running BPF programs at the Network driver level
https://netdevconf.org/2.1/slides/apr7/miller-XDP-MythBusters.pdf
Netdev 2.1 Keynote by David S. Miller
11. BPF Revolution #2: XDP
Running BPF programs at the Network driver level
https://netdevconf.org/2.1/slides/apr7/miller-XDP-MythBusters.pdf
Netdev 2.1 Keynote by David S. Miller
18. Network Security
has barely evolved
$ iptables -A INPUT -p tcp
-s 15.15.15.3 --dport 80
-m conntrack --ctstate NEW
-j ACCEPT
The world still runs on iptables
matching IPs and ports:
21. Gordon wants to build a service
to tweet out all job offerings.
We’re Hiring!
Tweet
Service
22. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/{id}
Jobs API
Service
Tweet
Service
The Jobs API service has all the
data Gordon needs.
23. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
GET /jobs/{id}
Jobs API
Service
Tweet
Service
Gordon uses the GET /jobs/ API call
24. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
GET /jobs/{id}
TLS Jobs API
Service
Tweet
Service
Developer etiquette.
Super simple stuff.
Gordon uses mutual TLS Auth
Good thinking Gordon
25. L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
The security team has L3/L4 network
security in place for all services
GET /jobs/{id}
Jobs API
Service
Tweet
Service
TLS
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT
26. Jobs API
Service
L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
exposed
exposed
exposed
GET /jobs/331
Large parts of the API are still exposed
unnecessarily
Tweet
Service
GET /jobs/{id}
TLS
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT
28. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
Back to the drawing board…
GET /jobs/{id}
TLS Jobs API
Service
Tweet
Service
29. L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
Least privilege security for microservices
GET /jobs/{id}
FROM “TurtleTweets”
ALLOW “GET /jobs/”
TLS Jobs API
Service
Tweet
Service