As 2018 came to a close, we wrote that the Extended Berkeley Packet Filter (eBPF) would start “taking over more monitoring, security and networking duties from individual kernel modules” and, indeed, the newly adopted virtual machine for the Linux kernel has appeared as central to new functionality for various products. This week, Kubernetes security and compliance provider Tigera has unveiled two new features based on the inclusion of eBPF as a newly-added data plane for its open source Calico control plane.
“His view for the data plane was to leverage what was already in place, instead of trying to reinvent it. And that was a brilliant decision. That was his first decision. The second decision he made was to make this pluggable so that if there’s a better data point in the future we can just plug it in,” said Tipirneni. “The first data plane we’ve been working on all these years is the Linux IP tables. It’s worked really well. eBPF is a new data plane. It will take several years for it to stabilize and start to become mainstream, but for some specific use cases, eBPF can be super powerful. One example is denial of service attacks and we believe it’s only a matter of time before Kubernetes clusters get hit with denial of service attacks.”
In a blog post, the company explains that eBPF will be used for two new features: the mitigation of Denial of Service (DoS) attacks and Envoy sidecar acceleration, which will “improve the networking throughput of Istio using eBPF features.” The first feature, explained in detail in the separate blog post, arrived with Calico 3.7 in May, and operates using the eXpress Data Path (XDP), “a Linux kernel capability that allows BPF programs to be inserted very early in the Linux’s packet processing pipeline,” to move the handling of DoS attacks up the stack to the network interface controller (NIC) or to the NIC device driver, rather than relying on Linux’s IPTables policy, which operates further down the stack.
The feature is reminiscent to a hardware acceleration, such as using a GPU for machine learning, which means it can withstand a much greater volume of data packets than that of the native IPTables, as shown by Tigera’s benchmarking.
The second feature, which accelerates Envoy sidecar throughput in Istio, does so by using “eBPF sockmap to bypass much of the networking overhead of the sidecar architecture,” according to the blog post. Tipirneni explained that this was essentially a shortcut, as eBPF allows them to again move the process to a different part of the stack. In this case, sockmap allows eBPF to skip many of the standard network routing functions that would normally slow the process. Tipirneni explained that eBPF allows users to have a safe environment for developing kernel level features where they would previously have risked crashing the kernel.
“You can write utilities at the user level and invoke some kernel functions without any fear of crashing the kernel. In a way, it gives you a VM, safe and warm inside the kernel, and allows you to peek inside and do some pretty cool things,” said Tipirneni. “Let’s say you’re writing a device driver, which lives inside the kernel. You’ve got an interrupt handler, and interrupt handlers need to be super efficient. You can write a simple eBPF program at the user level to peek into the device driver’s interrupt handler and look at the latency that it’s introducing in the interrupt handling code. Another example is the file system — you can write a simple utility to look at the performance of system calls to see what the latency may be. You needed to be a kernel program programmer before to even get access to that, but with eBPF you can do a lot of that cool stuff at the user level.”
Tipirneni also said that Tigera would be looking to invest further in integrating eBPF with its products given its potential.
“We’re going to invest quite a bit on eBPF, because we look at eBPF less as a technology and more as a platform for innovation. There are some incredibly complex problems you can solve by leveraging features of eBPF and we expect to put a pretty big investment into that,” said Tipirneni. “Security attacks are getting more sophisticated. You need to be able to utilize multiple vectors and we feel like eBPF can actually give us access to multiple vectors to which we can get better visibility, drive anomaly detection, and leverage some of machine learning features to both detect and prevent a lot of attacks.”
Currently, Linux users must be running Linux kernel version 4.4 or, preferably, 4.9 to run eBPF. While Calico 3.7 already uses eBPF to help mitigate DoS attacks, Calico 3.8 is expected later this month with Envoy sidecar acceleration.