Packet mark in a Cloud Native world
Joe Stringer, Cilium.io
August 24, 2020
Introduction
Overview
1. Background
2. Use cases
3. Observations & Challenges
Background
Mark of the
Names the mark goes by across subsystems: fw_mark, ct_mark, skb_mark, SO_MARK, xfrm_mark, pkt_mark
    struct sk_buff {
        ...
        __u32 mark;
        ...
    };
Background
So what does the mark represent?
Nothing.. Anything! MAGIC.
Background
https://twitter.com/dave_universetf/status/1285752332135788544
Background
Cloud Native networking plugins
Background
Methodology
1. Look at CNCF landscape[1]
2. Find the project on GitHub
3. Search for $mark_name
4. ???
5. Knowledge!
[1] https://landscape.cncf.io/category=cloud-native-network&format=card-mode&grouping=category
Use cases
Network policy
1 bit, two variations:
- 1 bit -> drop (Kubernetes default)
- 1 bit -> allow
Store complex path through rules into mark
Typically netfilter -> netfilter
Transparent encryption
2+ bits:
- 1 bit encrypt, 1 bit decrypt
- Variation: key index
{ eBPF, netfilter } -> xfrm
Virtual IP services
1+ bits, request DNAT:
- 1 bit: route towards bridge for DNAT
- 30 bits representing hashed 3-tuple
{ eBPF, netfilter } -> netfilter
OVS -> routing -> OVS
IP masquerade
1+ bits, request SNAT:
- Variation: 1 bit, skip SNAT
- Variation: 32 bits for source address selection
Connection may not originate on the node
{ eBPF, OVS, netfilter } -> netfilter
eBPF -> stack -> eBPF
Multi-homing
1 bit, two variations:
- Reply via primary device
  - Default: Pod communicates via secondary device
  - Inbound connections must reply via primary device
  - Store & restore in connmark
- Route via management interface
{ socket, netfilter } -> routing
Application identity
Variable bits:
- 4 bit pattern: "local" traffic
- 16+ bits: carry identity to destination
Policy routing
Portmap plugin
{ eBPF, netfilter } -> routing -> eBPF
Service proxy
1+ bits depending on context:
- 1 bit, route locally
- 16 bit tproxy port towards proxy
- 16+ bit identity from proxy
eBPF -> { netfilter, routing }
netfilter -> routing
socket -> { eBPF, netfilter }
Observations & Challenges
Marking your territory
Bitwise usage
- Simpler interoperability
Full-mark
- More values to work with
- Most usage doesn't make use of this
A tiny bit of overload
Use every feature: 100+ bits
...but there's only 32 bits to play with?
Mitigation: encode meaning in bit range
- Use the 16 values [0x0000..0x000F] of a 4-bit range rather than 16 flag bits in 0xFFFF
Mitigation: overload bits on different paths
- Ingress / Egress
- Make semantics dependent on packet fields
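An added example, not code from the slides or from Cilium or any other CNI plugin, of the two mitigations above together with the store-and-restore-in-connmark trick from the multi-homing use case: a hypothetical bit-range layout with a value-encoded 4-bit field, iptables MARK --set-xmark semantics, a distinct-bits check, and CONNMARK save/restore as xt_connmark computes them. The field names and bit positions are assumptions, not any project's real layout.

```c
/* Added example, not code from the slides or from any CNI project: a 32-bit
 * mark carved into per-use-case bit ranges, iptables MARK --set-xmark style
 * value/mask updates, and the CONNMARK save/restore arithmetic that carries a
 * mark over to a connection's replies. Field names and positions are
 * hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct mark_field {
    const char *name;
    uint32_t mask;   /* bit range owned by this use case */
};

/* Hypothetical layout: flag bits for drop and reply routing, a 4-bit
 * value-encoded range (16 meanings in 4 bits), and a 16-bit identity. */
static const struct mark_field layout[] = {
    { "policy_drop", 0x00008000u },
    { "reply_dev",   0x00000001u },
    { "local_magic", 0x00000F00u },
    { "identity",    0xFFFF0000u },
};
#define NFIELDS (sizeof layout / sizeof layout[0])

static unsigned mask_shift(uint32_t mask) {
    unsigned s = 0;
    while (mask && !(mask & 1u)) { mask >>= 1; s++; }
    return s;
}

/* MARK --set-xmark value/mask: clear the masked bits, then XOR in value. */
static uint32_t set_xmark(uint32_t mark, uint32_t value, uint32_t mask) {
    return (mark & ~mask) ^ value;
}

static const struct mark_field *find_field(const char *name) {
    for (size_t i = 0; i < NFIELDS; i++)
        if (strcmp(layout[i].name, name) == 0) return &layout[i];
    return NULL;
}

/* Store value in its field; false if the field is unknown or value too wide. */
static bool field_set(uint32_t *mark, const char *name, uint32_t value) {
    const struct mark_field *f = find_field(name);
    if (!f) return false;
    unsigned shift = mask_shift(f->mask);
    if (value > (f->mask >> shift)) return false;
    *mark = set_xmark(*mark, value << shift, f->mask);
    return true;
}

static uint32_t field_get(uint32_t mark, const char *name) {
    const struct mark_field *f = find_field(name);
    return f ? (mark & f->mask) >> mask_shift(f->mask) : 0;
}

/* Build a full mark from several fields; 0 if any field rejects its value. */
static uint32_t encode(uint32_t identity, uint32_t magic, bool drop) {
    uint32_t m = 0;
    if (!field_set(&m, "identity", identity) || !field_set(&m, "local_magic", magic) ||
        !field_set(&m, "policy_drop", drop ? 1 : 0))
        return 0;
    return m;
}

/* Distinct bits: no two fields in the layout may share a bit. */
static bool layout_overlaps(void) {
    for (size_t i = 0; i < NFIELDS; i++)
        for (size_t j = i + 1; j < NFIELDS; j++)
            if (layout[i].mask & layout[j].mask) return true;
    return false;
}

/* CONNMARK --save-mark / --restore-mark with --nfmask and --ctmask, as
 * xt_connmark computes them: only the masked bits move, the rest survive. */
static uint32_t connmark_save(uint32_t ctmark, uint32_t skbmark, uint32_t nfmask, uint32_t ctmask) {
    return (ctmark & ~ctmask) ^ (skbmark & nfmask);
}
static uint32_t connmark_restore(uint32_t skbmark, uint32_t ctmark, uint32_t nfmask, uint32_t ctmask) {
    return (skbmark & ~nfmask) ^ (ctmark & ctmask);
}

/* Multi-homing: the inbound SYN on the secondary device is tagged reply_dev and
 * the tag saved into conntrack; the pod's reply (mark reply_initial) gets only
 * that bit back before the routing lookup, its other bits untouched. */
static uint32_t multihoming_reply_mark(uint32_t reply_initial) {
    uint32_t m = find_field("reply_dev")->mask, syn = 0, ct = 0;
    field_set(&syn, "reply_dev", 1);
    ct = connmark_save(ct, syn, m, m);
    return connmark_restore(reply_initial, ct, m, m);
}

int main(void) {
    uint32_t m = encode(0x1234, 0xA, false);
    printf("overlap=%d mark=%#010x identity=%#x magic=%#x\n", layout_overlaps(), m,
           field_get(m, "identity"), field_get(m, "local_magic"));
    printf("reply mark=%#010x\n", multihoming_reply_mark(0x56780000u));
    return 0;
}
```

Build with `cc -std=c11 -Wall mark.c`. The value/mask formulas mirror the xt_MARK and xt_connmark targets, so the same arithmetic applies to the `--set-xmark`, `--save-mark --nfmask/--ctmask` and `--restore-mark` rules a plugin would install; the overlap check only proves the fields use distinct bits, which on its own says nothing about whether the subsystems consuming them agree on when the bits are set or cleared.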
Sharing is caring
- Driven by common deployment scenarios
- The clearer the responsibility assignment you have, the better
- Not free (in effort or in complexity)
One does not simply understand skb mark
- Required reading: network stack diagram
- Distinct bits do not guarantee integration
  - skb and conn matches may steer packets
  - Fun: replies disappear
  - Proxies: double the connections, double the fun
Less is more
"If only I had more bits..."
- Consolidate subsystem usage
- Extend generic mark space?
- Formalize some use cases?
Summary
- Powerful mechanism for cross-subsystem programming
- Uncertainty about when bits are OK to use
- There are more uses than there are bits