packet mark in a cloud native world
play

Packet mark in a Cloud Native world Joe Stringer Cilium.io - PowerPoint PPT Presentation

Aug 28, 2023 •630 likes •917 views

Packet mark in a Cloud Native world Joe Stringer Cilium.io Introduction August 24, 2020 Packet mark in a Cloud Native world 2 / 25 Introduction Overview 1 Background 2 Use cases 3 Observations & Challenges August 24, 2020 Packet mark

  1. Packet mark in a Cloud Native world Joe Stringer Cilium.io

  2. Introduction August 24, 2020 Packet mark in a Cloud Native world 2 / 25

  3. Introduction Overview 1 Background 2 Use cases 3 Observations & Challenges August 24, 2020 Packet mark in a Cloud Native world 3 / 25

  4. Background Mark of the fw_mark ct_mark s t r u c t sk_buff { . . . skb_mark __u32 mark ; SO_MARK . . . } xfrm_mark pkt_mark August 24, 2020 Packet mark in a Cloud Native world 4 / 25

  5. Background So what does the mark represent? Nothing.. August 24, 2020 Packet mark in a Cloud Native world 5 / 25

  6. Background So what does the mark represent? Nothing.. Anything! August 24, 2020 Packet mark in a Cloud Native world 5 / 25

  7. Background So what does the mark represent? Nothing.. Anything! MAGIC. August 24, 2020 Packet mark in a Cloud Native world 5 / 25

  8. Background https://twitter.com/dave_universetf/status/1285752332135788544 August 24, 2020 Packet mark in a Cloud Native world 6 / 25

  9. Background August 24, 2020 Packet mark in a Cloud Native world 7 / 25

  10. Background Cloud Native networking plugins August 24, 2020 Packet mark in a Cloud Native world 8 / 25

  11. Background Methodology 1 Look at CNCF landscape 1 2 Find the project on GitHub 3 Search for $mark_name 4 ??? 5 Knowledge! 1 https://landscape.cncf.io/category=cloud-native-network&format=card-mode&grouping=category August 24, 2020 Packet mark in a Cloud Native world 9 / 25

  12. Use cases

  13. Use cases Network policy 1 bit, two variations: 1 bit -> drop 2 1 bit -> allow Store complex path through rules into mark Typically netfilter -> netfilter 2 Kubernetes default August 24, 2020 Packet mark in a Cloud Native world 11 / 25

  14. Use cases Transparent encryption 2+ bits 1 bit encrypt, 1 bit decrypt Variation: key index { eBPF, netfilter } -> xfrm August 24, 2020 Packet mark in a Cloud Native world 12 / 25

  15. Use cases Virtual IP services 1+ bits, request DNAT 1 bit: route towards bridge for DNAT 30 bits representing hashed 3-tuple { eBPF, netfilter } -> netfilter OVS -> routing -> OVS August 24, 2020 Packet mark in a Cloud Native world 13 / 25

  16. Use cases IP masquerade 1+ bits, request SNAT Variation: 1 bit, Skip SNAT Variation: 32 bits for source address selection Connection may not originate on the node {eBPF, OVS, netfilter} -> netfilter eBPF -> stack -> eBPF August 24, 2020 Packet mark in a Cloud Native world 14 / 25

  17. Use cases Multi-homing 1 bit, two variations: Reply via primary device Default: Pod communicates via secondary device Inbound connections must reply via primary device Store & restore in connmark Route via management interface { socket, netfilter } -> routing August 24, 2020 Packet mark in a Cloud Native world 15 / 25

  18. Use cases Application identity Variable bits 4 bit pattern: “local” traffic 16+ bits: Carry Identity to destination Policy routing Portmap plugin { eBPF, netfilter } -> routing -> eBPF August 24, 2020 Packet mark in a Cloud Native world 16 / 25

  19. Use cases Service proxy 1+ bits depending on context 1 bit, route locally 16 bit tproxy port towards proxy 16+ bit Identity from proxy eBPF -> { netfilter, routing } netfilter -> routing socket -> { eBPF, netfilter }, August 24, 2020 Packet mark in a Cloud Native world 17 / 25

  20. Observations & Challenges

  21. Observations & Challenges Marking your territory Bitwise usage Simpler interoperability Full-mark More values to work with Most usage doesn’t make use of this August 24, 2020 Packet mark in a Cloud Native world 19 / 25

  22. Observations & Challenges A tiny bit of overload Use every feature: 100+ bits ...but there’s only 32 bits to play with? Mitigation: Encode meaning in bit range Use [0x0000..0x000F] rather than bits in 0xFFFF Mitigation: Overload bits on different paths Ingress / Egress Make semantics dependent on packet fields August 24, 2020 Packet mark in a Cloud Native world 20 / 25

  23. Observations & Challenges Sharing is caring Driven by common deployment scenarios The clearer responsibility assignment you have, the better Not free (in effort or in complexity) August 24, 2020 Packet mark in a Cloud Native world 21 / 25

  24. Observations & Challenges One does not simply understand skb mark Required reading: network stack diagram Distinct bits do not guarantee integration skb, conn matches may steer packets Fun: replies disappear Proxies: Double the connections, double the fun August 24, 2020 Packet mark in a Cloud Native world 22 / 25

  25. Observations & Challenges Less is more “If only I had more bits...” Consolidate subsystem usage Extend generic mark space? Formalize some use cases? August 24, 2020 Packet mark in a Cloud Native world 23 / 25

  26. Observations & Challenges Summary Powerful mechanism for cross-subsystem programming Uncertainty when bits are OK to use There are more uses than there are bits August 24, 2020 Packet mark in a Cloud Native world 24 / 25

  27. Cilium https://cilium.io https://cilium.io/slack https://github.com/cilium/cilium https://twitter.com/ciliumproject Mark registry https://github.com/fwmark/registry

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer: Blah blah blah Kubernetes! Kubernetes is the Greek god of spending money on cloud services - @QuinniPig About me: Java/Cloud

1.03k views • 67 slides
Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go 6/28/17, 11)02 AM Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29 file:///Users/kimberlyamaral/Desktop/cng-presentation/pres.html#1 Page 1 of 38 Cloud Native Go 6/28/17, 11)02 AM Agenda

566 views • 38 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry Foundation Why does Cloud Native matter? Since 2000, 52% of the Fortune 500 are no longer on the list Continuous Innovation There is a rough

794 views • 50 slides
Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native: Microservices running inside Containers on top of Platforms on any infrastructure Microservice A software component of a system that is

1.05k views • 60 slides
Evolving Prometheus for the Cloud Native World Brian Brazil Founder Who am I? Engineer

Evolving Prometheus for the Cloud Native World Brian Brazil Founder Who am I? Engineer

Evolving Prometheus for the Cloud Native World Brian Brazil Founder Who am I? Engineer passionate about running software reliably in production. Core developer of Prometheus Studied Computer Science in Trinity College Dublin.

370 views • 25 slides
Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2

Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2

1 Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2 What is a Cloud Native Application? 3 Resilience Elasticity Common ideas Agility DevOps 4 You will build Cloud Native Applications

716 views • 47 slides
PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra

PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra

PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra Technical Marketing Manager Product Marketing Manager tqvarnst@redhat.com csaavedr@redhat.com @ tqvarnst @cesar_saavedr June 2018 EVOLUTION OF

657 views • 28 slides
The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP Developer Relations Oracle Cloud Bob Quillin, VP Developer Relations Oracle Cloud @bobquillin @bobquillin Cloud Native: New Rules, New Game How we

351 views • 17 slides
What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker

What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker

Cloud Native Applications Workshop Cloud Native Applications Workshop What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker Overview Kubernetes Overview OpenShift Overview 12 Factor Apps IBM

281 views • 27 slides
Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder,

Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder,

Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder, Hyper.sh Reinvent IaaS with Container! Agenda Hyper.sh: a Container Native Cloud Under the Hood: How We Build a Container Native Cloud

442 views • 23 slides
PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda

PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda

PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda Context Architecture Internals HA Context PolarDB is a cloud native DB offering Based on MySQL-5.6 Uses shared storage

1.27k views • 25 slides
5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna Edupuganti, Intel Muhammad (Asim) Jamshed, Intel 2020 Agenda Cloud Native Disaggregated Network Infrastructure Transition to 5G Near

639 views • 38 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY

Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY

Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY FARBER SIDNEY SHEK Cloud infrastructure = reliable services right? SUPER RESILIENT CLOUD-BASED ARCHITECTURE Canary Progressive Rollouts

1.11k views • 93 slides
Teaching an old DAG new tricks Migrating a decade old pipeline to Airflow Outline Cloud native

Teaching an old DAG new tricks Migrating a decade old pipeline to Airflow Outline Cloud native

Teaching an old DAG new tricks Migrating a decade old pipeline to Airflow Outline Cloud native deployment Cloud native deployment Multi-repo DAG management Manage Airflow Variables with code through Terraform Airflow monitoring

478 views • 30 slides
Rail Systems Rail Track Ballast Rail Track Ballast Group 7 Mr.Teeraphob Ueacharoensab 5813023

Rail Systems Rail Track Ballast Rail Track Ballast Group 7 Mr.Teeraphob Ueacharoensab 5813023

Rail Systems Rail Track Ballast Rail Track Ballast Group 7 Mr.Teeraphob Ueacharoensab 5813023 ME4 Mr.Pongsapak Lawapiledchaikul 5813034 ME4 Mr.Kotchanut Jaroenjit 5813206 ME4 What is Rail Track Ballast? Railway Track Component of Railway

227 views • 21 slides
Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith

Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith

CyLab Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s b U o 8-533 / 8-733 / 19-608 / 95-818:

467 views • 46 slides
Building High Power Rockets Why Bother? This is cool but this is cooler *Hand launches no

Building High Power Rockets Why Bother? This is cool but this is cooler *Hand launches no

Building High Power Rockets Why Bother? This is cool but this is cooler *Hand launches no longer required for high power certifications. What youll need Hardware Tools Nosecone & parachute Exacto knife Mailing tubes

194 views • 16 slides
From Lisp to Clojure/Incanter and R An Introduction Shane M. Conway January 7, 2010 Back to

From Lisp to Clojure/Incanter and R An Introduction Shane M. Conway January 7, 2010 Back to

From Lisp to Clojure/Incanter and R An Introduction Shane M. Conway January 7, 2010 Back to the Future The goal of this presentation is to draw some rough comparisons between Incanter and R. There has been a not insubstantial

509 views • 23 slides
CS 147: Computer Systems Performance Analysis Examples Using a Distributed File System 1 / 37

CS 147: Computer Systems Performance Analysis Examples Using a Distributed File System 1 / 37

CS147 2015-06-15 CS 147: Computer Systems Performance Analysis Examples Using a Distributed File System CS 147: Computer Systems Performance Analysis Examples Using a Distributed File System 1 / 37 Velilinds Laws of Experimentation

534 views • 37 slides
Renewal Application Training for Part I FY2019 Continuum of Care Competition June 13, 2019

Renewal Application Training for Part I FY2019 Continuum of Care Competition June 13, 2019

Renewal Application Training for Part I FY2019 Continuum of Care Competition June 13, 2019 Agenda 1. Debrief from FY2018 Competition 2. New System Structure Overview: Salt Lake Valley Coalition to End Homelessness 3. Point in Time Count

903 views • 71 slides
Port Graphs, Rules and Strategies for Dynamic Data Analytics Hlne KIRCHNER Warsaw, July 2015

Port Graphs, Rules and Strategies for Dynamic Data Analytics Hlne KIRCHNER Warsaw, July 2015

Port Graphs, Rules and Strategies for Dynamic Data Analytics Hlne KIRCHNER Warsaw, July 2015 Hlne KIRCHNER (Inria) Port Graphs, Rules and Strategies Warsaw, July 2015 1 / 53 Introduction In a world of connected data and objects

930 views • 55 slides
Introduction May all beings be happy. May they live in safety and joy. All living beings,

Introduction May all beings be happy. May they live in safety and joy. All living beings,

Trumpet Reincarnations: Abstract Argumentation 1 Christof Spanring Department of Computer Science, University of Liverpool, UK Institute of Information Systems, TU Wien, Austria Porgy & Bess: Lost & Found April 24, 2017 1 This research

882 views • 67 slides

More recommend