packet mark in a cloud native world
play

Packet mark in a Cloud Native world Joe Stringer Cilium.io - PowerPoint PPT Presentation

Aug 28, 2023 •630 likes •917 views

Packet mark in a Cloud Native world Joe Stringer Cilium.io Introduction August 24, 2020 Packet mark in a Cloud Native world 2 / 25 Introduction Overview 1 Background 2 Use cases 3 Observations & Challenges August 24, 2020 Packet mark

  1. Packet mark in a Cloud Native world Joe Stringer Cilium.io

  2. Introduction August 24, 2020 Packet mark in a Cloud Native world 2 / 25

  3. Introduction Overview 1 Background 2 Use cases 3 Observations & Challenges August 24, 2020 Packet mark in a Cloud Native world 3 / 25

  4. Background Mark of the fw_mark ct_mark s t r u c t sk_buff { . . . skb_mark __u32 mark ; SO_MARK . . . } xfrm_mark pkt_mark August 24, 2020 Packet mark in a Cloud Native world 4 / 25

  5. Background So what does the mark represent? Nothing.. August 24, 2020 Packet mark in a Cloud Native world 5 / 25

  6. Background So what does the mark represent? Nothing.. Anything! August 24, 2020 Packet mark in a Cloud Native world 5 / 25

  7. Background So what does the mark represent? Nothing.. Anything! MAGIC. August 24, 2020 Packet mark in a Cloud Native world 5 / 25

  8. Background https://twitter.com/dave_universetf/status/1285752332135788544 August 24, 2020 Packet mark in a Cloud Native world 6 / 25

  9. Background August 24, 2020 Packet mark in a Cloud Native world 7 / 25

  10. Background Cloud Native networking plugins August 24, 2020 Packet mark in a Cloud Native world 8 / 25

  11. Background Methodology 1 Look at CNCF landscape 1 2 Find the project on GitHub 3 Search for $mark_name 4 ??? 5 Knowledge! 1 https://landscape.cncf.io/category=cloud-native-network&format=card-mode&grouping=category August 24, 2020 Packet mark in a Cloud Native world 9 / 25

  12. Use cases

  13. Use cases Network policy 1 bit, two variations: 1 bit -> drop 2 1 bit -> allow Store complex path through rules into mark Typically netfilter -> netfilter 2 Kubernetes default August 24, 2020 Packet mark in a Cloud Native world 11 / 25

  14. Use cases Transparent encryption 2+ bits 1 bit encrypt, 1 bit decrypt Variation: key index { eBPF, netfilter } -> xfrm August 24, 2020 Packet mark in a Cloud Native world 12 / 25

  15. Use cases Virtual IP services 1+ bits, request DNAT 1 bit: route towards bridge for DNAT 30 bits representing hashed 3-tuple { eBPF, netfilter } -> netfilter OVS -> routing -> OVS August 24, 2020 Packet mark in a Cloud Native world 13 / 25

  16. Use cases IP masquerade 1+ bits, request SNAT Variation: 1 bit, Skip SNAT Variation: 32 bits for source address selection Connection may not originate on the node {eBPF, OVS, netfilter} -> netfilter eBPF -> stack -> eBPF August 24, 2020 Packet mark in a Cloud Native world 14 / 25

  17. Use cases Multi-homing 1 bit, two variations: Reply via primary device Default: Pod communicates via secondary device Inbound connections must reply via primary device Store & restore in connmark Route via management interface { socket, netfilter } -> routing August 24, 2020 Packet mark in a Cloud Native world 15 / 25

  18. Use cases Application identity Variable bits 4 bit pattern: “local” traffic 16+ bits: Carry Identity to destination Policy routing Portmap plugin { eBPF, netfilter } -> routing -> eBPF August 24, 2020 Packet mark in a Cloud Native world 16 / 25

  19. Use cases Service proxy 1+ bits depending on context 1 bit, route locally 16 bit tproxy port towards proxy 16+ bit Identity from proxy eBPF -> { netfilter, routing } netfilter -> routing socket -> { eBPF, netfilter }, August 24, 2020 Packet mark in a Cloud Native world 17 / 25

  20. Observations & Challenges

  21. Observations & Challenges Marking your territory Bitwise usage Simpler interoperability Full-mark More values to work with Most usage doesn’t make use of this August 24, 2020 Packet mark in a Cloud Native world 19 / 25

  22. Observations & Challenges A tiny bit of overload Use every feature: 100+ bits ...but there’s only 32 bits to play with? Mitigation: Encode meaning in bit range Use [0x0000..0x000F] rather than bits in 0xFFFF Mitigation: Overload bits on different paths Ingress / Egress Make semantics dependent on packet fields August 24, 2020 Packet mark in a Cloud Native world 20 / 25

  23. Observations & Challenges Sharing is caring Driven by common deployment scenarios The clearer responsibility assignment you have, the better Not free (in effort or in complexity) August 24, 2020 Packet mark in a Cloud Native world 21 / 25

  24. Observations & Challenges One does not simply understand skb mark Required reading: network stack diagram Distinct bits do not guarantee integration skb, conn matches may steer packets Fun: replies disappear Proxies: Double the connections, double the fun August 24, 2020 Packet mark in a Cloud Native world 22 / 25

  25. Observations & Challenges Less is more “If only I had more bits...” Consolidate subsystem usage Extend generic mark space? Formalize some use cases? August 24, 2020 Packet mark in a Cloud Native world 23 / 25

  26. Observations & Challenges Summary Powerful mechanism for cross-subsystem programming Uncertainty when bits are OK to use There are more uses than there are bits August 24, 2020 Packet mark in a Cloud Native world 24 / 25

  27. Cilium https://cilium.io https://cilium.io/slack https://github.com/cilium/cilium https://twitter.com/ciliumproject Mark registry https://github.com/fwmark/registry

Recommend

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer: Blah blah blah Kubernetes! Kubernetes is the Greek god of spending money on cloud services - @QuinniPig About me: Java/Cloud

1.03k views • 67 slides
Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go 6/28/17, 11)02 AM Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29 file:///Users/kimberlyamaral/Desktop/cng-presentation/pres.html#1 Page 1 of 38 Cloud Native Go 6/28/17, 11)02 AM Agenda

566 views • 38 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry Foundation Why does Cloud Native matter? Since 2000, 52% of the Fortune 500 are no longer on the list Continuous Innovation There is a rough

794 views • 50 slides
Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native: Microservices running inside Containers on top of Platforms on any infrastructure Microservice A software component of a system that is

1.05k views • 60 slides
Evolving Prometheus for the Cloud Native World Brian Brazil Founder Who am I? Engineer

Evolving Prometheus for the Cloud Native World Brian Brazil Founder Who am I? Engineer

Evolving Prometheus for the Cloud Native World Brian Brazil Founder Who am I? Engineer passionate about running software reliably in production. Core developer of Prometheus Studied Computer Science in Trinity College Dublin.

370 views • 25 slides
Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2

Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2

1 Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2 What is a Cloud Native Application? 3 Resilience Elasticity Common ideas Agility DevOps 4 You will build Cloud Native Applications

716 views • 47 slides
PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra

PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra

PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra Technical Marketing Manager Product Marketing Manager tqvarnst@redhat.com csaavedr@redhat.com @ tqvarnst @cesar_saavedr June 2018 EVOLUTION OF

657 views • 28 slides
The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP Developer Relations Oracle Cloud Bob Quillin, VP Developer Relations Oracle Cloud @bobquillin @bobquillin Cloud Native: New Rules, New Game How we

351 views • 17 slides
What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker

What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker

Cloud Native Applications Workshop Cloud Native Applications Workshop What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker Overview Kubernetes Overview OpenShift Overview 12 Factor Apps IBM

281 views • 27 slides
Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder,

Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder,

Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder, Hyper.sh Reinvent IaaS with Container! Agenda Hyper.sh: a Container Native Cloud Under the Hood: How We Build a Container Native Cloud

442 views • 23 slides
PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda

PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda

PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda Context Architecture Internals HA Context PolarDB is a cloud native DB offering Based on MySQL-5.6 Uses shared storage

1.27k views • 25 slides
5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna Edupuganti, Intel Muhammad (Asim) Jamshed, Intel 2020 Agenda Cloud Native Disaggregated Network Infrastructure Transition to 5G Near

639 views • 38 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY

Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY

Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY FARBER SIDNEY SHEK Cloud infrastructure = reliable services right? SUPER RESILIENT CLOUD-BASED ARCHITECTURE Canary Progressive Rollouts

1.11k views • 93 slides
Teaching an old DAG new tricks Migrating a decade old pipeline to Airflow Outline Cloud native

Teaching an old DAG new tricks Migrating a decade old pipeline to Airflow Outline Cloud native

Teaching an old DAG new tricks Migrating a decade old pipeline to Airflow Outline Cloud native deployment Cloud native deployment Multi-repo DAG management Manage Airflow Variables with code through Terraform Airflow monitoring

478 views • 30 slides
fundamental technologies to work on for cloud-native networking Magnus Karlsson, Intel

fundamental technologies to work on for cloud-native networking Magnus Karlsson, Intel

fundamental technologies to work on for cloud-native networking Magnus Karlsson, Intel Cloud-Native Network Functions My View Many small network functions App App App App Runs in containers / processes Routing / Switching

207 views • 16 slides
Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and Cloud Native Computing! Google running 2B+ containers per week! Internet scale companies are running containers too: Facebook, Twitter,

1.8k views • 49 slides
Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika

Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika

Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika Engineering Team Lead Agenda Cloud Native networking CNI Plugin landscape Cilium Overview Policy Overview Policy Enforcement in Cilium

532 views • 12 slides
Cloud Gaming Architecture based on StarlingX and Akraino Integrated Cloud Native Edge Stack (ICN

Cloud Gaming Architecture based on StarlingX and Akraino Integrated Cloud Native Edge Stack (ICN

Cloud Gaming Architecture based on StarlingX and Akraino Integrated Cloud Native Edge Stack (ICN Blueprint) Ziheng Qin(SJTU), Ruoyu Ying(Intel) Dingyu Wang, Qiucheng Wu, Xinyu Ye, Zhengda Wu, Yong Long(SJTU), Forrest Zhao, Guangxin Xu(Intel)

489 views • 29 slides
A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram {ylchen, jim.tuttle, waingram}@vt.edu Information Technologies and Services Virginia Tech Libraries Agenda Cloud-native concept Virginia

413 views • 20 slides
Managing Openstack in a cloud-native way Marcel Haerry Alberto Garca Leading the

Managing Openstack in a cloud-native way Marcel Haerry Alberto Garca Leading the

Managing Openstack in a cloud-native way Marcel Haerry Alberto Garca Leading the Architecture of Swisscoms Red Hat Cloud Architect ElasticStack and PaaS Over 5 years helping companies to Member of CloudFoundrys

300 views • 27 slides
Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud Developer at SUSE cmurphy @_colleenm Overview Why we needed application credentials What are application credentials? (with demo!)

637 views • 25 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides

More recommend