performance implications of packet filtering with linux
play

Performance Implications of Packet Filtering with Linux eBPF Dominik - PowerPoint PPT Presentation

Jun 02, 2023 •419 likes •721 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul Emmerich, Alexander Kurtz, Krzysztof Lesiak

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul Emmerich, Alexander Kurtz, Krzysztof Lesiak and Georg Carle Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. History of Extended Berkeley Packet Filter (eBPF) Recent Hot Topic • 1992: BPF developed for UNIX • Packet filtering, e.g. tcpdump • 2014: eBPF introduced into Linux Kernel • Network monitoring • Network traffic manipulation • Non-networking purposes Tracing • Security auditing • . . . • • Since then: • Continuous (performance) improvements [1] • “super powers have finally come to Linux” [2] • Offloading support, e.g. Netronome SmartNIC [3] • At Host Dataplane Acceleration Tutorial @ SIGCOMM 2018 [4] [1] A thorough introduction to eBPF, https://lwn.net/Articles/740157/ [2] Brendan Gregg, BPF: Tracing and More, https://www.youtube.com/watch?v=JRFNIKUROPE [3] NetroNews, August 2018, http://hosted.verticalresponse.com/183413/a79f667b58/1413119999/c60e793082/ [4] ACM SIGCOMM 2018 Morning Tutorial on Host Dataplane Acceleration (HDA), https://conferences.sigcomm.org/sigcomm/2018/tutorial-hda.html D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 2

  3. Outline Extended Berkeley Packet Filter Use Case: Packet Filtering Case Study I: eXpress Data Path (XDP) Case Study II: Socket-attached Filtering Conclusion D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 3

  4. Extended Berkeley Packet Filter (eBPF) What is it? • User space program • Run in virtual machine in kernel space (“sandboxed”) • Dynamically interpreted (default) or compiled just-in-time (JIT) Limitations • Static verification • No backward jumps (loops) • Maximum of 4096 instructions � Cannot compromise/block kernel • Data access: key-value stores (maps) • Memory region set up before program is loaded • Key size, value type, max. number of entries predetermined � Secure data access between user space and kernel space D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 4

  5. Study: Packet Filtering Layers of Packet Filters Apps Application level Applications OS Transport prot. System level Network stack Network NAPI level Driver Poll routines NIC Hardware DMA • Hardware offloading and filtering level HW-filter • Dedicated platforms based on FPGAs or SmartNICs � High-performance, ideal for coarse filtering (DoS) D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 5

  6. Study: Packet Filtering Layers of Packet Filters Apps Application level Applications OS Transport prot. System level Network stack • Before network stack processing Network NAPI level � Dropping packets with low overhead in software Driver Poll routines NIC Hardware DMA • Hardware offloading and filtering level HW-filter • Dedicated platforms based on FPGAs or SmartNICs � High-performance, ideal for coarse filtering (DoS) D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 5

  7. Study: Packet Filtering Layers of Packet Filters Apps Application level Applications OS • Hooks into packet processing of network stack Transport prot. • e.g. iptables or nftables System level � Requires root access, system-specific knowledge Network stack • Before network stack processing Network NAPI level � Dropping packets with low overhead in software Driver Poll routines NIC Hardware DMA • Hardware offloading and filtering level HW-filter • Dedicated platforms based on FPGAs or SmartNICs � High-performance, ideal for coarse filtering (DoS) D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 5

  8. Study: Packet Filtering Layers of Packet Filters Apps • Traffic addressed for a specific application Application � Application “knows best”, high penalty for dropping packets level Applications OS • Hooks into packet processing of network stack Transport prot. • e.g. iptables or nftables System level � Requires root access, system-specific knowledge Network stack • Before network stack processing Network NAPI level � Dropping packets with low overhead in software Driver Poll routines NIC Hardware DMA • Hardware offloading and filtering level HW-filter • Dedicated platforms based on FPGAs or SmartNICs � High-performance, ideal for coarse filtering (DoS) D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 5

  9. Use Case: Packet Filtering Common Scenario – State of the Art Apps • Traffic addressed for a specific application Application � Application “knows best”, high penalty for dropping packets level Applications OS • Hooks into packet processing of network stack Transport prot. Centralized Firewall • e.g. iptables or nftables System e.g. iptables, nftables level � Requires root access, system-specific knowledge Network stack • Before network stack processing Network NAPI level � Dropping packets with low overhead in software Driver Poll routines NIC Hardware DMA • Hardware offloading and filtering level HW-filter • Dedicated platforms based on FPGAs or SmartNICs � High-performance, ideal for coarse filtering (DoS) D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 6

  10. Use Case: Packet Filtering Performance Baseline Packets [Mpps] 1 . 5 Processed nftables iptables 1 0 . 5 0 16 32 64 128 256 512 Number of Rules [#] Maximum packet rate D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 7

  11. Use Case: Packet Filtering Performance Baseline Relative Probability [%] 40 nftables 20 0 Packets [Mpps] 1 . 5 40 Processed nftables iptables iptables 1 20 0 . 5 0 40 0 No Firewall 16 32 64 128 256 512 20 Number of Rules [#] 0 20 40 60 80 100 120 140 160 180 200 Maximum packet rate Latency [ µ s] Latency distribution at 0.03 Mpps D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 7

  12. Use Case: Packet Filtering Performance Baseline Relative Probability [%] 40 nftables 20 0 Packets [Mpps] 1 . 5 40 Processed nftables iptables iptables 1 20 0 . 5 0 40 0 No Firewall 16 32 64 128 256 512 20 Number of Rules [#] 0 20 40 60 80 100 120 140 160 180 200 Maximum packet rate Latency [ µ s] Latency distribution at 0.03 Mpps Performance sufficient for today’s applications? Limitations: Centralized, complex ruleset, requiring root access D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 7

  13. Use Case: Packet Filtering (using Commodity Hardware) Possibilities with eBPF Apps Application FWs Application FWs Applications Application level Application FWs OS Transport prot. eXpress Data Path System level Network stack • First line of defense • Coarse but efficient filtering XDP Network NAPI � Protection against DoS attacks level Driver Poll routines NIC Hardware DMA level HW-filter D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 8

  14. Case Study I: eXpress Data Path (XDP) Overview Source: https://www.iovisor.org/technology/xdp D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 9

  15. Case Study I: eXpress Data Path (XDP) Measurement Setup ◭ ◭ XDP LoadGen ◮ ◮ • XDP program: • Drop if port is blacklisted • Otherwise, forward to outgoing interface � Excludes network stack • Load generator: • MoonGen [7] • Generates n UDP flows • Just-in-time compiler enabled • Traffic pinned to single core • Hyper-threading and Turbo Boost disabled [7] https://github.com/emmericp/MoonGen D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 10

  16. Case Study I: eXpress Data Path (XDP) Performance Baseline 15 Processed Packets 10GbE line-rate 90% dropped 50% dropped 10% dropped 10 [Mpps] 5 0 0 2 4 6 8 10 12 14 Offered Rate [Mpps] Packet filtering performance • Drop everything: 10 Mpps • Drop x-Percent: 6.4 Mpps to 7.2 Mpps D. Scholz, D. Raumer, P . Emmerich, A. Kurtz, K. Lesiak, G. Carle — Performance Implications of Packet Filtering with Linux eBPF 11

Recommend

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) March 24, 2015 3:44pm 2015 Avinash Kak, Purdue University c Goals: Packet-filtering vs. proxy-server

828 views • 70 slides
Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet filtering, traffic shaping shaping Linux as a router Linux as a router Capable of acting as a router, firewall, traffic Capable of acting as a

366 views • 21 slides
How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO Agenda What is tcpdump? Lab set-up tcpdump usage Output breakdown Saving to file Filtering (host, port, traffic

582 views • 11 slides
Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for IP Packet Selection draft-ietf ietf- -psamp psamp-sample-tech-00.txt -sample-tech-00.txt draft- Tanja Zseby, FhG FOKUS Maurizio Molina, NEC

600 views • 12 slides
Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet Classification and Filtering Features 1. Supported Match Fields with Optional Masks Up to 500K exact-match and 2K wildcard rules, 20M/sec lookup rate, 200K

92 views • 6 slides
Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general):

Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general):

IN3210 Network Security Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general): Packet forwarding incl. routing Properties: Connection-less Adressing: source + destination IP address No

725 views • 47 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Linux and High-Performance Computing Outline Architectures & Performance Measurement

Linux and High-Performance Computing Outline Architectures & Performance Measurement

Linux and High-Performance Computing Outline Architectures & Performance Measurement Linux on High-Performance Computers Beowulf Clusters, ROCKS Kitten: A Linux-derived LWK Linux on I/O and Service Nodes Free

630 views • 20 slides
Unifying network filtering rules for the Linux kernel with eBPF Quentin Monnet

Unifying network filtering rules for the Linux kernel with eBPF Quentin Monnet

FOSDEM19 Brussels, 2019-02-02 Unifying network filtering rules for the Linux kernel with eBPF Quentin Monnet <quentin.monnet@netronome.com> @qeole Outline Several network filtering mechanisms in the Linux kernel What are they,

415 views • 22 slides
RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com)

RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com)

RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com) Linux IPsec workshop, March 2018, Dresden Germany Agenda Problem description: what is this and why do we need it? Follows up on discussion

410 views • 20 slides
Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect Performance Engineering Team bgregg@netflix.com @brendangregg Porting these to Linux Massive Amazon EC2 Linux cloud Tens of thousands of

864 views • 75 slides
Pflua Filtering packets with LuaJIT FOSDEM 2015 Andy Wingo wingo@igalia.com

Pflua Filtering packets with LuaJIT FOSDEM 2015 Andy Wingo wingo@igalia.com

Pflua Filtering packets with LuaJIT FOSDEM 2015 Andy Wingo wingo@igalia.com https://github.com/Igalia/pflua Agenda Story time High-performance packet filtering in software Pflua Forward-looking statements Once upon a time People had to

572 views • 44 slides
Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure Article CITATIONS READS 3

Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure Article CITATIONS READS 3

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/266044195 Pattern Based Packet Filtering using NetFPGA in DETER Infrastructure Article CITATIONS READS 3 109 4 authors , including:

195 views • 8 slides
Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler <bazsi@balabit.com> www.balabit.com Zorp Has been established in 2000, as the fjrst BalaBit product Code was GPLd right from the start Initial set

590 views • 20 slides
Brok oken en Linux Linux Per erfor ormance mance Tools ools Brendan Gregg Senior

Brok oken en Linux Linux Per erfor ormance mance Tools ools Brendan Gregg Senior

Jan 2016 Brok oken en Linux Linux Per erfor ormance mance Tools ools Brendan Gregg Senior Performance Architect, Netflix Previously (SCaLE11x) Working Linux performance tools: This Talk (SCaLE14x) Broken Linux performance

1.52k views • 95 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Linux Performance 2018 Brendan Gregg Senior Performance Architect

Linux Performance 2018 Brendan Gregg Senior Performance Architect

Linux Performance 2018 Brendan Gregg Senior Performance Architect http://neuling.org/linux-next-size.html Post frequency: 4 per year https://kernelnewbies.org/Linux_4.15 https://lwn.net/Kernel/ 4 per week LKML 400 per day

473 views • 19 slides
Linux Systems Performance Brendan Gregg Senior Performance Architect Systems

Linux Systems Performance Brendan Gregg Senior Performance Architect Systems

Apr, 2016 Linux Systems Performance Brendan Gregg Senior Performance Architect Systems Performance in 50 mins Agenda A brief discussion of 6 facets of Linux performance: 1. Observability 2.

1.06k views • 72 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides
CS518 CS518 Packet Handling in Linux Packet Handling in Linux --Gaurav Gaurav Dawra Dawra --

CS518 CS518 Packet Handling in Linux Packet Handling in Linux --Gaurav Gaurav Dawra Dawra --

CS518 CS518 Packet Handling in Linux Packet Handling in Linux --Gaurav Gaurav Dawra Dawra -- Overview Internetworking: Past and Present Overview Internetworking: Past and Present Overview TCP/IP and OSI Model TCP/IP

751 views • 47 slides
BlazePPS A Packet Processing System Implemented in an FPGA and Linux Valeh Amiri (vv2252)

BlazePPS A Packet Processing System Implemented in an FPGA and Linux Valeh Amiri (vv2252)

BlazePPS A Packet Processing System Implemented in an FPGA and Linux Valeh Amiri (vv2252) Christopher Campbell (cc3769) Sheng Qian (sq2168) Yuanpei Zhang (yz2727) Columbia University May 14 th , 2015 Overview Goals Design

500 views • 12 slides
1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

Filtering May be Your Work Adaptive Information Filtering Using Bayesian Graphical Models Yi Zhang Baskin School of Engineering University of California Santa Cruz yiz@soe.ucsc.edu 1 2 Filtering May be Your Work Filtering May be Your Work

415 views • 8 slides
Linux Performance 2018 Brendan Gregg Senior Performance Architect Apr 2018

Linux Performance 2018 Brendan Gregg Senior Performance Architect Apr 2018

Linux Performance 2018 Brendan Gregg Senior Performance Architect Apr 2018 h1p://neuling.org/linux-next-size.html Post frequency: 4 per year h1ps://kernelnewbies.org/Linux_4.15 h1ps://lwn.net/Kernel/ 4 per week LKML 400 per day

468 views • 19 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides

More recommend