We introduced Cilium at DockerCon US 2017 this year. Cilium provides application-aware network connectivity, security, and load-balancing for containers. This talk follows up on that introduction and dives deep into recent kernel developments that address two fundamental questions: How can I provide application-aware security and routing efficiently, without embedding overhead into every service? How can container hosts protect themselves from internal and external DDoS attacks? The solutions include:
kproxy: a kernel-based socket proxy that allows application-aware routing and security enforcement with minimal overhead.
XDP: a lightning-fast packet processing datapath using BPF. The technology is intended for DDoS mitigation, load-balancing, and forwarding.
This talk dives deep into these exciting technologies and shows how Cilium makes BPF and these kernel features available on Linux for your Docker containers.
5. Gordon’s Task List
● Deploy Cilium HTTP-aware security for microservices
● Isolate Kafka resources for old & new services
● DDOS mitigation via XDP/BPF
15. L3/L4 Security for Microservices
[Diagram: a Web Front-End calls the Image Upload Service API with POST /image. An L3/L4 rule (iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT) allows that call, but it also leaves the service's other endpoints exposed: GET /image, GET /image/flagged, and PUT /image/id.]
33. Kafka?
Used for building real-time pipelines and streaming apps.
- Horizontally scalable
- Fault-tolerant
- “Wicked fast”
Defined by its own protocol.
1/3 of all Fortune 500 companies use Kafka[1]
34. Kafka Concepts
[Diagram: Producers write to Topic 1 on a Kafka Broker, which holds Topic 1 through Topic N; Consumer Group A and Consumer Group B each read from Topic 1.]
53. BPF
[Diagram: Cilium architecture. In user space, the Cilium Agent (driven by the CLI, monitoring, policies, and plugins) loads BPF code & maps into the kernel through API calls. In kernel space, BPF programs process the packets, with XDP/BPF handled in the NIC driver.]
55. BPF with XDP Setup
pktgen attack: ~11.6 Mpps, randomly in 10.0.0.0/8
legit traffic: netperf tests on 10.192.1.0/24
Blacklist: 16M rules, all /32s in 10.0.0.0/8
56. BPF with XDP for DDoS mitigation
Metric                          iptables / ipset   XDP
DDoS rate [packets/s]           11.6M              11.6M
Drop rate [packets/s]           7.1M               11.6M
Time to load rules [time]       3 min 20 sec       31 sec
Latency under load [ms]         2.3ms              0.1ms
Throughput under DDoS [Gbit/s]  0.014              6.5
Requests/s under DDoS [kReq/s]  0.28               82.8
Sender: Send 64B packets as fast as possible -> Receiver: Drop as fast as possible
Source: Daniel Borkmann’s presentation: http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf
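The drop decision behind the XDP numbers above, as an added illustration that is not code from the talk, from Cilium, or from Borkmann's benchmark: it is written in plain C so it compiles and runs without a kernel, the bitmap blacklist over 10.0.0.0/8 is an assumed stand-in for the BPF map, and verdict_for builds a constructed test frame. The bounds checks against data_end mirror what the BPF verifier demands of a real XDP program before any header byte is read.

```c
#include <stdint.h>
#include <stddef.h>
/* Verdict values as defined in the kernel's linux/bpf.h (only the two used here). */
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_HLEN 14
#define ETH_P_IP 0x0800

/* Stand-in for the BPF map (an assumption of this example): one bit per /32 inside
 * 10.0.0.0/8, i.e. 2^24 entries in 2 MiB, matching the 16M-rule blacklist on the slide. */
static uint8_t blacklist[1u << 21];

static int in_prefix_10(uint32_t ip) { return (ip >> 24) == 10; }
/* Add a host-order IPv4 address; returns 0 if it lies outside 10.0.0.0/8. */
int blacklist_add(uint32_t ip) {
    if (!in_prefix_10(ip)) return 0;
    uint32_t idx = ip & 0x00ffffffu;
    blacklist[idx >> 3] |= (uint8_t)(1u << (idx & 7));
    return 1;
}
static int blacklisted(uint32_t ip) {
    if (!in_prefix_10(ip)) return 0;
    uint32_t idx = ip & 0x00ffffffu;
    return (blacklist[idx >> 3] >> (idx & 7)) & 1;
}

/* Mirrors an XDP program's entry point: every header byte is bounds-checked against
 * data_end before it is read, as the in-kernel BPF verifier requires. */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end) {
    if (data + ETH_HLEN > data_end) return XDP_PASS;           /* truncated frame */
    uint16_t proto = (uint16_t)((data[12] << 8) | data[13]);
    if (proto != ETH_P_IP) return XDP_PASS;                    /* not IPv4: leave to the stack */
    const uint8_t *iph = data + ETH_HLEN;
    if (iph + 20 > data_end || (iph[0] >> 4) != 4) return XDP_PASS;
    uint32_t saddr = ((uint32_t)iph[12] << 24) | ((uint32_t)iph[13] << 16) |
                     ((uint32_t)iph[14] << 8) | iph[15];
    return blacklisted(saddr) ? XDP_DROP : XDP_PASS;           /* drop before the stack sees it */
}

/* Constructed input: a minimal Ethernet + IPv4 header with the given source address,
 * handed to xdp_verdict with data_end at frame_len (a short value simulates truncation). */
int verdict_for(uint16_t ethertype, uint32_t saddr, size_t frame_len) {
    uint8_t buf[64] = {0};
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[ETH_HLEN] = 0x45;                                      /* IPv4, IHL = 5 */
    buf[ETH_HLEN + 12] = (uint8_t)(saddr >> 24); buf[ETH_HLEN + 13] = (uint8_t)(saddr >> 16);
    buf[ETH_HLEN + 14] = (uint8_t)(saddr >> 8);  buf[ETH_HLEN + 15] = (uint8_t)saddr;
    return xdp_verdict(buf, buf + (frame_len > sizeof buf ? sizeof buf : frame_len));
}
```

In a real deployment the same logic sits in the NIC driver's XDP hook, so blacklisted sources never reach the kernel's IP stack, which is where the drop-rate gap in the table comes from.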
57. Gordon’s Summary
● Cilium deployment for microservices successfully secured HTTP traffic
● Kafka resources were isolated to protect existing services from new ones
● Mitigated DDOS attacks via XDP/BPF
58. Cilium Project Status
• Cilium v0.12 release in October
• Docker, Kubernetes, and Mesos integration
• Looking for feedback and contributions
59. Take Action!
• Getting Started Using Docker: docs.cilium.io/
• Join our Slack community!
• Check out the project website for more details:
https://www.cilium.io/
Please ★ us on GitHub