Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel itself, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

1. Title.
Thomas Graf
CTO & Co-Founder @ Covalent
Linux-Native,
HTTP-Aware
Network Security

2. Application
Architectures
Delivery Frequency
Operational
Complexity
Single Server
App
Yearly
Low
Distributed
Microservices App
10-100 x’s / day
Extreme
3-Tier App
Monthly
Moderate
CODE CONSISTENCY AT VELOCITY

3. Network Security
has not evolved
$ iptables -A INPUT -p tcp
-s 15.15.15.3 --dport 80
-m conntrack --ctstate NEW
-j ACCEPT
The world still runs on iptables
matching IPs and ports:

4. Your HTTP ports be like …

5. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
API

6. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
API
GET /store/myItem HTTP/1.1

7. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
API
GET /store/myItem HTTP/1.1
FROM frontend
ALLOW tcp:80

8. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
GET /store/{id}
API
GET /store/myItem HTTP/1.1
FROM frontend
ALLOW tcp:80

9. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
GET /healthz
GET /store/{id}
PUT /store/{id}
PUT /config
API
GET /store/myItem HTTP/1.1
FROM frontend
ALLOW tcp:80

10. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
GET /healthz
GET /store/{id}
PUT /store/{id}
PUT /config
API
attacksurface
GET /store/myItem HTTP/1.1
FROM frontend
ALLOW tcp:80

11. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
GET /healthz
GET /store/{id}
PUT /store/{id}
PUT /config
API
exposed
exposed
exposed
FROM frontend
ALLOW tcp:80
GET /store/myItem HTTP/1.1
OK

12. L4 security has
become meaningless in
the age of microservices

13. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
GET /healthz
GET /store/{id}
PUT /store/{id}
PUT /config
API
GET /store/myItem HTTP/1.1

14. L3/L4
Network Security
for microservices
Pod
“Frontend”
Pod
“Store”
GET /healthz
GET /store/{id}
PUT /store/{id}
PUT /config
API
FROM frontend
ALLOW GET /store/.*
GET /store/myItem HTTP/1.1

15. We demand
a demo!

16. BPF – The
Superpowers
inside Linux

17. What is BPF?
.insns = {
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
BPF_LD_MAP_FD(BPF_REG_1, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
BPF_EXIT_INSN(),
}

18. What is BPF?
SOURCE CODE [C]
</>
USER SPACE

19. What is BPF?
SOURCE CODE [C]
</>
BYTE CODE [BPF]
USER SPACE
</>

20. What is BPF?
SOURCE CODE [C]
</>
BYTE CODE [BPF]
VERIFIER
+ JIT
USER SPACE
KERNEL
</>

21. What is BPF?
SOURCE CODE [C]
</>
BYTE CODE [BPF]
VERIFIER
+ JIT
USER SPACE
KERNEL
</>
SANDBOX
BPF

22. What is BPF?
SOURCE CODE [C]
</>
BYTE CODE [BPF]
VERIFIER
+ JIT
USER SPACE
KERNEL
</>
SANDBOX
BPF
Process
Process

23. What is BPF?
SOURCE CODE [C]
</>
BYTE CODE [BPF]
VERIFIER
+ JIT
USER SPACE
KERNEL
</>
SANDBOX
BPF
Process
SANDBOX
BPF
write()
Process

24. What is BPF?
SOURCE CODE [C]
</>
BYTE CODE [BPF]
VERIFIER
+ JIT
USER SPACE
KERNEL
</>
SANDBOX
BPF
Process
SANDBOX
BPF
write()
Process
EACCESS

25. How does BPF relate to HTTP?
Process
GET /foo

26. SANDBOX
BPF Process
GET /foo
How does BPF relate to HTTP?

27. SANDBOX
BPF Process
Proxy
rules
GET /foo
redirect
How does BPF relate to HTTP?

28. SANDBOX
BPF Process
Proxy
rules
GET /foo
redirect
reinject
How does BPF relate to HTTP?

29. SANDBOX
BPF Process
Proxy
rules
GET /foo
redirect
403
Access
Denied
How does BPF relate to HTTP?

30. Cilium Architecture
Cilium
Kernel
ProcessBPF
ProcessBPF
BPF
Cilium
Agent
CLI Monitor Policy
Plugins

31. • Generate networking code at Container
Startup
+ Tailored to each container
+ Include Minimal Code Required
Faster
Smaller Attack Surface
• Constant Config (IP, MAC, Ports, …),
Compiler Optimization
• Regeneration at Runtime Without
Breaking Connections
BPF CODE GENERATION AT
CONTAINER STARTUP

32. 75
140
205
240
325
365 370 365
410 412 425
445 450 460 460
490 495 505 515 525
545
565
0
100
200
300
400
500
600
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
BPF redirect() performance
[GBit per core]
Intel Xeon 3.5Ghz Sandy Bridge, 24 Cores,
1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies

33. Thank You
Learn More:
cilium.io
Code:
github.com/cilium/cilium
Follow us:
@ciliumproject
KubeCon booth:
S19