Description
For the fourth year in a row, the eBPF & Networking Track is going to bring together developers, maintainers, and other contributors from all around the globe to discuss improvements to the Linux kernel's networking stack as well as the BPF subsystem and their surrounding user space ecosystems, such as libraries, loaders, compiler backends, and other related system tooling.
The gathering is designed to foster collaboration and face to face discussion of ongoing development topics as well as to encourage bringing new ideas into the development community for the advancement of both subsystems.
The track will be composed of talks, 30 minutes in length (including Q&A discussion). Topics will be advanced Linux networking and/or BPF related.
eBPF & Networking Track's technical committee: David S. Miller, Jakub Kicinski, Paolo Abeni, Eric Dumazet, Alexei Starovoitov, Daniel Borkmann (chair), Andrii Nakryiko and Martin Lau.
Daniel Borkmann (Isovalent), Jakub Kicinski (Facebook) - 13/11/2023, 09:25
Alan Maguire (Oracle) - 13/11/2023, 09:30
This talk focuses on a number of issues and suggested solutions around the BPF Type Format (BTF). BTF has become more and more central not just for core BPF features, but also in other subsystems such as ftrace. The goal explored here is to facilitate, as much as is possible, various feature requests that have been expressed around BTF support and that will benefit BTF adoption.
These...
Kumar Kartikeya Dwivedi (EPFL) - 13/11/2023, 10:00
There has been recent work on adding the notion of exceptions to the BPF runtime in the Linux kernel. In this presentation, we will explore the necessary changes made to the BPF subsystem to fulfill this. We will also explore various implementation choices, reasons for making the feature as generic as possible, and the possibility of integrating similar features found in other languages (C++,...
Dan Williams (Virginia Tech), Raj Sahu (Virginia Tech) - 13/11/2023, 10:30
In the rapidly evolving landscape of BPF as kernel extensions, the need for early termination is becoming increasingly critical, whether it is due to kernel stalling or the need to enforce execution time restrictions on critical hook points:
- The recently added bpf_loop helper can be used to attach a very long running BPF program into the kernel which has been demonstrated to stall the...
Harishankar Vishwanathan (Rutgers University) - 13/11/2023, 11:30
This talk will present our automated tool, Agni, to check the correctness of range analysis in the Linux kernel’s eBPF verifier. Agni automatically extracts the semantics of the verifier's range analysis in logic (SMT) from the kernel's C source code. We use abstract interpretation theory to provide a formal specification of the soundness of range analysis. Our tool checks the verifier's range...
Paul McKenney (Facebook) - 13/11/2023, 12:00
What has happened with the BPF Memory Model, two years after the presentation [1] at the Networking and BPF Summit held at the 2021 Linux Plumbers Conference?
Until recently, not much!
But that has changed, so much so that this presentation will cover a more detailed proposal for a BPF memory model.
[1] https://lpc.events/event/11/contributions/941/
Dan Williams (Virginia Tech), Sai Roop Somaraju (Virginia Tech), Siddharth Chintamaneni (Virginia Tech) - 13/11/2023, 12:30
eBPF is accelerating waves of innovation allowing applications to enhance the kernel’s capabilities at runtime, while guaranteeing stability and security. Such guaranteed safety is made possible by the verifier engine which statically verifies BPF code. However, the verifier implicitly makes assumptions about the runtime execution environment, which must hold for safety to be upheld. One...
KP Singh (Google) - 13/11/2023, 14:30
As the BPF LSM matures and gains adoption there is more need to pick up some of the left-over patches and have these submitted in the kernel:
- LSM static calls, and share an update on how this series is progressing and the latest performance benchmarking results.
- bpf_get_xattr and bpf_set_xattr, and reach consensus on how to get this merged in the kernel.
The talk will also share...
Song Liu (Meta), Boris Burkov (Meta) - 13/11/2023, 15:00
Overview
Binary authorization is a common security requirement for modern systems. Fundamentally, only securely authorized binaries are allowed to perform certain risky operations. For example, only an authenticated sshd binary is allowed to bind port 22, or only limited authorized binaries should write to raw block devices with critical data. Many proposals have sought to solve...
Liam Wisehart (Meta), Shankaran Gnanashanmugam (Meta) - 13/11/2023, 15:30
Sysarmor is a security daemon used to detect possible threats, and enforce security rules at Meta. Sysarmor is deployed to higher threat environments, such as: collocated hosts, Meta Network Appliances, development servers, Meta cloud gaming, and public cloud (AWS/GCP). Sysarmor has over 40 BPF based detections, including areas such as: networking, privilege escalation, hardware attacks,...
Avery Blanchard (Duke University), George Almasi (IBM) - 13/11/2023, 16:30
The Linux kernel uses non-repudiable logging to attest to system integrity. Non-repudiation ensures that the validity of the log cannot be disputed, even in the presence of an untrusted actor. We present an extensible interface for user-defined programs to leverage TPM-based non-repudiable logging of any kernel data accessible to eBPF programs. With the large variety of eBPF hook locations, our...
Jinghao Jia (UIUC) - 13/11/2023, 17:00
We explore the use of eBPF for kernel security, specifically in the context of enforcing kernel control flow integrity (kCFI). CFI is an effective way to defend against control hijack attacks. However, the current CFI implementation in the kernel is imprecise and suffers from deployment challenges, resulting in it being underused. We believe eBPF's intrinsic strengths (safety, access to runtime...
Neill Kapron (Google) - 13/11/2023, 17:30
Android’s support for BPF is currently very limited and does not include many modern upstream features, namely CO-RE and iterators. The Android ecosystem’s security requirements and device lifecycles make integrating libbpf workflows and enabling partner access to BPF difficult.
The goal of this discussion is to detail and explain the challenges for Android and explore options to enable...
Quentin Monnet (Isovalent) - 13/11/2023, 18:00
Bonus/fun evening session:
eBPF is gaining widespread adoption, and nowadays it is relatively easy for people in tech to find tutorials or blog posts to get started with eBPF and to understand how it works. Other people hear about eBPF but are less familiar with the related concepts, and they struggle more to understand what it is about and how it changes system...
Yusheng Zheng (PLCT Lab) - 14/11/2023, 09:00
In kernel operations, the uprobe component of eBPF often faces performance inefficiencies, primarily due to the overheads introduced by context switches. Transitioning to userspace, eBPF can bypass these context switch-induced delays, leading to optimized performance. Moreover, this transition facilitates greater configurability without requiring root access or privileges, thus reducing the...
Masami Hiramatsu (Google) - 14/11/2023, 09:30
We are looking for a new register-set data structure, instead of pt_regs, for function entry/exit trace events. This is because pt_regs is expected to save all registers, including some control registers which are usually saved when an exception or interrupt happens. However, with ftrace it cannot be used on some architectures. Moreover, for most RISC architectures, saving all...
Jiri Olsa (Isovalent) - 14/11/2023, 10:00
We recently suffered a case where we did not get the expected count of attached kprobe hits and I realized that we don't properly keep stats of missed probes. While this was not a surprise for legacy kprobes (perf + SET_BPF ioctl), which was brought up a long time ago, it's currently not possible to get such stats even on kprobes created on top of bpf perf and kprobe_multi links. Also we are...
Lucas Castanheira (CMU) - 14/11/2023, 10:30
eBPF is fundamental for diagnosing performance issues in production environments - where flexible and continuous profiling is key. Understanding, for example, why some functions are taking too long can provide a quick path to uncovering the root cause of performance issues. However, high-level indicators such as high latency are not informative enough: To disambiguate the source of high...
Daniel Borkmann (Isovalent) - 14/11/2023, 11:30
BPF for networking has seen a number of infrastructure improvements since the last year such as the introduction of tcx as the new tc BPF fast path with BPF link support. The next bigger step in this area is the introduction of a BPF programmable netdevice called "netkit" where the BPF logic is part of the driver's xmit routine. This talk elaborates on why it is needed, provides a detailed...
John Fastabend (Isovalent) - 14/11/2023, 12:00
Application security and observability systems provide useful insight into L7 application networking. These systems promise nice looking service maps showing all your GRPC connections and how all the network services interact. They snoop DNS traffic providing the key insights of IP to DNS name mappings in a world where IPs are increasingly dynamic and meaningless from an identity perspective....
Balasubramanian Madhavan (Meta Inc.), Prankur Gupta (Meta Platforms Inc) - 14/11/2023, 12:30
In this talk, we share some transport tunings built using eBPF to improve network performance and reliability. We will discuss examples of problems observed along with their solutions at different scopes: intra-datacenter (small RTT) and inter-region (long RTT) networks. Next, we talk about how we used one BPF attach point (struct_ops) to try a TCP congestion control change aimed at improving...
Kui-Feng Lee (Meta) - 14/11/2023, 14:30
BPF struct_ops is a kernel-side feature in Linux which allows user-defined methods to be called by subsystems. For example, it is now possible to define a congestion control algorithm in BPF and then proceed to register it with the TCP subsystem in order to effectively regulate traffic. The presentation will provide audiences with an understanding of the inner workings of struct_ops,...
Anton Protopopov (Isovalent) - 14/11/2023, 15:00
In the Linux kernel the Static Keys feature allows the inclusion of seldom used features in the fast-path code via the 'asm goto' compiler feature and code live-patching techniques. When disabled, a static key incurs zero overhead.
While looking into ways to extend functionality of the pwru [1] utility to trace networking events it became clear that a similar Static Keys feature would be a...
Guillaume Fournier (Datadog), Hemanth Malla (Datadog) - 14/11/2023, 15:30
Datadog has been using eBPF in production for observability, security and networking for several years now. While we managed to leverage eBPF to build new features, which would have been impossible otherwise, we also learned a lot the hard way. In this talk, we aim to get into the details of some gotchas, pitfalls and bugs uncovered over the years. You'll learn about eBPF hook points coverage...
Barret Rhoden (Google) - 14/11/2023, 16:30
Flux is a framework for writing multicore schedulers, written in eBPF, that runs on top of Google's Ghost kernel scheduling class (analogous to sched_ext). Although the Flux framework is interesting in its own right, this talk will cover the data structures and trickery involved with making Flux work in BPF. Particularly, we heavily utilize array maps as a quasi memory allocator, and have...
Sumera Priyadarsini (Polar Signals) - 14/11/2023, 17:00
At LPC 2022, we talked about experimenting with eBPF to extend the existing stack unwinding facility in the Linux kernel for interpreted languages, such as Ruby and Python, as well as runtimes emitting JITed code, like NodeJS.
While we have successfully implemented these features in parca-agent across both Arm64 and x86 architectures, there is...
Alan Jowett (Microsoft) - 14/11/2023, 17:30
Towards a standardized eBPF ISA - Conformance testing
The BPF Conformance Suite, consisting of a test runner and a suite of test cases, is a tool that addresses the challenge of ensuring cross-runtime compatibility for BPF programs.
This presentation will delve into the core aspects of the BPF Conformance Suite, including its purpose,...
David Wei (Meta), Pavel Begunkov (Meta) - 15/11/2023, 09:30
Memory bandwidth is a bottleneck in many distributed services running at scale as I/O bandwidth has not kept up with CPU or NIC speeds over time. One limitation of kernel socket-based networking is that data is first copied into kernel memory via DMA, and then again into user memory, which adds pressure to overall memory bandwidth and comes with a CPU cost. The classic way of addressing this...
Dr Xiaochun Lu (Bytedance), Zijian Zhang (Bytedance) - 15/11/2023, 10:00
Homa, a unique transport protocol created specifically for hyper-scale datacenters, provides optimized round-trip performance for request/reply messages. An in-depth evaluation of the Homa Linux module in contrast to TCP showed a considerable decrease in latency with RPC application benchmarks. Furthermore, our analysis of gRPC operating over Homa versus gRPC over TCP revealed significant...
Vadim Fedorenko (Meta) - 15/11/2023, 10:30
More and more systems require precisely synchronized time to operate effectively. NTP and PTP are well-known protocols that distribute time information across networks. However, systems need hardware to be properly configured and monitored as a part of the solution. With SyncE adoption there is a requirement to support more rigorous approaches to time synchronization and distribution on hosts....
Sebastian Siewior (Linutronix) - 15/11/2023, 11:30
Disabling bottom halves is essentially a per-CPU Big Kernel Lock. While some data structures have explicit locking, others rely on disabling BH. Depending on the load, networking has to wait until timer callbacks have finished. Even if preempted by a task with higher priority, it can not send a packet until all receiving is done.
This talk intends to discuss with the networking community,...
Andy Gospodarek (Broadcom) - 15/11/2023, 12:00
In large deployments, significant CPU cycles are used on encryption for transport security (QUIC, TLS, etc). CPU crypto instructions and 'look-aside' accelerators can have significant performance penalties (memory copies, cache pollution, etc).
NIC or Inline offload solves many of these problems and it leverages the natural memory copy into the NIC to implement crypto-offload. Other...
Stanislav Fomichev (Google) - 15/11/2023, 12:30
AF_XDP is a relatively novel packet family which builds on top of XDP and supports directly accessing low-level networking queues from userspace. It exposes raw packet headers and payload and bypasses most of the kernel stack. Recently, it gained the support of NIC receive-side offloads and I'm actively working on...
Frederick Lawler (Cloudflare) - 15/11/2023, 14:30
What happens when your application opens upwards of 50k connections to a single destination? Short answer: the connect() syscall becomes slow. Cloudflare found out the hard way. Through this talk we would like to share our story of what we have learned about the connect() implementation for TCP in Linux, both its strong and weak sides, how connect() latency changes under pressure, and how to...
Martin Lau (Meta), Takshak Chahande (Meta) - 15/11/2023, 15:00
In the container-centric ecosystem, achieving efficient network isolation without compromising on performance has become paramount. Not all containers require the stringent network isolation akin to VMs. Many can benefit from a more flexible approach, like using eBPF hooks, to mark and manage network traffic with QoS. This presentation delves into the application of cgroup-bpf based hooks...
Lalit Gupta (Meta), Pavel Dubovitsky, Raman Shukhau - 15/11/2023, 15:30
The industry extensively relies on direct server response, DSR, and Meta has a long history of employing this technology for L4 load balancing. At the same time, our fleet went through an evolution of being an isolated subset of machines per team, to a more efficient model with a single shared pool that provides multi-tenant capacity. Moving services to network namespace becomes necessary to...
Kuniyuki Iwashima (Amazon Web Services) - 15/11/2023, 16:30
SYN Cookie is a technique used to protect servers from malicious connection requests. Under SYN flood, the Linux TCP stack encodes the client information into the initial sequence number (ISN) of the SYN+ACK, which is called the SYN Cookie, and decodes it from the ACK of the 3WHS so that the kernel can release resources for the connection and stay stateless during the 3WHS.
For security reasons, SYN Cookie...
Quentin Deslandes (Meta) - 15/11/2023, 17:00
For a significant period, bpfilter wasn't more than an empty usermode helper and an abandoned patch series. However, it has recently undergone active development as a userspace daemon, which can be found on GitHub at https://github.com/facebook/bpfilter. This daemon now offers userspace services a swift and user-friendly interface to generate packet-filtering BPF programs dynamically. This...
Andrew Lunn - 15/11/2023, 17:30
RJ45 Ethernet sockets often come with a couple of LEDs. Front panels of STBs, cable modems, WiFi access points and switches have LEDs. They give some representation of what is happening in the network: link, link speed, RX or TX of frames etc. How these LEDs are configured was until recently a big problem. Many patches have been NACKed, all repeating the same problem, again...
Aditi Ghag (Isovalent)
This talk will cover two main topics: the complexities around network namespaces, and rethinking some aspects of conntrack in the Cilium BPF datapath in the context of cloud-native environments.
(1) Global sockets iterator and entering host-wide netns: Cilium has a few use cases where it needs to enter network namespaces on a host. There are certain challenges involved in...