18–20 Sept 2024
Europe/Vienna timezone

WireGuard & GRO?

18 Sept 2024, 17:40
20m
"Hall N1" (Austria Center)

Networking Track

Speaker

Daniel Borkmann (Isovalent)

Description

For some time now, Cilium has shipped with a native WireGuard integration in order to
provide a lightweight encrypted tunneling solution in the Cloud Native ecosystem
for K8s Pod traffic and to connect multi/hybrid-cloud environments. It also acts
as an alternative to Cilium's IPsec integration. From a BPF and Cilium point of
view, it provides nice benefits in that WireGuard is i) just another hop on the
virtual wire on the local node, and ii) it is less complex to orchestrate than
alternatives.

We briefly talk about Cilium's WireGuard integration and then the talk focuses
on potential ways to improve its performance. In particular, wireguard-go, a
pure user space implementation of WireGuard, was able to surpass the in-kernel
implementation's performance through piggy-backing on UDP GSO and GRO [0]. In this
experiment, we seek to bring similar benefits to its kernel implementation via
GRO and provide an analysis of our results.

[0] https://tailscale.com/blog/more-throughput
