Performance Implications of Packet Filtering with Linux eBPF

Firewall capabilities of operating systems are traditionally provided by inflexible filter routines or hooks in the kernel. These require privileged access to be configured and are not easily extensible for custom low-level actions. Since Linux 3.0, the Berkeley Packet Filter (BPF) allows user-written extensions in the kernel processing path. The successor, extended BPF (eBPF), improves flexibility and is realized via a virtual machine featuring both a just-in-time (JIT) compiler and an interpreter running in the kernel. It executes custom eBPF programs supplied by the user, effectively moving kernel functionality into user space. We present two case studies on the usage of Linux eBPF. First, we analyze the performance of the eXpress Data Path (XDP). XDP uses eBPF to process ingress traffic before the allocation of kernel data structures, which yields performance benefits. In the second case study, eBPF is used to install application-specific packet filtering configurations acting on the socket level. Our case studies focus on performance aspects and discuss benefits and drawbacks.
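As an added illustration (not code from the paper), the following is the packet-inspection logic of an XDP ingress filter written as host C so it compiles without kernel headers: it parses Ethernet and IPv4 headers behind explicit `data_end` bounds checks, as the eBPF verifier requires, and drops frames from a constructed source-address blocklist; the `XDP_DROP`/`XDP_PASS` values are those of `linux/bpf.h`, and the blocklist stands in for a BPF map.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define XDP_DROP 1   /* verdict values as defined in linux/bpf.h */
#define XDP_PASS 2
/* Minimal Ethernet and IPv4 headers in on-wire layout. */
struct eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
                  uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));

/* Constructed blocklist of source addresses; a real XDP program would keep
 * this in a BPF map that user space populates. */
static const char *blocked_src[] = { "198.51.100.7", "203.0.113.9" };

/* Verdict for one ingress frame. Every header access is preceded by a bounds
 * check against data_end, as the eBPF verifier demands before loading. */
int xdp_filter_verdict(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_DROP;                  /* truncated frame */
    if (ntohs(eth->proto) != 0x0800)
        return XDP_PASS;                  /* not IPv4: leave it to the stack */

    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_DROP;                  /* IPv4 header does not fit */
    for (size_t i = 0; i < sizeof blocked_src / sizeof blocked_src[0]; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, blocked_src[i], &a) == 1 && a.s_addr == ip->saddr)
            return XDP_DROP;              /* blocklisted source address */
    }
    return XDP_PASS;
}

/* Build a constructed Ethernet+IPv4 frame from src_ip into buf (at least 34
 * bytes); returns the frame length, or 0 if src_ip does not parse. */
size_t build_frame(uint8_t *buf, const char *src_ip)
{
    struct eth_hdr eth = {0};
    struct ipv4_hdr ip = {0};
    struct in_addr a;
    eth.proto = htons(0x0800);
    ip.ver_ihl = 0x45; ip.ttl = 64; ip.proto = 17; ip.len = htons(sizeof ip);
    if (inet_pton(AF_INET, src_ip, &a) != 1) return 0;
    ip.saddr = a.s_addr;
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    return sizeof eth + sizeof ip;
}
```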
