
Layer 7 is the New Layer 4: Cilium – Layer 7 Aware Networking & Security with BPF

Modern micro-services architectures factor application functionality out into individual services and expose them via APIs using protocols such as REST or gRPC. This creates unique new challenges for networking and security. What was previously a series of application-internal function calls protected by memory segmentation is now available over the network. Traditional layer 3-4 network security is limited to segmentation at the IP and port level, which, when applied to APIs, allows one either to expose the entire API surface or none of it. This is clearly insufficient to implement least-privilege security in micro-services architectures where services are consumed from multiple sources with differing privilege requirements.

At the same time, the rise of container-based orchestration platforms closes the gap between infrastructure ops and application developers, creating demand for highly scalable, application-aware, and resilient load-balancing, routing & security infrastructure. An example of this evolution is the recently launched open source project Istio, which provides a platform to connect and secure micro-services, focusing almost exclusively on Layer 7. Istio and similar projects use user-space proxies to achieve this because the Linux kernel does not provide this functionality yet. This introduces significant performance overhead and new security threats, as these proxies run in the same segmentation domain as the application itself.

This talk introduces Cilium – a platform providing application-aware networking, security, and load-balancing in collaboration with orchestration systems such as Kubernetes and Istio, implemented using BPF to deliver kernel-native performance and security.
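As an added illustration (not part of the talk abstract or the Cilium project's own material), here is the all-or-nothing port-level policy described above placed beside a Cilium policy that restricts the same service to individual HTTP methods and paths. The CiliumNetworkPolicy schema is the one documented by the Cilium project; the label names (app=frontend, app=api), the port and the API paths are constructed for this example.

```yaml
# Weak setting: layer 3-4 only. Any pod labelled app=frontend may open TCP/8080
# to the API pods, so the whole API surface (including /admin) is exposed.
# Labels, port and paths are constructed example values.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l4-only
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
---
# Least-privilege setting: the same L3-4 match, but the connection is steered
# through Cilium's HTTP-aware path and only the listed method/path pairs are
# forwarded; any other request on port 8080 (e.g. DELETE /admin/...) is rejected.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-least-privilege
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/orders/.*"
        - method: "POST"
          path: "/v1/orders"
```

Applying only the first policy reproduces the abstract's "entire API surface or none of it" situation; the second keeps the same network reachability while the BPF datapath enforces which API calls the frontend may actually make.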
Thomas Graf
Co-Founder & CTO at Covalent IO
Thomas Graf has been a Linux kernel developer for 15 years, working on a variety of networking and security subsystems. His current focus is on BPF/XDP and how it can be applied to solve challenges of distributed applications. This includes providing secure networking with transparent encryption, application aware security, tracing, visibility, and mitigation of DDoS attacks. Thomas is a contributor to various open source projects including the Linux kernel, Cilium, Open vSwitch, Docker, and Kubernetes.

INFO

Event: future:net

Where: Las Vegas, Nevada

When: August 30 - 31, 2017

Venue: Four Seasons Hotel