Why eBPF and XDP in Suricata matters · 2019. 1. 9. · Leblond (OISF)
Why eBPF and XDP in Suricata matters
É. Leblond
OISF
Nov. 15, 2018
É. Leblond (OISF) Why eBPF and XDP in Suricata matters Nov. 15, 2018 1 / 31
1 Problem
  Packet loss impact
  Elephant flow
  Work less to get more
2 Bypass
  Introducing bypass
  Bypass strategy
3 Hipster technologies to the rescue
  eBPF
  AF_PACKET bypass via eBPF
  eBPF support
  XDP support
  It's just the beginning
4 Conclusion
Impact of losing packets

Methodology
  Use a sample of traffic
  Modify the pcap file to introduce a specified rate of random packet loss
  Do it 3 times per loss rate
  Graph the results

Test data
  A test pcap of 445 MB
  Real traffic, but with a lot of malicious behaviour
  The traffic is a bit old
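A small tool in the spirit of that methodology, added here as an example (the talk does not show its own script): it copies a classic libpcap file and drops a chosen percentage of packets using a seeded PRNG, so each of the three runs per loss rate can be reproduced exactly. It assumes a host-byte-order .pcap (not pcapng, not a byte-swapped file); the capture that simulate_loss() feeds it for the self-check is constructed in memory.

```c
/* Added example (not the talk's code): drop a given percentage of packets from a
 * classic libpcap file to reproduce the "alert loss by packet loss" measurement.
 * Host-byte-order .pcap only (no pcapng, no byte-swapped files).
 * Build: cc -O2 -o pcaploss pcaploss.c ; run: ./pcaploss in.pcap out.pcap 3.0 42 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PCAP_MAGIC_US 0xa1b2c3d4u        /* microsecond timestamps */
#define PCAP_MAGIC_NS 0xa1b23c4du        /* nanosecond timestamps */

struct pcap_file_hdr { uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
                       uint32_t sigfigs, snaplen, linktype; };
struct pcap_rec_hdr  { uint32_t ts_sec, ts_frac, incl_len, orig_len; };
struct loss_result   { long kept, dropped; };          /* kept < 0 signals an error */

/* Small deterministic PRNG: the same seed gives the same drop pattern, so a run can be
 * repeated (the talk ran every loss rate three times). Seed must be nonzero. */
static uint32_t xorshift32(uint32_t *s) { uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }

/* True when this packet is to be dropped, for a loss rate given in percent. */
static int drop_packet(uint32_t *seed, double loss_pct)
{
    double r = (xorshift32(seed) % 1000000u) / 10000.0;   /* uniform in [0, 100) */
    return r < loss_pct;
}

/* Copy in -> out, dropping loss_pct percent of the packets independently at random. */
static struct loss_result filter_pcap(FILE *in, FILE *out, double loss_pct, uint32_t seed)
{
    struct loss_result res = { -1, 0 };
    struct pcap_file_hdr fh;
    struct pcap_rec_hdr rh;
    if (fread(&fh, sizeof fh, 1, in) != 1) return res;
    if (fh.magic != PCAP_MAGIC_US && fh.magic != PCAP_MAGIC_NS) return res;
    if (fwrite(&fh, sizeof fh, 1, out) != 1) return res;
    size_t cap = fh.snaplen ? fh.snaplen : 262144;         /* snaplen 0 is seen in the wild */
    unsigned char *buf = malloc(cap);
    if (!buf) return res;
    if (seed == 0) seed = 1;
    long kept = 0;
    while (fread(&rh, sizeof rh, 1, in) == 1) {
        if (rh.incl_len > cap || fread(buf, 1, rh.incl_len, in) != rh.incl_len) { free(buf); return res; }
        if (drop_packet(&seed, loss_pct)) { res.dropped++; continue; }
        if (fwrite(&rh, sizeof rh, 1, out) != 1 || fwrite(buf, 1, rh.incl_len, out) != rh.incl_len) { free(buf); return res; }
        kept++;
    }
    free(buf);
    res.kept = kept;
    return res;
}

/* Constructed test input: npkts minimal Ethernet frames with increasing timestamps. */
static FILE *make_synthetic_pcap(long npkts)
{
    FILE *f = tmpfile();
    if (!f) return NULL;
    struct pcap_file_hdr fh = { PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1 /* LINKTYPE_ETHERNET */ };
    unsigned char frame[60] = { 0 };
    if (fwrite(&fh, sizeof fh, 1, f) != 1) { fclose(f); return NULL; }
    for (long i = 0; i < npkts; i++) {
        struct pcap_rec_hdr rh = { (uint32_t)i, 0, sizeof frame, sizeof frame };
        fwrite(&rh, sizeof rh, 1, f);
        fwrite(frame, 1, sizeof frame, f);
    }
    rewind(f);
    return f;
}

/* Run the filter over a synthetic capture of npkts packets and report the counts. */
static struct loss_result simulate_loss(long npkts, double loss_pct, uint32_t seed)
{
    struct loss_result res = { -1, 0 };
    FILE *in = make_synthetic_pcap(npkts), *out = tmpfile();
    if (in && out) res = filter_pcap(in, out, loss_pct, seed);
    if (in) fclose(in);
    if (out) fclose(out);
    return res;
}

int main(int argc, char **argv)
{
    if (argc != 5) { fprintf(stderr, "usage: %s in.pcap out.pcap loss_percent seed\n", argv[0]); return 2; }
    FILE *in = fopen(argv[1], "rb"), *out = fopen(argv[2], "wb");
    if (!in || !out) { perror("open"); return 1; }
    struct loss_result r = filter_pcap(in, out, atof(argv[3]), (uint32_t)strtoul(argv[4], NULL, 10));
    fclose(in); fclose(out);
    if (r.kept < 0) { fprintf(stderr, "%s: unsupported or truncated pcap\n", argv[1]); return 1; }
    printf("kept %ld packets, dropped %ld (%s%% requested)\n", r.kept, r.dropped, argv[3]);
    return 0;
}
```

Produce one output per loss rate and seed, replay each with `suricata -r`, and count the alerts (and extracted files) in the resulting logs to rebuild the curves. Note that the drop decision is independent per packet, which models random loss; the loss a ring-buffer overrun produces is bursty and hurts stream reassembly harder still.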
Alert loss by packet loss

Some numbers
  10% of alerts missed with 3% packet loss
  50% of alerts missed with 25% packet loss
The case of file extraction

Some numbers
  10% of file extractions fail with 0.4% packet loss
  50% of file extractions fail with 5.5% packet loss

File extraction needs the complete reassembled stream, so a single lost segment spoils the file; that is why it degrades an order of magnitude faster than alerting does.
The elephant flow problem (1/2)
The elephant flow problem (2/2)

Ring buffer overrun
  The ring buffer has a limited size
  An overrun causes packet loss, which in turn makes stream reassembly malfunction

Increasing the ring size
  Only a workaround
  Costs memory
  Fails for anything but bursts: packets are dequeued at rate N while they are queued at rate N+M, so any finite buffer eventually overflows
Stream depth method

Attack characteristics
  In most cases the attack happens at the start of the TCP session
  Generating requests prior to the attack is not common
  Multiple requests on the same TCP session are often not even possible

Stream reassembly depth
  Reassembly is done up to stream.reassembly.depth bytes
  The stream is no longer analysed once the limit is reached
  Individual packets continue to be inspected
Introducing bypass

Stop handling packets as soon as possible
  Tag the flow as bypassed
  Maintain a table of bypassed flows
  Discard a packet if it belongs to a bypassed flow

Bypass methods
  Local bypass: Suricata discards the packet after decoding
  Capture bypass: the capture method maintains the flow table and discards packets of bypassed flows before they reach Suricata
Bypassing big flows: local bypass

Bypassing big flows: capture bypass
Implementation

Suricata update
  Add a callback function
  The capture method registers itself and provides a callback
  Suricata calls the callback when it wants to offload a flow

NFQ bypass in Suricata 3.2
  Update the capture registration function
  Write the callback function
  Set a mark, with respect to a mask, on the packet
  The mark is set on the packet when issuing the verdict
Stream depth bypass

Stop all processing after bypass
  Go beyond what is currently done
  Disable individual packet inspection as well once the stream depth is reached

Activating stream depth bypass
  Set stream.bypass to yes in the YAML configuration

TLS bypass
  Set encryption-handling to bypass in the TLS section of the YAML (app-layer.protocols.tls.encryption-handling)

Trade-off: once a flow is bypassed nothing in it is inspected any more, not even individual packets. The stream depth method's observation that attacks come early in the session is what makes that acceptable.
Selective bypass

Ignore some traffic
  Ignore intensive traffic such as Netflix
  Can be done independently of the stream depth
  Can be done with generic or custom signatures

The bypass keyword
  A new bypass signature keyword
  Triggers bypass when the signature matches
  Example signature:

  pass http any any -> any any (content:"suricata.io"; http_host; bypass; sid:6666; rev:1;)

Keep in mind that the Host header is supplied by the client: any client sending Host: suricata.io gets the rest of that flow excluded from inspection, so key selective bypass rules on something you trust (for example the server address) or accept that trade-off knowingly.
Extended Berkeley Packet Filter

Berkeley Packet Filter
  A virtual machine inside the kernel
  Arithmetic operations and tests on the packet data
  Filters are injected from userspace into the kernel via a syscall

Extended BPF
  Extended virtual machine: more operators, data and function access
  Various attachment points: socket, syscall (tracing), traffic control
  Structures shared between kernel and userspace (maps): hash tables, arrays
LLVM backend

From C file to eBPF code
  Write C code
  Compile it with the eBPF LLVM backend (available since LLVM 3.7)
  Get an ELF file
  Use libbpf to extract the sections and load them into the kernel

BCC: BPF Compiler Collection
  Inject eBPF into the kernel from a high-level scripting language
  Trace syscalls and kernel functions
  https://github.com/iovisor/bcc
And now AF_PACKET

What is needed
  Suricata tells the kernel which flows to ignore
  A kernel-side mechanism able to:
    Maintain a list of flow entries
    Discard packets belonging to flows in the list
    Be updated from userspace

eBPF filter using maps
  eBPF introduces maps
  Different data structures: hash, array, ...
  Updated and read from userspace

Looks good!
Filtering

From BPF to eBPF
  Forget about OR-joined lists: not (1.2.3.4 or 2.3.4.5 or 12.3.34.4 or ...)
  Maintain the list in a map
  Search the list in constant time

More on maps
  Pinning
  Access from external tools

Available example filters
  filter.c: drop IPv6
  vlan_filter.c: accept packets for a set of VLANs
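As an added example, not the project's filter.c or vlan_filter.c and written in plain C rather than eBPF so it runs without a kernel: the decision logic of a combined filter that drops IPv6 and accepts only a set of VLANs, with the VLAN set kept in a 4096-slot array indexed by VLAN id, the userspace stand-in for a BPF array map. Membership is one bounds-checked load instead of a chain of comparisons, and the live update at the end models what an external tool does to a pinned map. The frames are constructed; the rule that untagged frames pass is this example's assumption, not something the talk states.

```c
/* Added example, not Suricata's filter.c/vlan_filter.c and not eBPF: a userspace model
 * of an AF_PACKET eBPF filter that drops IPv6 and accepts only a set of VLANs. The VLAN
 * set is a 4096-entry array indexed by VLAN id, standing in for a BPF array map. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP      0x0800
#define ETH_P_IPV6    0x86dd
#define ETH_P_8021Q   0x8100
#define ETH_P_8021AD  0x88a8
#define VLAN_MAP_SIZE 4096

enum verdict { VERDICT_DROP, VERDICT_PASS };   /* a socket filter returns 0 to drop, nonzero to keep */

struct vlan_map { uint8_t accept[VLAN_MAP_SIZE]; };   /* stand-in for a BPF array map; 1 = accepted */
struct demo_result { int passed, dropped, short_frame_dropped, passes_after_map_update; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Ethernet header plus up to two stacked 802.1Q/802.1ad tags. Every load is preceded by
 * a length check, as the BPF verifier insists on for the in-kernel version. Returns the
 * inner ethertype (0 if the frame is too short); *vlan is the outer id, 0 if untagged. */
static uint16_t parse_ethernet(const uint8_t *data, size_t len, uint16_t *vlan)
{
    size_t off = 12;
    *vlan = 0;
    if (len < off + 2) return 0;
    uint16_t type = be16(data + off);
    off += 2;
    for (int tags = 0; tags < 2 && (type == ETH_P_8021Q || type == ETH_P_8021AD); tags++) {
        if (len < off + 4) return 0;
        if (tags == 0) *vlan = be16(data + off) & 0x0fff;      /* the outer tag selects the VLAN */
        type = be16(data + off + 2);
        off += 4;
    }
    return type;
}

/* The filter's verdict: drop IPv6 (filter.c behaviour), drop tagged frames whose VLAN is
 * not in the map (vlan_filter.c behaviour), drop unparsable frames, pass everything else.
 * Untagged frames pass: this example's choice, not something the talk states. */
static enum verdict filter_frame(const struct vlan_map *m, const uint8_t *data, size_t len)
{
    uint16_t vlan, type = parse_ethernet(data, len, &vlan);
    if (type == 0 || type == ETH_P_IPV6) return VERDICT_DROP;
    if (vlan && !m->accept[vlan]) return VERDICT_DROP;         /* vlan < 4096: 12-bit mask above */
    return VERDICT_PASS;
}

/* Userspace side: the update an external tool makes on a pinned map; it takes effect on
 * the next packet without reloading the filter. */
static void vlan_map_set(struct vlan_map *m, uint16_t vlan, int accepted)
{
    if (vlan < VLAN_MAP_SIZE) m->accept[vlan] = accepted ? 1 : 0;
}

/* Constructed frame: placeholder MACs, optional outer (and inner) tag, ethertype, 46 zero bytes. */
static size_t build_frame(uint8_t *buf, uint16_t outer_tpid, uint16_t outer_vlan, uint16_t inner_vlan, uint16_t type)
{
    size_t off = 12;
    memset(buf, 0x02, 12);
    if (outer_vlan) { put16(buf + off, outer_tpid); put16(buf + off + 2, outer_vlan); off += 4; }
    if (outer_vlan && inner_vlan) { put16(buf + off, ETH_P_8021Q); put16(buf + off + 2, inner_vlan); off += 4; }
    put16(buf + off, type);
    off += 2;
    memset(buf + off, 0, 46);
    return off + 46;
}

/* Constructed traffic mix: VLANs 100 and 200 are accepted, 300 is not, then 300 is added live. */
static struct demo_result run_demo(void)
{
    static const struct { uint16_t tpid, outer, inner, type; } frames[] = {
        { ETH_P_8021Q,  100, 0, ETH_P_IP },     /* accepted VLAN, IPv4: pass */
        { ETH_P_8021Q,  300, 0, ETH_P_IP },     /* VLAN not in map: drop */
        { ETH_P_8021Q,  100, 0, ETH_P_IPV6 },   /* accepted VLAN but IPv6: drop */
        { 0,            0,   0, ETH_P_IP },     /* untagged IPv4: pass */
        { ETH_P_8021AD, 200, 7, ETH_P_IP },     /* QinQ, outer VLAN 200 accepted: pass */
        { 0,            0,   0, ETH_P_IPV6 },   /* untagged IPv6: drop */
    };
    struct vlan_map m;
    struct demo_result r = { 0, 0, 0, 0 };
    uint8_t f[80];
    size_t n;
    memset(&m, 0, sizeof m);
    vlan_map_set(&m, 100, 1);
    vlan_map_set(&m, 200, 1);
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        n = build_frame(f, frames[i].tpid, frames[i].outer, frames[i].inner, frames[i].type);
        if (filter_frame(&m, f, n) == VERDICT_PASS) r.passed++; else r.dropped++;
    }
    n = build_frame(f, ETH_P_8021Q, 300, 0, ETH_P_IP);
    r.short_frame_dropped = filter_frame(&m, f, 15) == VERDICT_DROP;   /* frame cut inside the tag */
    vlan_map_set(&m, 300, 1);                                           /* live map update */
    r.passes_after_map_update = filter_frame(&m, f, n) == VERDICT_PASS;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("passed %d, dropped %d; truncated frame dropped: %d; VLAN 300 passes after map update: %d\n",
           r.passed, r.dropped, r.short_frame_dropped, r.passes_after_map_update);
    return 0;
}
```

The in-kernel version differs in mechanics, not logic: the array becomes a BPF map looked up with bpf_map_lookup_elem(), the length checks compare against the packet end pointer, and the update is done on the pinned map from userspace, which is exactly what lets the filter change without being reloaded.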
Pinned maps

Expose maps to the system
  Read and update the map from external tools
  Update the BPF filter dynamically

Demo
  On the wings of Murphy

Murphy will decide if I need to pass this slide fast
Load balancing

Custom load balancer
  The eBPF program returns an integer
  The reading socket is determined by taking it modulo the number of sockets

Available example filter
  lb.c: IP pair load balancing
Bypass

eBPF bypass
  A Suricata-specialised filter
  Flow tables for IPv4 and IPv6
  The bypass function adds an entry to the flow table

Flow handling
  A dedicated thread in Suricata
  Dumps the table and handles cleanup of stale entries
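The bypass table and the load balancer from the two slides above, as an added example in plain C (not Suricata's eBPF bypass program or lb.c): a direction-independent hash, an open-addressing table standing in for the BPF hash map, insertion of both directions of a flow at bypass time, a per-packet verdict, and the modulo-socket decision of the balancer with a spread check. The flow keys and the packet sequence are constructed.

```c
/* Added example, not Suricata's eBPF bypass filter or lb.c: a userspace model of the
 * bypassed-flow table an eBPF/XDP filter consults and of an lb.c-style load balancer.
 * The BPF hash map is replaced by a small open-addressing table so it runs anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 64            /* power of two; a real map is sized for thousands of flows */
#define PROTO_TCP  6

enum verdict { VERDICT_DROP, VERDICT_PASS };     /* models XDP_DROP / XDP_PASS */

/* IPv4 5-tuple key; pad is kept zero so keys compare with memcmp(), like a BPF map key. */
struct flow_key   { uint32_t src, dst; uint16_t sport, dport; uint8_t proto, pad[3]; };
struct flow_entry { struct flow_key key; int used; uint64_t packets; };
struct flow_table { struct flow_entry slots[TABLE_SIZE]; };
struct demo_stats { int passed, dropped, same_socket_both_dirs, min_socket_load; uint64_t bypassed_pkts; };

static struct flow_key make_key(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint8_t proto)
{
    struct flow_key k;
    memset(&k, 0, sizeof k);
    k.src = src; k.dst = dst; k.sport = sport; k.dport = dport; k.proto = proto;
    return k;
}
static struct flow_key reverse_key(const struct flow_key *k) { return make_key(k->dst, k->src, k->dport, k->sport, k->proto); }

/* 32-bit finalizer: multiplies and xor-shifts so every input bit reaches the low bits that % uses. */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352du; x ^= x >> 15; x *= 0x846ca68bu; x ^= x >> 16;
    return x;
}

/* Direction-independent hash: A->B and B->A hash alike, so a balancer built on it keeps a
 * whole TCP session on one Suricata worker (the symmetric property NIC RSS often lacks).
 * Address and port pairs are sorted before mixing rather than XORed, so distinct pairs spread. */
static uint32_t symmetric_hash(const struct flow_key *k)
{
    uint32_t lo = k->src < k->dst ? k->src : k->dst, hi = k->src < k->dst ? k->dst : k->src;
    uint16_t plo = k->sport < k->dport ? k->sport : k->dport, phi = k->sport < k->dport ? k->dport : k->sport;
    uint32_t h = mix32(lo);
    h = mix32(h ^ hi);
    h = mix32(h ^ ((uint32_t)plo << 16 | phi));
    return mix32(h ^ k->proto);
}

/* lb.c-style decision: the integer the program returns, modulo the socket count, picks the reader. */
static unsigned lb_socket(const struct flow_key *k, unsigned nsockets) { return symmetric_hash(k) % nsockets; }

/* Lookup, optionally inserting; stands in for bpf_map_lookup_elem()/bpf_map_update_elem(). */
static struct flow_entry *table_find(struct flow_table *t, const struct flow_key *k, int create)
{
    uint32_t i = symmetric_hash(k) & (TABLE_SIZE - 1);
    for (unsigned n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        struct flow_entry *e = &t->slots[i];
        if (!e->used) {
            if (!create) return NULL;
            e->used = 1; e->key = *k; e->packets = 0;
            return e;
        }
        if (memcmp(&e->key, k, sizeof *k) == 0) return e;
    }
    return NULL;                                 /* table full: the flow stays with Suricata */
}

/* What the bypass callback does: insert both directions, so the reply path is dropped too. */
static int bypass_flow(struct flow_table *t, const struct flow_key *k)
{
    struct flow_key rev = reverse_key(k);
    return (table_find(t, k, 1) && table_find(t, &rev, 1)) ? 0 : -1;
}

/* Per-packet verdict of the bypass filter: known flow -> count and drop, else pass to Suricata. */
static enum verdict filter_packet(struct flow_table *t, const struct flow_key *k)
{
    struct flow_entry *e = table_find(t, k, 0);
    if (!e) return VERDICT_PASS;
    e->packets++;                                /* the housekeeping thread reads these counters */
    return VERDICT_DROP;
}

/* Spread check for the balancer: nflows constructed flows onto nsockets, least-loaded socket's count. */
static int lb_min_load(unsigned nsockets, unsigned nflows)
{
    int load[64] = { 0 }, min;
    if (nsockets == 0 || nsockets > 64) return -1;
    for (unsigned i = 0; i < nflows; i++) {
        struct flow_key k = make_key(0x0a000000u + i, 0xc0a80001u, (uint16_t)(1024 + (i * 7919u) % 50000u), 443, PROTO_TCP);
        load[lb_socket(&k, nsockets)]++;
    }
    min = load[0];
    for (unsigned i = 1; i < nsockets; i++) if (load[i] < min) min = load[i];
    return min;
}

/* Constructed scenario: Suricata inspects the start of a TCP session, then bypasses it;
 * from then on the filter drops both directions without ever waking Suricata. */
static struct demo_stats run_demo(void)
{
    static struct flow_table table;
    struct demo_stats s = { 0, 0, 0, 0, 0 };
    struct flow_key c2s = make_key(0xc0a80105u, 0xcb007101u, 40000, 443, PROTO_TCP);   /* 192.168.1.5 -> 203.0.113.1 */
    struct flow_key s2c = reverse_key(&c2s);
    struct flow_key other = make_key(0xc0a80106u, 0xcb007101u, 40001, 443, PROTO_TCP);
    const struct flow_key *seq[] = { &c2s, &s2c, &c2s, NULL, &c2s, &s2c, &c2s, &other };  /* NULL = bypass decision */
    memset(&table, 0, sizeof table);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        if (!seq[i]) { bypass_flow(&table, &c2s); continue; }   /* stream depth reached: offload the flow */
        if (filter_packet(&table, seq[i]) == VERDICT_PASS) s.passed++; else s.dropped++;
    }
    s.bypassed_pkts = table_find(&table, &c2s, 0)->packets + table_find(&table, &s2c, 0)->packets;
    s.same_socket_both_dirs = lb_socket(&c2s, 8) == lb_socket(&s2c, 8);
    s.min_socket_load = lb_min_load(8, 4096);
    return s;
}

int main(void)
{
    struct demo_stats s = run_demo();
    printf("passed %d, dropped %d (%llu via the flow table); same socket both ways: %d; least-loaded of 8 sockets: %d\n",
           s.passed, s.dropped, (unsigned long long)s.bypassed_pkts, s.same_socket_both_dirs, s.min_socket_load);
    return 0;
}
```

Two details carry over to the real thing. The packet counter per entry is what lets a housekeeping thread tell an idle bypassed flow from a live one and expire it, which matters because a table that only grows eventually refuses new entries and those flows fall back onto Suricata. And the symmetric hash is the whole reason a custom balancer beats NIC RSS for an IDS: reassembly needs both halves of a session on the same worker.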
eXpress Data Path

Reaching bare-metal performance
  An answer to high-performance needs: DDoS mitigation, custom protocol implementations
  Run userspace-style code when the Linux network stack does too much

Motivation
  Avoid the cost of skb creation
  "Kill" DPDK: a universal solution with in-kernel APIs
  Avoid non-Linux applications running on Linux
A recent Linux kernel feature

Run eBPF code as early as possible
  In the driver
  On the card
  Before the regular kernel path

Act on the data
  Drop the packet (XDP_DROP, "eXtreme Drop Performance")
  Transmit it to the kernel
  Rewrite the packet and transmit it to the kernel
  Redirect it to another interface
  CPU load balancing
Implementation in Suricata

Similar to the eBPF filter
  Same logic for bypass
  Only the verdict logic differs

But with annoying differences
  The eBPF code has to do the packet parsing itself (there is no skb yet)
  It needs to be bound to an interface
IPS and bypass

What about bypass in IPS mode?
  XDP_DROP really drops
  Bypassing would therefore mean dropping the flow

To light speed and beyond
  XDP_REDIRECT sends the packet to the TX queue of the other NIC
  Direct transmit from hardware to hardware
CPU redirect

Non-symmetric RSS
  Non-symmetric hash function: both directions of a flow must reach the same worker for stream reassembly, and a hash that treats A->B and B->A differently breaks that
  Low-entropy keys are not always supported
  Fallback: RSS=1 and burn one CPU

CPU redirect to the rescue
  Load balance in the XDP eBPF code
  skb creation is then done on all CPUs
Stripping tunnels

Big tunnels
  A tunnel can be an elephant flow
  The tunneled flows inside it may not be elephants
  Processing and load balancing on the inner flows can save the day

Strip the tunnel header
  Decode the tunnel header
  Find the offset of the inner packet
  Move the packet start pointer to it
Complete hardware offload

Joint work with the Netronome team
  Almost there
  Tests to start soon
AF_XDP

New capture method
  Get packets at the XDP stage
  Fully skip the Linux network stack

New architecture
  Shared memory
  User and kernel rings
Conclusion

Suricata, eBPF and XDP
  Available in Suricata 4.1, requires Linux 4.16
  Network card bypass for Netronome is coming
  AF_XDP capture is now in vanilla Linux

More information
  SEPTun Mark II: https://github.com/pevma/SEPTun-Mark-II/
  Suricata documentation: http://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html
Questions?

Thanks to
  Jesper Dangaard Brouer
  Alexei Starovoitov
  Daniel Borkmann

Contact: [email protected], @regiteric