4 more talks accepted by the illustrious PC!
1) Nabil Bitar and Jamal Hadi Salim introduce Policy Tables (Ptables), an Access Control List (ACL) infrastructure inspired by the trio of IPtables, IPSet and Conntrack. The IPtables trio is very widely deployed and well understood from a management perspective but has ongoing performance challenges[1]. Ptables keeps the IPtables management semantics while overcoming the IPtables performance challenges. Ptables is implemented using eBPF at the TC and XDP levels; however, it is intended to use whatever kernel mechanisms are available to meet the desired goals. Alternative proposals take an _evolutionary_ approach by keeping IPtables ABI compatibility (either by adding kernel or libiptc transform layers); they have so far failed to see wide adoption. The authors instead take a _revolutionary_ approach by ignoring the ABI altogether and focusing on the semantic equivalence presented to the IPtables crafts-person. Ptables does not strive to be a full replacement for IPtables; instead, it takes a minimalist approach, covering the most common use cases while leaving room to innovate on new ideas.
In this talk the authors will discuss the architecture and the design choices taken, as well as the implementation challenges faced in fitting the design onto eBPF. They will also discuss future plans.
2) Ping and Traceroute have served us well over the years; however, they have been overtaken by events in the networking world and do have shortcomings. Ron Bonica discusses revamping these tools.
Ron describes the improvements over ping in the new PROBE diagnostic tool specified in IETF RFC 8335. He also discusses the ICMP extensions specified in IETF RFC 5837 that enhance traceroute with interface and next-hop identification.
Ron will further discuss the contributions that have been made to the Linux kernel and to user space tooling to enable both of these extensions, and will describe the tooling details and the contributions involved.
3) Qizhe Cai, Shubham Chaudhary, Midhul Vuppalapati, Jaehyun Hwang and Rachit Agarwal have spent a year analyzing Linux network stack performance issues in a data centre environment.
While a lot of prior performance evaluations are centred around short-lived TCP flows, studies show that data centre flows mostly tend to be long-lived. This changes the reality of where the bottlenecks are. For example, the authors found that the dominant bottleneck is in fact the kernel<->user data copies, rather than the TCP processing that rears its head when the focus is on short flows. The study also looks at, amongst other things, the effect of ever-increasing data centre wire speeds (and the resulting bandwidth-delay products) on modern CPU cache sizes, and calls for new mechanisms for network-aware CPU scheduling.
The authors will make recommendations and discuss challenges met.
4) Maxim Mikityanskiy describes how to accelerate synproxy with XDP. SYN cookies are a popular stateless DoS mitigation mechanism: instead of keeping state for each half-open connection, the server chooses the initial sequence number it sends in the SYN-ACK as the result of a keyed cryptographic hash over parameters that are cheap to recompute (the addresses and ports, a coarse timestamp and the client's MSS), and validates the client's final ACK by recomputing that hash. Though effective, in Linux this check requires traversing the network stack all the way to the socket layer. The extra compute cycles limit the rate at which SYN cookies can be issued and checked. Maxim describes using eBPF at the XDP level to check SYN cookies without binding to a socket. The effort includes adding new eBPF helpers to aid this work.
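To make the stateless check concrete, here is an added example (not code from Maxim's talk, from the XDP helpers or from the kernel) of the cookie arithmetic such a check performs, written in C after the layout used by the kernel's net/ipv4/syncookies.c: an 8-bit coarse time count plus a 24-bit field holding a keyed SipHash over the 4-tuple and an MSS-table index, with the client's ISN folded in. The secret, the MSS table size, the 4-tuple and the sequence numbers are constructed for the example; the SipHash-2-4 core is the published algorithm and is self-tested against its reference vector.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SipHash-2-4 (Aumasson & Bernstein). Message words are read host-endian, which is fine
 * here because the same host both issues and checks the cookie. */
static uint64_t rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }

#define SIPROUND do {                                                 \
    v0 += v1; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32);   \
    v2 += v3; v3 = rotl64(v3, 16); v3 ^= v2;                         \
    v0 += v3; v3 = rotl64(v3, 21); v3 ^= v0;                         \
    v2 += v1; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32);   \
} while (0)

uint64_t siphash24(const uint8_t *in, size_t len, const uint64_t k[2])
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ k[0], v1 = 0x646f72616e646f6dULL ^ k[1];
    uint64_t v2 = 0x6c7967656e657261ULL ^ k[0], v3 = 0x7465646279746573ULL ^ k[1];
    uint64_t m, last = (uint64_t)len << 56;   /* final word carries len in its top byte */
    size_t i, j;

    for (i = 0; i + 8 <= len; i += 8) {
        memcpy(&m, in + i, 8);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (j = 0; i + j < len; j++)
        last |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Reference vector from the SipHash paper: key 00..0f, message 00..0e -> a129ca6149be45e5. */
int siphash24_selftest(void)
{
    uint8_t msg[15];
    uint64_t key[2] = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL };
    for (int i = 0; i < 15; i++)
        msg[i] = (uint8_t)i;
    return siphash24(msg, sizeof msg, key) == 0xa129ca6149be45e5ULL;
}

/* Cookie layout: 8 bits of coarse time count, 24 bits of (hash + MSS index). */
#define COOKIEBITS 24
#define COOKIEMASK ((1u << COOKIEBITS) - 1)
#define MAX_SYNCOOKIE_AGE 2          /* accept this tick and the previous one */

static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };   /* MSS values a cookie can encode */

/* Constructed secret for the example; a real implementation draws it from the CSPRNG at boot. */
static const uint64_t secret[2][2] = {
    { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL },
    { 0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL },
};

static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
                            uint16_t dport, uint32_t count, int c)
{
    uint32_t in[4] = { saddr, daddr, ((uint32_t)sport << 16) | dport, count };
    return (uint32_t)siphash24((const uint8_t *)in, sizeof in, secret[c]);
}

/* On the SYN: choose the ISN for the SYN-ACK. sseq is the client's ISN, count the coarse
 * clock, mss the client's advertised MSS. Nothing is stored for this connection. */
uint32_t syn_cookie_make(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                         uint32_t sseq, uint32_t count, uint16_t mss)
{
    uint32_t mssind = 0, i;
    for (i = 1; i < sizeof msstab / sizeof msstab[0]; i++)   /* largest entry <= mss */
        if (mss >= msstab[i])
            mssind = i;
    return cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq + (count << COOKIEBITS) +
           ((cookie_hash(saddr, daddr, sport, dport, count, 1) + mssind) & COOKIEMASK);
}

/* On the final ACK, the check an XDP program can run on the raw packet with only the secret
 * and the clock: seq/ack_seq are the ACK's header fields. Returns the MSS encoded in the
 * cookie, or 0 when the packet should be dropped. */
uint16_t syn_cookie_check(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                          uint32_t seq, uint32_t ack_seq, uint32_t count)
{
    uint32_t cookie = ack_seq - 1;   /* the ACK acknowledges our ISN + 1 */
    uint32_t sseq = seq - 1;         /* and carries the client's ISN + 1 */
    uint32_t diff, mssind;

    cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;
    diff = (count - (cookie >> COOKIEBITS)) & (0xffffffffu >> COOKIEBITS);
    if (diff >= MAX_SYNCOOKIE_AGE)   /* expired, or the time byte was forged */
        return 0;
    mssind = (cookie - cookie_hash(saddr, daddr, sport, dport, count - diff, 1)) & COOKIEMASK;
    return mssind < sizeof msstab / sizeof msstab[0] ? msstab[mssind] : 0;
}

int main(void)
{
    /* Constructed 4-tuple, client ISN and clock standing in for a captured SYN. */
    uint32_t sa = 0x0a000001, da = 0x0a000002, sseq = 0x11223344, now = 1234;
    uint16_t sp = 40000, dp = 443;
    uint32_t isn = syn_cookie_make(sa, da, sp, dp, sseq, now, 1460);

    printf("siphash selftest: %s\n", siphash24_selftest() ? "ok" : "FAIL");
    printf("cookie ISN %08x; genuine ACK -> mss %u; 2 ticks later -> %u; forged ack -> %u\n", isn,
           syn_cookie_check(sa, da, sp, dp, sseq + 1, isn + 1, now),
           syn_cookie_check(sa, da, sp, dp, sseq + 1, isn + 1, now + 2),
           syn_cookie_check(sa, da, sp, dp, sseq + 1, isn + 2, now));
    return 0;
}
```

The point of the layout is that everything needed to validate the ACK is either in the packet itself or is global (the secret and the coarse clock), which is exactly why the check can move to XDP: it does not need a socket lookup, only the arithmetic above. The time byte bounds how long a cookie stays valid, and a forged cookie fails because the recovered MSS index falls outside the table.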
[1] https://netdevconf.info/0x15/session.html?talk-linux-ACL-performance-analysi...
cheers, jamal