research-article

Fast In-kernel Traffic Sketching in eBPF

Published: 20 April 2023

Abstract

The extended Berkeley Packet Filter (eBPF) is an infrastructure that allows micro-programs to be dynamically loaded and run directly in the Linux kernel without recompiling it.

In this work, we study how to develop high-performance network measurements in eBPF. We take sketches as a case study, given their ability to support a wide range of tasks while providing a low memory footprint and accuracy guarantees. We implemented NitroSketch, the state-of-the-art sketch for user-space networking, and show that best practices in user-space networking cannot be directly applied to eBPF because of its different performance characteristics. By applying the lessons we learned, we improve its performance by 40% compared to a naive implementation.



Published in

ACM SIGCOMM Computer Communication Review, Volume 53, Issue 1, January 2023, 70 pages
ISSN: 0146-4833
DOI: 10.1145/3594255
Editor: Steve Uhlig

Copyright © 2023 Copyright is held by the owner/author(s)

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States
