filmov
tv
LPC2018 - Combining kTLS and BPF for Introspection and Policy Enforcement
Показать описание
speaker: Daniel Borkmann (Cilium), John Fastabend (Cilium)
This talk is divided into two parts, first we present on kTLS, the current kernel's
sockmap BPF architecture for L7 policy enforcement, as well as the kernel's ULP and
strparser framework which is utilized by both in order to hook into socket callbacks
and determine message boundaries for subsequent processing.
We further elaborate on the challenges we face when trying to combine kTLS with the
power of BPF for the eventual goal of allowing in-kernel introspection and policy
enforcement of application data before encryption. Besides others, this includes a
discussion on various approaches to address the shortcomings of the current ULP layer,
optimizations for strparser, and the consolidation of scatter/gather processing for
kTLS and sockmap as well as future work on top of that.
This talk is divided into two parts, first we present on kTLS, the current kernel's
sockmap BPF architecture for L7 policy enforcement, as well as the kernel's ULP and
strparser framework which is utilized by both in order to hook into socket callbacks
and determine message boundaries for subsequent processing.
We further elaborate on the challenges we face when trying to combine kTLS with the
power of BPF for the eventual goal of allowing in-kernel introspection and policy
enforcement of application data before encryption. Besides others, this includes a
discussion on various approaches to address the shortcomings of the current ULP layer,
optimizations for strparser, and the consolidation of scatter/gather processing for
kTLS and sockmap as well as future work on top of that.
0:40:42
0:30:08
0:30:36
0:37:03
0:23:18
0:40:07
0:52:36
0:39:59
1:03:58
0:40:59
0:22:19
0:24:06
0:26:54
0:48:35
0:32:35
0:08:06
0:01:48
0:20:18
0:20:06
0:18:31
0:41:08
0:57:38
1:32:08
0:02:49