Programmable packet processing is increasingly implemented using kernel bypass techniques, where a userspace application takes complete control of the networking hardware to avoid expensive context switches between kernel and userspace. However, as the operating system is bypassed, so are its application isolation and security mechanisms; and well-tested configuration, deployment and management tools cease to function.
To overcome this limitation, we present the design of a novel approach to programmable packet processing, called the eXpress Data Path (XDP). In XDP, the operating system kernel itself provides a safe execution environment for custom packet processing applications, executed in device driver context. XDP is part of the mainline Linux kernel and provides a fully integrated solution working in concert with the kernel’s networking stack. Applications are written in higher level languages such as C and compiled into custom byte code which the kernel statically analyses for safety, and translates into native instructions.
We show that XDP achieves single-core packet processing performance as high as 24 million packets per second, and illustrate the flexibility of the programming model through three example use cases: layer-3 routing, inline DDoS protection and layer-4 load balancing.
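To make the programming model concrete, the following is an added example and not code from the paper: a plain C model of an XDP program for the inline DDoS-protection use case, dropping IPv4 packets from one blocklisted source and passing everything else. The action codes, header layouts and the blocklisted address are constructed for this example; the explicit bounds checks against data_end before each header access are the pattern the kernel's static verifier requires of a real XDP program.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* XDP action codes, numerically as in the Linux UAPI (linux/bpf.h). */
enum xdp_action { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };
#define ETH_P_IP 0x0800
struct ethhdr { uint8_t h_dest[6], h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
/* Constructed blocklist of one source (stand-in for a BPF map lookup): 203.0.113.7, host order. */
static const uint32_t BLOCKED_SADDR = 0xCB00710Fu;

/* The "program": drop IPv4 packets from the blocked source, pass everything else.
 * Every dereference is guarded by a comparison against data_end; the kernel's
 * static verifier rejects a real XDP program that omits such a check. */
int xdp_drop_blocked(const void *data, const void *data_end)
{
    const struct ethhdr *eth = data;
    if ((const char *)(eth + 1) > (const char *)data_end)
        return XDP_DROP;                         /* truncated Ethernet header */
    if (ntohs(eth->h_proto) != ETH_P_IP)
        return XDP_PASS;                         /* not IPv4: hand it to the stack */
    const struct iphdr *ip = (const struct iphdr *)(eth + 1);
    if ((const char *)(ip + 1) > (const char *)data_end)
        return XDP_DROP;                         /* truncated IPv4 header */
    if ((ip->ihl_version >> 4) != 4)
        return XDP_DROP;                         /* ethertype says IPv4 but header does not */
    return ntohl(ip->saddr) == BLOCKED_SADDR ? XDP_DROP : XDP_PASS;
}

/* Builds a constructed Ethernet + IPv4 frame (no payload) into buf; returns its length. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint32_t saddr_host)
{
    struct ethhdr eth = { .h_proto = htons(ethertype) };
    struct iphdr ip = { .ihl_version = 0x45, .tot_len = htons(sizeof ip), .ttl = 64,
                        .protocol = 17, .saddr = htonl(saddr_host), .daddr = htonl(0xC0A80001u) };
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    return sizeof eth + sizeof ip;
}
/* Builds a frame, optionally truncates it to `len` bytes (0 = whole frame), and runs
 * the program over [buf, buf + len) exactly as the driver would hand it over. */
int verdict_for(uint16_t ethertype, uint32_t saddr_host, size_t len)
{
    uint8_t buf[64];
    size_t n = build_frame(buf, ethertype, saddr_host);
    if (len && len < n) n = len;
    return xdp_drop_blocked(buf, buf + n);
}
```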
Toke Høiland-Jørgensen (Karlstad University / Red Hat)
Jesper Dangaard Brouer (Red Hat)
Daniel Borkmann (Cilium.io)
John Fastabend (Cilium.io)
Tom Herbert (Quantonium Inc.)
David Ahern (Cumulus Networks)
David Miller (Red Hat)
Published in: ACM CoNEXT ’18, Heraklion, Greece, December 04 – 07, 2018 (open access)