Overview
Explore seamless transparent encryption in dynamic environments using BPF and Cilium in this Linux Plumbers Conference talk. Dive into the challenges of providing encryption in Kubernetes-like environments and learn how Cilium leverages BPF and Linux encryption capabilities to offer L3/L7 encryption and authentication at node and service layers. Discover how to apply encryption to entire nodes or specific services with simple configuration flags. Gain insights into Cilium's management of encrypted traffic and its monitoring interface for compliance auditing. Examine the Linux datapath and control plane implementation, and understand how Cilium integrates with evolving encryption standards like IPsec, mTLS, SPIFFE, and Istio. Explore proposed Linux kernel extensions to improve efficiency and ease adoption of these protocols, including BPF helpers, hardware support, and scaling solutions. Witness a live demo of Cilium implementing transparent encryption and engage in a discussion covering various aspects such as IPSec modes, key management, and future developments in BPF technology.
Syllabus
Intro
Agenda
What is transparent
Why is this interesting
Brief overview
IPSec modes
Packets
State
BPF
IP Priority
Keys
SPiffy
Cilium Agent
BPF Program
Subnet Mode
KTLS
Cilium Envoy
Pain Points
L7 Pain Points
Key Management
BPF Progress
Questions
Taught by
Linux Plumbers Conference