Talks

Talk: "Deterministic network emulation using KauNetEm" (Per Hurtig & Johan Garcia)

Description:

The netem qdisc has, for a long time, been the basic building block for network emulation in Linux. While netem supports many emulation effects, there is still room for improvement. KauNetEm is an extension to netem that provides per-packet, or per-millisecond, control over emulation effects. This results in a high level of control and repeatability, which can be useful in a variety of performance evaluation and protocol implementation verification scenarios. To control which effects to apply, and when to apply them, KauNetEm makes use of emulation patterns.

Talk: "Suricata IDPS and its interaction with Linux kernel" (Eric Leblond & Giuseppe Longo)

Description:

Suricata is an open source network intrusion detection and prevention system. It analyzes the traffic content against a set of signatures to discover known attacks and also logs protocol information.

One particularity of IDS systems is that they need to analyze the traffic as it is seen by the target. For example, TCP stream reconstruction has to be done the same way it is done on the target operating systems, and for this reason the IDS can't rely on its host operating system to do it.

Talk: "The CLASShoFIREs: who's got your back?" (Jamal Hadi Salim, Lucas Bates)

Description:

In this paper we are going to do a performance comparison between two new tc packet classification approaches added to the kernel recently, eBPF and flower, in comparison with the old lady, u32. The talk is going to briefly discuss their differing philosophical approaches to solving the packet classification problem and then focus on their respective compute overheads from a black-box perspective in a methodical way.

Different data path insertion points will be analyzed from a throughput perspective in conjunction with control plane overhead.

Talk: "MACsec: encryption for the wired LAN" (Sabrina Dubroca)

Description:

MACsec, or IEEE 802.1AE, is an encryption standard for wired LANs. It can also secure VLANs, protect DHCP traffic, and prevent tampering with Ethernet headers, on real devices or over VXLAN. It can be used on its own, or rely on 802.1X for authentication and key distribution via the MACsec Key Agreement (MKA) extension.

In a cloud setting, MACsec over VXLAN could allow encryption to be performed by the tenants themselves instead of relying on the provider's hypervisor.

Talk: "Bridge filtering with nftables" (Florian Westphal)

Description:

The current Linux bridge/ebtables architecture has several shortcomings. In the past those were worked around by adding 'header stripping' features to the bridge netfilter core or by invoking ip(6)tables hooks directly from the bridge layer.

Nftables, a framework to replace and unify the various packet filtering tools in the Linux kernel, offers an opportunity to provide a more flexible approach to handling bridge filtering needs.

Talk: "IPv6 route lookup performance and scaling" (Michal Kubeček)

Description:

Some of our customers have been observing IPv6 performance problems on their high load routers; these could be tracked down to IPv6 route lookup and its scaling to a higher number of CPUs.

Talk: "Measuring wifi performance across all Google Fiber customers" (Avery Pennarun)

Description:

In the last year, Google Fiber has added lots of interesting (and open source) self-analysis features to our fleet of wifi access points in customers' homes in Kansas City, Provo, and Austin. In the background we collect data like transfer speeds, signal strength, device capabilities, background interference, and so on. We also have a "device taxonomy" that allows us to break down the data by device types such as tablets, iPhones, Windows PCs, Chromecasts, etc. Avery will show lots of surprising and unsurprising charts and show how they

Talk: "Load balancing with nftables" (Laura Garcia)

Description:

IPVS allows very easy deployment of Linux-based load-balancers. Probably less well-known is the fact that you can also use iptables rules using the existing matches and targets to implement many of the core load-balancing features such as different scheduling approaches and dispatching methods, flow persistency, etc.

Talk: "Networking in your pocket: how the Linux networking stack is made to work on Android devices" (Lorenzo Colitti, Erik Kline)

Description:

The Linux networking stack is regularly used by over a billion mobile devices such as phones, tablets, and watches. The networking problems faced by these devices are very different from non-mobile hosts such as workstations, servers and routers.

Talk: "Kernel-level GTP (Generic Tunneling Protocol) implementation" (Harald Welte & Andreas Schultz)

Description:

When users access the Internet via cellular networks from their mobile devices, all this traffic is encapsulated and tunneled through a variety of cellular-network specific protocol layers. Many of those protocol implementations run on proprietary special-purpose hardware and software.

One protocol has been in use between certain network elements ever since the advent of GPRS services. This protocol remained in use with EDGE, UMTS and HSPA, and is even still in use in LTE: the GPRS Tunneling Protocol (GTP).
