Tigera Embraces eBPF to Advance Container Networking

Tigera today announced it is adding support within the open source Calico network software project for the extended Berkeley Packet Filter (eBPF) additions to the Linux kernel.

eBPF is intended to provide higher layers of isolation without compromising performance. Tigera CEO Ratan Tipineni says that while adoption of eBPF is still very early days, there are specific use cases in which the ability to run a virtual machine at the kernel level using eBPF will benefit containerized applications significantly.

For example, Tipineni says eBPF will make it more efficient to deploy containers as sidecars within a Linux environment because each container now can be more easily isolated. Tigera will make use of eBPF to improve the networking throughput of the Istio service mesh framework by running the Envoy proxy server software, which Istio depends on, in a virtual machine running inside the Linux kernel.

Tigera also expects the isolation enabled by eBPF to play a role in defending containerized applications from distributed denial of service (DDoS) attacks that are all but inevitable at this point, adds Tipineni.

Tipineni says support for eBPF in version 3.8 of Calico further highlights the flexibility of a network control plane that can support multiple data planes. Calico already supports both the standard Linux kernel data plane as well as Windows Host Networking Service.

Calico has been adopted by each of the major cloud service providers to provide the control plane through which they surface networking services to customers. Tigera claims Calico is already running on more than 100,000 clusters worldwide.

The challenge organizations inevitably will face is that most of them will find it necessary to support multiple data planes in a world of heterogeneous computing environments. The approach to networking enabled by Calico makes it easier to create virtual networks without having to rely on a specific controller. Calico makes use of IP routing to set up those virtual networks on each host rather than requiring IT organizations to deploy a network virtualization overlay or implement a software-defined network based on a proprietary controller.

As Calico continues to gain momentum in cloud-native computing environments, it’s a matter of time before it is deployed more widely within on-premises IT environments. While many IT organizations are trying to extend their existing on-premises IT networks in the cloud, it’s just as likely that the networks that have been created by cloud service providers will be extended into on-premises environments. In fact, it may prove easier to extend Calico to legacy applications than it is to extend legacy networking architectures to cloud-native applications.

It’s too early to say which of those two approaches will dominate, but besides providing a lighter-weight approach to creating a virtual network that can be implemented by a developer, Calico also comes with the added benefit of being free open source software. The biggest challenge may simply be getting network administrators to recognize there is an alternative approach that doesn’t require everyone to keep track of how many software licenses are being employed by who, when or, for that matter, where.

[“source=containerjournal”]