»Moving the CNI to User Space«
2019-05-19, 14:20–14:50, Sidebar
In this presentation we will explain why and how container networking is moving from the kernel into user space through projects such as the Contiv-VPP CNI plug-in (which leverages the Linux Foundation's fd.io project).
Existing container networking solutions rely on Linux kernel networking (using iptables, eBPF, Open vSwitch, etc.). This constrains both performance and flexibility.
User-space networking offers better performance (especially when combined with vector-based forwarding technologies such as fd.io VPP) and enables new features to be developed and deployed without requiring changes to the Linux kernel.
Contiv-VPP is a CNI plugin for Kubernetes that leverages fd.io VPP and provides a full implementation of Kubernetes network policy and of Kubernetes services (usually implemented by kube-proxy, which programs Linux kernel netfilter rules).
We will provide a detailed description and live demos of Contiv-VPP, and will discuss the challenges we encountered in our implementation.
Finally, we will show how user-space networking enables cloud-native network functions such as firewalls and VPN gateways.