Container Networking with BPF & XDP


Refereed Presentation
Scheduled: Wednesday, November 2, 2016 from 2:00 – 2:45pm in Sweeney F

One Line Summary

Fast in-kernel container networking with security policy enforcement based on BPF programs which are generated on the fly for each container.


This talk demonstrates that programmability and performance do not require user space networking; both can be achieved in the kernel by generating BPF programs and leveraging the existing kernel subsystems. We will demo an early prototype which provides fast IPv6 & IPv4 connectivity to containers, container-label-based security policy with an average cost of O(1), and debugging and monitoring based on the per-CPU perf ring buffer. We encourage a lively discussion on the approach taken and next steps.


Tags: networking, debugging, kernel, containers, bpf, visibility


  • Biography

    Thomas Graf has been a Linux kernel developer for 10 years, working on a variety of networking subsystems. His current focus is on container network and security. He contributes to various open source projects, such as the Linux kernel, Cilium and Open vSwitch. Thomas is currently at Noiro Networks, a Cisco project.
