Efficient flow monitoring for virtualized applications with eBPF
Description
Flow monitoring is widely used to understand the composition of network traffic, which can be used to spot anomalies, attacks, and misconfigurations. While dedicated hardware appliances are commonly used in physical infrastructures, efficient software implementations are today required for virtualized and software-defined systems, which are often designed to run in different environments. Traditionally, efficient packet processing in software requires acceleration frameworks or kernel-bypass mechanisms to reduce the overhead. This approach brings large performance gains, but requires additional kernel modules and the re-implementation of common functions of the standard networking stack.
In ASTRID, we investigated the usage of the extended Berkeley Packet Filter (eBPF) for effective and efficient packet inspection. Our goal is the implementation of a lightweight flow-monitoring tool that provides similar information to existing appliances but with a reduced execution footprint, so that it can be easily integrated into cloud-native applications. The scope is limited to basic flow identification, including the most common fields in the IP, ICMP, TCP, and UDP headers, whereas Deep Packet Inspection (DPI) is currently out of scope.
Files
main.pdf (218.7 kB, md5:40a670b144c966fc40cd58e86bea3f74)