Cloud-Native Transformation with eBPF – EE Times

To build a fully virtualized, end-to-end, cloud-native mobile network, it’s a great idea to make use of the extended version of the Berkeley Packet Filter (eBPF) technology—which makes it possible to monitor and control the network in new ways to deliver a differentiated mobile service experience to customers.

To do this, companies should begin with the OS kernel, which is the process scheduler for the CPU and which manages memory and file access: It connects the CPU with devices and manages system calls, among other tasks. Cloud-native processes that run in the kernel have access to this functionality for better observability, security and networking.

There is a major challenge, though: The kernel has its own stack that can accommodate changes only via an open-source development process to maintain OS stability. This process is thorough but slow. Some have attempted to address this by adding functionality to the kernel via creation of parallel stacks that can be loaded into the kernel—e.g., remote direct memory access and TCP offload engine. Parallel stacks require a full kernel reboot to deploy or update, and they have been known to impact OS stability.

But that is not a good idea for cloud-native infrastructure, on which developers need to safely and reliably deploy software frequently. Also, platform engineering teams must be able to provision, connect, observe and secure scalable, dynamic, available and high-performance environments so that developers can focus on coding high-quality applications and microservices.

Many of the Linux kernel building blocks are decades old, and eBPF is creating the necessary cloud-native abstractions and new building blocks required for dynamically programming the kernel in a safe, performant and scalable way.

eBPF efficiently extends the cloud-native and other capabilities of Rakuten Mobile’s network. This more modular architecture enables us to instrument the kernel behavior and innovate at this layer with cloud-native context—without requiring changes to kernel source code or loading kernel modules.

We have been able to deploy Open RAN coverage across 300,000 cells in Japan, fully virtualized from RAN to core with a 5G system architecture.

Defining eBPF

eBPF is an abstract virtual machine with its own instruction set that runs within the Linux or Windows kernel. It can execute user-defined programs inside a sandbox in the kernel. Those sandbox programs are triggered by events in the kernel, receiving pointers to kernel or user space memory.

eBPF makes it possible for programs to run in Linux and Windows kernels (Windows 10, Windows Server 2016 and later). It lets software developers instrument the kernel without changing the kernel source code. eBPF programs are portable between kernel versions and atomically updateable, which avoids workload disruption and node reboot. They can also be verified at load time in the kernel to prevent crashes and other kernel instabilities.

eBPF provides excellent visibility and policy enforcement control, letting operators observe every program running in user space, something that applications operating in that same space rarely achieve.

This is a boon for cloud-native platforms, introducing several important capabilities to cloud-native environments:

  • Powerful programmability: eBPF makes the kernel programmable at runtime and ensures the safety of the kernel and stability of loaded programs.
  • Excellent visibility and control: Because there is only one kernel on a host, eBPF provides visibility and enforcement control of all programs running in user space and kernel space.
  • Low overhead: eBPF’s low overhead makes it ideal for any cloud-native function (CNF) and production-level cloud-native environments for telco.

Specifically, eBPF programs can be utilized for efficient networking, tracing and data profiling, observability, and security tooling like real-time threat detection and response. These eBPF stack capabilities are shown in Figure 1.

Figure 1: eBPF stack capabilities

The intersection between security and networking leads to “network security” applications. The overlap between security and observability yields real-time threat detection and response applications. Networking and observability, run jointly, deliver network observability applications. Intelligent application sandboxing is the result of security, networking and observability intersection.

Unleashing eBPF in Japan

Rakuten Mobile uses its eBPF platform to create custom code and load eBPF programs into the kernel dynamically, as shown in Figure 2. This makes it possible to estimate energy consumption of CNFs, derive performance counters and gauges of the transport network layer and 5G application and non-access stratum protocols, and detect and respond to unauthorized access to cloud-native resources in real time.

The ability to inspect packets provides highly performant observability tools whose output can be correlated with other data, such as 5G and Kubernetes metadata, giving access to in-depth security forensics from the extracted information. For example, Rakuten Mobile uses eBPF to drop or modify packets based on network policies applied to various hooks in the kernel, to apply security policies based on application-level verbs or specific paths, and to perform encryption.
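As an added example (not Rakuten Mobile's code or anything taken from the article), here is the decision logic of an XDP-style drop filter written as plain, host-compilable C: the data/data_end bounds checks are exactly what the in-kernel verifier demands before it will load a program, and the blocked 10.0.1.0/24 network is a constructed policy. Attaching this to a real kernel hook would additionally need the SEC("xdp") annotation, the struct xdp_md context and a loader such as libbpf, which are omitted here.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Action values match XDP_DROP (1) and XDP_PASS (2) in the kernel's uapi/linux/bpf.h. */
enum { ACT_DROP = 1, ACT_PASS = 2 };
#define ETH_P_IP     0x0800
#define IP_PROTO_TCP 6
struct eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip4_hdr {
    uint8_t  ver_ihl, tos; uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol; uint16_t csum; uint32_t saddr, daddr;
} __attribute__((packed));
/* Constructed policy for this example: drop TCP whose source is in 10.0.1.0/24. */
#define BLOCKED_NET  0x0A000100u
#define BLOCKED_MASK 0xFFFFFF00u

/* data/data_end are the same pair an XDP program reads from struct xdp_md.
 * Every header access is preceded by a bounds check against data_end: the
 * in-kernel verifier refuses to load a program whose reads could run past it. */
int policy_decision(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return ACT_PASS;                  /* truncated frame: leave it to the stack */
    if (ntohs(eth->proto) != ETH_P_IP)
        return ACT_PASS;                  /* not IPv4: policy does not apply */
    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end || (ip->ver_ihl >> 4) != 4)
        return ACT_PASS;
    uint32_t saddr = ntohl(ip->saddr);    /* bpf_ntohl() inside a real eBPF program */
    if (ip->protocol == IP_PROTO_TCP && (saddr & BLOCKED_MASK) == BLOCKED_NET)
        return ACT_DROP;
    return ACT_PASS;
}

/* Build a constructed Ethernet + IPv4 frame and run the policy over its first
 * len bytes (len == 0 means the whole 34-byte frame). */
int decide_constructed(uint8_t l4proto, uint32_t saddr_host, size_t len)
{
    uint8_t buf[64] = {0};
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    struct ip4_hdr *ip  = (struct ip4_hdr *)(eth + 1);
    eth->proto = htons(ETH_P_IP);
    ip->ver_ihl = 0x45;                   /* IPv4, 20-byte header */
    ip->protocol = l4proto; ip->saddr = htonl(saddr_host);
    size_t n = sizeof *eth + sizeof *ip;
    return policy_decision(buf, buf + ((len && len < n) ? len : n));
}
```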

Because eBPF can redirect packets and rewrite their destination, it supports creation of powerful networking features like load balancing, routing and service mesh, with minimal use of Envoy proxies. eBPF eliminates the need to instrument pods with sidecars, improving cloud performance without any application, network microservice or configuration change.

Figure 2: eBPF project

Leading a major wave of innovation

Like JavaScript for web browsers, eBPF represents a safe way to run programs in the kernel and instrument kernel behavior without changing its source code or threatening its stability.

Challenges exist across development difficulty, a fast-paced rate of change, implementation differences across kernel versions and lack of easy packaging and deployment. Yet this fundamental enabling technology is poised to lead a major wave of innovation in the kernel space.

It is accelerating how network architects redefine networking, security, tracing and observability for current (5G) and future (6G) mobile networks. This is especially due to its dynamic programmability, reliability and ability to provide great workload visibility with minimal disruption.

Just as Rakuten Mobile accomplished in Japan, eBPF can be used by other leaders to bring immediate benefits to cloud-native environments across industries.
