In this talk, we will introduce FD.io VPP and the Ligato cloud-native networking framework and demonstrate how these are used to address two use cases - a CNI plugin for Kubernetes (Contiv/VPP) and an IPSEC VPN gateway.
FD.io VPP is a high-performance packet forwarder that runs on commodity CPUs. Ligato provides a platform for developing Cloud-Native Network Functions (CNFs) using VPP running in Linux user-space and leveraging Intel's DPDK to grab packets directly from the NIC.
Contiv/VPP is a CNI (Container Network Interface) plugin that uses VPP to provide network connectivity for Kubernetes pods. Its aim is to bypass the kernel for packet handling in a Kubernetes cluster wherever possible. To achieve this, it replaces the kube-proxy load-balancer by leveraging VPP's advanced NAT functionality, and implements native Kubernetes policy (to avoid the requirement for a kernel-based policy plugin). As well as providing fast packet processing, Contiv/VPP can be used as the foundation for CNF deployments running in Kubernetes - since it is based on the Ligato VPP Agent its functionality can be easily extended to interconnect CNFs, e.g. using the Ligato SFC Controller.
StrongSwan is probably the most common IPSEC VPN concentrator in use today. It provides an IKE daemon but leverages the Linux kernel for IPSEC forwarding. Using Ligato we can interface StrongSwan's IKE implementation to VPP's IPSEC forwarding plane to create a high-performance IPSEC VPN CNF.
In general we will look at the benefits of forwarding traffic using VPP rather than the Linux Kernel in terms of:
1) performance
2) flexibility
3) manageability