In this episode of “Nerding Out with Viktor,” I’m joined by Liz Rice, a renowned security expert and open-source advocate. Liz and I first connected in the early days of the London Kubernetes scene, and since then, she has authored two books, with her most recent focusing on eBPF (Extended Berkeley Packet Filter). Our discussion primarily revolves around eBPF, its evolution, and its applications, though we also touch on broader topics in security and open-source software.

We start by defining eBPF, explaining that it allows dynamic programming of the Linux kernel to alter its behavior. This is particularly powerful because the kernel is central to managing hardware interactions, permissions, processes, and more. eBPF’s capabilities have extended far beyond its original purpose of packet filtering, making it useful for observability, security, and networking.

I highlight eBPF’s early acclaim, notably through Brendan Gregg’s work at Netflix for network diagnostics. Liz shares that her introduction to eBPF was through Thomas Graf’s presentation on Cilium at DockerCon in 2017. Cilium uses eBPF for container networking, significantly improving efficiency and performance by intercepting and redirecting network packets within the kernel.

We discuss how eBPF can replace traditional tools like IP tables, which can become performance bottlenecks in dynamic environments like Kubernetes. eBPF’s efficiency allows for complex tasks such as network policy enforcement and zero-trust networking, making it integral to modern cloud-native architectures.

Liz also mentions other key contributors to eBPF’s development, such as Alexei Starovoitov and Daniel Borkmann, who saw the potential for eBPF in kernel networking. By integrating eBPF programs into various points of the networking stack, they could manipulate, drop, or redirect packets, enhancing container networking capabilities.

Our conversation then shifts to zero-trust networking and encryption. Liz explains how eBPF, combined with tools like WireGuard and IPsec, can achieve secure, encrypted communication between nodes. This approach separates identity verification from encryption, leveraging standards like SPIFFE/SPIRE for cryptographic identities.

We also delve into the complexities of using eBPF for security, particularly its ability to dynamically change kernel behavior. While eBPF’s verifier ensures safety by checking memory access and program completion, it cannot differentiate between malicious and legitimate uses. This underscores the importance of trusted sources for eBPF programs and robust supply chain security.

We explore the idea of using eBPF for intrusion detection systems (IDS) and runtime security. Liz highlights Tetragon, a project by Cilium, as a next-generation IDS that uses eBPF for efficient, kernel-level event filtering and enforcement. This approach allows for real-time, low-overhead monitoring and response to security threats.

Our discussion then touches on recent supply chain security issues, such as the Log4j vulnerability. Liz explains how Tetragon can quickly adapt to detect and respond to such threats through policy updates, demonstrating the agility and effectiveness of eBPF-based security tools.

We also address the need for improved security practices in the Linux world, drawing parallels with traditional antivirus solutions and emphasizing the potential of eBPF for advanced threat detection and response.

We conclude by discussing the broader implications of supply chain security and compliance, especially in regulated industries like financial services. Liz mentions a collaborative white paper by Cilium and ControlPlane on using Cilium to meet compliance requirements, highlighting the ongoing efforts to integrate cutting-edge technology with regulatory standards.

Finally, Liz shares her thoughts on the recent acquisition of Isovalent by Cisco, expressing optimism about the future. The acquisition promises to provide more resources and support for the continued development of Cilium and related projects, enhancing their impact on the open-source and security communities.

This episode offers deep insights into eBPF, its transformative potential for networking and security, and the collaborative efforts driving innovation in the open-source world.

Found an error or typo? File PR against this file.