This is a guest post from Nathan Skrzypczak at Cisco. Nathan is part of a team of external contributors to Calico Open Source that have been working on an integration between Calico Open Source and Cisco’s data plane technology, VPP, for the last year.
Calico v3.23 is out, and with it a lot of new features! This release marks a long-awaited milestone for me and my team, as it includes the Calico VPP data plane (beta). So now seems to be a good time to reflect on what this integration actually is, and why we built it.
The Calico VPP data plane is the fourth data plane option for Calico. Alongside the Linux kernel, eBPF, and Windows kernel data planes, you can now choose to have packet processing done in a userspace network stack: the Vector Packet Processor (VPP). This means that service load-balancing, NAT-ing of packets, encapsulation, encryption and policy enforcement all run in a user-space application. It is mostly transparent from the user's perspective and seamless to enable, and enabling it gives access to a series of really interesting features.
Quick packets yields more throughput
The first thing the Calico VPP data plane aims to improve is performance. Processing packets in a user-space application allows us to leverage various optimization techniques, circumvent the usual kernel bottlenecks, and reach higher throughput, lower latency, and deliver many more packets per second. It gets really interesting when encryption is involved, with WireGuard & IPsec throughput reaching above 10 Gigabits/s thanks to VPP’s optimized cryptographic engine.
Enabling data plane features: WireGuard, Maglev load-balancing, SRv6, and more
Having the data plane run as a regular application in a container also enables quicker iterations on the packet path. Do you need WireGuard or IPsec encryption? It ships directly as part of the binary, with no kernel module to install. Do you want Maglev load-balancing for your services? It is also an option that we added when implementing service load-balancing. The same applies to SRv6 node-to-node encapsulation. Having the data plane at hand allows applications to easily leverage advanced networking features while still benefiting from the Kubernetes platform.
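Maglev load-balancing, mentioned above, spreads service traffic with a consistent-hash lookup table so that adding or removing a backend moves as few existing flows as possible, which is what keeps connections from being silently re-steered to a different pod mid-session. The following is an added Python reimplementation of the published Maglev table-population algorithm, not code from the Calico VPP data plane or the VPP project; the backend addresses are constructed sample values.

```python
import hashlib

# Constructed example: Maglev consistent-hash lookup table, a generic
# reimplementation of the published algorithm (not Calico VPP's own code).
TABLE_SIZE = 65537  # M must be prime; 65537 is the size used in the Maglev paper


def _hash(name: str, salt: bytes) -> int:
    """Stable 64-bit hash of a string; the salt yields independent hash functions."""
    return int.from_bytes(hashlib.sha256(salt + name.encode()).digest()[:8], "big")


def permutation(backend: str, m: int = TABLE_SIZE) -> list:
    """Preference list of slots for one backend: (offset + j*skip) mod M, a full
    permutation of 0..M-1 because M is prime and 1 <= skip < M."""
    offset = _hash(backend, b"offset") % m
    skip = _hash(backend, b"skip") % (m - 1) + 1
    return [(offset + j * skip) % m for j in range(m)]


def populate(backends: list, m: int = TABLE_SIZE) -> list:
    """Fill the lookup table round-robin: each backend in turn claims the next
    still-free slot from its own preference list until the table is full.
    Every backend therefore ends up with M/N entries (+/- 1)."""
    perms = [permutation(b, m) for b in backends]
    cursor = [0] * len(backends)
    table = [None] * m
    filled = 0
    while True:
        for i, backend in enumerate(backends):
            slot = perms[i][cursor[i]]
            while table[slot] is not None:  # skip slots another backend already took
                cursor[i] += 1
                slot = perms[i][cursor[i]]
            table[slot] = backend
            cursor[i] += 1
            filled += 1
            if filled == m:
                return table


def pick_backend(table: list, flow_key: str) -> str:
    """Map a flow (e.g. a 5-tuple rendered as a string) to a backend."""
    return table[_hash(flow_key, b"flow") % len(table)]


def moved_entries(before: list, after: list) -> int:
    """Number of table slots whose backend changed after a backend-set change."""
    return sum(1 for old, new in zip(before, after) if old != new)
```

Slots that pointed at the removed backend must move, but the rest of the table is largely preserved; compare `moved_entries` against `before.count(removed)` to see how little collateral re-steering Maglev causes.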
Exposing advanced networking directly to applications
Those advanced networking functions can even be exposed directly to the application. As an example, a network-intensive application can request a memory interface (a memif) in addition to its regular eth0 netdev, which allows much faster packet transmission. The same is true for transport protocols: an application can open TLS, or even QUIC, connections directly in VPP via a socket-like API. Having this platform will also allow us to bring even more networking functions closer to the applications in the future, such as the ability to access multiple networks via multiple interfaces.
Ready to try it on your own cluster? Follow these instructions.