Calico VPP: Empowering High-Performance Kubernetes Networking with Userspace Packet Processing

This is a guest post authored by Nathan Skrzypczak, R&D Engineer at Cisco.

Calico VPP, the latest addition to Calico’s suite of pluggable data planes, revolutionizes Kubernetes networking by enabling transparent user-space packet processing. With features such as service load balancing, encapsulation, policy enforcement, and encryption, Calico VPP brings the performance, flexibility, and observability of VPP to Kubernetes networking. In the 3.27 release, Calico VPP is now Generally Available, offering users the power to unlock new classes of workloads on Kubernetes.

Key Highlights

Shared memory interfaces

The VPP data plane integration supports shared memory interfaces (memif) in addition to regular Linux netdevs (Veth or TunTap). memif is a high-performance, packet-oriented interface type that is particularly useful for containerized network functions (CNFs), which typically process high numbers of packets. Currently, bindings exist for C/C++ and Go, and memif is also supported in DPDK.

Advanced load-balancing algorithms

The VPP data plane is a userspace, plugin-based application framework designed for high performance packet processing. It was leveraged to add support for advanced load-balancing algorithms such as Maglev, so that network functions benefit from its HA guarantees. It also exposes advanced hashing parametrization for those protocols where classical flow hashing is not sufficient.

Leveraging a userspace Hoststack

In addition to shared memory interfaces, the VPP data plane exposes a userspace hoststack supporting TCP, UDP, TLS and QUIC that can be leveraged from pods. This allows the design of containerized network functions leveraging highly performant L4 implementations.

10Gbps of node to node encryption for every core

As VPP comes with highly optimized cryptographic libraries, enabling node to node traffic encryption over either IPsec or WireGuard tunnels comes at a low performance cost, which makes it essentially seamless in most deployments.

Support for multiple networks

Finally, this data plane option offers support for multiple Kubernetes pod networks. This is an advanced configuration option that allows pods to request multiple interfaces attached to distinct, isolated pod networks. This enables the design of containerized network functions acting as gateways between pod networks (e.g. WAN & LAN interfaces), benefiting from Kubernetes constructs (Services), Calico constructs (BGP advertisement & policies), and VPP features (memory interfaces).

Quotes

Intel® Data Streaming Accelerator (DSA) – Calico VPP with Intel® DSA on 5th Gen Intel® Xeon® Scalable Processor Technology Guide.

“We enabled acceleration for VPP-memif processing using Intel 4th and 5th Generation Xeon processors and received excellent scaling, acceleration and CPU core savings using Intel(R) Data streaming accelerators as shown in Figure 1. Our Calico customers are evaluating this solution as a viable alternative for their cloud native deployments.” —Mrittika Ganguli, PE, Director Cloud native Architecture, NEX, Intel

“Cloud networking requires a truly performance optimized CNI to run networking workloads under Kubernetes. The combination of Calico & FD.io/VPP, two leading open source software technologies, was integrated to provide a highly scalable and network optimized solution to address this need.” —Emran Chaudhry, Vice President, Engineering, Cisco
