• Louis DeLosSantos
    About the speakerLouis DeLosSantos

    Louis is passionate about networking, software engineering, and open source technologies. He started his career in data center and enterprise networking where he worked on complex network architectures. Louis then began a journey in software development, initially specializing in live video streaming technologies at two large video based companies. This journey further progressed to a specialization in container technologies. He created the ClairCore libraries which provide static analysis of container vulnerabilities and created Clair V4. Louis now works at Isovalent where he focuses on container networking technologies, Linux kernel networking, and Cilium.

SRv6 on Cilium – An Introductory Demo

[05:40] In this demo, Isovalent Staff Software Engineer Louis DeLosSantos walks through an introductory demo of SRv6 on Cilium, for a L3VPN use case. The demo was first shown live during eBPF Day North America 2022.

Transcript

Hey everyone,

We’re going to do a demonstration of SRv6 L3 VPN proof of concept in Cilium.

Let’s describe our topology, on the right side we have PE1, which is Cilium, hanging off Cilium are two pods. We’re going to be focusing on Pod 1, which is in VRF 0. Cilium is peered over BGP with PE 0, in our case it is an FRR instance which is SRv6 aware. Hanging off PE 0 are two CE routers, CE1 belongs to VRF 0 and CE2 belongs to VRF 1. Both routers have a VPN network which overlaps 10.3.0.0/24.

The goal of our demo is to demonstrate that Pod 1 can send pings to VRF 0’s 10.3.0.0 network. To achieve this, we will have Cilium encapsulate the egress traffic in the locator for VRF 0. Likewise, the return traffic will be encapsulated in an SRv6 locator which Cilium provided to FRR over BGP.

Let’s take a look at our initial FRR configuration. You’ll notice two ENDT4 routes here. We’re interested in the route which is associated with VRF 0. This route is informing us that when traffic is ingressing FRR, if the destination is for this SID, it will decapsulate that traffic and send it to VRF 0.

What we don’t have is a routing entry which tells FRR to encapsulate traffic towards VRF 0 in Cilium. Cilium must allocate and provide that SRv6 SID over BGP to PE0, so let’s go ahead and trigger that.

What we just applied is a trigger which will program the SRv6 maps as we outlined in our talk.

That should trigger our BGP control plane to allocate a Sid and advertise that to FRR. Great, looks like we did this and we allocated this Sid. You can see here so let’s take a look at FRR to see the results of that.

We’re dumping the routing table which is associated with VRF0 and you see a new in-cap rule. What this is saying is that traffic which is heading towards 10.1.0.0 will be encapsulated in the Sid which we allocated. So this indicates that Cilium correctly advertised this information to FRR.

This 10.1.0.0/24 is the pod-CIDR range of Cilium. So let’s go ahead to pod one, this is the pod that’s in VRF1, and let’s issue a ping to 10.3.0.1.

We’re already seeing the return traffic, so this is a great sign. Let’s look at things a little bit deeper on the wire. Let’s take a look at FRR and dump the interface which is handling the traffic between Cilium and FRR.

Great, so what we’re seeing here is an echo request and its reply. The echo request is sourced from our allocated Sid coming from Cilium and has been encapsulated with a destination of VRF0’s locator. You can see that this is an encapsulated packet. The source of the encapsulate of the inner IP is our pod, and the destination is the VPN network in VRF0. The return traffic has the source address of our FRR node and it’s been encapsulated into that into the SRv6 Sid which Cilium provided FRR. You’re seeing the return traffic enter Pod 1 as demonstrated here because Cilium is decapsulating this Sid and delivering the traffic to 10.2.10.97.

It would be interesting to look at our CE as well. This just demonstrates that the traffic is actually being decapsulated and delivered to our CE router from FRR. There is no IPv6 involved anymore since the decapsulation happened at FRR. That’s a complete demonstration of end-to-end SRv6 L3 VPN. I hope you enjoyed it.