12-15-2021 TSC Meeting Minutes
- LJ Illuzzi
- Raga lahari
- Daniel Havey
TSC Meeting Zoom link
Meeting Recording
Meeting Chat File
Attendees & Representation. Please add your name to the attendance table below.
Attendees | |
Name | Company |
@Daniel Havey | Microsoft |
@Dave Thaler | Microsoft |
Matteo Croce | Microsoft |
@VM (Vicky) Brasseur | Wipro |
@Santhosh Fernandes | |
@Satya Pradhan | |
@Eric Tice | Wipro |
@Raga lahari | Walmart |
@Balachandra Kamat | Wipro |
LF Staff: @LJ Illuzzi
Agenda
Meeting note taker
Welcome to new attendees
From 12/08 meeting: Cross-platform signing:
The overall approach to signing should be the same on Linux as well as Windows and the tooling should work in the same manner. So for instance if you have two obj files, one for Windows and one for Linux then the same command and tooling should work for both files.
Matteo Croce to kick off the technical discussion
Here is a discussion link on Windows for eBPF GitHub about the topic: How do we do signing? · Discussion #693 · microsoft/ebpf-for-windows (github.com)
Private Enterprise Number (PEN) Request for L3AF- LF Legal gave the ok to proceed. Schedule call with Raga to fill out the PEN application.
Developer and Testing Forum in January 2022 (virtual event)
Topic submission- L3AF: eBPF for Windows and Cross Platform eBPF programs - thank you Daniel and Poorna!
Tuesday Jan 11, 11:30am to 12noon ET
Schedule the session
Holiday schedule:
Meetings on Dec. 8, 15
Dec. 22 and 29th to be canceled
Jan 5th: Developer and Testing Forum Prep.
General Topics (cover as needed)
Use Cases
Roadmap
Project structure
Governance
Technical Steering Committee
Minutes/Updates
PEN request
Raga: Schedule call after this meeting
Dave: What layer of the org is the PEN assigned to?
L3AFD project, LF, L3AFP?
Louis: Just put it under LFN. Ramnifications?
Dave: Next PEN would probably have a sub-delegation under the original PEN
This is how MSFT does this so that there is a single management point.
Lous: Difference between L3AFd and L3AFP?
Dave: Github organization with different GitHub repos under it.
Louis: PEN that covers L3AF as a project and all current and future repos?
Dave: Common use of PENS is for OID and PEN is inserted into the OID with arbitrary number of layers underneath.
OIDs are used in x.509 certificats, etc.
Lous: How are we going to use the PEN for L3AF? Want a PEN that covers all of L3AF, but not all of LF or LFN,
Raga: As part of flow exporter we will add custom field support identified with PEN number.
Dave: Inventing a new slot that fields are going to go in, can it be just an array of fields of integers?
Raga: Will dig more and find out?
Dave: It matters to how we will fill out the application.
Raga: This is a requirement for the flow_exporter. We will not need another PEN number for L3AF.
Lous: Will reconsult with legal and set up call with Raga. Review by email with rest of L3AF team (if this is doable).
Dave: It's just a simple web form and cannot be pending
Dave: Do we use LF, L3AFP or L3AFd for the name?
Lous: Will discuss with legal.
Dev testing forum
Set date and time for MSFT presentation
Cross platform signing
Matteo: No way to do cross platform signing with eBPF programs
Implementation that allows loading eBPF programs to kernel that takes care of relocation
Created patch that does this. Creates eBPF prog and adds sig to it.
Dave: talked about 3 peices in kernel function marketplace
Orchestrator pulls stuff from marketplace
Can you put signed programs in the marketplace
We are discussing an option that allows remote distribution and is compatible with L3AF.
The other approach does not play well with the L3AF vision that we have discussed.
Vicky: Do we have representation as the L3AF at the kernel level where these decisions will be made?
Dave: Need Karan, Chris, ect. If we had a collective decision it would carry more weight.
This could be a call to create new contacts.
Dave: This discussion is happening on the Linux kernel list
MSFT would like cross-platform
Move to the eBPF foundation (which is cross-platform)?
Dave: Next BPF steering committee meeting would like L3AF to present.
Invited Karan.
Dave: BSC does not officially have an answer if the meeting is open.
Still have time to ask. Should be a yes answer (at least for this meeting)
Matteo: Proposed to BPF ML & then another solution appeared from the BPF maintainer
Very different solution: create an approve-list of programs that can load BPF programs
Only allow programs loaded from progs on this approve-list
Suspects this solution won't be cross-platform: verification requires Linux fs verity method
Also allows L3AFd to install anything it wants if L3AFd is in the allow list, Could be a security flaw
Matteo's approach allows individual signing and allows individual verfication, reputation, etc.
Raga: Where is the signature exactly? Do you still have the verification step on signed programs? Use case please.
Matteo: XDP. SOme BPF programs take actions on packets. These can be loaded and attached to network drivers.
Malicious programs can mangle pacet traffic (very dnagerous). Must make sure that program is safe.
Dave: Big value add: signing instead of verification step.
Verification step can be CPU intensive. Signature check is cheap.
Verification and signing together does not give this benefit. This is what the patch does.
Raga: Does this work for UM progs also? Yes.
Dave: Other approach with white list? How is this different from cap BPF?
Matteo: Whitelist enforces Cap BPF.
Dave: L3AFd pushes out both kernel function as well as a program that can use the kernel function.
Matteo: Whitelist is a list programs that can be loaded
Matteo: Sig verification is before verification check.
Dave: Also reduces DOS style attacks.
If sig check fails then verification does not run and waste cycles.
Santhosh: Verifier runs only once at load time.
Dave: Yes, but you can spin the loader.
Dave: That is the intro.
If we can get several orgs to support this then we can approach the BSC.
Vicky: Once the video for the call is available we can take this to the mailing list.
Lous: Cancelling next weeks call on the 22nd?
Dave: Nope, on vacation.
Vicky: Probably most people have made plans so Jan 5th would be better.
Matteo: PR is urgent for MSFT because we want a signature system.
It's too dangerous to load untrusted BPF programs
Dave: Please post opinions on Linux Kernel mailing list sooner rather than later.
Dave: Include signing into the BSC meeting on Jan 12th at 1PM PST.
Lous: Please register for Dev and Test Forum
Action Items
Future Agenda Items
***** Minutes from previous call *****
Abhi Patil: Where is the L3AF project at currently? (high level overview)
Orchestration across any eBPF platform in order to solve business problems
L3AFd which runs on any host.
Many eBPF programs - see wiki
Create marketplace/repo of eBPF programs
Simplify chaining of eBPF programs
extend eBPF programs to Kubernetes
Abhi P:
Targeting DDOS programs
Lead for DDOS initiative
Peraton Labs and Georgia tech working on their project
Karan: More details on the and use case yo move forward
General Topics (cover as needed)
Use Cases
eBPF program (soon to be open sourced)
export records in IBPF format
Enterprise number will be needed for this
Dave T: eBPF programs that will be put into marketplace
L3AF could include signed programs
samples
Include other programs that are not signed by L3AF
Is L3AF a framework for marketplace?
Vicky B: Peel off marketplace from L3AF?
Handled by different team that works with L3AF so it can support different project such as Polycube
Dave T: Is the PEN for L3AF
Karan: L3AF team is contributing programs and that is what the PEN is for.
Jason: Agree with Dave, be careful with diluting L3AF
Wallmart added programs should not be natively part of L3AF itself, but rather the Wallmart contribution to L3AF
Dave T: Could you use a Wallmart PEN and contribute that to L3AF?
Karan: Once the eBPF program is OSSed then we should use the Wallmart PEN and it should be under the LF after OSSing
What kind of signing are we looking for?
Verification that the eBPF programs are compatible with the L3AF platform
For instance chaining.
Need deeper dive.
Dave T: Whose PEN do you use. Whoever the signer is going to be?
Karan: For now we don't have a clear bifurcation. It's just one L3AF.
We should consider how to do this.
Louis: IPfix program, is this a one time sign off or every time it is used?
Dave T: Whenever there is a change to the program it must be resigned. Not a one time thing.
PEN is a one time number. The signature changes with updates and revs.
Karan: If someone wants to use IPfix and change the PEN they can do this. Not tying anyone to the existing PEN.
Dave T: Then it would be a different program. Stars and other marketplace artifacet would be invalidated.
Christopher L: Maintainer of the code should sign the code. The org that controls the commit bit.
Raga P: planning to use PEN on IPfix to define custom fields. If there is no PEN then it would be an unknown field.
Karan: Anyone could pass a PEN into these fields and change things. If you don't change things then you get the predefined custom fields.
Term L3AF has been overloaded. L3AF team, platform, project, marketplace
Dave T: L3AF is the foundation. The more we put programs into it the more it becomes the L3A instead of L3AF.
Karan: If L3AF is the platform (L3AFd) how do we want to structure the remaining components?
Keep L3AF marketplace as a separate project? Should we drop the L3AF branding on it?
Vicky: Makes sense to have the marketplace be a separate thing with separate branding that is closely tied into L3AF.
L3AF becomes the initial consumer of this, but we plan for other consumers.
Louis: Consider breaking off separate projects under L3AF to ensure that the output of these is compatible with L3AF.
Common in OSS world for Project Tech Leads to spin off other projects in this manner.
Vicky: Makes a lot of sense to have things under L3AF initially. Perhaps move them later (eBPF Foundation).
Jason: Small set of programs provided by L3AF itself and make sure they are compatible to help get things started in the begining.
Vicky: This will help to get L3AF off the ground with a small set of programs that are useful and work.
Jason: Yeah, these could be examples and building blocks that others can use.
Karan: Definitely a good thing.
Dave T: 3 catergories of stuff: core daemon, marketplace, programs
Which one should be in different projects?
Are they all under the L3AF?
Where do the programs go?
Is the marketplace part of the L3AF repo?
Multiple marketplaces (Google, Apple, etc.). Is the marketplace part of the foundation?
Does L3AF just contain samples? Leaning towards this one?
Vicky: If marketplace is separate this is incredibly valuable because orgs can run their own marketplace. Should be a separate project.
LJ: are any programs in the marketplace paid for items?
DaveT: Yes, Vicky: leave door open
LJ: Not sure it should be OSS?
DaveT: Marketplace is not the programs. Paid programs can be distributed by on open source marketplace.
Vicky: cannot confuse monitization strategy with the licensing strategy. For pay programs should not be excluded from an OSS project. It's the licensing.
Brian M: This is good. Will take all these thoughts and work them into paper. Available this month(?), when we reconvene.
Karan: Better to leave it open so that it is an attractive proposition for folks to contribute. We need to iterate on this a little more.
Vicky: Brian's paper will help us to create a parallel working group to address this.
Jason: Start them in the base and then move when available.
Housekeeping: Next meeting is the 15th. Dec 22 and 29th are cancelled, reconvene on January 5th for Dev and testing forum prep