CFP: Add support for the SCTP protocol #20490
Status: Open
Labels: area/datapath (Impacts bpf/ or low-level forwarding details, including map management and monitor messages), kind/cfp (Cilium Feature Proposal), kind/feature (This introduces new functionality), pinned (These issues are not marked stale by our issue bot)
Cilium Feature Proposal
SCTP support was introduced in Kubernetes 1.12: kubernetes/kubernetes#64973
Work Breakdown
The work can be broken down into three subtasks that can be tackled sequentially. Simply achieving M1 is of great benefit because it enables a significant number of SCTP use cases, and M1 can be achieved right now. M2 will enable most SCTP use cases but will require kernel modifications.
M1 - Limited Support for Pod <-> Service communication
Currently, Cilium simply drops SCTP packets. This GitHub PR fixes things for limited use cases. With a little work, this SCTP PR can be updated to provide support for Pod <-> Service communication and NetworkPolicy support as long as no port translation is required (i.e., targetPort == containerPort). Modifying the ports means modifying the SCTP header, and modifying the SCTP header changes the checksum, so the packets will fail checksum validation at the receiver. SCTP uses a CRC32c checksum over the SCTP common header and the chunks that follow it, which is not easily supportable in eBPF. As long as any modifications to the packet leave the SCTP header untouched (i.e., we only modify the L2 or L3 headers), SCTP will work fine.
M2 - Port Translation Support
In order to add port translation support, we will need to expose kernel hooks to re-checksum the packet when we modify the ports. Note that this does not fully mean SCTP NAT is supported, since there is more to SCTP NAT than just port translation. This means that we will need to upstream this support into the Linux kernel, which will take time.
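The CRC32c dependency behind both M1's constraint (no port translation) and M2's missing kernel hook can be seen concretely in the following added example. It is not code from Cilium or from the PR referred to above: it implements the CRC32c of RFC 4960 Appendix B in plain Python, builds a constructed SCTP packet, and shows that rewriting the destination port without recomputing the checksum yields a packet a receiving stack would discard, while a recompute over the whole SCTP packet makes it valid again. The function names, port numbers, verification tag and the HEARTBEAT chunk are all constructed for this example.

```python
"""Why rewriting SCTP ports breaks the packet without a CRC32c recompute.

Added example; not Cilium code. Builds a constructed SCTP packet, checks its
CRC32c (RFC 4960 Appendix B), and shows that a DNAT-style port rewrite
invalidates the checksum unless the checksum is recomputed.
"""
import struct

# Reflected CRC-32C (Castagnoli) polynomial, as used by SCTP (RFC 4960, App. B).
_CRC32C_POLY = 0x82F63B78


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32C_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    """Table-driven CRC-32C: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


# SCTP common header: src port, dst port, verification tag, checksum (12 bytes).
_HDR = struct.Struct("!HHII")
CKSUM_OFF = 8


def sctp_checksum(pkt: bytes) -> bytes:
    """CRC32c over the entire SCTP packet with the checksum field zeroed.

    RFC 4960 App. B stores the CRC least-significant byte first, hence "<I".
    """
    zeroed = pkt[:CKSUM_OFF] + b"\x00" * 4 + pkt[CKSUM_OFF + 4:]
    return struct.pack("<I", crc32c(zeroed))


def build_sctp_packet(src_port: int, dst_port: int, vtag: int, chunks: bytes) -> bytes:
    """Assemble common header + chunks and fill in a valid checksum."""
    pkt = bytearray(_HDR.pack(src_port, dst_port, vtag, 0) + chunks)
    pkt[CKSUM_OFF:CKSUM_OFF + 4] = sctp_checksum(bytes(pkt))
    return bytes(pkt)


def sctp_checksum_ok(pkt: bytes) -> bool:
    """The check a receiving SCTP stack performs before accepting the packet."""
    return pkt[CKSUM_OFF:CKSUM_OFF + 4] == sctp_checksum(pkt)


def rewrite_dst_port(pkt: bytes, new_port: int, recompute: bool) -> bytes:
    """Simulate a service-to-backend port rewrite (targetPort != containerPort).

    recompute=False models a datapath that can rewrite the L4 header but has
    no CRC32c helper; recompute=True models the kernel hook M2 asks for.
    """
    out = bytearray(pkt)
    out[2:4] = struct.pack("!H", new_port)
    if recompute:
        out[CKSUM_OFF:CKSUM_OFF + 4] = sctp_checksum(bytes(out))
    return bytes(out)


# Constructed sample: a minimal HEARTBEAT chunk (type 4, length 8) carrying an
# empty Heartbeat Info parameter (type 1, length 4). Values are illustrative.
SAMPLE_CHUNK = struct.pack("!BBH", 4, 0, 8) + struct.pack("!HH", 1, 4)


def demo():
    """Return (original ok, naive rewrite ok, recomputed rewrite ok)."""
    pkt = build_sctp_packet(36412, 36412, 0x1A2B3C4D, SAMPLE_CHUNK)
    naive = rewrite_dst_port(pkt, 38412, recompute=False)
    fixed = rewrite_dst_port(pkt, 38412, recompute=True)
    return sctp_checksum_ok(pkt), sctp_checksum_ok(naive), sctp_checksum_ok(fixed)


if __name__ == "__main__":
    print("original / naive rewrite / recomputed:", demo())  # (True, False, True)
```

The checksum covers only the SCTP common header and its chunks, so rewriting the surrounding L2/L3 headers, which is all M1 does, leaves it valid; any L4 rewrite has to rerun the CRC over the whole SCTP payload, which is the cost the M2 kernel hook has to absorb. Because RFC 4960 requires a receiver to silently discard packets with a bad checksum, a naive port rewrite shows up as silent loss rather than as an error, which is worth remembering when debugging SCTP through a service.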
M3 - Multihoming and Beyond
This work is unscoped for now and will involve deeper parsing of SCTP packets which may not be performant (or feasible) under eBPF.