13-15 November 2018
America/Vancouver timezone

In-kernel protocol aware filtering

15 Nov 2018, 14:00
Pavillion-Ballroom-C (Sheraton Vancouver Wall Center)


Sheraton Vancouver Wall Center



Peter Parkanyi (Red Sift)


Deep packet inspection seems to be a largely unexplored area of BPF use cases. The 4096 instruction limit and the lack of loops make such implementations non-straightforward for many protocols. Using XDP and socket filters, at Red Sift, we implemented DNS and TLS handshake detection to provide better monitoring for our clusters. We learned that while the protocol implementation is not necessarily straightforward, the BPF VM provides a reasonably safe environment for DPI-style parsing. When coupled with our Rust userspace implementation, it can provide information and functionality that previously would have required userspace intercepting proxies or middleboxes, at a comparable performance to iptables-style packet filters. Further work is needed to explore how we can turn this into a more comprehensive, active component, mainly due to the BPF VM restrictions around 4096 instruction programs.

Presentation Materials

Platinum sponsors

Gold sponsors

Silver sponsors

Catchbox sponsor
T-Shirt sponsor
Your browser is out of date!

Update your browser to view this website correctly. Update my browser now