F5 eBPF Observability: Kernel-Level Observability for Modern Applications
By F5 DevCentral Community
eBPF Observability (EOB) from F5: A Detailed Overview
Key Concepts:
- eBPF (Extended Berkeley Packet Filter): A powerful technology within the Linux kernel allowing for safe and efficient program execution in kernel space, used here for data collection and analysis.
- Cloud Native: Environments leveraging containers as a core architectural component (e.g., Docker, Kubernetes, Red Hat OpenShift).
- DaemonSet: A Kubernetes construct ensuring a single instance of an agent runs on each node in a cluster.
- Message Bus: A system for asynchronous communication between different components, used here to distribute collected data.
- 5G Core Network Functions and Protocols: AMF (Access and Mobility Management Function), SMF (Session Management Function), PFCP (Packet Forwarding Control Protocol), EIR (Equipment Identity Register), F1 AP.
- SBI (Service-Based Interface): A standardized interface for 5G core network functions.
Introduction to eBPF Observability (EOB)
F5’s eBPF Observability (EOB) solution, acquired through MantisNet, provides cloud-native observability for containerized environments. The core goal is to establish end-to-end visibility within these dynamic infrastructures. EOB is applicable to any environment utilizing containers, ranging from simple Docker labs to complex production deployments like those on Red Hat OpenShift. The solution focuses on collecting data within cloud-native environments, rather than relying on traditional, resource-intensive methods.
EOB Architecture and Deployment
EOB operates through a network of agents deployed as DaemonSets on each node within a cloud-native environment. This ensures a single point of presence for data collection on each node, avoiding the need for agents within every pod. This approach reduces the overall footprint and leverages the performance benefits of eBPF.
These agents collect data encompassing pod and container traffic, including:
- Topology Metrics: Information about containers, AMF/SMF composition, links, flows, processes, labels, and annotations – essentially, understanding the structure and relationships within the environment. The system tracks how AMFs evolve over time.
- Flow Data: Beyond traditional IP-based flow data, EOB incorporates contextual information like process IDs, parent process IDs, and executables associated with network events, providing a “full stack” view. Netblock information is also included.
- Protocol Data: EOB can dissect protocol stacks relevant to 5G, including the SBI stack, PFCP, EIR, and F1 AP, transforming unstructured traffic into usable data for security and analytics.
- Plain Text Payload: A key feature is the ability to access plain text payloads of encrypted traffic within the 5G core control plane. This is achieved by leveraging eBPF to intercept messaging before encryption on the sending side and after decryption on the receiving side, directly from the kernel. This avoids the resource-intensive process of traditional decryption methods.
- Packet Capture: While supported, packet capture is positioned as one tool among many, acknowledging its resource intensity.
Data Flow and the Message Bus
Collected data is published to a message bus, categorized into distinct topics:
- Control Topic: Used for managing and configuring the EOB agents.
- Topology Metrics: Data related to the structure and relationships within the containerized environment.
- Flow Data: Detailed information about network flows, including contextual data about the processes involved.
- Protocol Data: Decoded information from various 5G protocols.
- Plain Text Payload: Decrypted message content, accessible due to eBPF’s kernel-level access.
- Packet Capture: Raw packet data, available when needed.
The message bus serves as a crucial demarcation point. EOB itself does not include built-in analytics. Instead, it acts as a “pub/sub” system, allowing security, analytics, and service assurance tools to consume the data by establishing a client relationship with the message bus.
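What a consumer on the far side of the message bus can do with flow records that carry process context, shown as an added example (not F5's code, and not EOB's message schema): two flows that look like ordinary pod traffic at the IP level are separated by executable and destination port. The JSON-lines payload, every field name, the file paths, and the per-workload baseline are assumptions constructed for illustration.

```python
import json

# Constructed sample: JSON lines as a consumer might read them from a flow topic.
# Field names are hypothetical, not EOB's schema.
SAMPLE_FLOW_MESSAGES = """\
{"node":"worker-1","pod":"amf-0","app":"amf","pid":4121,"ppid":1,"exe":"/usr/bin/amf","dst":"10.0.2.15","dport":8080}
{"node":"worker-1","pod":"smf-0","app":"smf","pid":5230,"ppid":1,"exe":"/usr/bin/smf","dst":"10.0.3.9","dport":8805}
{"node":"worker-2","pod":"amf-1","app":"amf","pid":7788,"ppid":7701,"exe":"/usr/bin/curl","dst":"203.0.113.7","dport":443}
{"node":"worker-2","pod":"smf-1","app":"smf","pid":9001,"ppid":1,"exe":"/usr/bin/smf","dst":"10.0.3.9","dport":22}
not-json
"""

# Assumed baseline: executables each workload label may run, and the ports they may dial.
BASELINE = {
    "amf": {"/usr/bin/amf": {8080}},
    "smf": {"/usr/bin/smf": {8080, 8805}},
}

def evaluate_flow(record, baseline=BASELINE):
    """Return findings for one flow record; an empty list means it matches the baseline."""
    allowed = baseline.get(record.get("app"))
    if allowed is None:
        return ["unknown workload"]
    ports = allowed.get(record.get("exe"))
    if ports is None:
        return ["unexpected executable"]
    if record.get("dport") not in ports:
        return ["unexpected destination port"]
    return []

def triage(lines, baseline=BASELINE):
    """Parse JSON-lines flow messages; return (alerts, malformed_count)."""
    alerts, malformed = [], 0
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            malformed += 1  # count, don't crash: the bus is an untrusted input boundary
            continue
        for finding in evaluate_flow(record, baseline):
            alerts.append((record.get("pod"), record.get("exe"), finding))
    return alerts, malformed

if __name__ == "__main__":
    print(triage(SAMPLE_FLOW_MESSAGES))
```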
Key Advantages and Design Principles
Two core principles underpin EOB’s design:
- Demarcation Point: EOB focuses solely on data collection and delivery, leaving analytics to specialized tools. This allows for flexibility and integration with existing security and monitoring infrastructure.
- Vendor Agnosticism: Leveraging eBPF allows EOB to operate independently of the underlying container orchestration platform or the vendors of the network functions (e.g., Nokia, Ericsson, Samsung). The container layer is abstracted, providing a consistent view across different vendors. As stated, “Because we’re sitting at the node level from an agent point of view and building visibility up into the potted container space, everything at that potted container space is an abstracted layer for us.”
eBPF and Performance Considerations
The use of eBPF is central to EOB’s performance. Traditional packet capture is resource-intensive, especially in cloud-native environments. EOB’s approach, focusing on messaging and leveraging eBPF’s kernel-level access, allows for more efficient data collection and analysis. Specifically, accessing plain text payloads before encryption/decryption significantly reduces the computational overhead compared to traditional decryption methods.
Conclusion
EOB from F5 provides a powerful and flexible observability solution for cloud-native environments. By leveraging eBPF and a pub/sub architecture, it delivers comprehensive data collection without being tied to specific analytics tools or vendors. Its vendor-agnostic nature and focus on performance make it a valuable asset for organizations seeking deep visibility into their containerized 5G core networks and beyond. The solution’s strength lies in its ability to provide granular data, including plain text payloads, while minimizing resource consumption.