H2020 FISNEC Webinar Presentation, August 26th, 2020, Aidan-Shribman, Lev Greenberg, Ehood Katz

1. Skydive Network Analyzer
understand and protect your network infrastructure
By: Aidan Shribman, Lev Greenberg, Ehood Katz
Ack: Sylvain Afchain, Sylvain Baubeau, Nicolas Planel

2. Skydive goals
● Topology exploration and visualization
● Network traffic capture
● Make network troubleshooting easier
● SDN agnostic
● Real-time / post-mortem network analysis framework
● Lightweight, easy to deploy

3. Architecture
AGENT AGENT AGENT
ANALYZER ANALYZER
PROBE PROBE PROBE

4. Network topology as a graph
● Event based
● Pub/Sub, WebSocket
● Node/Edge create, update, delete event
● Revision of every graph modification

5. Topology probes
● Netlink, metrics, routing tables, etc.
● OpenvSwitch, OVN, table, metric, exploration
● VPP
● LLDP
● LibVirt
● BESS
● Docker, Runc
● Kubernetes, OpenShift
● Network Service Mesh
● OpenStack Neutron
● OpenContrail/Tungsten Fabric
● Block Devices
● Socket Info And more….

6. Distributed packet capture (1)
● Distributed packet capture
● Multiple capture methods
AFpacket, eBPF, DPDK, sFlow, …
● BPF Filtering
● Support L2/L3 flow tracking, tunnels supported too
GRE, VXLAN, MPLS, etc.

7. Distributed packet capture (2)
● Packet/Flow forwarding to an external endpoint
sFlow, NetFlow, ERSPAN
● Flows and metrics stored in a time series database
● Flow bus, ex : conversion to VPC Flow Logs
● Same query method than for topology:
G.V().Has(“Capture.Name”, “my-dockers-cap”).Flows(“Application”, “HTTPS”).Metrics()

8. Distributed packet injection
● Distributed packet generator/injection
● ICMP, TCP, UDP
● Long running injections
● Ping-mesh with RTT report
skydive client injection create --dst 'G.V().Has("Type, "veth")' --src 'G.V().Has("Type, "veth")'
● PCAP socket probe allowing to inject remote or recorded traffic

9. Wait ! There’s still more..
● Alerting
● Workflows (in JavaScript)
● Open API, Rest, WebSocket
● Golang and Python client
● Ansible module
● Plugin support, ex: Collectd
● Grafana datasource

10. Network Topology Visualization
(Discovery)
Use cases

11. Flow Troubleshooting (Capture)
Use cases

12. Flow Troubleshooting (Tracking)
Use cases

13. Skydive in action

14. Skydive Gremlin API

15. Flow Troubleshooting (Tracking)
Use cases
G.Flows().Has(‘TrackingID’, ‘e38c81871794612d’).Nodes().Dedup()

16. Skydive capture probes
Kernel Overhead Limitations
AF Packet all Huge None
BPF (Syn/Fin/Rst/Ack/!Psh) 2.5+ Low
No packets metrics
TCP only
Start and end session
eBPF 3.18+ Low
No classification
No fragmentation
No tunneling
(implementation)

19. Thanks
https://skydive.network
https://github.com/skydive-project/skydive
https://github.com/skydive-project/skydive-ui