Calico/VPP: Using Calico’s Pluggable Dataplanes for Fun and Fast Networking

The Calico VPP data plane makes it easy to extend and experiment with the Kubernetes network, particularly for high-performance networking applications.

• Calico VPP is a data plane that uses VPP as a data plane for pod traffic in Calico.
• VPP brings a lot to the table for custom networking requirements and network-intensive applications.
• The host stack can be enabled for a pod with an annotation, providing a substantial performance boost.
• Regular Kubernetes networking features apply to traffic processed through either MIF or the host stack.
• AF packet or AF XDP sockets can be used under the interface in the pod without Calico VPP, but performance is lower.

VPP has an extremely performant IPsec implementation, allowing for one terabit per second of encryption when doing IPsec on standard two socket Ice Lake servers. Maglev is a constituent consistent layer 4 load balancer that allows connections to survive node failures and reduces global networking load on the cluster if enabled. Android, a famous node layer 7 proxy used in the Steel Service Mesh, is a great candidate for optimization with the whole stack.

The Calico VPP dataplane, introduced during last year’s KubeCon, adds a new networking option for Calico on Linux alongside iptables and eBPF. This takes advantage of Calico’s pluggable dataplane support, which offers futureproofing and agility for the user in dataplane choices. As it turns out, having VPP’s flexible and modular userspace networking stack in a Kubernetes environment enables all sorts of interesting things -- such as allowing network-intensive pods to send and receive data at ludicrous speeds while conserving the CNI features we love, thanks to kernel bypass. This is useful for any workload that spends most of its time doing network I/O. Think proxy, content delivery server, or network functions such as VPN endpoints. In this talk, we will show you how we achieve that, the level of performance that we can reach, and how it compares to other approaches.