Our infrastructure supports thousands of services that handle billions of requests per second. We’ve previously discussed how we built our service encryption infrastructure to keep these globally d…
Overview
The article discusses Facebook's approach to enforcing encryption across its vast infrastructure, which supports thousands of services handling billions of requests per second. It details the design and implementation of SSLWall, a system aimed at blocking non-SSL connections while maintaining performance and reliability.
What You'll Learn
1. How to implement encryption enforcement at scale using SSLWall
2. Why eBPF is critical for network traffic inspection and management
3. When to use Transparent TLS for noncompliant applications
Prerequisites & Requirements
- Understanding of encryption protocols like TLS
- Familiarity with eBPF and its applications (optional)
Key Questions Answered
What is SSLWall and how does it enforce encryption?
SSLWall is a system developed by Facebook to block non-SSL connections across its network. It operates transparently, ensuring that applications do not need to change their code while enforcing encryption policies effectively.
How does eBPF contribute to SSLWall's functionality?
eBPF allows SSLWall to inspect and manage network traffic at the kernel level without requiring changes to applications. It provides capabilities like traffic filtering and monitoring, which are essential for enforcing encryption policies.
What challenges did Facebook face when implementing SSLWall?
Facebook encountered several challenges, including managing the execution order of kprobes and TC filters, adhering to BPF program size limits, and optimizing performance to minimize CPU impact on high QPS services.
What are the requirements for implementing Transparent TLS?
The requirements for Transparent TLS include transparently encrypting connections without application changes, avoiding double encryption for existing TLS connections, and managing performance impacts for applications that do not use common libraries.
Technologies & Tools
- eBPF (Backend): Used for inspecting and managing network traffic at the kernel level.
- Scribe (Backend): Used for logging events emitted by the management daemon.
- tc-bpf (Backend): Leveraged for traffic control and filtering in the SSLWall implementation.
Key Actionable Insights
1. Implementing SSLWall can significantly enhance the security of your services by ensuring that all traffic is encrypted, thereby reducing the risk of data breaches. This is particularly important for organizations handling sensitive data, as it helps maintain compliance with security standards.
2. Utilizing eBPF for network traffic management allows for efficient inspection and enforcement without impacting application performance. This approach is beneficial in large-scale environments where performance and reliability are critical.
3. Effective communication and planning are essential when rolling out encryption policies to minimize disruptions across teams. By proactively sharing information and gathering feedback, organizations can ensure a smoother transition to enhanced security measures.
Common Pitfalls
1. Underestimating the complexity of implementing encryption enforcement can lead to significant disruptions. This often occurs when teams do not adequately communicate the changes or fail to plan for potential impacts on existing services.
2. Ignoring the performance implications of eBPF programs can result in degraded service quality. It's crucial to optimize BPF programs to ensure they do not introduce latency, especially in high-traffic environments.
Related Concepts
Encryption Protocols
Network Security Best Practices
Kernel-level Programming with eBPF