There has been a lot of energy recently behind eBPF in the cloud-native space, with adoption rates increasing and use cases expanding over the past few years. eBPF appears to have moved firmly out of the early adopter stage and is now entering a more mainstream and accelerated path along its technology maturity curve. One of the biggest indicators of this shift has been the recent acquisition of eBPF powerhouse Isovalent by Cisco for an incredible $650 million, a 30x valuation! In short, it is becoming clear that eBPF isn’t just a flash in the pan. It is here to stay, and worth taking a deeper look at.
At MantisNet, we are glad to see the increased use of eBPF-driven solutions; eBPF has been the backbone of our observability product offering for the past four years. However, as emerging technologies gain more attention from broader audiences, nuance can sometimes be overlooked, and generalizations are often applied. I am noticing this more and more as it pertains to eBPF. During discussions of our eBPF-based product with customers and partners, there is a growing amount of feedback coming in that seems to be rooted in confusion. Some people are starting to think that all eBPF solutions are created equal. Or more specifically, that all eBPF programs can do the same thing. Turns out, they really can’t.
Clearing up the confusion
To help explain this confusion I am seeing, I want to point to a quick story. I work with a guy named Elliott, who is our CTO. Like any good CTO, Elliott can take complex topics and boil them down to a very simple analogy. In this case, the analogy Elliott draws on helps people understand that eBPF is not a “one size fits all” type of solution. When faced with blanket statements such as “ok, so you guys use eBPF, well company X has eBPF too”, he has a great way of clearing the air. He likes to point out in response that eBPF is just a technology, stating that this is the same as saying...
“Oh, you guys use computers? Well we use computers too!”
What really matters is how you leverage the technology in your solution to provide value to customers.
Elliott is spot on in this instance. Yes, eBPF is a newer technology that can be used to provide immense value while also increasing performance; that is fair to state. It is also fair to state that eBPF is a general-purpose virtual machine running inside of the kernel, and that it enables new functionality to be added to the kernel quickly and custom programs to be built. Where things go off the rails is when assumptions are made that all companies are applying the technology the same way and focusing on the same problems to solve.
eBPF can be used for a variety of use cases: network load balancing, behavior profiling, application performance monitoring, network tracing, security monitoring, general observability, orchestration visibility, power level tracking, and the list goes on. The truth is that any company with a solution built on eBPF is looking to address a subset of the “networking”, “security”, or “you name it” markets, while leveraging their expertise in the specific subset they are focusing on. One example may be an eBPF-based solution focused on a sole use case for security. Another example may be a solution for widespread, general insights into any and all distributed computing environments. Yet another example may be a solution focused on delivering observability into 5G Stand Alone telco environments, and only 5G SA telco environments (such as MantisNet’s Tawon CVF). All of this is to say that the first step to understanding the value of an eBPF-based solution or tool is to thoroughly understand the actual problem or initiative that the solution has been designed to address. The second step is to seek out how the solution is actually getting the job done.
eBPF for 5G observability
As mentioned above, MantisNet focuses on using eBPF as a technology to help address a very specific market: observability for 5G telco networks. Our focus on this market is driven by our technical teams’ deep understanding of mobile networking, and the broader teams’ understanding that 5G networks demand a new approach for observability/monitoring/visibility simply because they are built very differently from 4G and below networks. vTAPs from vendors are no longer cutting it, for cost reasons, yes, but more importantly for resource constraint reasons and technical roadblocks. The same holds true for service mesh-based solutions, or sidecar container-based solutions. These are all packet-heavy options with limitations that demand a large amount of resources (and licenses) to operate. They are also options that are disjointed across all the different Network Function vendors. (For those interested, we have spent time in the past covering the need for change in visibility strategies as telcos move more rapidly into their 5G deployments.)
So how does eBPF fit into the mix? How does MantisNet provide an approach that is different from Isovalent or other general-purpose eBPF-based visibility solutions? I’ll reference back to a statement made earlier: what really matters is how you leverage the technology, and what steps are being taken to get the job done.
The chart below helps illustrate how there are different areas of consideration for choosing and deploying an eBPF solution, while also highlighting the specific challenges facing individuals and organizations tasked with monitoring 5G networks. We will expand on this more in an upcoming blog post, but for now, this is a great introduction for anyone who may be thinking that eBPF is a “one size fits all” solution.