This talk gives a rundown of various potential improvements being thought about and experimented on for the CUBIC Congestion Control implementation in Neqo, Firefox's QUIC stack. Detecting and recovering from Spurious Congestion Events -- network hiccups mistaken as congestion signal. Reacting differently to Explicit Congestion Notifications (ECN) than to packet loss. Optimizing the Slow Start exit point to avoid unnecessary loss through various heuristics.
While many of these make sense on paper and produce good results in simulations the reality of the internet is much more complicated. One ongoing challenge is designing metrics that measure impact of change in the real world without getting lost in the noise of wildly varying network conditions across millions of internet users to validate that those improvements genuinely make Firefox quic(k)er.
Links: - Neqo, Firefox's QUIC implementation: https://github.com/mozilla/neqo - CUBIC Congestion Control (RFC9438): https://datatracker.ietf.org/doc/html/rfc9438
iroh is a library to establish peer-to-peer QUIC connections assisted by relay servers. It needs to route UDP datagrams carrying QUIC payloads over relayed and holepunched network paths. While this used to be done outside of QUIC's knowledge, over the past year we have worked to adopt the QUIC multipath proposed standard so that QUIC itself is aware of multiple paths.
This talk will cover iroh's experience of adding QUIC multipath to the Quinn library and the challenges of adopting it. The multipath draft does only cover how to send packets over the wire, and does not specify how path selection works, consequently we'll also cover iroh's choices for path selection as well as changes we will still be experimenting with.
Finally iroh has also moved holepunching into a QUIC extension, which integrates tightly with multipath. The mechanism of how holepunching with multipath support works in iroh will covered as well.
The Web’s transport stack is changing rapidly, with QUIC, HTTP/3, and encrypted DNS seeing broad adoption. This talk gives an overview of the modern network protocols Firefox already deploys and invests in, including QUIC and HTTP/3’s growing share of Web traffic. It will highlight what Firefox actually sends on the wire today, what benefits we observe in practice, and where the Web’s protocol landscape stands in early 2026.
The session will also offer an outlook on what’s likely to land in Firefox and across the Web in 2026 and beyond. This includes emerging mechanisms like Happy Eyeballs v3 to manage increasingly complex protocol selection, WebTransport as a modern WebSocket primitive, MASQUE-based proxying for new tunneling use cases, and ongoing work around encrypted DNS, resolver discovery, and Encrypted Client Hello. Together these protocols form the foundation of a faster and more private Web.
Traffic Management (TM) is critical for predictable network performance. It controls packet priority, shapes transmission rates, and allocates bandwidth to meet SLAs in large-scale deployments such as ISPs, telecom networks, and data centers.
FD.io Vector Packet Processing (VPP), a widely adopted high-performance networking stack across these environments, currently relies on software-based TM. This introduces bottlenecks at scale: CPU overhead grows with traffic classes, latency spikes under load, and token bucket waste cycles. At 100G/200G and beyond, these limitations pose a critical risk of SLA violations.
The new TM framework addresses these challenges by offloading shaping and scheduling to hardware through a vendor-neutral architecture and a unified API that works across all platforms supporting traffic management in silicon.
The proposed TM framework integrates VPP with hardware traffic management engines in supported NICs, SmartNICs, and DPUs. It detects hardware capabilities, classifies flows in software, and steers them to hardware queues where TM policies are enforced at line rate—eliminating software-based per-packet arbitration.
Hierarchical Scheduling: Organizes traffic into multi-level queues to prioritize critical services while preserving fairness across remaining traffic. Dual-Rate Shaping: Applies committed and peak rate control with burst handling, compliant with RFC 2698, to prevent congestion and maintain predictable performance. Priority and Fairness: Combines strict priority for latency-sensitive traffic with weighted sharing for bulk flows to balance resources. Policing: Enforces traffic limits at line rate by dropping or marking packets appropriately.
Performance: Delivers line-rate Traffic Management with high accuracy and low latency. Scalability: Supports thousands of queues at line rates without proportional CPU costs. Efficiency: Shifts workload to hardware, enabling CPUs to focus on application logic while reducing energy usage Reliability: Ensures stable Quality of Service under peak load conditions.
Hardware-assisted TM is no longer optional—it is mission-critical for networks scaling toward 400G/800G with diverse traffic and tight latency budgets. The VPP TM framework delivers this through a vendor-neutral API, making VPP ready for demanding telecom and data center workloads while preserving its modular design. For open-source stacks like VPP, this is not just an enhancement—it’s a long-overdue capability.
Have you heard about HTTP Archive (HAR) files and wondered how you could leverage this data for deeper insights into your web applications?
Imagine analyzing your page load request data as OpenTelemetry traces in your favorite observability backend. This talk will explore the lessons learned from transforming HAR into an OpenTelemetry trace and streaming it to Jaeger. Learn how to convert HAR data into spans following OpenTelemetry semantic conventions.
Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets. Suricata provides network protocol, flow, alert, anomaly logs, file extraction and PCAP capture at very high speeds and provides a wide range of deployment options - IDS/IPS/FW/NSM.
Suricata 8 is the latest stable edition that has been in development for 2 years, powered by collaborative work of the OISF team, Suricata community and consortium members. This talk will highlight the new and groundbreaking features available in the latest Suricata 8 edition. The new additions include runmodes, deployment options, detection, logging and protocol parsing that empower the cyber defenders with improved capabilities for network security monitoring in terms of efficiency, detection, accuracy, performance and flexibility. Don't miss this opportunity to get a firsthand overview at how Suricata 8 is shaping the future of network detection and prevention.
Everyone's building MCP servers for network automation. Your agents can finally talk to each other and share context about your infrastructure. But what context are they actually sharing?
If your agent's understanding of the network comes from vector embeddings and RAG, MCP is just helping you share incomplete topology understanding and missed policy dependencies faster. Vector similarity can't represent "which devices are upstream of this link" or "what routing policies affect this prefix."
MCP makes context sharing easy. Knowledge graphs make that context actually correct.
This talk will discuss lessons learned as a developer advocate maintaining coffeeAGNTCY, an open-source multi-agent system. Mainly, sharing the discovery of why knowledge graphs with LangGraph are essential for network automation agents.
We'll cover:
-What MCP servers can't fix (the context representation problem) -Knowledge graphs for network topology, routing, and policy dependencies -LangGraph for reasoning over graph-structured network data -Real patterns from coffeeAGNTCY project (lungo) . Code: https://github.com/agntcy/coffeeAgntcy/tree/main/coffeeAGNTCY/coffee_agents/lungo
Network operations still depend heavily on manual workflows. Engineers move between CLIs, dashboards, and scripts to answer operational questions, validate configurations, and enforce compliance across diverse network platforms. These tasks are repetitive, error-prone, and hard to scale.
This talk presents a practical AgenticOps architecture for network operations built with open source tools. It shows how low-code visual orchestration can be combined with LLM-based reasoning to automate both interactive and scheduled tasks while preserving native CLI access.
The system uses n8n for workflow orchestration, Model Context Protocol servers written in Python with FastMCP to expose network capabilities, and Cisco pyATS to execute platform-aware CLI commands across multiple device families. Operators interact through a chat interface using natural language. The LLM classifies intent, discovers device type, selects the correct commands, executes them via pyATS, and returns structured results.
The same workflows also handle automated compliance checks, report generation, and scheduled validations. The session includes a live demonstration and a GitHub repository with MCP servers, n8n workflows, and deployment examples ready to adapt to real environments.
"For better or worse, benchmarks shape a field." FD.io's approach to the better: open, reproducible benchmarks-as-code that guide development and guard against regressions in the VPP data plane, via CSIT. Problem: a race-track number doesn't translate to production deployments. CSIT's approach: MLRsearch (IETF BMWG, RFC in publication) for conditional throughput (NDR/PDR) with explicit stopping rules and inspectable artifacts; a continuous open-source benchmarking pipeline spanning packets and sessions; and a test matrix covering IMIX, QUIC/TLS, NAT, IPsec, ACL, SRv6, and NGFW/proxy use cases. This methodology drives terabit-class packet and session performance on commodity x86/Arm - reliably and repeatably. Takeaways: a replicable recipe (tools, configs, artifacts) for your lab; why benchmarks-as-code beat ad-hoc testing; and concrete contribution paths across CSIT and VPP (tests, profiles, analysers, data visualisation).
Relevant links: https://fd.io/ https://csit.fd.io/ https://wiki.fd.io/ https://github.com/FDio/
As enterprises and service providers transition to virtualized and cloud-native infrastructures, the need for scalable, high-performance security becomes critical. FD.io's Vector Packet Processing (VPP) platform has emerged as a leading open-source framework for fast packet processing, but how well does it handle modern IPsec workloads in Virtual Network Functions (VNFs) and Cloud-Native Network Functions (CNFs)?
In this talk, we dive deep into the architecture and implementation of IPsec within FD.io VPP. We'll explore real-world performance benchmarks, discuss recent improvements, and present best practices for deploying secure, high-throughput IPsec tunnels in containerized and virtualized environments. Attendees will see how VPP's modular pipeline enables flexible integration with orchestration systems, and how it can be tuned for different network function scenarios-from high-density edge sites to large-scale data centers.
Whether you're building secure SD-WAN, 5G core, or edge networking solutions, this session will provide actionable insights on leveraging open-source VPP to deliver robust, scalable, and efficient IPsec-powered VNFs and CNFs.
Key Takeaways: - How FD.io VPP implements and accelerates IPsec for virtualized and cloud-native deployments - Tuning and scaling techniques for maximizing IPsec throughput and minimizing latency - Integration patterns for orchestration and real-world deployment considerations - Lessons learned from operational use cases and performance testing
Join us to learn how open-source innovation is redefining secure, high-performance networking for the next generation of infrastructure!
https://elixir.bootlin.com/linux/v6.17.7/source/drivers/infiniband/ulp/rtrs
This presentation traces a five-year cat-and-mouse chase between a small VPN provider — more than 150 servers worldwide, millions of users, available on all major platforms — and the Russian state censorship machine. A real-world “Tom and Jerry” scenario where survival hinges on constant adaptation.
I’ll walk through the evolving technical and non-technical tactics used by Russian authorities to block VPN access for ordinary users. Every story comes from real, first-hand experience. The methods used five years ago and the methods used today are on entirely different levels; Tom keeps learning new tricks, and Jerry’s struggle to stay alive only gets harder.
This talk aims to be useful and insightful for network security engineers, business decision-makers, and human rights activists. Russia is not the only dictatorship experimenting with these techniques — and we expect more dictators to learn from the Russian playbook and adopt similar methods.
Rethink Firewall is the most downloaded FOSS network security tool on F-Droid for Android devices. For seemingly always-on, always-connected smartphones, on-device firewalls are notoriously hard to implement and maintain. This talk is about how 3 unsuspecting developers frustrated by digital surveillance and internet censorship got together, using the $12k in grant awarded by Mozilla in 2020, to build the missing "network sandbox" for 3B+ Android users, and the financial, technical, systemic challenges they faced along the way: From fighting the networking gods to make IPv6 work across a garden variety of topologies, to pushing the limits of SQLite for real-time stats & capturing network flows, to using Rethink itself to monitor & block its own egress, to testing the frontier of packet manipulation (for Deep Packet Inspection censorship resistance) and IP/domain filtering (supporting over 12 million entries) an Android app can achieve consuming limited resources (battery, processor, and memory), all the while supporting multiple WireGuard upstreams at once through open source virtualization layer (gVisor) Google built for its cloud servers! With a stream of recommendations from GrapheneOS, CalyxOS, DivestOS, the Guardian Project developers, and the varied feature-set Rethink packs, has made it the most downloaded (and probably the most confusing) WireGuard client on F-Droid.
Since Aug 2020, we've also been operating Rethink DNS, an anycast, public, censorship-resistant, highly-available DNS resolver serving 40bn requests per month & 400 TB / month in traffic at peak. It has been subject to DDoS attempts & bans by state actors. It is used in the default configuration by some popular anti-censorship projects like VLess, Hiddify, and I2P. The costs for Rethink DNS is paid for by its lead developers and partially by grants from FOSS United, an Indian non-profit. Besides discussing the software optimizations on both the client and server to bring down the costs, an unexpected lending hand from Cloudflare played a major role in handling traffic surges and keeping bad actors in check.
An anti-censorship and anti-surveillance tool for non-rooted Android devices is something we wished existed. We thought we'd be done in a year, but it is year #5 and we've so much left to do, as new users bring in newer feature requests, which mean more bugs and higher costs, too. To give a sense of our strong purpose, the toll of having drawn no salary for 5 years yet feeding our kids, living a frugal lifestyle just so this thing that we're building would exist, is not something our wives take very lightly!
Code: https://github.com/celzero/rethink-app (the UI) https://github.com/celzero/firestack (the network engine) https://github.com/serverless-dns/serverless-dns (the resolver)
OpenPERouter is a lightweight, open-source Provider Edge (PE) router designed to bridge traditional networking with the cloud-native ecosystem. By running directly on Linux hosts and Kubernetes nodes, it terminates VPN protocols and exposes a standard BGP interface, simplifying complex network topologies. In this session, we will explore the architecture of OpenPERouter and demonstrate how to deploy and interact with host-level Layer 3 protocols and Layer 2 interfaces. We will showcase its seamless integration with the cloud-native ecosystem, specifically enabling L3 EVPN tunneling to common Kubernetes network components like Calico and MetalLB. Additionally, we will demonstrate how OpenPERouter naturally extends to virtual machine networks by achieving a cross-cluster Layer 2 overlay using EVPN, VXLAN, and KubeVirt. Finally, we will share the project roadmap, highlighting upcoming support for new VPN protocols and standalone deployment methods outside of Kubernetes. Join us to discover how to transform your nodes into advanced network endpoints and simplify fabric connectivity.
Border Gateway Protocol (BGP) has traditionally been associated with hardware routers and static configurations, but modern networks increasingly demand software‑defined, programmable control planes. GoBGP, an open source BGP implementation written in Go, offers a rich API surface that enables dynamic policy changes, on‑the‑fly route injection, and tight integration with automation systems and controllers. This talk explores the practical challenges and solutions involved in turning GoBGP into a multi‑tenant, production‑grade BGP control plane. We will start with a brief overview of GoBGP's architecture and its gRPC/HTTP APIs, then dive into how those APIs can be leveraged to build a flexible control plane that reacts in real time to external events (for example, service discovery, telemetry feedback, or orchestration workflows).
The core of the session focuses on multi‑tenancy and operational aspects: - Building logical separation between tenants while sharing the same GoBGP control plane. - Mapping tenants to their own BGP server, route policies, and address families, and keeping configuration manageable as the number of tenants grows. - Handling dynamic tenant lifecycle events (creation, updates, deletion) through the API without disrupting existing sessions.
Building site-to-site VPNs over LTE/5G or behind NAT and stateful firewalls has always been painful. You either need a central relay server with a public IP, or spend hours configuring port forwarding and STUN. STUNMESH-go takes a different approach. It helps WireGuard peers find each other and establish direct P2P connections without running your own infrastructure.
The key idea is simple. Reuse existing public services instead of running your own. STUNMESH-go uses STUN servers to discover NAT endpoints, encrypts peer information with Curve25519, and stores it using flexible plugins, whether that's Cloudflare DNS, a shell script, or any custom key-value storage backend. Peers fetch each other's information and WireGuard handles the rest.
This session will cover: - Cross-platform packet capture (Linux raw sockets vs BSD BPF) - The plugin system and bringing your own storage without running servers - Compatibility with WireGuard kernel module (no wireguard-go embedding needed) - Minimizing binary size for embedded systems - Real deployments (SD-WAN over LTE and site-to-site VPN mesh) - Future IPv6 support for stateful firewall traversal
This talk shares experience from building P2P networking that works across Linux, FreeBSD, macOS, and embedded routers like VyOS, EdgeOS, and OpenWrt.
Github: https://github.com/tjjh89017/stunmesh-go/
IPv6 is nothing new yet IPv4 remains the default for the majority, despite IPv6 being ideal for containerized workloads. This talk covers the current state of IPv6 support in Kubernetes.
Discover why an IPv6 only Kubernetes environment can be a good idea. Potential challenges to anticipate, and valuable lessons from doing it in production using Cilium as CNI.
The Internet of Threads (IoTh) is an experimental networking model that assigns full IPv6 identities—addresses, routing behavior, and protocol stacks—to processes or even individual threads. Instead of containers or VMs, IoTh leverages user-space TCP/IP stacks.
This talk presents the open IoTh toolchain and its networking architecture: * libioth: the core IoTh library: a pluggable TCP/IP stack framework for user-space nodes. * nlinline: A quick and clean API for NetLink networking configuring (implemented in a header file). * libnlq: Netlink configuration library (for netlink clients and servers). * iothconf – Simple and expressive configuration for IoTh stacks. Common network setups can be defined with a single character string. * iothdns + iothnamed: DNS services supporting hash-based addressing and OTIP (One-Time IP) models * namedhcp: a DNS-driven DHCPv6/4 server for stateful, reproducible address assignment * otip-utils: tooling for ephemeral, privacy-oriented IPv6 addressing * iothradvd: an embeddable RA daemon for user-space IPv6 configuration
Deploying a Private 5G network has traditionally been the domain of proprietary vendors with complex, closed hardware. However, the maturity of open-source projects now allows engineers to build fully functional networks using standard servers and open software. Using purely open-source components requires precise orchestration of the hardware and software stack. This session aims to demonstrate a complete, end-to-end O-RAN deployment blueprint on top of OpenNebula. We will explain how to orchestrate the srsRAN suite (providing the centralized and distributed units) and Open5GS (the 5G Core). We will dive into the specific infrastructure requirements for running latency-sensitive telco workloads, focusing on Enhanced Platform Awareness (EPA) features. Attendees will learn how to configure SR-IOV and Passthrough for optimized network throughput, implement CPU Pinning and NUMA awareness for performance isolation, and manage Precision Time Protocol (PTP) synchronization from the host to the guest VM. The session will include a walkthrough of the automation blueprints used to configure 5G-ready edge nodes and instantiate verified telco appliances from the OpenNebula Marketplace.
Lightweight tunneling (LWT) has been supported on linux kernel since almost 10 years ago. It enables virtual environments to scale up their tunneling infrastructure, especially when containers are involved and container-to-container communication is needed.
Nftables now allows to scale up with tunnel expression, combining it with the infrastructure existing ruleset and other powerful features like maps, sets and stateful objects. During this talk, we will get a good understanding of what is the lightweight tunneling, when it can be useful and how to use it together with Nftables.
dn42 (decentralized network 42) is a community-driven overlay network over the Internet, it provides a testbed aimed at experimenting with Internet protocols such as BGP, IPv4 and v6, DNS, that can be used to skill-up, develop new ideas, or interconnect your local hackerspace(s) in a proper network without NAT.
Think of it as a real-world lab where you can break things without taking down the Internet, with over a thousand routes, traffic exchanged, real-life links and latencies and actual peers around the world.
This talk covers:
AS4242420263, aka "Flip Flap Network"),
in different geographic zones using Ansible, Debian, WireGuard and Bird.Developed in Python under MIT license, this service has permitted my network to grow to the top 25 of dn42 networks by number of BGP peers and graph centrality.