
arxiv: 2605.31084 · v1 · pith:GMVQ6DHXnew · submitted 2026-05-29 · 💻 cs.NI

Offloading L7 Policies to the Kernel

Pith reviewed 2026-06-28 20:12 UTC · model grok-4.3

classification 💻 cs.NI
keywords: service mesh, eBPF, L7 policies, kernel offload, microservices, TLS, HTTP/2, performance

The pith

L7FP enforces most L7 policies in kernel eBPF by synthesizing programs from high-level rules, cutting service mesh latency up to 6x.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that service meshes can move the bulk of application-layer policy enforcement from user-space sidecar proxies into the kernel. It does so by taking high-level policies and automatically generating eBPF code that handles them on the data path. A sympathetic reader would care because the current approach of interposing proxies creates repeated context switches that slow down microservice communication. If the approach holds, existing deployments gain speed without rewriting applications and retain compatibility through automatic fallback.

Core claim

L7FP is a fast path for service meshes which can enforce the vast majority of application-layer policies seen in the wild directly in kernel space. Given high-level policies, L7FP automatically synthesizes an eBPF-based data plane which enforces them in the kernel. L7FP accelerates existing microservices without any code modification, and transparently falls back to existing service proxies for the few unsupported policies. It fully supports TLS and HTTP/2 and delivers up to 6 times lower median request latency while sustaining 3 times more throughput than state-of-the-art service meshes.

What carries the argument

Automatic synthesis of eBPF programs from high-level L7 policies to create a kernel-resident fast path that handles enforcement.

If this is right

  • Microservices run faster with no source changes or redeployment.
  • Service mesh throughput rises by a factor of three on realistic workloads.
  • Only a small fraction of policies ever reach the slower user-space path.
  • Existing proxy-based meshes can adopt the kernel path without breaking compatibility.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Operators could reduce the number of dedicated proxy CPU cores needed per service instance.
  • Kernel networking stacks might evolve to expose more L7 primitives natively if this pattern spreads.
  • Similar synthesis techniques could target other policy domains such as rate limiting or observability.

Load-bearing premise

The vast majority of real-world application-layer policies can be correctly and completely expressed as eBPF programs that run safely inside the kernel.

What would settle it

A trace of production microservice traffic showing that a large share of observed L7 policies trigger fallback to user-space proxies, erasing the reported latency and throughput gains.

Figures

Figures reproduced from arXiv: 2605.31084 by Aurojit Panda, Ayush Mishra, Gianni Antichi, Laurent Vanbever, Laurin Brandner, Sebastiano Miano.

Figure 1: By default, service proxies route inter-pod traffic through the loopback device (blue line). State-of-the-art service meshes optimize IPC by rerouting the traffic using eBPF (orange line). L7FP offloads L7 policy enforcement to the kernel, eliminating the service proxy from the critical path (green line).
… traced back to two main sources: (1) Service proxies execute highly general code and can enforce any …

Figure 2: Protocol parsing, policy enforcement, and IPC are the main sources of overhead that dictate Envoy’s performance. L7FP optimizes these inefficiencies simultaneously, resulting in a 46% lower request latency.
The following paragraphs discuss why L7FP’s data plane can profit from specialization and what the benefits of offloading that data plane to the kernel space using eBPF are. Specializing the data plan…

Figure 3: The most popular L7 policies can be implemented in eBPF and do not require kernel changes.
We conclude that eBPF is sufficient to offload the most popular L7 policies to kernel space. In the following section, we discuss how L7FP accelerates applications in detail.
3 Design
L7FP enforces the vast majority of the L7 policies found in the wild (…

Figure 4: The fast path processes L7 policies in the kernel. The slow path falls back to the service proxy.
… routing /admin requests onto an open socket to the service proxy, as these requests cannot be authorized in the kernel.
3.1 Data Plane
Given a high-level policy, L7FP automatically synthesizes an eBPF-based data plane and loads it into the kernel. This data plane adopts the Parse-Match-Action paradigm commonl…

Figure 5: The data plane parses the message and returns a header vector. Subsequent actions enforce the L7 policy based on this data structure.
  Action       Description
  compare      Compares two data values.
  read/write   Reads/writes a segment of the message.
  en-/decode   En-/decodes data with a given scheme.
  en-/decrypt  En-/decrypts data with a given scheme.
  hash         Hashes data with a given scheme.
  get/set      Manage state in a global …

Figure 6: L7FP synthesizes the Action stage with predefined policy templates.
… mutation template shown in …

Figure 7: L7FP reduces the request latency across every percentile while increasing the throughput.
… 20K req/s for the Hotel Reservation. We repeat this experiment 30 times to reduce noise …

Figure 8: L7FP’s slow path improves the throughput for messages smaller than 6.8 kB. For larger headers, the parsing overhead outweighs the IPC optimizations.
… is spent on parsing. This overhead is fundamental, as L7FP must iterate over the full HTTP header to match the message against the configured policy. The remainder of the runtime is implementation-specific and accounts for data copies, string comparisons and …

Figure 10: The eBPF runtime is less efficient than user space, such that the performance degrades more quickly when enforcing the Mutate policy. Despite this, L7FP still outperforms the L4 fast path by 2.2× in the worst case.
… overhead is only 0.30 ms, whereas Envoy’s overhead reaches 0.78 ms for every request (0.68 ms with the L4 fast path). To summarize, eBPF’s runtime is indeed less efficient than that of the use…

Figure 9: Even for the most complex policies, L7FP improves the throughput of the L4 fast path by at least 39%. For above-average complex policies, the throughput improvement can reach up to 73%.
Understanding L7FP’s overheads. The previous experiment shows that the performance of L7FP degrades more quickly than Envoy’s. This is to be expected, as eBPF programs are executed in a virtual machine that lacks some run…
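
An added illustration, not code from the paper or from L7FP: a user-space C model of the parse-match-action fast path with slow-path fallback described in the figure captions above. The rule table, the sample requests and the choice to hand unparseable or non-normalized paths to the proxy are assumptions made for this example.

```c
/* User-space model of a parse-match-action fast path with slow-path fallback.
 * Added illustration: not eBPF and not L7FP code. Rules and requests are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_REQ   512  /* bounded input; eBPF programs need bounded loops too */
#define MAX_FIELD 64

enum verdict { FAST_ALLOW, FAST_DENY, SLOW_PATH };

/* "Header vector" produced by the parse stage. */
struct hdr_vec { char method[MAX_FIELD]; char path[MAX_FIELD]; };

struct rule {                  /* match: method (NULL = any) and path prefix */
    const char *method;
    const char *prefix;
    enum verdict action;
};

/* Hypothetical policy, first match wins. */
static const struct rule rules[] = {
    { NULL,     "/admin",  SLOW_PATH  },  /* authorization left to the proxy */
    { "GET",    "/health", FAST_ALLOW },
    { "DELETE", "/",       FAST_DENY  },
    { "GET",    "/api/",   FAST_ALLOW },
};

/* Copy one token of the request line; fail if it is empty or does not fit. */
static int take_token(const char **p, const char *end, char *out)
{
    size_t n = 0;
    while (*p < end && **p != ' ' && **p != '\r' && **p != '\n') {
        if (n + 1 >= MAX_FIELD) return -1;
        out[n++] = *(*p)++;
    }
    out[n] = '\0';
    if (n == 0) return -1;
    if (*p < end && **p == ' ') (*p)++;
    return 0;
}

/* Parse stage (request line only): 0 on success, -1 if not understood. */
static int parse(const char *buf, size_t len, struct hdr_vec *hv)
{
    const char *p = buf, *end = buf + len;
    char version[MAX_FIELD];
    if (len == 0 || len > MAX_REQ) return -1;
    if (take_token(&p, end, hv->method) || take_token(&p, end, hv->path) ||
        take_token(&p, end, version))
        return -1;
    if (strcmp(version, "HTTP/1.1") != 0 || hv->path[0] != '/')
        return -1;
    return 0;
}

/* A raw-byte prefix match can disagree with the proxy's normalized path. */
static int needs_normalization(const char *path)
{
    return strstr(path, "..") != NULL || strstr(path, "//") != NULL ||
           strchr(path, '%') != NULL;
}

/* Match and action stages. */
enum verdict enforce(const char *buf, size_t len)
{
    struct hdr_vec hv;
    if (parse(buf, len, &hv) != 0 || needs_normalization(hv.path))
        return SLOW_PATH;      /* never allow what was not understood */
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        if (rules[i].method && strcmp(rules[i].method, hv.method) != 0)
            continue;
        if (strncmp(hv.path, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            return rules[i].action;
    }
    return SLOW_PATH;          /* no rule matched: the proxy stays authoritative */
}

enum verdict enforce_str(const char *req) { return enforce(req, strlen(req)); }

int main(void)
{
    static const char *names[] = { "FAST_ALLOW", "FAST_DENY", "SLOW_PATH" };
    static const char *samples[] = {       /* constructed requests */
        "GET /health HTTP/1.1\r\nHost: svc\r\n\r\n",
        "GET /admin/users HTTP/1.1\r\nHost: svc\r\n\r\n",
        "DELETE /api/items/1 HTTP/1.1\r\nHost: svc\r\n\r\n",
        "GET /api/../admin/users HTTP/1.1\r\nHost: svc\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s  %.*s\n", names[enforce_str(samples[i])],
               (int)strcspn(samples[i], "\r"), samples[i]);
    return 0;
}
```

The fast path only returns an allow or deny verdict for requests it parsed completely and matched on their literal bytes; everything else takes the slow path, so a parsing difference between kernel and proxy cannot widen access.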
Original abstract

Service meshes have recently emerged as the de-facto standard for deploying microservices. Conceptually, they provide a uniform abstraction for inter-process communication (IPC) between services by implementing common networking mechanisms -- such as encryption, routing, and load balancing -- and by allowing these mechanisms to be configured and composed through high-level policies. Supporting these policies, however, comes with a significant performance cost, since service meshes interpose proxies ("sidecars") on the data path, leading to numerous context switches. This paper presents L7FP, a fast path for service meshes which can enforce the vast majority of application-layer policies seen in the wild directly in kernel space. Given high-level policies, L7FP automatically synthesizes an eBPF-based data plane which enforces them in the kernel. L7FP accelerates existing microservices without any code modification, and transparently falls back to existing service proxies (the slow path) for the few unsupported policies. We fully implemented L7FP, with support for both TLS and HTTP/2. Compared to state-of-the-art service meshes, L7FP reduces the median request latency of realistic applications by up to 6× while sustaining 3× more throughput.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper presents L7FP, a kernel fast path for service meshes that automatically synthesizes eBPF programs to enforce the majority of L7 policies (TLS and HTTP/2) directly in the kernel. It claims transparent fallback to user-space proxies for unsupported policies, no application changes required, and performance gains of up to 6× lower median latency and 3× higher throughput versus state-of-the-art service meshes on realistic applications.

Significance. If the synthesis covers the vast majority of production L7 policies without frequent fallback and the reported speedups are reproducible, the work would meaningfully reduce the overhead of service-mesh sidecars while preserving their policy model.

major comments (2)
  1. [Abstract and Evaluation (implied)] The central performance claim (6× latency, 3× throughput) is realized only when the synthesized fast path handles the workload. The manuscript states that fallback occurs for 'the few unsupported policies' but supplies no measurement—e.g., success rate or distribution—of how many policies from representative deployments (Istio/Linkerd configs, production traces) synthesize successfully versus requiring the slow path. This quantification is load-bearing for extrapolating the headline numbers beyond the specific evaluated applications.
  2. [Abstract] The abstract asserts that the system 'was fully implemented and evaluated' with support for TLS and HTTP/2, yet provides no details on synthesis correctness verification, policy coverage metrics, baseline proxy configurations, or statistical significance of the reported speedups. These omissions prevent verification of the soundness of the implementation claims.
minor comments (1)
  1. Clarify the exact set of L7 policy primitives supported by the eBPF synthesizer versus those that trigger fallback.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive review. The two major comments highlight important gaps in quantification and verification details. We address each below and will revise the manuscript accordingly to improve clarity and reproducibility.

Point-by-point responses
  1. Referee: The central performance claim (6× latency, 3× throughput) is realized only when the synthesized fast path handles the workload. The manuscript states that fallback occurs for 'the few unsupported policies' but supplies no measurement—e.g., success rate or distribution—of how many policies from representative deployments (Istio/Linkerd configs, production traces) synthesize successfully versus requiring the slow path. This quantification is load-bearing for extrapolating the headline numbers beyond the specific evaluated applications.

    Authors: We agree that explicit quantification of synthesis success rates across representative policy sets is necessary to support extrapolation of the performance results. The current evaluation focuses on realistic applications where the fast path applies, but we did not include aggregate coverage statistics from Istio/Linkerd configurations or production traces. We will add this analysis in a revised Section 5 (or new subsection), reporting success rates and fallback frequency on sampled production-like policy sets. revision: yes

  2. Referee: The abstract asserts that the system 'was fully implemented and evaluated' with support for TLS and HTTP/2, yet provides no details on synthesis correctness verification, policy coverage metrics, baseline proxy configurations, or statistical significance of the reported speedups. These omissions prevent verification of the soundness of the implementation claims.

    Authors: The full manuscript contains implementation details (Sections 3–4) and evaluation methodology (Section 5), including baseline proxy versions and how correctness was validated via differential testing against user-space proxies. However, we acknowledge that the abstract and evaluation sections lack explicit coverage metrics, configuration details, and statistical reporting (e.g., confidence intervals or number of runs). We will expand the abstract if space permits, add a dedicated paragraph on verification approach, and include statistical details plus baseline configurations in the revised evaluation section. revision: yes

Circularity Check

0 steps flagged

No circularity in derivation chain

full rationale

The paper describes an implementation (L7FP) that synthesizes eBPF programs from high-level L7 policies and evaluates it via benchmarks against service meshes. No equations, fitted parameters, predictions derived from inputs, or self-citation chains appear in the provided text. The performance claims (6× latency, 3× throughput) rest on direct measurement of the implemented system rather than any reduction to self-referential definitions or ansatzes. The coverage assumption noted by the skeptic is an evaluation gap, not a circular derivation step.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

This is an applied systems implementation paper; the central claim rests on the engineering correctness of eBPF program synthesis and the representativeness of the evaluated workloads rather than new mathematical constructs.

axioms (1)
  • domain assumption: eBPF verifier guarantees safety for the synthesized L7 policy programs
    The paper relies on the existing eBPF safety mechanisms to allow kernel execution of the generated data plane.

