Xaptum believes that open principles (open-source software, open standards, open collaboration) are a key driver for the development and adoption of new technologies. The open internet and web allowed anyone to easily participate, accelerating growth. The rapid adoption and continued evolution of commercially successful cloud platforms like AWS and GCP are in part directly attributable to the open-source components on which they run: the Linux kernel, Docker, runtimes like OpenJDK and Python, protocols like HTTP and MQTT, and more. We believe that achieving the grand vision of edge computing requires a similar model.
Companies participate in the open-source community for a variety of reasons:
Xaptum appreciates these benefits too, but for the edge there is a stronger reason to engage with the broader community. Edge computing is an emerging market with massive expectations but significant barriers to realization. The diversity of device types (smart dust to industrial PCs), communication (ad-hoc low-power wireless mesh to wired Ethernet), and environments (a high-tech factory floor to a remote forest) is enormous. A proprietary solution will struggle in this market simply because no single company can hope to develop support for such a broad and heterogeneous ecosystem. Instead, collaboration among many participants is required to achieve the grand vision of a connected world.
Xaptum’s contributions to the open-source community include conference talks, patches to upstream projects, submitting our device drivers to the mainline Linux kernel, and open-sourcing all protocols and software that run on our customers’ hardware.
Instead of inventing new protocols for IoT and Edge-to-Cloud, the ENF overlay network is a standards-compliant IPv6 network. This approach brings two significant benefits:
Of course, IPv6 was designed 25 years ago for the internet, not for the current state of edge computing. Xaptum’s core innovation is in the peripheral technologies (scaling, access management, deployment, etc.) necessary to secure and operate IPv6 networks at the needed scale. The following sections describe these capabilities and Xaptum’s related open-source contributions.
At the heart of the ENF is a scalable IPv6 backbone designed to present a “flat” network regardless of the global locations and movement of the connected devices. This software-defined core is built on the Linux kernel networking stack using two relatively new technologies. Segment Routing over IPv6 (SRv6) steers IPv6 packets along an explicit path through the network by listing the waypoints in a Segment Routing Header, which gives a natural place to enforce policy within the network. eBPF allows user-supplied programs to run safely inside the Linux kernel, making it easy to attach additional processing to the networking stack (including at SRv6 segment endpoints) without modifying the kernel itself.
“Using Segment Routing (SRv6) to Ease Management of eBPF Programs” by Zane Beckwith
Abstract: The demands placed on modern networks evolve rapidly but still require the fundamentals of efficient forwarding and granular visibility. eBPF can be combined with SRv6 to form a powerful tool for creating dynamic networks. eBPF enables the creation of efficient, safe, and tailored functionalities, while SRv6 makes the deployment and configuration of these functionalities scalable. This talk discusses the use of these tools to create a software-defined overlay network that allows new functionality to be quickly deployed.
The Linux kernel nftables firewall does not currently support filtering on SRv6-encapsulated packets: a rule that matches on the outer header sees only the address of the current segment, not the encapsulated traffic. After discussing a proposal with the netfilter maintainers, Xaptum has implemented this support. The patches are being tested internally before being submitted upstream.
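The SRv6 mechanics described above, and the reason a firewall needs to understand the Segment Routing Header before it can filter encapsulated traffic, as an added Python example. This is not ENF or Linux kernel code: it builds an SRv6-encapsulated packet in memory, applies the RFC 8986 "End" behaviour that each segment endpoint performs, and then walks past the SRH to the inner packet. The addresses, the three-segment path and the UDP payload are constructed for illustration.

```python
"""SRv6 (RFC 8754 / RFC 8986) in miniature: build an IPv6 packet whose Segment
Routing Header encapsulates an inner IPv6/UDP packet, apply the "End" behaviour
a segment endpoint performs, and find the inner packet the way a firewall must
before it can filter encapsulated traffic. Added example, not ENF or Linux
kernel code; every address and port below is constructed for illustration."""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_ROUTING = 17, 41, 43
SRH_ROUTING_TYPE = 4
IPV6_HDR_LEN = 40

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def srh(path, next_header):
    """SRH for a path [S1, ..., Sn]. The Segment List is stored reversed: index 0
    holds Sn and index n-1 holds S1; Segments Left starts at n-1 (pointing at S1,
    which is also the initial outer destination address)."""
    n = len(path)
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE,
                        n - 1, n - 1, 0, 0)  # nh, ext len, type, SL, last entry, flags, tag
    return fixed + b"".join(ipaddress.IPv6Address(s).packed for s in reversed(path))

def parse_srh(pkt, off=IPV6_HDR_LEN):
    nh, ext_len, rtype, sl, last, _flags, _tag = struct.unpack_from("!BBBBBBH", pkt, off)
    if rtype != SRH_ROUTING_TYPE:
        raise ValueError("routing header is not an SRH")
    segs = [ipaddress.IPv6Address(pkt[off + 8 + 16 * i:off + 24 + 16 * i])
            for i in range(last + 1)]
    return {"next_header": nh, "segments_left": sl, "last_entry": last,
            "segments": segs, "length": 8 + 8 * ext_len}

def srv6_end(pkt):
    """RFC 8986 section 4.1 "End": decrement Hop Limit and Segments Left, then
    rewrite the outer DA to Segment List[Segments Left]. Conditions the kernel
    answers with ICMPv6 errors are raised as exceptions here."""
    if pkt[6] != IPPROTO_ROUTING:
        raise ValueError("no routing header follows the IPv6 header")
    info = parse_srh(pkt)
    if info["segments_left"] == 0:
        raise ValueError("Segments Left is 0: this node is the final segment")
    if pkt[7] <= 1:
        raise ValueError("hop limit exhausted")
    if info["segments_left"] > info["last_entry"] + 1:
        raise ValueError("malformed SRH: Segments Left exceeds Last Entry + 1")
    sl = info["segments_left"] - 1
    out = bytearray(pkt)
    out[7] -= 1                     # Hop Limit
    out[IPV6_HDR_LEN + 3] = sl      # Segments Left
    out[24:40] = info["segments"][sl].packed
    return bytes(out)

def inner_ipv6(pkt):
    """Skip the SRH to the encapsulated packet (SRH next header 41, encap mode)."""
    info = parse_srh(pkt)
    if info["next_header"] != IPPROTO_IPV6:
        raise ValueError("SRH does not carry an inner IPv6 packet")
    inner = pkt[IPV6_HDR_LEN + info["length"]:]
    return {"src": ipaddress.IPv6Address(inner[8:24]),
            "dst": ipaddress.IPv6Address(inner[24:40]), "next_header": inner[6]}

def inner_dst_allowed(pkt, allowed_prefix):
    """The filtering problem: the outer DA is only the current segment, so a
    policy decision about the traffic needs the inner destination."""
    return inner_ipv6(pkt)["dst"] in ipaddress.IPv6Network(allowed_prefix)

def outer_dst(pkt):
    return str(ipaddress.IPv6Address(pkt[24:40]))

def build_sample():
    """A UDP datagram between two overlay hosts, encapsulated at an ingress node
    and steered through three segments (constructed policy waypoints)."""
    udp = struct.pack("!HHHH", 40000, 5683, 8 + 5, 0) + b"hello"  # checksum 0 for brevity
    inner = ipv6_header("2001:db8:1::10", "2001:db8:2::20", IPPROTO_UDP, len(udp)) + udp
    path = ["2001:db8:a::1", "2001:db8:b::1", "2001:db8:c::1"]
    hdr = srh(path, IPPROTO_IPV6)
    outer = ipv6_header("2001:db8:f::1", path[0], IPPROTO_ROUTING, len(hdr) + len(inner))
    return outer + hdr + inner

if __name__ == "__main__":
    p = build_sample()
    print("ingress DA", outer_dst(p))
    for hop in (1, 2):
        p = srv6_end(p)
        print("after End #%d: DA %s, SL %d" % (hop, outer_dst(p), parse_srh(p)["segments_left"]))
    print("inner DA", inner_ipv6(p)["dst"], "allowed:", inner_dst_allowed(p, "2001:db8:2::/48"))
```

Running it shows the outer destination moving from the first segment to the second and third as each endpoint applies End, while the inner destination never changes. A filter that only looks at the outer IPv6 header therefore sees segment addresses, which is why matching on the encapsulated packet requires SRH-aware support in the firewall.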
Manual key provisioning does not scale to millions of edge devices, so a low-touch approach integrated into the manufacturing process is needed. For this, Xaptum developed the XTT zero-touch provisioning protocol, building on the Direct Anonymous Attestation (DAA) group signature scheme developed by Intel researchers and others for the TPM and incorporated into both the FIDO and TPM 2.0 standards.
Xaptum released the first open-source C implementation of DAA.
Abstract: Static analysis tools can dramatically improve the reliability of software, but are often dismissed as onerous to set up and use. Static analysis is particularly useful for cryptography projects and other critical systems, which tend to have a tight focus and require a very clean code style. This talk discusses tools and approaches that were helpful during the development of an open-source elliptic curve pairing-based library, ECDAA, for privacy-preserving signatures such as those used by the FIDO Alliance. The emphasis of the talk is on concrete lessons for improving the reliability of critical code while fitting seamlessly into a modern development process. Tools discussed include the venerable standbys Valgrind and cppcheck, as well as modern examples like scan-build and Infer. The lessons learned are of interest to developers of many types of projects, not just cryptography libraries.
Today, connecting a Linux host to an overlay network or VPN requires several steps: install a VPN client, enter the access credentials, and configure the kernel to route traffic through the VPN as desired. For securing low-touch IoT devices or edge gateways, a simpler approach with less room for error is needed. To that end, Xaptum has developed the ENF Router Card, a mini PCIe module that performs all of these steps automatically.
Underlying the router card is a new USB model we developed, Host Socket Sharing (HSS), which allows a USB device to use the host’s internet connectivity.
Abstract: Daniel Berliner introduced a new USB model for sharing host internet connectivity with devices. The talk discussed how this is accomplished, why it is useful to allow devices to connect to the internet through their host, and some of the challenges that came up during implementation. This model allows for data to be passed without the device having to know the details of its host’s network.
Most internet-connected USB devices either have specific host drivers or dedicated networking hardware to connect to the internet. Several models exist for allowing USB devices to transmit data over an existing network, but they describe how to send Ethernet packets as if the connected device were a distinct entity on the network. With the model described in this talk, the host creates sockets for the device to manage, so the complexity of managing a distinct network entity is eliminated.
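The host-socket-sharing model described above, as an added Python example that is not Xaptum's HSS drivers and does not use their wire format. The USB link between device and host is stood in for by a socketpair, the request/response framing (opcodes, handles, status codes) is invented for illustration, and the "remote service" is a loopback echo server started inside the script. What it shows is the division of labour the model implies: the device never sees Ethernet or IP, it only asks the host to open, use and close sockets, and the host, as the owner of those sockets, is the natural place to enforce policy on what the device may reach (the allow-list below is that practitioner's check, not something the page attributes to HSS).

```python
"""Host Socket Sharing (HSS) in miniature: the device asks its host to open, use
and close sockets on its behalf and never touches Ethernet or IP itself.
Added example, not Xaptum's HSS drivers or wire format: the USB bulk link is a
socketpair, the framing is invented, and the remote service is a loopback echo."""
import socket
import struct
import threading

OP_OPEN, OP_SEND, OP_RECV, OP_CLOSE = 1, 2, 3, 4
STATUS_OK, STATUS_DENIED = 0, 1

def recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) < n:
        raise ConnectionError("link closed")
    return buf

def send_frame(sock, op, payload):
    # Frame: opcode (1 byte), payload length (2 bytes, big-endian), payload.
    sock.sendall(struct.pack("!BH", op, len(payload)) + payload)

def recv_frame(sock):
    op, length = struct.unpack("!BH", recv_exact(sock, 3))
    return op, recv_exact(sock, length)

def host_proxy(link, allowed):
    """Host side: serve device requests until the link closes. The host owns the
    sockets, so the (host, port) allow-list is enforced here, not on the device."""
    handles, next_handle = {}, 1
    while True:
        try:
            op, payload = recv_frame(link)
        except ConnectionError:
            break
        if op == OP_OPEN:
            host, port = payload.decode().rsplit(":", 1)
            if (host, int(port)) not in allowed:
                send_frame(link, op, struct.pack("!BH", STATUS_DENIED, 0))
                continue
            handles[next_handle] = socket.create_connection((host, int(port)))
            send_frame(link, op, struct.pack("!BH", STATUS_OK, next_handle))
            next_handle += 1
            continue
        handle = struct.unpack("!H", payload[:2])[0]
        sock, data = handles[handle], b""
        if op == OP_SEND:
            sock.sendall(payload[2:])
        elif op == OP_RECV:
            data = sock.recv(struct.unpack("!H", payload[2:4])[0])
        else:  # OP_CLOSE
            handles.pop(handle).close()
        send_frame(link, op, struct.pack("!BH", STATUS_OK, handle) + data)
    for sock in handles.values():
        sock.close()

def device_request(link, dest, data):
    """Device side: send `data` to `dest` ("host:port") through the host and
    return the reply, or None if the host refused the connection."""
    send_frame(link, OP_OPEN, dest.encode())
    status, handle = struct.unpack("!BH", recv_frame(link)[1])
    if status != STATUS_OK:
        return None
    send_frame(link, OP_SEND, struct.pack("!H", handle) + data)
    recv_frame(link)
    send_frame(link, OP_RECV, struct.pack("!HH", handle, 4096))
    reply = recv_frame(link)[1][3:]
    send_frame(link, OP_CLOSE, struct.pack("!H", handle))
    recv_frame(link)
    return reply

def start_echo_server():
    """Constructed stand-in for an internet service, listening on loopback."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo(permit_destination=True):
    """One device session through the host: the echoed bytes, or None if denied."""
    srv = start_echo_server()
    port = srv.getsockname()[1]
    allowed = {("127.0.0.1", port)} if permit_destination else set()
    dev_end, host_end = socket.socketpair()
    proxy = threading.Thread(target=host_proxy, args=(host_end, allowed))
    proxy.start()
    reply = device_request(dev_end, "127.0.0.1:%d" % port, b"ping from device")
    dev_end.close()
    proxy.join()
    host_end.close()
    srv.close()
    return reply
```

`demo()` runs one session end to end: the device's request crosses the link as a few small frames, the host opens the TCP connection, relays the bytes and closes it again. Note how little the device needs to know: a destination string and a handle, no addresses, routes or link configuration of its own. The flip side, which the allow-list in `host_proxy` illustrates, is that a device using this model borrows the host's network position, so the host side should decide which destinations a given device may reach rather than relaying every request.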
Xaptum released a reference implementation of both host and device (gadget) drivers.
All software required by a device to connect to the ENF overlay is open-source. This includes both drivers for hardware options (router card and access card) and software options (enftun) and all dependencies – XTT, ECDAA, and TPM.
The drivers have been submitted upstream.
Finally, the entire firmware (including the Buildroot external tree) for the ENF Router Card has been open-sourced. We envision this as a reference implementation for other NIC and modem manufacturers to directly incorporate ENF support into their devices.