# Rootless Networking

The "classic" approach for container networking is `veth` + bridge.

Pros:

- good performance

- easy to manage and understand

- flexible (possibility to use multiple, isolated bridges)

Cons:

- requires root access on the host to set up networking

---

## Rootless options

- Locked down helpers

  - daemon, scripts started through sudo...

  - used by some desktop virtualization platforms

  - still requires root access at some point

- Userland networking stacks

  - true solution that does not require root privileges

  - lower performance

---

## Userland stacks

- [SLiRP](https://en.wikipedia.org/wiki/Slirp)

  *the OG project that inspired the other ones!*

- [VPNKit](https://github.com/moby/vpnkit)

  *introduced by Docker Desktop to play nice with enterprise VPNs*

- [slirp4netns](https://github.com/rootless-containers/slirp4netns)

  *slirp adapted for network namespaces, and therefore, containers; better performance*

- [passt and pasta](https://passt.top/)

  *more modern approach; better support for inbound traffic; IPv6...*

---

## Passt/Pasta

- No dependencies

- NAT (like slirp4netns) or no-NAT (for e.g. KubeVirt)

- Can handle inbound traffic dynamically

- No dynamic memory allocation

- Good security posture

- IPv6 support

- Reasonable performance

---

## Demo?