ABSTRACT
IP addresses and port numbers (network-based identifiers) are the main identifiers network devices use to recognise the systems and roles of the hosts exchanging packets, for access control lists, priority control and similar functions. In modern cloud system designs such as the microservice architecture, however, network-based identifiers are an inefficient way to identify systems and roles: VMs and containers (workloads) change elastically through autoscaling and the deployment of new code, and the only network-based identifiers they carry are derived from the servers on which they happen to be running. We propose a new system, Acila, that classifies packets at network devices based on the identity of a workload, by marking packets with the necessary information extracted from that identity, which is usually stored in the cloud controller. We implement Acila and show that packet filtering and priority control work with it, that the entries they require are more compact than with the network-based-identifier approach, and that the performance overhead is small.
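The efficiency argument in the abstract is easier to see with a small model. The following Python is an added illustration, not Acila's own code or packet format: it compares an ACL keyed on source IP with one keyed on an identity mark while a service autoscales and its replicas are re-addressed. The mark encoding (a plain dictionary), the controller inventory, the `sanitize_ingress` safeguard and all addresses are assumptions made for the example; the abstract does not say how Acila encodes or protects the mark.

```python
"""Added illustration (not Acila's own code): identity-based vs. network-based
packet classification under autoscaling. Mark format, inventory and addresses
are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

Policy = FrozenSet[Tuple[str, int]]  # allowed (source service identity, dst port)


@dataclass(frozen=True)
class Workload:
    ip: str
    service: str  # identity attribute held by the cloud controller


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    mark: Optional[Dict[str, str]] = None  # hypothetical identity mark
    from_trusted_port: bool = True         # set by the switch per ingress port


class NetworkAcl:
    """Network-based approach: one entry per (source IP, destination port)."""

    def __init__(self) -> None:
        self.rules: Set[Tuple[str, int]] = set()
        self.resyncs = 0

    def resync(self, inventory: Dict[str, Workload], policy: Policy) -> None:
        # Must re-run whenever a workload is created, destroyed or re-addressed.
        self.resyncs += 1
        self.rules = {(w.ip, port) for w in inventory.values()
                      for (svc, port) in policy if w.service == svc}

    def allows(self, pkt: Packet) -> bool:
        return (pkt.src_ip, pkt.dst_port) in self.rules


class IdentityAcl:
    """Identity-based approach: entries keyed on the identity carried in the mark."""

    def __init__(self, policy: Policy) -> None:
        self.rules: Set[Tuple[str, int]] = set(policy)  # unchanged as workloads churn

    def allows(self, pkt: Packet) -> bool:
        if pkt.mark is None:
            return False
        return (pkt.mark.get("service"), pkt.dst_port) in self.rules


def mark_packet(pkt: Packet, inventory: Dict[str, Workload]) -> Packet:
    """Trusted marking point: attach the sender's identity from the controller."""
    w = inventory.get(pkt.src_ip)
    pkt.mark = {"service": w.service} if w else None
    return pkt


def sanitize_ingress(pkt: Packet) -> Packet:
    """A mark is only meaningful if only trusted points can set it; this assumed
    safeguard drops any mark arriving on an untrusted port."""
    if not pkt.from_trusted_port:
        pkt.mark = None
    return pkt


def simulate(scale_steps=(2, 5, 3, 8)) -> Dict[str, int]:
    """Autoscale a 'frontend' service through the given replica counts, giving
    it fresh addresses each time, and count the ACL state each approach needs."""
    policy: Policy = frozenset({("frontend", 8080)})
    net_acl, id_acl = NetworkAcl(), IdentityAcl(policy)
    max_net_rules = 0
    for step, n in enumerate(scale_steps):
        # Constructed inventory: new addresses on every scale event.
        inventory = {f"10.{step}.0.{i}": Workload(f"10.{step}.0.{i}", "frontend")
                     for i in range(1, n + 1)}
        inventory["10.99.0.1"] = Workload("10.99.0.1", "batch")
        net_acl.resync(inventory, policy)
        max_net_rules = max(max_net_rules, len(net_acl.rules))
        for ip, w in inventory.items():
            pkt = sanitize_ingress(mark_packet(Packet(ip, 8080), inventory))
            expected = w.service == "frontend"
            assert net_acl.allows(pkt) == expected  # both approaches agree ...
            assert id_acl.allows(pkt) == expected   # ... but with different state
    # A host on an untrusted port forging a 'frontend' mark is still denied.
    forged = Packet("10.99.0.1", 8080, mark={"service": "frontend"},
                    from_trusted_port=False)
    forged_allowed = id_acl.allows(sanitize_ingress(forged))
    return {"network_rules_max": max_net_rules, "network_resyncs": net_acl.resyncs,
            "identity_rules": len(id_acl.rules), "forged_mark_allowed": int(forged_allowed)}


if __name__ == "__main__":
    print(simulate())
```

Across four scale events the IP-keyed ACL grows to eight entries and has to be resynchronised four times, while the identity-keyed ACL keeps its single entry; the last check shows why any marking scheme has to decide which ingress points are allowed to set the mark.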
Acila: attaching identities of workloads for efficient packet classification in a cloud data center network