Acila: Attaching Identities of Workloads for Efficient Packet Classification in a Cloud Data Center Network

TL;DR

Acila is a system that classifies network packets based on workload identities in cloud data centers, improving efficiency of packet filtering and priority control amidst dynamic VM and container creation.

Contribution

It introduces a workload identity-based packet classification system that enhances efficiency over traditional IP and port-based methods in cloud environments.

Findings

Packet filtering with Acila is more efficient than conventional methods.

Acila incurs minimal performance overhead.

Effective workload-based classification supports better network management.

Abstract

IP addresses and port numbers (network based identifiers hereafter) in packets are two major identifiers for network devices to identify systems and roles of hosts sending and receiving packets for access control lists, priority control, etc. However, in modern system design on cloud, such as microservices architecture, network based identifiers are inefficient for network devices to identify systems and roles of hosts. This is because, due to autoscaling and automatic deployment of new software, many VMs and containers consisting of the system (workload hereafter) are frequently created and deleted on servers whose resources are available, and network based identifiers are assigned based on servers where containers and VMs are running. In this paper, we propose a new system, Acila, to classify packets based on the identity of a workload at network devices, by marking packets with the necessary information extracted from the identity that usually stored in orchestrators or controllers. We then implement Acila and show that packet filtering and priority control can be implemented with Acila, and entries for them with Acila is more efficient than conventional network based identifiers approach, with little overhead on performance