Slides: https://onoe.dev/middleware2025

…admin-defined policies is required in container networks. (slide 2)
Achieved by container overlay networks using TCP/IP packet processing (such as encapsulation and NAPT).
…between hosts with dedicated hardware. (slide 4)
• Higher throughput
• Lower latency
• Lower CPU time
• Slower connection establishment time
…access control. (slide 5)
Each transport requires a different access control model, and applications need to select a transport themselves.
…latency, and CPU time for multiple transports using the socket API
• Improve container network performance by flexibly selecting among multiple acceleration techniques (slide 7)
Related work (slide 8)
• TAPS: proposes the use of multiple transports, but lacks flexible transport selection, access control, and consideration of UNIX domain sockets and RDMA
• AF_GRAFT [Nakamura 2018], Slim [Zhuo 2019], O2H [Choochotkaew 2022], ShuntFlow [Liu 2023], ONCache [Lin 2023], bypass4netns [Matsumoto 2024]: improve performance by bypassing the TCP/IP network stack after connection-based access control
• FreeFlow [Kim 2019], SocksDirect [Li 2019], MasQ [He 2020], TSoR [Sun 2023]: propose container virtual networks and access control for RDMA
• Acila [Ohnishi 2022]: achieves access control by converting label-based policies into identifier-level entries
…socket API. (slide 9)
• Use IP addresses and port numbers only as identifiers passed through the socket API, not as real TCP/IP addresses
• Assign virtual IP addresses to containers and virtual port numbers to applications
• Convert container-label-based policies into identifier-level entries and apply them
…used to specify server containers and the virtual port numbers exposed by applications. (slide 12)
Tiaccoon determines the server's host address for every available transport and registers each as a server entry. Tiaccoon selects a transport by choosing one of these server entries.
…access control entries and enforces them. (slide 13)
Tiaccoon identifies and applies the appropriate entries based on the virtual addresses of the client and the server.
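The control plane the last few slides describe (label policy compiled into identifier-level entries, one server entry per available transport, access control checked before a transport is chosen) is small enough to model end to end. The following Python is an added example written for this page, not code from the Tiaccoon repository: the data-structure shapes, the transport preference order, the sample hosts, labels and virtual addresses are all assumptions, and only the flow (compile policy, register entries, check entry, pick transport) follows the slides.

```python
"""Added example: a minimal model of Tiaccoon-style control-plane tables.

Illustrative code for this page, not the project's own. Assumptions:
(1) an admin label policy compiles into (client_vaddr, server_vaddr, vport)
entries, (2) a listening app gets one server entry per transport it can be
reached over, (3) a client picks the best permitted, reachable entry.
Preference order and all addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import product

# Assumed preference order, following the performance ranking on the slides:
# UNIX domain socket (same host) > RDMA (both hosts have the NIC) > host
# TCP/IP > overlay TCP/IP as the last resort.
TRANSPORT_PREFERENCE = ("unix", "rdma", "host_tcp", "overlay_tcp")


@dataclass(frozen=True)
class Container:
    name: str
    host: str
    vaddr: str            # virtual IP: an identifier, never routed
    labels: frozenset
    rdma: bool = False    # the container's host has an RDMA-capable NIC


@dataclass(frozen=True)
class ServerEntry:
    transport: str
    host_addr: str        # real address for that transport (constructed formats)


@dataclass
class Tiaccoon:
    containers: dict = field(default_factory=dict)   # vaddr -> Container
    acl: set = field(default_factory=set)            # (client_vaddr, server_vaddr, vport)
    servers: dict = field(default_factory=dict)      # (server_vaddr, vport) -> [ServerEntry]

    def add_container(self, c):
        self.containers[c.vaddr] = c

    def compile_policy(self, policy):
        """Convert an admin label policy into identifier-level (directional) entries."""
        srcs = [c for c in self.containers.values() if policy["from"] <= c.labels]
        dsts = [c for c in self.containers.values() if policy["to"] <= c.labels]
        for s, d in product(srcs, dsts):
            if s is not d:
                for vport in policy["vports"]:
                    self.acl.add((s.vaddr, d.vaddr, vport))

    def register_server(self, server_vaddr, vport):
        """An app listens on a virtual port: register one entry per available transport."""
        srv = self.containers[server_vaddr]
        entries = [ServerEntry("unix", f"/run/tiaccoon/{srv.name}-{vport}.sock"),
                   ServerEntry("host_tcp", f"{srv.host}:{40000 + vport}"),
                   ServerEntry("overlay_tcp", f"{server_vaddr}:{vport}")]
        if srv.rdma:
            entries.append(ServerEntry("rdma", f"{srv.host}:rdma:{vport}"))
        self.servers[(server_vaddr, vport)] = entries

    def select_transport(self, client_vaddr, server_vaddr, vport):
        """Access control first (an entry must exist), then transport selection."""
        if (client_vaddr, server_vaddr, vport) not in self.acl:
            raise PermissionError(f"{client_vaddr} -> {server_vaddr}:{vport} denied by policy")
        cli, srv = self.containers[client_vaddr], self.containers[server_vaddr]
        usable = {}
        for e in self.servers.get((server_vaddr, vport), []):
            if e.transport == "unix" and cli.host != srv.host:
                continue          # a socket path is only reachable on the same host
            if e.transport == "rdma" and not (cli.rdma and srv.rdma):
                continue          # RDMA needs hardware on both ends
            usable[e.transport] = e
        for t in TRANSPORT_PREFERENCE:
            if t in usable:
                return usable[t]
        raise LookupError(f"no reachable server entry for {server_vaddr}:{vport}")


def build_demo():
    """Constructed topology: two RDMA hosts, one plain host, one policy, one server."""
    t = Tiaccoon()
    t.add_container(Container("web1", "hostA", "10.200.0.1", frozenset({"app=web"}), rdma=True))
    t.add_container(Container("db1", "hostA", "10.200.0.2", frozenset({"app=db"}), rdma=True))
    t.add_container(Container("web2", "hostB", "10.200.0.3", frozenset({"app=web"}), rdma=True))
    t.add_container(Container("web3", "hostC", "10.200.0.4", frozenset({"app=web"})))
    t.add_container(Container("batch", "hostA", "10.200.0.5", frozenset({"app=batch"})))
    t.compile_policy({"from": {"app=web"}, "to": {"app=db"}, "vports": [5432]})
    t.register_server("10.200.0.2", 5432)
    return t


if __name__ == "__main__":
    t = build_demo()
    for client in ("10.200.0.1", "10.200.0.3", "10.200.0.4"):
        print(client, "->", t.select_transport(client, "10.200.0.2", 5432))
```

Two things worth noticing: the policy compiles to directional entries, so `db1` may not open a connection back to `web1` unless a second policy says so, and the access-control check runs before any transport is considered, which is why a denied client learns nothing about which transports the server exposes.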
…using Netperf while varying the per-send data size and the socket buffer size. (slide 16)
Connection establishment and close time: measured the completion time of the connect and close system calls 10,000 times.
Testbed: two physical machines, each with a 16-core CPU, directly connected via 100 Gbps Ethernet NICs supporting RDMA (RoCEv2).
…improved by using a faster available transport instead of TCP/IP. (slide 20)
Bypassing the container TCP/IP network stack: throughput, latency, and CPU time are all improved by socket replacement.
Connection establishment process: connection establishment time degrades because of the additional processing on the connect path: system call hooking, transport selection, access control, and socket replacement.
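The mechanism behind "socket replacement" is the part an application never sees: the app connects to a virtual address through the ordinary socket API, the hook resolves that address to a server entry and, for a same-host server, swaps the TCP socket's file descriptor for a UNIX domain socket. Tiaccoon does this by hooking system calls of unmodified programs; the Python below is an added, in-process analogue written for this page (not the project's code) that wraps `socket.connect` and replaces the descriptor with `os.dup2`. The entry table, the virtual address 10.200.0.2:5432, and the echo server are constructed for the example.

```python
"""Added example: socket replacement behind an unchanged socket API.

Illustrative code, not Tiaccoon's implementation. The hook is a socket
subclass whose connect() does transport selection; a real deployment hooks
the system calls of arbitrary binaries instead. The entry table and the
virtual address below are constructed for this example.
"""
import os
import socket
import tempfile
import threading

# Server entries: virtual (ip, vport) -> (transport, real host address).
# Constructed for the example; in the real system these are registered when
# the server application starts listening.
SERVER_ENTRIES = {}


class TiaccoonSocket(socket.socket):
    """Drop-in socket whose connect() checks the entry table and may swap the fd."""

    def connect(self, address):
        entry = SERVER_ENTRIES.get(tuple(address))
        if entry is None:
            # No identifier-level entry: the admin policy does not allow this flow.
            raise PermissionError(f"no entry for {address}: denied")
        transport, host_addr = entry
        if transport == "unix":
            # Same host: connect a UNIX domain socket and move it under the
            # descriptor number the application already holds. After dup2 the
            # app's send()/recv() hit the UNIX socket without noticing.
            uds = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            uds.connect(host_addr)
            os.dup2(uds.fileno(), self.fileno())
            uds.close()
        elif transport == "host_tcp":
            # Cross-host: plain TCP on the host network, bypassing the overlay.
            host, port = host_addr.rsplit(":", 1)
            super().connect((host, int(port)))
        else:
            raise LookupError(f"unsupported transport {transport}")


def start_unix_echo_server(path):
    """Constructed stand-in for a server container listening on a virtual port."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"echo:" + conn.recv(1024))
        srv.close()

    threading.Thread(target=run, daemon=True).start()


def client_app(vaddr, vport, payload):
    """The 'unmodified' application: it only ever sees the virtual address."""
    with TiaccoonSocket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((vaddr, vport))
        s.sendall(payload)
        return s.recv(1024)


def demo():
    """Register one same-host entry, run an allowed flow and a denied one."""
    path = os.path.join(tempfile.mkdtemp(), "db1-5432.sock")
    start_unix_echo_server(path)
    SERVER_ENTRIES[("10.200.0.2", 5432)] = ("unix", path)
    allowed = client_app("10.200.0.2", 5432, b"SELECT 1")
    try:
        client_app("10.200.0.9", 5432, b"x")
        denied = False
    except PermissionError:
        denied = True
    return allowed, denied


if __name__ == "__main__":
    print(demo())
```

The extra work on the connect path (table lookup, second socket, `dup2`) is exactly the overhead slide 20 attributes to connection establishment, while the data path afterwards is a plain UNIX socket with no container TCP/IP stack in between.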
…from other containers on the same host. (slide 21)
Portability: containers can use host-independent virtual addresses to communicate with other containers.
Controllability: only the admin can enforce network policies (access control).
→ Tiaccoon meets the requirements.
…control and transport selection by replacing the socket API. (slide 22)
• Can serve as an alternative to container overlay networks for connection-oriented protocols
• Throughput is higher, and latency and CPU time are lower, than with container overlay networks; all three are comparable to host networks
• Connection establishment time increases
Available: https://github.com/hiroyaonoe/tiaccoon
Future work: consideration of other transports / fine-grained transport selection