Slide 1
Tiaccoon: Unified Access Control with Multiple Transports in Container Networks
26th ACM International Middleware Conference, 17th December 2025
Hiroya Onoe, Daisuke Kotani, Yasuo Okabe
Slide: https://onoe.dev/middleware2025

Slide 2
Background: Container Networks and Access Control
• Access control based on admin-defined policies is required in container networks
• Achieved by container overlay networks using TCP/IP packet processing (such as encapsulation and NAPT)

Slide 3
Background: Various Transports
UNIX Domain Socket
• Available only for use between containers on the same host
• Higher throughput, lower latency

Slide 4
Background: Various Transports
RDMA (Remote Direct Memory Access)
• Accelerates container communication between hosts with dedicated hardware
• Higher throughput, lower latency, lower CPU time
• Slower connection establishment time

Slide 5
Challenges
Flexibly using appropriate transports for hosts while maintaining unified access control
• Each transport requires a different access control model
• Applications need to select a transport

Slide 6
Tiaccoon
Achieves unified access control and container communication regardless of transport by replacing the processing of socket API calls

Slide 7
Contributions
• Enable unified access control without degrading throughput, round-trip latency, and CPU time for multiple transports used through the socket API
• Improve container network performance by flexibly selecting among multiple acceleration techniques

Slide 8
Related Works
• AppSwitch [Subhraveti 2017], AF_GRAFT [Nakamura 2018], NetKernel [Niu 2022], Flower, IETF TAPS: propose the use of multiple transports, but lack flexible transport selection, access control, and consideration of UNIX domain sockets and RDMA
• AF_GRAFT [Nakamura 2018], Slim [Zhuo 2019], O2H [Choochotkaew 2022], ShuntFlow [Liu 2023], ONCache [Lin 2023], bypass4netns [Matsumoto 2024]: improve performance by bypassing the TCP/IP network stack after connection-based access control
• FreeFlow [Kim 2019], SocksDirect [Li 2019], MasQ [He 2020], TSoR [Sun 2023]: propose container virtual networks and access control for RDMA
• Acila [Ohnishi 2022]: achieves access control by converting label-based policies into identifier-level entries

Slide 9
Tiaccoon
• Access control, transport selection, and socket creation by hooking the socket API
• Uses IP addresses and port numbers as identifiers only, not as TCP/IP addresses
• Assigns virtual IP addresses to containers and virtual port numbers to applications
• Converts container-label-based policies into entries and applies them

Slide 10
Server-Side Socket API

Slide 11
Client-Side Socket API

Slide 12
Transport Selection
• Admin registers a server policy, including label conditions used to specify server containers and the virtual port numbers exposed by applications
• Tiaccoon determines server host addresses for all available transports and registers them as server entries
• Tiaccoon selects transports by choosing server entries

Slide 13
Access Control
• Tiaccoon converts label-based access control policies into virtual-address-based access control entries and enforces them.
• Tiaccoon identifies and applies the appropriate entries based on the virtual addresses of the client and the server.
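The policy-to-entry conversion and the per-connection transport choice described on slides 12 and 13, as an added example that is not Tiaccoon's own code: container names, labels, virtual IPs, hosts and the socket-path layout are constructed, and the preference order (UNIX, then RDMA, then TCP/IP) is an assumption for illustration.

```python
# Added example, not Tiaccoon's own code: compile label-based policies into
# virtual-address entries (slide 13) and pick a transport per connection from the
# registered server entries (slide 12). Sample data and the preference order are assumptions.
from collections import namedtuple

# Assumed preference: fastest usable transport first, TCP/IP as the fallback.
TRANSPORT_PREFERENCE = ("unix", "rdma", "tcp")

# vip: admin-assigned, host-independent virtual IP; rdma: host has an RDMA VF
Container = namedtuple("Container", "name labels vip host rdma")

def build_entries(containers, server_policies, access_policies):
    """Label-based policies -> identifier-level entries keyed by virtual address."""
    servers = {}  # (server vip, vport) -> {"host": ..., "addrs": {transport: address}}
    for pol in server_policies:
        for c in containers:
            if pol["selector"] <= c.labels:
                addrs = {"tcp": f"{c.host}:{pol['vport']}",
                         "unix": f"/run/tiaccoon/{c.name}-{pol['vport']}.sock"}
                if c.rdma:
                    addrs["rdma"] = f"rdma://{c.host}:{pol['vport']}"
                servers[(c.vip, pol["vport"])] = {"host": c.host, "addrs": addrs}
    allowed = {(cl.vip, sv.vip, pol["vport"]) for pol in access_policies  # (client, server, vport)
               for cl in containers for sv in containers
               if pol["from"] <= cl.labels and pol["to"] <= sv.labels}
    return servers, allowed

def resolve_connect(client, dst_vip, vport, servers, allowed):
    """Decision the hooked connect() takes: None (deny) or (transport, address)."""
    if (client.vip, dst_vip, vport) not in allowed or (dst_vip, vport) not in servers:
        return None
    entry = servers[(dst_vip, vport)]
    for t in TRANSPORT_PREFERENCE:
        # UNIX sockets only work within one host; RDMA needs hardware at both ends.
        if (t == "unix" and entry["host"] != client.host) or (t == "rdma" and not client.rdma):
            continue
        if t in entry["addrs"]:
            return t, entry["addrs"][t]
    return None

# Constructed sample inventory and policies.
CONTAINERS = [
    Container("web1", frozenset({"app=web"}), "10.0.0.1", "hostA", True),
    Container("db1", frozenset({"app=db"}), "10.0.0.2", "hostA", True),
    Container("db2", frozenset({"app=db"}), "10.0.0.3", "hostB", True),
    Container("web2", frozenset({"app=web"}), "10.0.0.4", "hostC", False),
]
SERVER_POLICIES = [{"selector": frozenset({"app=db"}), "vport": 5432}]
ACCESS_POLICIES = [{"from": frozenset({"app=web"}), "to": frozenset({"app=db"}), "vport": 5432}]
```

Note that the access decision is made entirely on virtual identifiers, so a client never needs to know which physical host or transport serves a given virtual address.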

Slide 14
Implementation: System Call Hooking
• Access control and transport selection with seccomp_unotify
• Sockets replaced via SECCOMP_IOCTL_NOTIF_ADDFD for the TCP and UNIX transports

Slide 15
Implementation: RDMA
• Access control and transport selection with seccomp_unotify
• Socket creation with rsocket for Tiaccoon, loaded by LD_PRELOAD
• SR-IOV Virtual Function (VF) assigned to containers

Slide 16
Evaluation
• Throughput, latency, and CPU time: measured the 10-second average using Netperf while varying the per-send data size and the socket buffer size.
• Connection establishment and close time: measured the completion time of the connect and close system calls 10,000 times.
• Setup: two physical machines, each equipped with a 16-core CPU, directly connected via a 100 Gbps Ethernet NIC supporting RDMA (RoCEv2).

Slide 17
Evaluation: TCP/IP Container Overlay Network vs. Tiaccoon
Improved throughput, latency, and CPU time across TCP/IP, UNIX, and RDMA

Slide 18
Evaluation: Host Networks vs. Tiaccoon
Comparable throughput, latency, and CPU time across TCP/IP, UNIX, and RDMA

Slide 19
Evaluation: Connection Establishment & Close Time
Degradation across TCP/IP, UNIX, and RDMA

Slide 20
Discussion: Performance
• Transport selection: throughput, latency, and CPU time are improved by using a faster transport, when available, instead of TCP/IP
• Bypassing the container TCP/IP network stack: throughput, latency, and CPU time are improved by socket replacement
• Connection establishment process: connection establishment time degrades due to additional processing (system call hooking, transport selection, access control, and socket replacement)

Slide 21
Discussion: Container Network Requirements
• Isolation: containers can communicate without interference from other containers on the same host
• Portability: containers can use host-independent virtual addresses to communicate with other containers
• Controllability: only the admin can enforce network policies (access control)
→ Tiaccoon meets these requirements

Slide 22
Conclusion
• Achieves transport-independent access control and container communication
• Label-based access control and transport selection by replacing the socket API
• Can serve as an alternative to container overlay networks for connection-oriented protocols
• Throughput, latency, and CPU time are improved over container overlay networks and comparable to host networks
• Connection establishment time increases
Available: https://github.com/hiroyaonoe/tiaccoon
Future work: consideration of other transports / fine-grained transport selection