IP addresses and port numbers (network-based identifiers hereafter) in packets are the two major identifiers that network devices use to identify the systems and roles of the hosts sending and receiving packets, for access control lists, priority control, etc. However, in modern system design in the cloud, such as microservices architecture, network-based identifiers are inefficient for network devices to identify the systems and roles of hosts. This is because, due to autoscaling and automatic deployment of new software, many of the VMs and containers that make up a system (workloads hereafter) are frequently created and deleted on whichever servers have resources available, and network-based identifiers are assigned based on the servers where the containers and VMs are running. In this paper, we propose a new system, Acila, to classify packets at network devices based on the identity of a workload, by marking packets with the necessary information extracted from the identity, which is usually stored in orchestrators or controllers. We then implement Acila and show that packet filtering and priority control can be implemented with Acila, and that the entries for them with Acila are more efficient than with the conventional network-based identifier approach, with little overhead on performance.
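The following sketch is an added illustration of the abstract's argument, not code from the paper or from Acila: it compares a source-IP allow-list with an allow-list keyed on an identity mark across one autoscaling event. The mark values, field names, inventory and the address-reuse scenario are all constructed assumptions; the abstract does not describe Acila's actual marking format.

```python
# Added illustration. Mark values, field names and the inventory are
# assumptions, not Acila's actual marking format.

# Hypothetical numeric marks derived from (system, role) identities.
TAG_OF = {("shop", "web"): 0x0101, ("shop", "db"): 0x0102,
          ("batch", "worker"): 0x0201}

# Policy written on identity: only shop/web may send to the protected service.
ALLOWED = {("shop", "web")}

# Constructed inventory before and after an autoscaling event. One web
# workload is rescheduled, one is added, and the freed address 10.0.3.27
# is reused by a workload of another system.
BEFORE = [(("shop", "web"), "10.0.1.11"), (("shop", "web"), "10.0.3.27"),
          (("shop", "db"), "10.0.2.12"), (("batch", "worker"), "10.0.3.28")]
AFTER = [(("shop", "web"), "10.0.1.11"), (("shop", "web"), "10.0.2.40"),
         (("shop", "web"), "10.0.1.93"), (("shop", "db"), "10.0.2.12"),
         (("batch", "worker"), "10.0.3.27")]

def ip_acl(workloads):
    """Conventional filter: one entry per source IP of an allowed workload."""
    return {ip for ident, ip in workloads if ident in ALLOWED}

def tag_acl():
    """Identity-based filter: one entry per allowed identity."""
    return {TAG_OF[ident] for ident in ALLOWED}

def mark(src_ip, workloads):
    """Marking step: attach the sending workload's identity mark."""
    ident = {ip: i for i, ip in workloads}[src_ip]
    return {"src_ip": src_ip, "mark": TAG_OF[ident]}

def churn(before, after):
    """Entries a device must add or delete to move between two tables."""
    return len(before ^ after)

def summary():
    return {
        "ip_entries": (len(ip_acl(BEFORE)), len(ip_acl(AFTER))),
        "tag_entries": (len(tag_acl()), len(tag_acl())),
        "ip_churn": churn(ip_acl(BEFORE), ip_acl(AFTER)),
        "tag_churn": churn(tag_acl(), tag_acl()),
        # An IP table not yet updated still lists the reused address.
        "stale_ip_admits_batch": "10.0.3.27" in ip_acl(BEFORE),
        "tag_admits_batch": mark("10.0.3.27", AFTER)["mark"] in tag_acl(),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The identity-keyed table keeps a single entry and needs no update when workloads move, while the IP-keyed table grows with the number of workloads and must be rewritten on every scheduling change.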