Enabling Network Policy Enforcement in Service Meshes
Behrooz Farkiani, Fan Liu, Patrick Crowley
TL;DR
The paper tackles the challenge of enforcing network policies across heterogeneous infrastructures by relying on Layer 3 policies. It introduces an overlay L3 network integrated into portable service meshes, using tunneled traffic and Stand-alone Proxies (SaPs) to enforce Layer 3 policies while preserving Layer 4–7 controls. A control plane coordinates L3 components, SaPs, GUE-over-UDP encapsulation, and per-overlay authorization keys within a default-deny framework, enabling end-to-end L3–L7 policy enforcement across clusters and even unmanaged endpoints. The authors implement a Kubernetes/Istio prototype, showing sub-millisecond overhead for policy enforcement in many paths and competitive or superior end-to-end latency compared with native Kubernetes network policies, thereby enabling portable, consistent security across diverse environments.
Abstract
Portable service mesh implementations enable Layer 4 to Layer 7 policy enforcement across heterogeneous infrastructures, yet they depend on the underlying network's connectivity and policies. Layer 3 network policies govern IP traffic regardless of whether upper layers authorize the flow. While these policies are integral to security, correct enforcement often requires coordination across multiple teams, and achieving consistent policy behavior across heterogeneous environments is challenging. Studies show that most Kubernetes clusters do not enforce any network policies. We propose integrating Layer 3 network policy enforcement with service meshes to protect data-plane traffic in a portable, infrastructure-agnostic manner. This integration allows developers to define Layer 3–7 policies and to ensure enforcement across any infrastructure. Our solution builds an overlay Layer 3 network and enforces Layer 3 policies by routing traffic through specific policy enforcement points and applying default-deny principles with authorization keys. We prototyped our approach using Kubernetes and Istio and found that it adds less than 1 ms of latency while supporting complex policies comparable to native Kubernetes network policies.
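The abstract describes the enforcement model only at a high level: overlay traffic is tunneled (GUE-over-UDP), routed through a Stand-alone Proxy, and forwarded only when it carries a valid per-overlay authorization key and matches an explicit Layer 3 rule; everything else is dropped. The following is an added toy model of that decision path, written for this page and not code from the paper or its prototype. The GUE base header layout (2-bit version, C bit, 5-bit header length in 32-bit words, 8-bit protocol, 16-bit flags) follows the IETF GUE draft, but everything else is an assumption of this example: that the 16-byte overlay key travels as a GUE extension field, that the key alone identifies the overlay at the SaP, and that the Layer 3 policy is a list of allow rules over (source prefix, destination prefix, IP protocol) with default deny. The packets and overlays are constructed inline.

```python
from __future__ import annotations

import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

GUE_BASE_LEN = 4     # GUE base header: Ver(2) C(1) Hlen(5) | Proto(8) | Flags(16)
KEY_LEN = 16         # assumed size of the per-overlay authorization key
IPPROTO_IPV4 = 4     # GUE proto value for an inner IPv4 packet (IP-in-IP number)
IPV4_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header


def build_inner_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed inner IPv4 packet (checksum left zero; this is a model, not a stack)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gue_packet(key: bytes, inner_ipv4: bytes) -> bytes:
    """Encapsulate: GUE base header + key carried as an extension field (assumed) + inner packet."""
    assert len(key) == KEY_LEN
    first = (0 << 6) | (0 << 5) | (KEY_LEN // 4)   # Ver=0, C=0, Hlen in 32-bit words
    return struct.pack("!BBH", first, IPPROTO_IPV4, 0) + key + inner_ipv4


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int   # IP protocol number, e.g. 6 = TCP, 17 = UDP


@dataclass
class StandaloneProxy:
    """Policy enforcement point for one or more overlays; unknown key or unmatched flow => DROP."""
    overlay_keys: dict[str, bytes]
    rules: dict[str, list[Rule]] = field(default_factory=dict)

    def _overlay_for_key(self, presented: bytes) -> str | None:
        # Constant-time comparison against every configured overlay key.
        for name, key in self.overlay_keys.items():
            if hmac.compare_digest(key, presented):
                return name
        return None

    def decide(self, datagram: bytes) -> tuple[str, str]:
        """Return (verdict, reason) for one GUE-over-UDP payload."""
        if len(datagram) < GUE_BASE_LEN:
            return "DROP", "truncated GUE header"
        first, proto, flags = struct.unpack("!BBH", datagram[:GUE_BASE_LEN])
        hlen = (first & 0x1F) * 4
        if (first >> 6) != 0 or flags != 0:
            return "DROP", "unsupported GUE version or flags"
        if hlen != KEY_LEN or proto != IPPROTO_IPV4:
            return "DROP", "no authorization key present or inner packet is not IPv4"
        if len(datagram) < GUE_BASE_LEN + hlen + 20:
            return "DROP", "truncated packet"
        key = datagram[GUE_BASE_LEN:GUE_BASE_LEN + hlen]
        inner = datagram[GUE_BASE_LEN + hlen:]
        overlay = self._overlay_for_key(key)
        if overlay is None:
            return "DROP", "unknown overlay authorization key"
        vihl, _, _, _, _, _, ip_proto, _, src, dst = struct.unpack(IPV4_HDR, inner[:20])
        if (vihl >> 4) != 4:
            return "DROP", "inner packet is not IPv4"
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for r in self.rules.get(overlay, []):
            if s in r.src and d in r.dst and ip_proto == r.proto:
                return "FORWARD", f"{overlay}: matched {r.src} -> {r.dst} proto {r.proto}"
        return "DROP", f"{overlay}: no matching rule (default deny)"


def demo() -> dict[str, str]:
    """Run constructed scenarios through one SaP and return the verdict for each."""
    sap = StandaloneProxy(
        overlay_keys={"payments": b"\x11" * KEY_LEN, "analytics": b"\x22" * KEY_LEN},
        rules={"payments": [Rule(ipaddress.IPv4Network("10.1.0.0/24"),
                                 ipaddress.IPv4Network("10.2.0.0/24"), 6)]},
    )
    k_pay, k_ana, k_bad = b"\x11" * KEY_LEN, b"\x22" * KEY_LEN, b"\x33" * KEY_LEN
    tcp = build_inner_ipv4("10.1.0.5", "10.2.0.9", 6, b"GET /")
    udp = build_inner_ipv4("10.1.0.5", "10.2.0.9", 17, b"probe")
    cases = {
        "payments_tcp_allowed": build_gue_packet(k_pay, tcp),      # key ok, rule matches
        "payments_udp_not_in_policy": build_gue_packet(k_pay, udp),  # key ok, no UDP rule
        "analytics_no_rules": build_gue_packet(k_ana, tcp),        # valid overlay, empty policy
        "unknown_key": build_gue_packet(k_bad, tcp),               # key not configured on the SaP
        "truncated": build_gue_packet(k_pay, tcp)[:10],            # malformed datagram
    }
    return {name: sap.decide(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The point the model makes is the ordering of checks: the authorization key gates which overlay's policy is even consulted, and an overlay with no rules forwards nothing, so a misconfigured or missing policy fails closed rather than open.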
