
While the use of containerization technologies for virtual application deployment has grown at an astonishing rate, the question of the robustness of container networking has not been well scrutinized from a security perspective, even though inter-container networking is indispensable for microservices. Thus, this paper first analyzes container networks from a security perspective, discussing the implications based on their architectural limitations. Then, it presents Bastion+, a secure inter-container communication bridge. Bastion+ introduces (i) a network security enforcement stack that provides fine-grained control per container application and securely isolates inter-container traffic in a point-to-point manner. Bastion+ also supports (ii) selective security function chaining, enabling various security functions to be chained between containers for further security inspections (e.g., deep packet inspection) according to the container's network context. Bastion+ incorporates (iii) a security policy assistant that helps an administrator discover inter-container networking dependencies correctly. Our evaluation demonstrates how Bastion+ can effectively mitigate several adversarial attacks in container networks while improving the overall performance up to 25.4% within single-host containers and 17.7% for cross-host container communications.
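The three pieces the abstract names (a per-container, point-to-point enforcement stack; selective chaining of an inspection function by network context; and an assistant that discovers inter-container dependencies) can be modelled as policy semantics without any kernel or bridge code. The following Python sketch is an added example, not Bastion+'s implementation and not from the paper: it derives a default-deny allowlist from constructed flow records, decides per flow whether to drop, allow, or route through an inspection step, and exposes only the peers a container is allowed to reach. The names `Flow`, `Policy`, `discover_dependencies`, `build_policy`, the review threshold, and the choice of which destinations require inspection are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inter-container connection attempt (names stand in for container IDs)."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed flow records, as a per-container connection tracker might export
# them. Not real data; "web -> db" appears once to show how a stray flow is handled.
OBSERVED_FLOWS = [
    Flow("web", "api", 8080), Flow("web", "api", 8080), Flow("web", "api", 8080),
    Flow("api", "db", 5432), Flow("api", "db", 5432),
    Flow("api", "cache", 6379), Flow("api", "cache", 6379),
    Flow("web", "db", 5432),
]


def discover_dependencies(flows, min_count=2):
    """Policy-assistant step (assumed design): tally observed flows and propose
    the recurring ones as allow rules. Flows below the threshold are returned
    separately so an administrator reviews them instead of allowlisting noise."""
    counts = defaultdict(int)
    for f in flows:
        counts[f] += 1
    proposed = {f for f, n in counts.items() if n >= min_count}
    review = {f for f, n in counts.items() if n < min_count}
    return proposed, review


class Policy:
    """Default-deny, point-to-point allowlist with optional inspection chaining."""

    def __init__(self, allow_rules, inspect_contexts=()):
        self.allow = frozenset(allow_rules)
        # (dst, port) pairs whose traffic must pass an inspection function
        # (e.g. DPI) before delivery; which contexts qualify is an assumption.
        self.inspect = frozenset(inspect_contexts)

    def decide(self, flow):
        """Return 'drop', 'inspect' or 'allow'. Anything not explicitly
        allowlisted between exactly this source and destination is dropped."""
        if flow not in self.allow:
            return "drop"
        if (flow.dst, flow.port) in self.inspect:
            return "inspect"
        return "allow"

    def visible_peers(self, container):
        """Peers a container is permitted to exchange traffic with. In a
        point-to-point isolated network this is all the container can see of
        its neighbours; every other container stays hidden from discovery."""
        return ({f.dst for f in self.allow if f.src == container}
                | {f.src for f in self.allow if f.dst == container})


def build_policy(flows=OBSERVED_FLOWS, inspect_contexts=(("db", 5432),)):
    """Wire the assistant's proposal into an enforceable policy."""
    proposed, _review = discover_dependencies(flows)
    return Policy(proposed, inspect_contexts)


if __name__ == "__main__":
    policy = build_policy()
    for f in [Flow("web", "api", 8080), Flow("api", "db", 5432), Flow("web", "db", 5432)]:
        print(f"{f.src} -> {f.dst}:{f.port} => {policy.decide(f)}")
```

The design point worth noticing is that the single stray `web -> db` flow is neither silently allowlisted nor silently dropped from view: it lands in the review set, while the enforced policy drops it until an administrator deliberately adds it. That is the least-privilege posture the abstract's policy assistant is meant to support.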
