AppSwitch: Application Level Network Namespacing


One Line Summary

This talk presents AppSwitch, a new TCP-layer network element, analogous to a router at the IP layer or a bridge at the link layer, that addresses a number of issues in modern environments, especially microservice-based ones.


This talk presents AppSwitch, a new network element that operates at the TCP layer, much as a router operates at the IP layer or a bridge at the link layer. The key idea is that it decouples applications from the underlying network at the system call layer rather than at the network device or packet level, where traditional overlay mechanisms operate. That gives applications a distinct identity independent of the host, with several consequences: application-level network functions such as an application firewall or load balancer can be implemented far more efficiently, because they act on connections at the system call layer instead of inspecting packets; operational cost and complexity drop, because unnecessary friction between application and operations teams is removed; applications can run seamlessly across heterogeneous infrastructure backends, including bare metal, VMs, containers and cloud; and performance improves, because the most suitable network medium can be selected for each connection. It would also effectively remove the performance penalty of the unnecessary data-path processing that is typical of microservice application environments.
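The following is an added example, not AppSwitch's code and not from the talk. It sketches the system-call-level decoupling described above using LD_PRELOAD interposition of connect() in user space, which stands in for whatever kernel mechanism AppSwitch actually uses. The service table, the application identities (web, api, batch), the addresses, the APPSWITCH_APP environment variable and all function names are constructed for illustration. The point it demonstrates is that the firewall decision and the backend choice are made once, at connection setup and in the calling application's context, rather than by inspecting packets on the data path.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* A virtual service as the application sees it and the real backends behind it.
 * Service names, identities and addresses below are constructed for this example. */
struct backend { const char *ip; uint16_t port; };
struct service {
    const char *name, *vip;     /* vip:vport is the address the application connects to */
    uint16_t vport;
    const char *allowed[4];     /* application identities permitted to reach the service */
    struct backend backends[4];
    int nbackends; unsigned rr; /* rr: round-robin cursor, advanced on each allowed connect */
};
static struct service services[] = {
    { "orders-db", "10.99.0.1", 80,  { "web", "api" },
      { { "192.168.1.10", 8080 }, { "192.168.1.11", 8080 } }, 2, 0 },
    { "payments",  "10.99.0.2", 443, { "api" },
      { { "192.168.2.20", 8443 } }, 1, 0 },
};
enum { AS_DENY = -1, AS_PASS = 0, AS_REWRITE = 1 };

/* Decide what a connect() from application `client` to `in` becomes: AS_REWRITE with `out`
 * holding the chosen backend, AS_DENY if policy forbids it, AS_PASS if `in` is not a
 * virtual service and the call should go through unchanged. */
int resolve_endpoint(const char *client, const struct sockaddr_in *in, struct sockaddr_in *out)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &in->sin_addr, ip, sizeof ip))
        return AS_PASS;
    uint16_t port = ntohs(in->sin_port);
    for (size_t i = 0; i < sizeof services / sizeof services[0]; i++) {
        struct service *s = &services[i];
        if (strcmp(s->vip, ip) != 0 || s->vport != port)
            continue;
        /* Application firewall: the identity check happens before any backend is chosen. */
        int allowed = 0;
        for (int j = 0; j < 4 && s->allowed[j]; j++)
            if (client && strcmp(s->allowed[j], client) == 0) { allowed = 1; break; }
        if (!allowed)
            return AS_DENY;
        /* Load balancer: pick a backend once per connection; no packet was inspected. */
        struct backend *b = &s->backends[s->rr++ % s->nbackends];
        memset(out, 0, sizeof *out);
        out->sin_family = AF_INET;
        out->sin_port = htons(b->port);
        inet_pton(AF_INET, b->ip, &out->sin_addr);
        return AS_REWRITE;
    }
    return AS_PASS;
}

/* Textual front end for resolve_endpoint: "REWRITE 192.168.1.10:8080", "DENY" or "PASS". */
const char *describe_connect(const char *client, const char *ip, uint16_t port)
{
    static char buf[64];
    struct sockaddr_in in = { .sin_family = AF_INET, .sin_port = htons(port) }, out;
    char rip[INET_ADDRSTRLEN];
    inet_pton(AF_INET, ip, &in.sin_addr);
    int r = resolve_endpoint(client, &in, &out);
    if (r != AS_REWRITE)
        return r == AS_DENY ? "DENY" : "PASS";
    inet_ntop(AF_INET, &out.sin_addr, rip, sizeof rip);
    snprintf(buf, sizeof buf, "REWRITE %s:%u", rip, (unsigned)ntohs(out.sin_port));
    return buf;
}

#ifdef APPSWITCH_PRELOAD
/* Interpose connect() for an unmodified binary. Assumed build and invocation:
 *   cc -DAPPSWITCH_PRELOAD -shared -fPIC -o shim.so shim.c -ldl
 *   APPSWITCH_APP=web LD_PRELOAD=./shim.so curl http://10.99.0.1/
 * APPSWITCH_APP carrying the application identity is an assumption of this example. */
#include <dlfcn.h>
#include <errno.h>
#include <stdlib.h>
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (!real_connect)
        real_connect = dlsym(RTLD_NEXT, "connect");
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        struct sockaddr_in real;
        int r = resolve_endpoint(getenv("APPSWITCH_APP"), (const struct sockaddr_in *)addr, &real);
        if (r == AS_DENY) { errno = EACCES; return -1; }
        if (r == AS_REWRITE)
            return real_connect(fd, (struct sockaddr *)&real, sizeof real);
    }
    return real_connect(fd, addr, len);
}
#endif

int main(void)
{
    printf("%s\n", describe_connect("web", "10.99.0.1", 80));    /* REWRITE 192.168.1.10:8080 */
    printf("%s\n", describe_connect("web", "10.99.0.1", 80));    /* REWRITE 192.168.1.11:8080 */
    printf("%s\n", describe_connect("batch", "10.99.0.1", 80));  /* DENY */
    printf("%s\n", describe_connect("web", "8.8.8.8", 53));      /* PASS */
    return 0;
}
```

Two caveats a practitioner should keep in mind with this user-space stand-in: LD_PRELOAD only catches calls that go through libc (a statically linked or raw-syscall binary bypasses it), and the identity here is taken from an environment variable the application could alter, which is exactly why the talk argues for kernel support rather than a library shim.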

In this session, we'd like to discuss the kernel support required to implement AppSwitch. A few candidate approaches could be considered: it can be made to work with tracepoints, but the implementation turns out to be somewhat hacky; extending Netlink is cleaner but requires deeper kernel changes.


  • Dinesh Subhraveti


    Dinesh is the CTO and cofounder of AppOrbit. He developed the core principles that underlie the container abstraction as part of his Ph.D. work. Published at the OSDI conference in 2002, his work showed for the first time that enterprise applications could be live-migrated using that abstraction. Based on his original implementation, he drove the development of the industry's first container live-migration product at Meiosys, the company behind LXC, which IBM acquired in 2005. Dinesh has authored numerous research papers on containers, checkpoint-restart and record-replay. He holds a Ph.D. in computer science from Columbia University.