Original post

Trireme is an open-source library curated by Aporeto that provides cryptographic isolation for cloud-native applications. Trireme-lib is a Zero-Trust networking library that makes it possible to set up security policies and segment applications by enforcing end-to-end authentication and authorization, without the need for complex control planes, IP/port-centric ACLs, or east-west firewalls.

https://github.com/aporeto-inc/trireme-lib

Trireme-lib supports both containers and Linux processes, as well as user-based activation, and it allows security policy enforcement between any of these entities.

Description

In the Trireme world, a processing unit (PU) end-point can be a container, a Kubernetes POD, or a general Linux process. It can also be a user session to a particular server. We will be referring to processing units as PUs throughout this discussion.

The technology behind Trireme is streamlined, elegant, and simple. It is based on the concepts of Zero-Trust networking:

  1. The identity is the set of attributes and metadata that describes the container as key/value pairs. Trireme provides an extensible interface for defining these identities. Users can choose customized methods appropriate to their environment for establishing PU identity. For example, in a Kubernetes environment, the identity can be the set of labels identifying a POD.
  2. There is an authorization policy that defines when PUs with different types of identity attributes can interact or exchange traffic. The authorization policy implements an Attribute-Based Access Control (ABAC) mechanism (https://en.wikipedia.org/wiki/Attribute-Based_Access_Control), where the policy describes relationships between identity attributes.
  3. Every communication between two PUs is controlled through a cryptographic end-to-end authentication and authorization step, by overlaying an authorization function over the TCP negotiation. The authorization steps are performed during the SYN/SYNACK/ACK negotiation.
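The following Go sketch is an added example, not code from trireme-lib, that models the three concepts above: an identity as key/value attributes, an ABAC policy over those attributes, and the authorization step overlaid on the SYN/SYNACK/ACK exchange. The signed identity is simulated with an HMAC under a pre-shared key, and the names Identity, Policy, Token, Claims, Authorize and Handshake are assumptions for this illustration, not trireme-lib APIs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
)

type Identity map[string]string // a PU's attributes, e.g. the labels of a Kubernetes POD
type Policy []Identity          // ABAC rules: a peer must carry every attribute of one rule

// Token rides on SYN or SYNACK: canonical identity plus an HMAC under a pre-shared
// key. It is a constructed stand-in for the real signed identity, not Trireme's format.
type Token struct{ Body, Tag []byte }

// Claims builds a PU's token; encoding/json emits map keys sorted, so the body is canonical.
func Claims(id Identity, key []byte) Token {
	body, _ := json.Marshal(id)
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return Token{body, mac.Sum(nil)}
}

// Authorize rejects tokens whose HMAC does not verify, then allows the peer only
// if some rule in pol matches its identity completely.
func Authorize(t Token, pol Policy, key []byte) bool {
	var id Identity
	if json.Unmarshal(t.Body, &id) != nil ||
		!hmac.Equal(Claims(id, key).Tag, t.Tag) {
		return false // malformed, forged or tampered token
	}
next:
	for _, rule := range pol {
		for k, v := range rule {
			if id[k] != v {
				continue next
			}
		}
		return true
	}
	return false
}

// Handshake overlays authorization on SYN/SYNACK/ACK: the server checks the token
// carried on SYN, the client the one on SYNACK, and only then does the ACK pass.
func Handshake(syn, synack Token, clientPol, serverPol Policy, key []byte) string {
	if !Authorize(syn, serverPol, key) {
		return "SYN dropped by server"
	} else if !Authorize(synack, clientPol, key) {
		return "SYNACK dropped by client"
	}
	return "ACK: flow authorized"
}
```

Because both sides verify a signed identity before the policy is consulted, an IP address or port never enters the decision; a peer that cannot produce a valid token for a permitted identity is dropped at the SYN or SYNACK step.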

This approach decouples network security from the underlying network infrastructure, because it is centered on workload identity attributes and the interactions between workloads. Network security can be achieved simply by managing application identity and authorization policy. Segmentation granularity can be adjusted based on the needs of the platform.

Trireme is a node-centric library. Each node participating in the Trireme cluster must spawn one instance of a process that uses this library to transparently insert the authentication and authorization step. Trireme provides the data path functions but does not implement either the identity management or the policy resolution function. How these functions are implemented depends on the particular operational environment. Users have to provide PolicyLogic (ABAC "rules") to Trireme for well-defined PUs, such as containers.
