IMS: Towards Computability and Dynamicity for Intent-Driven Micro-Segmentation


Bibliographic details

Published in: IEEE Transactions on Dependable and Secure Computing, 2025-01, Vol. 22 (1), pp. 677-694
Main authors: Ma, Zixuan; Li, Chen; Zhang, Yuqi; You, Ruibang; Tu, Bibo
Format: Article
Language: eng
Description

Abstract: Micro-segmentation (MSG), a pillar of Zero-Trust, provides fine-grained access control for east-west traffic between cloud endpoints (VMs/containers). Admins formulate strict whitelisting MSG policies that allow only necessary traffic. However, current MSG systems lack the computability foundation to resolve policy inconsistencies, where policy overlap can cause conflicts that violate the security requirements, and to verify policy reachability to avoid erroneously blocking necessary traffic. Meanwhile, current MSG systems lack comprehensive dynamicity processing, including maintaining invariants when updating MSG policies and promptly adjusting policy enforcement for endpoint status changes. We propose IMS, the first intent-driven MSG system towards computability and dynamicity. IMS innovatively defines the endpoint group space and algebra, providing the computability foundation for formally and automatically verifying and processing MSG policies. Based on this, IMS implements functionalities to resolve policy inconsistencies and to verify policy reachability. Meanwhile, IMS achieves comprehensive and prompt dynamicity processing. IMS fulfils the verification and dynamicity processing requirements of intent-driven systems. We implement a prototype, and evaluations show that the processing time of IMS functionalities scales linearly with the number of policies, and that the average endpoint dynamicity processing time is 5.05 ms in a setup of 1,000 endpoints, illustrating that IMS is scalable and can process dynamicity promptly.
ISSN: 1545-5971, 1941-0018
DOI: 10.1109/TDSC.2024.3413752