Cilium Made eBPF the Network Data Plane. The Protocol Layer Carries No Governance.
by Nick Clark | Published March 28, 2026
Cilium leverages eBPF to provide networking, security, and observability for Kubernetes and cloud-native environments. Its identity-aware enforcement, L7 policy support, transparent encryption, and Hubble observability represent the state of the art in cloud-native networking. But Cilium's intelligence lives in the enforcement layer. The traffic it enforces on consists of standard IP packets that carry no governance semantics. Cilium inspects and decides from outside the protocol. The gap is between an intelligent enforcement infrastructure and protocol semantics in which governance is intrinsic to the content.
Cilium's use of eBPF for programmable kernel-level networking is technically impressive. The combination of identity-aware enforcement, Hubble flow observability, and ClusterMesh multi-cluster connectivity addresses real operational challenges. The gap described here is about what the protocol carries, not about what eBPF can inspect.
Identity-aware enforcement on identity-unaware traffic
Cilium assigns cryptographic identities to workloads based on Kubernetes labels. These identities are maintained in Cilium's own identity management system and mapped into the eBPF programs that enforce policy. The enforcement is identity-aware, but the packets themselves are standard IP packets: they carry no identity information. Cilium identifies them by their source and context, not by anything the packets themselves declare.
If a packet appears from an unexpected source or if the identity mapping is stale, the enforcement system must handle the mismatch. The traffic cannot self-identify. It depends on the infrastructure to identify it.
L7 inspection as protocol intrusion
Cilium can enforce policies at L7, inspecting HTTP headers, gRPC methods, and DNS queries. This provides fine-grained control. But L7 inspection means the enforcement layer must parse application protocols to extract governance-relevant information. The governance information is not in the protocol's native structure; it must be extracted from application-level content.
Each new application protocol that needs governance enforcement requires new parsing logic in Cilium. The governance capability grows with the enforcement layer, not with the protocol.
What memory-native protocol semantics provide
A memory-native protocol would embed governance semantics at the protocol level, eliminating the need for external identity mapping and L7 parsing. Each packet would carry its own trust scope, governance constraints, and routing authority as protocol-native fields. Cilium's eBPF programs could enforce these protocol-native governance fields at kernel speed without parsing application-layer content.
The enforcement would shift from inferring governance from infrastructure metadata and application-layer inspection to validating governance fields that the protocol itself carries.
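The two enforcement models described above (inference from a source-to-identity mapping, which can go stale, versus validation of governance fields the packet itself carries) side by side, as a constructed Python illustration added here; it is not Cilium code, and the two-field governance header, its layout, and the symmetric HMAC key shared by sender and enforcement point are hypothetical simplifications, not an actual protocol:

```python
import hmac
import hashlib
import struct

# Constructed example, not Cilium code. Contrasts inferring identity from a
# packet's source (a mapping that can go stale) with validating governance
# fields carried inside the packet (hypothetical protocol-native header).

# --- Inference model: identity comes from an endpoint -> identity map -------
class IdentityMap:
    """Endpoint IP -> (numeric identity, time the mapping was learned)."""
    def __init__(self, max_age_s):
        self.max_age_s = max_age_s
        self.entries = {}

    def learn(self, ip, identity, now):
        self.entries[ip] = (identity, now)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None  # unknown source: nothing to infer from
        identity, learned_at = entry
        return None if now - learned_at > self.max_age_s else identity  # stale

def enforce_by_inference(src_ip, allowed_identities, idmap, now):
    """Allow only if the identity inferred from the source is permitted."""
    identity = idmap.lookup(src_ip, now)
    return identity is not None and identity in allowed_identities

# --- Protocol-native model: the packet carries authenticated governance fields
HEADER = struct.Struct("!HH")  # identity id, trust scope (hypothetical layout)
TAG_LEN = hashlib.sha256().digest_size

def build_governed_packet(identity, trust_scope, payload, key):
    """Sender side: header, HMAC over header+payload, then the payload."""
    header = HEADER.pack(identity, trust_scope)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload

def enforce_by_fields(packet, allowed_identities, required_scope, key):
    """Enforcement side: validate the embedded fields; no source lookup needed."""
    header = packet[:HEADER.size]
    tag = packet[HEADER.size:HEADER.size + TAG_LEN]
    payload = packet[HEADER.size + TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or unauthenticated governance fields
    identity, scope = HEADER.unpack(header)
    return identity in allowed_identities and scope == required_scope
```

In the first model a correct packet is dropped once the mapping ages out or the source is unknown; in the second, the decision depends only on fields the packet carries and their integrity check, which is the shift the section describes.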
The remaining gap
Cilium brought programmable, identity-aware networking to Kubernetes through eBPF. The remaining gap is in the protocol layer: whether governance can be a protocol-native property rather than an inference made by the enforcement infrastructure.