Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Dubbo, proprietary RPC protocols … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached … ● Database: MySQL, PostgreSQL, MongoDB … ● Other layer-7 protocols: … Control plane (traffic management: ○ TCP sent/received bytes ○ TCP opened/closed connections ● Security: ○ connection-level authentication: mTLS ○ connection-level authorization: identity / source IP / destination port ○ request-level auth is … modify the request packet when … #IstioCon MetaProtocol: response processing path. Processing flow: 1. The Decoder parses the upstream response and fills in the Metadata. 2. The Router uses the connection/stream mapping to find the downstream connection the response belongs to. 3. The L7 filter takes the data it needs from the Metadata and performs the response-direction business processing. 4. The L7 filter puts the data that needs to be modified into …
[29 pages | 2.11 MB | 1 year ago]

Preserve Original Source Address within Istio
scenarios like SIP trunking. #IstioCon Common ways to preserve the original source address: at L3 • LVS, one connection • HAProxy transparent mode, two connections; at L4 • add the IP in TCP protocol options • PROXY protocol. … packet dest IP + port and forward it to POSTROUTING ④ send out to the real server. Note: only one connection between the user and the real server. #IstioCon HAProxy transparent transport: ① the user sends traffic to HAProxy, which works in userspace … ③ listen on VIP + port and accept the user connection ④ load balancing: select an endpoint and initiate a connection to the server with the original user's address (IP_TRANSPARENT) ⑤ the server's …
[29 pages | 713.08 KB | 1 year ago]

Istio audit report - ADA Logics - 2023-01-30 - v1.0
auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection, which could lead to a denial-of-service scenario if a large request were sent. This is a vulnerability … assessed Go's recommended solution for capping h2c requests, which is: "The first request on an h2c connection is read entirely into memory before the Handler is called. To limit the memory consumed by this … body was not fully consumed, meaning that when a server attempts to read HTTP/2 frames from the connection it will instead be reading the body. As such, the MaxBytesHandler introduces an HTTP request smuggling …
[55 pages | 703.94 KB | 1 year ago]

Introduction to Envoy Internals and Pitfalls Encountered in Production
Envoy network and thread model: network processing. [Diagram: kernel, worker thread, Dispatcher / LibeventDispatcher, objects pending cleanup, ListenerManager, Listener, Connection; listening socket, new-connection event, connection socket, data-transfer event; L4 processing, read/write, deferred deletion, L7 processing, blocking, run; ConnectionHandler, match] When a new connection arrives, the kernel network stack invokes the callback and creates the socket for the new connection. • Through the ConnectionHandler, the listener filters are invoked to obtain the real destination address. • The business listener is matched by that destination address and a Connection object is created. • The Connection object then registers its Read/Write callback (onFileEvent) with libevent again and acts as the L4 filter manager, handling onNewConnection and onData for received data. • …p), matching the business listener (which does not actually listen on the network) by address and handing over the newly created downstream connection. • The downstream connection's filters determine TLS, ALPN (application protocol name) and HTTP version, then match the L4 http_connection_manager network filter. • http_connection_manager uses the HTTP codec to decode the HTTP header/body/trailers and triggers the callbacks. • The HTTP header/body processing callbacks …
[30 pages | 2.67 MB | 1 year ago]

13 Istio Traffic Management Principles and Protocol Extension (赵化冰)
forwarded, according to the original destination IP (wildcard) and port (9080), to the 0.0.0.0_9080 outbound listener. 5. According to the http_connection_manager filter configuration of the 0.0.0.0_9080 listener, the request is dispatched using the 9080 route. 6. In the configuration of the 9080 route, requests whose host name is reviews:9080 correspond to … The VirtualInbound listener listening on port 15006 receives the request. 11. According to the match conditions, the request is handled by the HTTP connection manager filter configured inside the VirtualInbound listener; that filter's route configuration sends it to the inbound|9080|http|reviews.default.svc.cluster.local …
[20 pages | 11.31 MB | 5 months ago]

IstioCon 2022 Report
Panel: Istio Open Source Ecosystem Outlook From China ● The road to microservice for Database as a Service (DBaaS) via Istio ● Tencent Music service mesh with Istio and Aeraki ● Flexible proxy …
[20 pages | 2.44 MB | 1 year ago]

Moving large scale consumer e-commerce Infrastructure to Mesh
Outlier detection etc. ● Passthrough mode downgrades gRPC/HTTP/2 to HTTP/1.1 ● Tune connection and TCP settings ● Handle signals gracefully (SIGINT, SIGTERM) ● Automate for easy management
[14 pages | 1.76 MB | 1 year ago]

Using Istio to Build the Next 5G Platform
rights reserved. ● Augment tracing to surface 5G-specific tags ● Optimize HTTP/2 stream and connection settings ● Configure sidecar proxy concurrency (Tuning Istio to Meet 5G Requirements) ©2021
[18 pages | 3.79 MB | 1 year ago]

Is Your Virtual Machine Really Ready-to-go with Istio?
transport layer ● Improvements: ○ no TCP head-of-line blocking ○ faster handshakes ○ earlier data ○ connection ID ○ more encryption, always [1] (HTTP/3, Full Stack Fest, Daniel Stenberg) #IstioCon HTTP/3 ● …
[50 pages | 2.19 MB | 1 year ago]

Istio is a long wild river: how to navigate it safely
more than the sum of all sleeps in the preStop hooks. ➔ If the pod is terminated too early, connection draining may not complete, leading to 5xx errors. Example: for sleep 30 + sleep 45 in the application …
[69 pages | 1.58 MB | 1 year ago]
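The MetaProtocol response path listed under the Aeraki entry above (decode, route back to the downstream connection, filter on Metadata, apply the mutation), as an added Go example that is not Aeraki's code: the frame layout, the `Metadata` and `Mutation` types and the `Router` are assumptions made for this illustration. A response whose request ID has no pending request, a frame whose length field disagrees with the bytes received, and a request frame arriving on the response path are all rejected instead of forwarded.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Hypothetical frame layout for this illustration only (not Aeraki's wire format):
//   flags(1) | status(1) | requestID(8) | bodyLen(4) | body(bodyLen)
const headerLen, flagResp = 14, 0x80

// Metadata is what the decoder fills in; L7 filters see only this, never raw bytes.
type Metadata struct {
	RequestID  uint64 // stream identifier tying a response back to its request
	IsResponse bool
	Status     uint8
	Body       []byte
}

// Mutation holds the changes filters ask for; nil fields keep the original value.
type Mutation struct {
	Status *uint8
	Body   []byte
}

// Decode parses one frame, checking the upstream-supplied bodyLen against the bytes actually received.
func Decode(frame []byte) (*Metadata, error) {
	if len(frame) < headerLen {
		return nil, errors.New("short frame")
	}
	bodyLen := binary.BigEndian.Uint32(frame[10:14])
	if uint64(bodyLen) != uint64(len(frame)-headerLen) {
		return nil, errors.New("bodyLen does not match frame size")
	}
	return &Metadata{
		RequestID:  binary.BigEndian.Uint64(frame[2:10]),
		IsResponse: frame[0]&flagResp != 0,
		Status:     frame[1],
		Body:       append([]byte(nil), frame[headerLen:]...),
	}, nil
}

// Encode serialises Metadata, applying a Mutation if one is given.
func Encode(md *Metadata, m *Mutation) []byte {
	status, body := md.Status, md.Body
	if m != nil && m.Status != nil {
		status = *m.Status
	}
	if m != nil && m.Body != nil {
		body = m.Body
	}
	out := make([]byte, headerLen+len(body))
	if md.IsResponse {
		out[0] = flagResp
	}
	out[1] = status
	binary.BigEndian.PutUint64(out[2:10], md.RequestID)
	binary.BigEndian.PutUint32(out[10:14], uint32(len(body)))
	copy(out[headerLen:], body)
	return out
}

// Router is the connection/stream mapping: requestID -> downstream connection that sent it.
type Router map[uint64]string

func (r Router) OnRequest(md *Metadata, downstream string) { r[md.RequestID] = downstream }

// OnResponse resolves and consumes the mapping; an unmatched response is rejected, not forwarded.
func (r Router) OnResponse(md *Metadata) (string, error) {
	ds, ok := r[md.RequestID]
	if !ok {
		return "", errors.New("response for unknown request")
	}
	delete(r, md.RequestID)
	return ds, nil
}

// ResponseFilter is a response-direction L7 filter: it reads Metadata and records changes in the Mutation.
type ResponseFilter func(md *Metadata, m *Mutation)

// HandleUpstreamResponse runs the four steps: decode, route, filter, re-encode.
func HandleUpstreamResponse(r Router, filters []ResponseFilter, frame []byte) (string, []byte, error) {
	md, err := Decode(frame) // 1. decoder fills Metadata
	if err != nil {
		return "", nil, err
	}
	if !md.IsResponse {
		return "", nil, errors.New("not a response frame")
	}
	downstream, err := r.OnResponse(md) // 2. router finds the downstream connection
	if err != nil {
		return "", nil, err
	}
	var m Mutation
	for _, f := range filters { // 3. filters work on Metadata only
		f(md, &m)
	}
	return downstream, Encode(md, &m), nil // 4. mutation applied while re-encoding
}
```

A filter that masks upstream error details would set `m.Status` and `m.Body` when `md.Status != 0`; the proxy then writes the re-encoded frame to the returned downstream connection.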
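The PROXY protocol option from the "Preserve Original Source Address within Istio" entry above, as an added Go example that is not from that talk: a strict parser for a version 1 header that leaves the application bytes after it unread, plus a sender trust check, because a PROXY header accepted from an arbitrary client lets that client choose the source address the mesh will later authorize on. The sample header and the `10.0.0.0/8` load-balancer range are constructed for the illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// maxV1Line is the longest legal v1 header including CRLF (107 bytes per the spec);
// anything longer is treated as a misbehaving peer and not buffered further.
const maxV1Line = 107

// ProxyInfo is the client address a trusted load balancer asserts for the connection.
type ProxyInfo struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
	Unknown          bool // "PROXY UNKNOWN": the proxy could not determine the original address
}

// TrustedSender reports whether a peer is one of the load balancers allowed to
// assert client addresses. Only read a PROXY header at all when this is true.
func TrustedSender(remote net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(remote) {
			return true
		}
	}
	return false
}

// ReadProxyV1 consumes exactly one v1 header line from r, leaving the application
// bytes that follow it for the next reader.
func ReadProxyV1(r *bufio.Reader) (*ProxyInfo, error) {
	var line []byte
	for len(line) < maxV1Line {
		b, err := r.ReadByte()
		if err != nil {
			return nil, fmt.Errorf("proxy v1: %w", err)
		}
		line = append(line, b)
		if b == '\n' {
			break
		}
	}
	if !strings.HasSuffix(string(line), "\r\n") {
		return nil, errors.New("proxy v1: header too long or not CRLF terminated")
	}
	return parseV1(strings.TrimSuffix(string(line), "\r\n"))
}

func parseV1(s string) (*ProxyInfo, error) {
	f := strings.Split(s, " ")
	if len(f) < 2 || f[0] != "PROXY" {
		return nil, errors.New("proxy v1: missing PROXY signature")
	}
	if f[1] == "UNKNOWN" {
		return &ProxyInfo{Unknown: true}, nil
	}
	if (f[1] != "TCP4" && f[1] != "TCP6") || len(f) != 6 {
		return nil, fmt.Errorf("proxy v1: malformed header %q", s)
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	if src == nil || dst == nil {
		return nil, errors.New("proxy v1: bad address")
	}
	// The declared family must match the literals; TCP4 with an IPv6 literal is rejected.
	if v4 := f[1] == "TCP4"; (src.To4() != nil) != v4 || (dst.To4() != nil) != v4 {
		return nil, errors.New("proxy v1: address family mismatch")
	}
	sp, err := parsePort(f[4])
	if err != nil {
		return nil, err
	}
	dp, err := parsePort(f[5])
	if err != nil {
		return nil, err
	}
	return &ProxyInfo{SrcIP: src, DstIP: dst, SrcPort: sp, DstPort: dp}, nil
}

// parsePort accepts only canonical decimal ports: no sign, no leading zeros, 0..65535.
func parsePort(s string) (int, error) {
	p, err := strconv.Atoi(s)
	if err != nil || p < 0 || p > 65535 || strconv.Itoa(p) != s {
		return 0, fmt.Errorf("proxy v1: bad port %q", s)
	}
	return p, nil
}
```

Usage on an accepted `net.Conn`: check `TrustedSender` on the peer address first, then wrap the connection in a `bufio.Reader`, call `ReadProxyV1`, and hand that same reader to the application protocol so nothing after the header is lost.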
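The request-size cap from the audit-report entry above, as an added Go example that is neither the auditors' nor Istio's code: the unbounded handler beside the same logic wrapped in `http.MaxBytesHandler`, driven in-process with `httptest`. Wiring `h2c.NewHandler` from `golang.org/x/net` is left out to keep this standard-library only; what carries over is that the wrapper has to sit outside the h2c handler (the quoted Go documentation says the first h2c request body is read before the handler runs) and that the handler itself must turn `*http.MaxBytesError` into a 413. The body sizes are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UnlimitedHandler mirrors the reported weakness: it reads whatever the client
// sends into memory, so an arbitrarily large body is a denial of service.
func UnlimitedHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "read %d bytes\n", len(body))
	})
}

// LimitedHandler wraps the same logic in http.MaxBytesHandler. The wrapper only
// caps how much of the body can be read and marks the connection for closing;
// the handler still has to recognise *http.MaxBytesError and answer 413.
func LimitedHandler(maxBody int64) http.Handler {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "read %d bytes\n", len(body))
	})
	// With h2c, this wrapper must be the outermost handler, around h2c.NewHandler,
	// so the cap is in place before the first request body is read.
	return http.MaxBytesHandler(inner, maxBody)
}

// Post drives a handler in-process with a body of n bytes and returns the status code.
func Post(h http.Handler, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader(strings.Repeat("A", n)))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unlimited, 1 MiB body:", Post(UnlimitedHandler(), 1<<20))
	fmt.Println("capped at 64 KiB, 1 MiB body:", Post(LimitedHandler(64<<10), 1<<20))
}
```

On a real server the 413 response also carries `Connection: close`, since the unread remainder of the body would otherwise be parsed as the next request on that connection, which is the smuggling concern the report raises.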
11 results in total