Istio Security Assessment [51 pages | 849.66 KB | 1 year ago]
categorization, see Appendix A on page 38. Findings (Title / ID / Risk): Inability To Secure Control Plane Network Communications / 004 / High; Lack of Security Related Documentation / 016 / High; Lack of VirtualService ... Assessment. Google / NCC Group Confidential. Finding Details. Finding: Inability To Secure Control Plane Network Communications. Risk: High (Impact: High, Exploitability: Medium). Identifier: NCC-GOIST2005-004. Category: ... Istio should not have any plaintext endpoints exposed via its control plane and should enforce that all network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace
Service mesh security best practices: from implementation to verification [29 pages | 1.77 MB | 1 year ago]
Diagram labels: Workload, Edge, Operations; Ingress Policies, Egress Policies, WAF / IDS, Firewall, User AuthN/Z, Data Loss Prevention, Certificate Authority, K8s Network Policy, K8s RBAC, Audit Logging, Image security; Edge Security, Cluster security, Service Proxy. Ingress: 1. Define ingress security policies to control access to services. Deploy a web application firewall to defend against DDoS and injection attacks. Egress: 2. Define egress security policies to defend against data exfiltration and botnet attacks. 3. Define firewall and virtual private network to lock down external access. Edge security
Istio audit report - ADA Logics - 2023-01-30 - v1.0 [55 pages | 703.94 KB | 1 year ago]
proxies deployed as sidecars. The proxies consist of Envoy proxies and an Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to ... to pass further security policies. Trust boundaries (From / To / Trust level): Proxy to Service, low to high: incoming traffic to the proxy can come from outside the cluster and is validated against the specified policies before it reaches the service; the traffic crosses a trust boundary as it passes the proxy. Control plane to Data plane, high to low: policies are created by users with privileges and are propagated to the data plane. Egress sidecar to External APIs, high to ...
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio [22 pages | 505.96 KB | 1 year ago]
in the AZ. Shared-Nothing Architecture: hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc.; full isolation by confining service failures to the AZ boundary (AZ 1 ... AZ n). Controllers watch K8s clusters and translate policies into K8s NetworkPolicies to be enforced in the clusters. There are also other enforcers to enforce L4 policies on hardware Firewalls and Bare Metals. Replace Hardware LBs with Software: K8s API Server, NLB Controllers, Istiod, Network Load Balancer (NLB), Ingress Gateway, Pods; Request Traffic / Response
Is Your Virtual Machine Really Ready-to-go with Istio? [50 pages | 2.19 MB | 1 year ago]
for VMs, failover, A/B testing, modern rollouts for VM services. Security: enforce the same policies in the same way, across compute environments. Observability: see VM metrics alongside containers. ... to lift and shift; packaged software; non-Linux; unikernels; domain specific workloads, e.g. Network Functions (NFV). Hybrid and Multi Clouds. #IstioCon. Istio VM Integration is ... a tumultuous ... a service in your mesh: traffic redirect and forward; retry, timeout, fault injection, mTLS policies; VM service, multicluster Istio mesh support. Service + Endpoints: usually for internal traffic
宋净超: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise [30 pages | 4.79 MB | 6 months ago]
operational agility. You can't be Cloud Native at scale without a modern application-aware network. Cloud != Cloud Native: Bare metal, VMs, Kubernetes, VMs. Monolith was decoupled to Microservices. ... clusters. High availability and resiliency enabling active-active deployments. Cross-cluster security policies and access control. Unified telemetry and availability reporting. Service discovery across multiple ... on top of the upstream Istio. We aim to solve the complexity of Istio and build a zero-trust network for application connectivity. We are committed to maintaining Istio's open source ecosystem.
Using Istio to Build the Next 5G Platform [18 pages | 3.79 MB | 1 year ago]
meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, and a more uniform user experience to more users. Higher performance. Authorization between CNFs. ©2021 Aspen Mesh. 5G Network Function Decomposition: Microservice / Network Function Implementation. 5G Architecture Looks a Lot Like a Mesh? Redis DB, SMF, App X. https://aspenmesh.io/how-to-capture-packets-that-dont-exist/ Optical Tap, Network Analyzer; encrypted traffic w/ PFS, intra-node traffic, HTTP/2 awareness, contextual data
Introduction to Envoy internals and production pitfalls [30 pages | 2.67 MB | 1 year ago]
Huawei Technologies Co., Ltd. Envoy filter architecture. Filters are divided by position and function type into: listener filters (Network::ListenerFilter): onAccept receives new connections, determines the protocol type, performs the TLS handshake, auto-detects HTTP and extracts connection address information; L4 network filters: HTTP, MySQL, Dub ... the target service address, used as input for subsequent load balancing. envoy.filters.network.tcp_proxy (L4 network filter): one-to-one L4 proxying between the downstream and upstream connection. envoy.filters.network.wasm (L4 network filter): based on WASM (WebAssembly); supports sandboxed, hot-upgradeable, cross-language extensions that handle new L4 connections and data send/receive. envoy.filters.network.dubbo_proxy (L4 network filter): ... RPC protocol, extracts the method, interface, metadata and other information from the request, and routes based on that metadata. envoy.filters.network.local_ratelimit (L4 network filter): L4 rate limiting that uses a token bucket to prevent too many downstream connections within a fixed time interval. envoy.filters.network.http_connection_manager (L4 network filter): a network filter dedicated to handling HTTP requests; depending on the protocol type
Istio Meetup China: Service mesh security: understanding Istio CNI [19 pages | 3.17 MB | 1 year ago]
a pausing pod. Kubelet invokes the CNI plugins; the CNI plugins set up the IP for the pod; Istio CNI installs the sidecar network routing rule into the workload's iptables. Benefits of Istio CNI: no need for CAP_NET_ADMIN and CAP_NET_RAW. ... get started here and bypass the Istio sidecar proxy (race condition). Issue in Istio CNI: Kubelet starts a pausing pod, Kubelet invokes ... Could happen with suddenly increased nodes and
Accelerate Istio-CNI with eBPF [15 pages | 658.90 KB | 1 year ago]
Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle's network setup phase, removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying ... as hash key. Using pod_ip to generate a unique key is a way to distinguish sockets from different network namespaces. #IstioCon. Outbound Acceleration. Envoy to Envoy Acceleration (same host)