Using Istio to Build the Next 5G Platform
certificates at gateways Learnings Along the Way 14 ©2021 Aspen Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) ● High speed data path (SR-IOV/DPDK) ● Customizing workload
18 pages | 3.79 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
which is: “The first request on an h2c connection is read entirely into memory before the Handler is called. To limit the memory consumed by this request, wrap the result of NewHandler in an http.MaxBytesHandler project from memory-unsafe implementation issues such as buffer overflow and use-after-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption Length of new byte slice controlled by potentially untrusted file size Low High Yes 5 Possible memory exhaustions in http utilities Low Medium Yes 6 Istio skips certificate verification Low High Yes
55 pages | 703.94 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
eBay scale ■ Proxy config convergence time (CDS, EDS, LDS, RDS push times) ■ Resource usage (CPU, memory, etc.) ○ Secondary Goal ■ Fine-tune configuration params - debounce interval, push concurrency Testing: Results ● Default wide-open egress sidecar configuration does not scale ○ Results in high memory usage & convergence times since each sidecar knows about all services in the cluster ○ Disabled from single Pilot instance to 0 - 3,000 sidecars < 1 second ○ Pilot CPU & memory within acceptable limits: < 10 cores, 25 GB memory ○ Pilot can scale horizontally ● Need to tune PILOT_DEBOUNCE_AFTER, PILOT_DEBOUNCE_MAX
22 pages | 505.96 KB | 1 year ago
Istio Security Assessment
/main.go Impact Trace profiling risks providing attackers with information about the processes, memory, and potentially sensitive information about Istio. An attacker with network access to the control operator - server imagePullPolicy: IfNotPresent resources: limits: cpu: 200m memory: 256Mi requests: cpu: 50m memory: 128Mi env: - name: WATCH_NAMESPACE value: istio-system - name: LEADER_ELECTION_NAMESPACE the minikube cluster named reference with Kubernetes 1.17.5: minikube --profile=reference start --memory=16384 --cpus=4 --kubernetes-version=v1.17.5 Build istioctl at the commit 7353c84b560fd469123611476314e4aee553611d:
51 pages | 849.66 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
for inline components & workflows ○ Trust model augmentation ■ Impersonating ■ Secret clear in memory ■ Secret persistence ● Key protection ○ Private key for TLS ○ Signing key ○ … #IstioCon Performance ● CapEx, OpEx #IstioCon RDMA (Remote Direct Memory Access) ● Advance transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel
50 pages | 2.19 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
the HPA calculation 22 Define HPA target for multi-containers pods Stabilizing Istio CPU: 1 Memory: 100MB Pod App container Container requests 23 Define HPA target for multi-containers pods performance are: ● Latency: +2.65 ms at p90 (no telemetry) ● Compute resources: 0.35 vCPU and 40 MB memory / 1000 RPS 56 ● What do we want when implementing Istio? ○ Added value to the business ○ Reliable
69 pages | 1.58 MB | 1 year ago
6 results in total