Using Istio to Build the Next 5G Platform
David Lenrow, Open Source Service Mesh Evangelist; Neeraj Poddar, Co-founder & Chief Architect, Aspen Mesh. February 22, 2021. ©2021 Aspen Mesh. All rights reserved. Observability, Debugging: uniform metrics and tracing for all CNF traffic. Enforcement primitives to build zero trust: strong identity for users, workloads, devices, etc. Encrypting inter-CNF traffic via
18 pages | 3.79 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
continuously. ● All fuzzers are hosted in the Istio repository along with the OSS-Fuzz build script. ● The OSS-Fuzz build is maintained to avoid disruption. ● Istio does not run the fuzzers in its CI pipeline. High Yes 10 H2c handlers are uncapped High High Yes 11 STS server is susceptible to DoS if debug mode is enabled High Medium Yes 17 Istio Security Audit, 2023 1: Possible disk exhaustion when extracting code where a user has explicitly opted into insecure mode, InsecureSkipVerify mode is enabled. As stated by the crypto/tls documentation: "In this mode, TLS is susceptible to machine-in-the-middle attacks
55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
running within it. Instead, NCC Group used various hosting options (i.e. Minikube, GKE, KOPS) to build reference clusters and test various configurations. These reference architectures were used to provide a malicious workload to override or compromise its own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety of customizations to fit it into different environments; something formal such as CIS benchmarks is not recommended in this case, but a similar approach could be to build a self-hosted checklist of features and configuration options that Istio believes match security
51 pages | 849.66 KB | 1 year ago
宋净超: From open source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
Running, NIST SPs 800-204A, NIST SP 800-204B. Sheng Wu, Creator, SkyWalking. ● Tetrate's product is built on top of the upstream Istio ● Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower minimal declarative configuration describing where to onboard the workload to). Bridged Mode vs Direct Mode ● Bridged: Indicates that the configurations to be added to the group will use macro APIs. • We built products on top of the upstream Istio. • We aim to solve the complexity of Istio and build a zero-trust network for application connectivity. • We are committed to maintaining Istio's open
30 pages | 4.79 MB | 6 months ago
Secure your microservices with istio step by step
– reviews-v1 & v3 ○ Otherwise, send plain text – reviews-v2 ● Server side will be in PERMISSIVE mode by default. #IstioCon mTLS in Istio - PeerAuthentication defines what type of traffic the server accepts: name: "demo-peer-policy" namespace: "default" spec: selector: matchLabels: app: reviews mtls: mode: STRICT. 1) Apply destination rule to enable client side mTLS. mTLS in Istio - Destination rule: using it, productpage can access reviews-v1 and reviews-v3 but cannot access reviews-v2, since we have enabled ISTIO_MUTUAL mode on the client side. Access productpage. 1) Apply destination rule to enable client side mTLS. mTLS in Istio
34 pages | 67.93 MB | 1 year ago
Apache Kafka with Istio on K8s
listeners configured in PLAINTEXT mode. Security layer provided by Istio. • Kafka does not process client certificates in PLAINTEXT mode • Envoy WASM filter extracts
14 pages | 875.99 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
control plane and related tooling ● Sidecar injection by namespace or on-demand ● Passthrough mode during rollout ● Service entry to connect internal proxy ● Kubernetes Cluster-IP services deployed. Improvements ● POCs for all known use-cases and features, e.g. mTLS, outlier detection, etc. ● Passthrough mode downgrades gRPC/HTTP/2 protocol to HTTP/1.1 ● Tune connection and TCP settings ● Handle signals gracefully
14 pages | 1.76 MB | 1 year ago
Developing & Debugging WebAssembly Filters
Filters are written in C++. Asyc Build: need to recompile and maintain a build of Envoy. EXTERNAL AUTH, RATE LIMITING, ROUTER, UPSTREAM, CUSTOM, gRPC TRANSCODER. Build Custom Envoy Filter. Copyright © 2020. Failures. Speed: near-native performance. Sustainable: eliminates the need to recompile and maintain a build of Envoy. EXTERNAL AUTH, RATE LIMITING, ROUTER, UPSTREAM, WASM, gRPC TRANSCODER. Why WebAssembly. Copyright © 2020. WebAssembly lifecycle. Build: > meshctl wasm init addheader-filter --language rust > meshctl wasm build rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter
22 pages | 2.22 MB | 1 year ago
IstioCon2023 Welcome Keynote
Multiplayer Istio WASM 1:15 What's New Since 2022. CNCF Graduation. Ambient Mesh: a new dataplane mode for Istio without sidecars. Graduated: announcing Istio's graduation within the CNCF. Join CNCF
14 pages | 1.31 MB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
is also used by our partners as well. Ingress Mutual TLS ● Using Istio Gateway mechanism with mode MUTUAL ● Leverage subjectAltNames to verify client SAN ● Additional AuthorizationPolicy to add
16 pages | 1.45 MB | 1 year ago
18 items in total