Is 5G and Why Does It Matter? 5G wireless technology is meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, and improved efficiency empower new user experiences and connects new industries. -Qualcomm 3 ©2021 Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) ● High speed data path (SR-IOV/DPDK) ● Customizing workload certificate attributes ● Multi-cluster/site visibility

Using envoyfilter to implement requirements on platform level, reduces application workload. Intelligence Platform for Multiple Tenant Support • Support multi-tenants (Add extra http header/ logs wisely)

com/istio/istio – 7353c84b560fd469123611476314e4aee553611d • github.com/istio/proxy – c51fe751a17441b5ab3f5487c37e129e44eec823 • github.com/istio/istio.io – 26dacdde40968a37ba9eaa864d40e45051ec5448 Key Findings Google Istio Security Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service istio/proxy Istio Envoy Proxy code in the master branch up to July 15th, 2020. Commit: c51fe751a17441b5ab3f5487c37e129e44eec823 istio/istio.io Istio documentation and security guidelines from the master branch

Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing disclosed to the Golang security team who fixed the vulnerability and assigned it CVE-2022-41721. 3 Istio Security Audit, 2023 Project summary Ada Logics auditors Name Title Email Adam Korczynski

(Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) 3. Obtain the Cluster IP resolved 4. Traffic intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes though the Gateway ● via L3 networking (if enhanced

○ ... IP Data IP Header TCP Data TCP Header Layer-7 Header Data #IstioCon What Do We Get From Istio? IP Data IP Header TCP Data TCP Header Layer-7 Header Data Traffic Management capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6 ● Routing based on headers under layer-7 ○ IP address ○ TCP Port ○ SNI ● Observability application 配置中为 Provider 增加 service_group 自定义属性 2. 通过 Provider 的 deployment 设置 SERVICE_GROUP 环境变量 3. 在 consumer 发起调用时设置 batchJob header 4. 设置相应的 DR 和 VS 流量规则 https://docs.qq.com/doc/DVnlqUVB1ek1laFBQ

from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters

Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image

tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) Istio benefits – Venky / Prasad – point here • Demo • Questions 2 Structure | CONFIDENTIAL 3 API-driven applications exploding Service Testing Component Testing E2E API Tests Engineering effort

Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload Central -> Edge ● TSB CR -> Istio CR TSB Config Data Flow Cluster Onboarding Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring Secrets 4. Installing control plane Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload