(eBPF-based) TCP/IP Stack Bypass ● eBPF ○ In-kernel virtual machine ○ Running user code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct map​ ○ sk_msg_md ■ Match features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel bypass / direct user space access ○ Transport fully offloaded to the NIC HW ○ Zero-copy operation ○ Secure, channel based

Fetcher has a possible disk exhaustion vulnerability. If the chart is bigger than the available disk space, a Denial-of-Service scenario would happen. Case 1 https://github.com/istio/istio/blob/d86fa8b48 Close() return tgz.Extract(reader, f.destDirRoot) } Case 2 This will run out of memory before disk space. See issue 5 case 1. 92 // DownloadTo downloads from remote srcURL to dest local file path 18 Istio

information and to store state ● Accessed from eBPF programs as well as from applications in user space #IstioCon Work Flow of Acceleration ● Attach SOCK_OPS program to global cgroup ● Capture socket

Share collected information ● Accessed from eBPF programs as well as from applications in user space ● Map type o HASHMAP o SOCKHASH: Hold socket as value Istio Meetup China ebpf Background Knowledge

Super simple to register and navigate through live and recorded sessions" Networking event Space Escape Escape room focus on having fun time and teamwork, where participants solve together different