a step towards graduation for Istio. The engagement was a holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future well-maintained project that has a strong and sustainable approach to security. The project follows a high level of industry standards in dealing with security. In particular, it is worth highlighting that: fuzzers in its CI pipeline. Istio has had its fuzzing suite for around a year and has previously found high severity security issues such as CVE-2022-23635 along with dozens of reliability issues. As such,

The goal of the assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective on whether security features 15th, 2020. Commit: 26dacdde40968a37ba9eaa864d40e45051ec5448 Finding Breakdown Critical issues 0 High issues 4 Medium issues 5 Low issues 7 Informational issues 2 Total issues 18 Category Breakdown Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC Group Confidential Table

○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of Istio’s virtual machine integration. ○ Debugging Virtual Machines to learn between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency ○ And of course, reduce overheads introduced! ● High availability ● CapEx, OpEx #IstioCon Gateway ○ Need to setup L3 networking if enhanced performance is desired ● Overheads introduced ● No high performance data path support ○ Multi-Gbps bandwidth ○ Ultra low latency #IstioCon Performance

controls, across clusters ● High availability & resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery

peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, and a more uniform user experience to more users. Higher performance and improved efficiency ©2021 Aspen Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) ● High speed data path (SR-IOV/DPDK) ● Customizing workload certificate attributes ● Multi-cluster/site

Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling, networking, etc. ● PoP: 20+ Points of Presence Scale Testing: Results ● Default wide-open egress sidecar configuration does not scale ○ Results in high memory usage & convergence times since each sidecar knows about all services in the cluster ○ Disabled

istio 1.7.1 (istio #23029, envoyproxy #13037) o envoy still suffers from overload of XDS pushes in a high churn environment. Istio scalability optimization during Knative Service provisioning • Random missing [Istio 1.9.x] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL provisioning • support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn 30s #IstioCon Unleash maximum scalability by fully leveraging Istio features

5 tips for your first Istio.io Contribution Albert Sun | @albertsun0 #IstioCon About Me I’m a high schooler who loves learning about everything related to computers, especially interface design