Preserve Original Source Address within Istio
#IstioCon LVS
① user send traffic to LVS
② PREROUTING chain intercept packet and send it to INPUT
③ LVS work on INPUT, modify the packet dest ip + port and forward it to POSTROUTING
④ send out to real and init a connection to server with original user's address (IP_TRANSPARENT)
⑤ Server's response packet is flowing through the same path (TPROXY + Custom Route)
#IstioCon TOA Address Caveats : install response packet redirected back to envoy
-A PREROUTING -p tcp -m mark --mark 0x539 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
# mark connection 1337 according to packet sent to application
29 pages | 713.08 KB | 1 year ago
Using Istio to Build the Next 5G Platform
certificate attributes ● Multi-cluster/site visibility ● Deep packet inspection Going Beyond Istio 15 ©2021 Aspen Mesh. All rights reserved. Deep Packet Inspection AMF Frontend Namespace AMF Namespace
18 pages | 3.79 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
privileges ○ No support for smart DNS proxying (yet…) ● Further security middle boxes support ○ Deep packet inspection (DPI) ○ DDoS defense ○ Firewall ● Lack dedicated gateway support (architectural changes)
50 pages | 2.19 MB | 1 year ago













