Istio audit report - ADA Logics - 2023-01-30 - v1.0
Snippet: … import ( "bytes" "context" "crypto/tls" "fmt" "io" "log" "net/http" "os" "os/signal" "time" byteSize "github.com/inhies/go-bytesize" … user has explicitly opted into insecure mode, InsecureSkipVerify mode is enabled. As stated by the crypto/tls documentation: "In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom … Audit, 2023 … 0a9a5cf72728c896a…f/istioctl/cmd/analyze.go#L397 … } runtime.SetFinalizer(r, func(x *os.File) { x.Close() }) readers = append(readers, local.ReaderSource{Name: path, Reader: r}) return nil https://github…
0 码力 (credits) | 55 pages | 703.94 KB | 1 year ago | 3
Using Istio to Build the Next 5G Platform
Snippet: … (slide diagram labels: App A, SMF Frontend, SMF Ingress Gateway, Redis DB, SMF App X, AMF Identity, SMF Identity) ©2021 Aspen Mesh. All rights reserved. How to Make Legacy Machine … (diagram labels: Namespace, SMF, SMF Frontend, UDM Egress Gateway, Redis DB, SMF App X, Control Plane, UDM Identity) ● CNI to avoid escalated … (diagram labels: AMF, App A, SMF Frontend, SMF Ingress Gateway, Redis DB, SMF App X) https://aspenmesh.io/how-to-capture-packets-that-dont-exist/ (diagram labels: Optical Tap, Network Analyzer, Encrypted) …
0 码力 (credits) | 18 pages | 3.79 MB | 1 year ago | 3
Is Your Virtual Machine Really Ready-to-go with Istio?
Snippet: … performance) ● Offload ○ Traffic management ○ Security (DDoS defense…) ● HW acceleration ○ Crypto ○ Rule matching ● Further isolation w/ host ● CapEx, OpEx #IstioCon RDMA (Remote Direct Memory …
0 码力 (credits) | 50 pages | 2.19 MB | 1 year ago | 3
Istio Security Assessment
Snippet: … Start a Pod in a namespace that is not managed by Istio [1] https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#control-plane-security … Google Istio Security Assessment … (goroutine dump excerpt) 32 @ … # k8s.io/client-go/tools/cache.(*controller).Run.func1+0x33 k8s.io/client-go@v0.18.0/tools/cache/controller.go:124 32 @ … # k8s.io/client-go/tools/cache.(*Reflector).watchHandler+0x1e4 k8s.io/client-go@v0.18.0/tools/cache/reflector…
0 码力 (credits) | 51 pages | 849.66 KB | 1 year ago | 3
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
Snippet: … (slide diagram labels: SPRING CLOUD GATEWAY, www.my-application.com, 75% or Header: X-User-Type: Non-Admin, RIBBON (Client-Side Load Balancer), 25% or Header: X-User-Type: Admin, Service Instance V1, Service Instance V1) … Rules … (diagram labels: ISTIO VIRTUAL SERVICE + Destination Rules, Header: X-User-Type: Non-Admin, Header: X-User-Type: Admin, Destination Rule:) …
0 码力 (credits) | 9 pages | 1011.00 KB | 1 year ago | 3
Preserve Original Source Address within Istio
Snippet: … mode, two connections … L4 • Add IP in TCP Protocol options • Proxy Protocol … L7 • HTTP header "x-forwarded-for" • User Protocol #IstioCon LVS ① user sends traffic to LVS ② PREROUTING chain intercepts … basis which of the two versions is present. - Proxy Protocol Transport Socket #IstioCon HTTP XFF: x-forwarded-for (XFF) is a standard proxy header which indicates the IP addresses that a request has … mark --mark 0x539 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff # mark connection 1337 according to packet sent to application -A OUTPUT -p tcp -m connmark --mark 0x539 -j CONNMARK …
0 码力 (credits) | 29 pages | 713.08 KB | 1 year ago | 3
IstioCon 2021 Partner Packages
Snippet: … Social Media mentions of presenter and their company: a. Keynotes: 2x b. Tech talks, lightning talks, workshops: 1x c. Event supporters: 2x 2. Screensaver / screen between sessions. This screen will have … offering swag. 4. Slack / event chat mentions: a. Keynotes: 1x b. Tech talks, lightning talks, workshops: 1x c. Event supporters: 1x 5. One shared mention at slack and social media for those who … visits to different places at Gather.town) ● The first 10 to solve the hunt will get a gift card: 10 x $100 per gift card ($1000 USD) per social event. Social event gift cards. Available sponsorship: 2
0 码力 (credits) | 23 pages | 3.18 MB | 1 year ago | 3
Envoy原理介绍及线上问题踩坑 (Introduction to Envoy Internals and Pitfalls from Production Issues)
Snippet: … 14. lo network send • outbound direction: traffic of calls initiated from inside this Pod to the outside • in the outbound direction the ISTIO_OUTPUT and ISTIO_REDIRECT chains are added. • Except for traffic destined to 127.0.0.x and traffic sent by Envoy itself, all other traffic is REDIRECTed (DNAT) to Envoy's port 15001 after the original destination address has been saved. • inbound direction: traffic entering the Pod from the layer-2 network device • the ISTIO_INBOUND … chain is added … All rights reserved. Page 11 Envoy network and thread model: main thread (initialization, logging thread, read configuration, xDS, listen, network events, start worker threads, timer events, admin requests, xDS updates, merged stat flush, DNS, scheduler); worker threads (network events, timer events, listeners, listener filters) … detects whether the downstream connection is TLS-encrypted and obtains the ALPN (application-layer protocol negotiation) value, used for matching in network-layer filters. envoy.listener.http_inspector listener filter: detects whether the application-layer protocol is HTTP and whether it is HTTP/1.x or HTTP/2, used for network-filter matching. envoy.listener.original_dst listener filter: reads the SO_ORIGINAL_DST socket attribute to obtain the destination service address from before the iptables DNAT, used as input to subsequent load balancing.
0 码力 (credits) | 30 pages | 2.67 MB | 1 year ago | 3
Using ECC Workload Certificates (pilot-agent environmental variables)
Snippet: … Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates that use Elliptic Curve Cryptography (ECC) is a requirement ● In Istio 1.6, support … certificateChain.inlineBytes' | \ sed 's/"//g' | base64 --decode | openssl x509 -noout -text … Certificate: Data: Version: 3 (0x2) Serial Number: … Signature Algorithm: sha…
0 码力 (credits) | 9 pages | 376.10 KB | 1 year ago | 3
Your laptop as part of the service mesh
Snippet: … curl/7.64.1 X-devroute: { "foo": "192.168.1.12:8001" } Accept: */* #IstioCon Pseudo implementation: function envoy_on_request(request_handle) contract = request_handle:headers():get("x-devroute") …
0 码力 (credits) | 30 pages | 555.24 KB | 1 year ago | 3
17 results in total