Is 5G and Why Does It Matter? 5G wireless technology is meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, Architecture 4 ©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Real-Time (RAN) Workload Mobility Networking outside CNF Encryption & Authorization between CNFs 5 ©2021 certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved. Architecture Options 9 ©2021 Aspen

Configurable short-lived certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz fly certificate renewal • Kafka listeners configured in PLAINTEXT mode Security layer provided by Istio 8 Security layer provided by Istio 9 • Kafka does not process client certificate in PLAINTEXT authentication with Istio 11 Kafka client authentication with Istio 12 • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters opens the gates for a whole array of useful

Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery across multiple clusters ● Fine-grained Central -> Edge ● TSB CR -> Istio CR TSB Config Data Flow Cluster Onboarding Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring Secrets 4. Installing control

Year of Istio Innovation Simplified installation Simplified control plane New extension Model Unified multicluster model Simplified VM onboarding Simplified troubleshooting #IstioCon 2021: Year of

RPC RPC RPC Message Message Message Cache RDB NoSQL We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP and gRPC ● RPC：HTTP, gRPC, Thrift, Dubbo, Proprietary Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do Do We Expect From a Service Mesh? 为了将基础设施的运维管理从应用代码中剥离，我们需要七层的流量管 理能力： ● Routing based on layer-7 header ○ Load balancing at requet level ○ HTTP host/header/url/method, ○ Thrift service name/method

Istio 流量管理原理与协议扩展 赵化冰 赵化冰 腾讯云 服务网格团队 https://zhaohuabing.com Service Mesh Service Mesh Layer 处理服务间通信（主要是七层通信）的云原生基础设施层： Service Mesh 将各个服务中原来使用 SDK 实现的七层通信相关功能抽象 出来，使用一个专用层次来实现，Service Mesh 对应用透明，因此应用 流量控制：服务发现、请求路由、负载均衡、灰度发布、错误重试、 断路器、故障注入 可观察性：遥测数据、调用跟踪、服务拓扑 通信安全： 服务身份认证、访问鉴权、通信加密 Proxy Application Layer Service 1 Istio 流量管理 – 概览 • 控制面下发流量规则： Pilot • 数据面标准协议：xDS • 集群内Pod流量出入： Sidecar Proxy • 集群外部流量入口：Ingress Istio 协议支持现状 • 七层服务治理 – 服务发现（基于服务的逻辑名称） – LB、基于应用协议的错误码进行 Retries 和 Circuit Breaker – 基于七层协议 Meta data 的路由（RPC协议中的调用 服务名、方法名等） – Fault Injection（RPC 协议层的错误码） – RPC 调用的 Metrics（调用次数，调用失败率等） – Tracing •

(Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple for sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra

10 Istio Security Audit, 2023 Threat model Istio is a service mesh which is an infrastructure layer applicable to so�ware applications. Istio is platform and language agnostic, but is o�en used on top usage of the language. Istio consists of two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. err := url.Parse(srcURL) if err != nil { return "", fmt.Errorf("invalid chart URL: %s", srcURL) } data, err := httprequest.Get(u.String()) if err != nil { return "", err } name := filepath.Base(u.Path)

from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters

collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image execution attacks. Edge security Egress 2. Define egress security policies to defend against data exfiltration, botnet attacks. 3. Define firewall and virtual private network to lock down external