Comments (11)
This might be intentional since we don't want Istio to reinvent the wheel. The standardization effort is done by https://www.ietf.org/archive/id/draft-schinazi-masque-02.html. The specific instance used by Istio differs in two ways:
- it's mTLS, not TLS - QUIC implementations are not ready for mutual yet
- it's only TCP - hence it's regular HTTP CONNECT with authority populated (no need for extended or UDP yet)
The operational concerns (stream management, flow control) are handled via regular HTTP means.
The one extra header (baggage) has been removed from the protocol specification after some extensive discussion.
from ztunnel.
Based on my (admittedly limited) understanding of Rust, and in line with what you've written above, it seems that the transport connection is H2 frames over TCP. Identical (i.e., based on client and server identities) connection are pooled into a single ztunnel (TCP socket). Is that correct?
Yes. This is the same for Envoy, and should not be Rust specific, really.
Also, which identities (i.e., certificates) are used between ztunnels? I think it the workload's identities upon each TCP connection establishment, but would like to confirm. In addition, since it is H2/TCP, it would seem that mTLS is supported, but I may have misunderstood the Rust TLS acceptor set up.
Ztunnel doesn't present its own identity, it presents the identities of the source/destination pods on their behalf. This is a limitation, but it works for now.
I understand how the operational concerns of different (i.e., "unpooled") connections between ztunnel gateways are handled, as each is its own TCP connection and the kernel stack would handle fairness, congestion, etc. It is less clear to me how operational concerns of multiple client-server connections, using the same tunnel, are handled. Is the ztunnel implementation responsible for allocating fair share of the TCP stream between multiple pooled streams?
Yes, it should be responsible for fair-sharing network resources and handling the noisy neighbors. This is my main concern about production-readiness of ambient - I don't think we have enough evidence the current settings are adequate.
What was the rationale for pooling (as opposed to opening a new ztunnel socket for each client-server)? Was it resource usage, latency in establishing new streams (the current scheme may avoid roundtrips used for TCP establishment), or something else?
The main benefit of pooling is reducing the overhead of the TLS handshake. I don't know how ztunnel pools, but in Envoy we set max streams to 100 so ensure better CPU utilization.
Is there a general timeline for switching over to MASQUE/QUIC (via https://www.ietf.org/archive/id/draft-schinazi-masque-02.html or any of the more the specific encoding specified under the WG)?
You don't need full MASQUE if all traffic is TCP. We will need it when UDP or arbitrary IP traffic becomes in scope for Istio.
from ztunnel.
The closest thing we have is being submitted in a PR: istio/istio#46472. Take a read through that and see what gaps exist in the doc and we'll be happy to add it
from ztunnel.
thanks @keithmattix !
I'll go through that, noting gaps (if any) in the PR discussion
from ztunnel.
Client authorization is done in a simplistic way: source IP and identity is forged by ztunnel. There's no delegation (separate ztunnel identity) or client forwarding (XFF) that are needed right now, but could be easily added.
from ztunnel.
This might be intentional since we don't want Istio to reinvent the wheel.
Well, we invented a codename/acronym, and we have to at least contend with that :D
My $0.02 is just put @kyessenov 's explanation above into architecture/HBONE.md
and call it a day.
from ztunnel.
@kyessenov - apologies for not replying earlier, hope you are ok restarting this conversation.
I've taken the time to read through the ztunnel architecture doc and the code.
This might be intentional since we don't want Istio to reinvent the wheel. The standardization effort is done by https://www.ietf.org/archive/id/draft-schinazi-masque-02.html. The specific instance used by Istio differs in two ways:
- it's mTLS, not TLS - QUIC implementations are not ready for mutual yet
- it's only TCP - hence it's regular HTTP CONNECT with authority populated (no need for extended or UDP yet)
Based on my (admittedly limited) understanding of Rust, and in line with what you've written above, it seems that the transport connection is H2 frames over TCP. Identical (i.e., based on client and server identities) connection are pooled into a single ztunnel (TCP socket). Is that correct?
Also, which identities (i.e., certificates) are used between ztunnels? I think it the workload's identities upon each TCP connection establishment, but would like to confirm. In addition, since it is H2/TCP, it would seem that mTLS is supported, but I may have misunderstood the Rust TLS acceptor set up.
The operational concerns (stream management, flow control) are handled via regular HTTP means.
I understand how the operational concerns of different (i.e., "unpooled") connections between ztunnel gateways are handled, as each is its own TCP connection and the kernel stack would handle fairness, congestion, etc.
It is less clear to me how operational concerns of multiple client-server connections, using the same tunnel, are handled. Is the ztunnel implementation responsible for allocating fair share of the TCP stream between multiple pooled streams?
What was the rationale for pooling (as opposed to opening a new ztunnel socket for each client-server)? Was it resource usage, latency in establishing new streams (the current scheme may avoid roundtrips used for TCP establishment), or something else?
Is there a general timeline for switching over to MASQUE/QUIC (via https://www.ietf.org/archive/id/draft-schinazi-masque-02.html or any of the more the specific encoding specified under the WG)?
from ztunnel.
https://github.com/istio/istio/blob/master/architecture/ambient/ztunnel.md#hbone
enough there now?
from ztunnel.
https://istio.io/latest/docs/ambient/architecture/hbone/ is published now and is actually likely the most complete description of the protocol at this point, inward-or-outward-facing - between these two it's as described as it needs to be IMO.
from ztunnel.
Thanks!
Between https://github.com/istio/istio/blob/master/architecture/ambient/ztunnel.md#hbone and https://istio.io/latest/docs/ambient/architecture/hbone/ there's enough info, IMHO.
You may close.
from ztunnel.
thanks!
from ztunnel.
Related Issues (20)
- Provide a new label for metrics regarding destination type HOT 3
- Issue trying ambient mode on an ipv4-only k8s cluster HOT 13
- [release-1.22] h2: remove illegal double oneshot recv HOT 1
- [release-1.22] Properly handle named targetPort services
- dualstack: DNS always returns both IP families regardless of service configuration
- Support dual-stack localhost binding for DNS
- Emit end-of-process access logs
- Stress test on-demand DNS querying
- [release-1.22] Add option for disabling IPv6 HOT 1
- local_address and peer_address can panic
- Ztunnel does not scale up with number of worker threads in expected way HOT 13
- Implement DNS-over-TCP redirection HOT 1
- Do not error if the app sends a RST
- Implement improved draining HOT 14
- CVE-2023-4039 when will fix ? HOT 4
- Failure to do `apk update` when ambient captured from wolfi pods HOT 2
- Refactoring improvements now that we have a proxy-per-workload approach HOT 4
- Feature Request: Allow Customized XDS Address to be set HOT 7
- log output in json format HOT 1
- failed to connect to server "/var/run/ztunnel/ztunnel.sock" HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ztunnel.