From YouTube: CNCF Network Service Mesh Meeting 2020-03-31
A: See, I don't make it easy to find the chat window while you're working. So if you could add yourself there, that'd be fantastic, and with that it's going to get started. We also have a meeting every other week that is Asia friendly. It is currently set for, according to my calendar, 1:00 a.m. every other week before the NSM meeting, [inaudible] time on Tuesdays, and I believe we had one today actually.
A: The link to access the calendar and the Zoom are in the agenda. We have a host of things that have been postponed and canceled due to COVID-19. Good news, though: KubeCon has finally had some dates set. So if you were not aware of the new dates, these are the new proposed dates: August 13th through 16th. A recommendation from the CNCF, though, is that for any travel that you booked, make sure that it's refundable in case they need to turn it into a virtual event, because we do not know what's going to happen within the next several months. That being said, we do have a call-for-papers list for things that were submitted. Not everything that is on this list will have made it in, but it is still useful for people where there's a topic you're interested in.
A: He has been pulled into a Cisco-related meeting that he wasn't able to avoid. Just so people know, he's still very strongly committed to working with us; it's just unfortunate timing with the interesting set of events that have been going on recently. He should be back next week, barring any other major things that pop up between now and then.
C: So for the last week, as far as social media updates, it's been another slow week again, considering what's going on in the world at the moment. As far as Twitter goes, we've gained two followers. We've followed an additional four accounts, and we have had a total of thirteen tweets and retweets amongst those. Some of the posts have included the postponement update for KubeCon + CloudNativeCon, happening now in August; sent out reminders for the meetings that have happened and will be happening this week; as well as all CNCF weekly webinars.
C: As far as LinkedIn goes, we have gained an additional four followers, and we continue to promote the same original content that we tweet on Twitter. The plan moving forward will be to continue retweets and contributor podcasts, as well as now getting back to promoting the NSM [inaudible], KubeCon sponsorship, the prospectus, and just trying to get the word out there for that coming up in the summit. So that's it on the social media end of things for this week.
A: Fantastic, thank you very much. So right now we have our heads down and we're working to produce some extra work, so we can have a stronger release for the next KubeCon. As we get closer to those milestones, we will discuss what's going on and try to work out how we want to pitch this as we approach KubeCon.
A: I have a presentation on cloud native zero trust that I've been working on, and what I would like to do is share it and get a little bit of feedback from this group. It's still a work in progress, but it's at a point now where I can share it, and it should start to be a useful deck.
A: There are different forms of perimeter defenses that are more advanced. One example is the creation of a DMZ. In a DMZ, the internet goes to a firewall, up to a private network that has been sectioned off from both the internet and your internal network, and then the connection goes through another firewall to and from the corp network. There are no direct connections between the internet and the corp network.
A: Although in some scenarios, or in most scenarios now, I assume, there may be connections that go in the opposite direction, possibly to the DMZ. There are several variations of this. One variation is you have a single firewall that then creates a DMZ for you and also firewalls off the corporate network and still provides you with the internet. So it's still this particular one, but instead of two devices defending you, it's one device that has access to three networks.
A: However, the details matter, and so from a details side we want to make sure that we match our IP addresses properly, or that we put in the proper network address translations in these areas. We also have to specify access control lists in terms of what's allowed to connect to what on both sides. So this side has outbound rules of the system connecting from here to here.
A: So what ends up happening, though, when you want to allow a specific set of addresses, that specific address, to connect to another: your access control has become much more detailed, or if you want to connect to more than one service in the other trust zone. So again, your access control lists grow larger simultaneously. On the opposite side, how do you establish trust in the client?
A: It's not uncommon to expose the IP address directly out on many systems, or to stick some type of an application gateway in between. This could be an F5 gateway or something similar, an nginx, or some other sort of thing that sits in the middle. And so there are also questions on how you differentiate between multiple nodes, in terms of service A and service B, if you have multiple services where you need to horizontally scale or shut them down.
A: But you have to be very careful, because with these IP addresses you have to do some form of IPAM or some form of network address translation with a private network in the VPNs, in order to minimize the potential conflicts. A little aside: be very careful with L2 VPNs. With L2 VPNs you end up having to share your ARP tables around, and you have to synchronize them together across multiple systems in order to perform ARP caching in an efficient way, and these all come because literally layer 2 is generally not routable. These problems tend to go away when you use layer 3, because layer 3 is routable.
A: So when you start to hook up multiple subnets together and you start to combine them, then what ends up happening is you have to deconflict them. With two networks you only have to deconflict for one connection; for three networks, three connections; six, and so on. So the more you add, the more subnets you have to deconflict, and so you can model them based upon this formula. But what you have to be careful with is, in addition to reducing the conflicts, how do you also manage these?
A: The edge might be a system that's owned by an ISP, or it could be Equinix or some other system, and then you connect into something like Amazon, which may be your system or your partners', and so that means you then have to synchronize with all of your potential partners in working out these subnets. And so you also have to be a bit careful, because what happens if you don't plan appropriately for your growth, which is easy to do?
A: And you often see things using that in terms of trying to reduce the complexity on this, which helps. But then you end up with a lot of complexity in managing that system, and for many people I know this is not the only answer, but when things start to break, you often see a lot of manual work going into managing the firewalls or managing the edge perimeters.
A: (Remove this one.) We also end up with potentially fragile configurations. [Inaudible] can help here, but that said, there's still a lot of things to manage, and even more so when you bring in multiple companies, and then trying to gain observability and debugging these systems can be in practice very, very difficult. And finally, the main problem with that, though, when we talk about security, is you're defending with the assumption that the attacker is coming from the outside.
A: But the problem, though, is what if your attack actually starts from in here, or you have a malicious actor that has already gained access to the inside? That's where perimeter defense starts to fall down. So we want to move from perimeter defense to a zero trust environment, where we're no longer relying on trusted networks with a trusted tunnel between them.
A: So the question is: how do we achieve this? We start by establishing a trust domain. At the top of each trust domain is a CA, and so think of a trust domain like an organization, like your organization. They may manage a CA and they get to rotate it over time. You then attest the workloads.
A: You want to establish policy on how these things connect with each other. So this is one that I got from [inaudible], so I'll make sure to cite this, but in this scenario we're pulling this bit, the source SPIFFE ID. So you see this is very declarative: you're saying what path do I want to allow. I want to allow /pet/owner using a GET request, and the ID must match the SPIFFE domain [inaudible] API for its identity. How do we get that ID?
A: And we specify that by saying one of the requires is the exported client certificate, where we were able to extract that information out and verify it. This example doesn't show it, but we're also able to validate the certificate that's passed through. So before we grab the client ID, we would validate the certificate to make sure that it's a valid certificate that is known by our infrastructure, and if it is, and it respects this contract...
A: Then we allow the connection through, and so we can establish this type of API in a much more detailed way as well. If there's a JWT, we can also include information about the JWT, and from the token pull that information to also scope the path even further. And I guess it would be a good idea to put an example through that as well. So, establishing trust between organizations.
A: So if you have multiple CAs, organization one and organization two, you don't have to send all the certificates that have been generated. You only have to send the two CAs, or you only have to share the CA information with each other, and if you share the CA information across both sides, that means organization one can attest organization two's workloads, and organization two can attest organization one's workloads. So once you've established the trust between organizations, then in the SPIFFE IDs that you're setting up, in this one you say the destination's SPIFFE ID is the storage API, and in this one you're saying you are allowing connections from, and you can set your policy to allow things for this specific workload. So in this scenario we can identify, even if we create the storage API, even if this ends up horizontally scaling up or down, when we hit a storage API.
A: The network service endpoint itself has its identity, and we can enforce policy about what is allowed to connect to it. We also can wire in the intrusion detection system in this scenario. This is the Sarah's use case that we tend to use, and so each of these has an identity in the network, in the management layer.
A: So these systems here don't have that identity themselves, but rather we're driving the identity through here, and so once we establish the chain and we are comfortable with the identities and the policy here. One key point with NSM is it's being developed so that you can check the whole chain itself, so you can check policy that's not just the policy for this connection; you can say what is the policy for the entire chain itself and make sure that it follows an acceptable path. And when these things get connected, they get connected based upon the settings that are here, after they've been validated properly. Now a key to this, though, is as an operator you have to be mindful that just because this is encrypted and the management is set up to verify each other's identity, that doesn't mean that this here necessarily is, and so you have to make sure that the primitives that you expose out at the lower levels also respect the privacy that you need.

So this is a really good example, between, like, the firewall and the intrusion detection system: you don't want there to be an attacker here. But what's good in this scenario is NSM has the capability to pass context forward and back. So if you want to set up, let's say, like we're building WireGuard support into NSM as an example, if you want these things to be WireGuard, then that means that we can pass the parameters and synchronize them at this level, so then they get injected into these systems, and then your link becomes secure. So part of this path is making sure that if it's important for the data path to be secure, then you negotiate those parameters at the top, so that they can get injected into the tunnels themselves.
A: This is something that I was going to give at a meet-up here in the San Francisco Bay Area, [inaudible] San Francisco, so I want to make sure that this presentation is ready to go for when they resume, and it is also going to become the basis for other talks I'm giving as well. And so another thing that I would like to suggest on this is also ways to simplify it.