From YouTube: Ambient Mesh WG Meeting 2022 12 07
A
Okay, so this proposal is regarding leveraging eBPF for traffic redirection in ambient. So, as we know, currently ambient relies on iptables and Geneve tunnels to redirect pod traffic to the ztunnel pod on the same node. So this approach is error-prone and low performance, so eBPF is a natural choice to replace it. So this is some background information for the requirement parts.
Actually, because in our eBPF program we rely on the TC (traffic control) hook, so this hook, the TC hook, has existed in the kernel for a long time. So basically it means this proposal doesn't require a very new kernel version. So in theory versions greater than 4.20 should work, but in our, you know, prototype verification work we have verified on versions 5.4 and 5.15, and also we verified only in the kind cluster. So this is the reason we put the requirement here.
So let's take a look at the overall design idea. So basically eBPF will be used within the kernel traffic control in the data path. So specifically the TC program will be hooked into the application pod and the ztunnel virtual ethernet pair. So for istio-cni, we want to repurpose it as the control plane for the eBPF program, so it will run as a DaemonSet. So this is similar to what ambient has today.
So, but all the original iptables, IP rules and Geneve tunnels added by ambient will be removed from the worker nodes. So the overall architecture you can get from this picture here. So basically istio-cni will be watching the pod and namespace events. So this logic already exists in istio-cni today, so we can just reutilize this. So after it gets the pod event,
for example, if a new workload pod has joined ambient mesh, we will execute the related eBPF user space program. So this picture actually is divided in two parts. The upper part is the user space part and the lower part is the kernel part. So, as I said, when a new workload pod has joined ambient mesh, istio-cni will call the user space program to attach the related eBPF program to the related pod's veth pair, the veth device on the host.
So internally we have two data structures to record the information for the ztunnel pod and the workload pods on this specific node. So, for example, when the ztunnel pod has been rescheduled or restarted, or something like this, istio-cni will also call the user space program to do the CRUD functions, like to create or read or update or delete the data information we installed in the data array. Because there is only one record, we select an array as the data structure here for the ztunnel pod info.
We select a map here because there are multiple pods on the same node which belong to ambient. So basically we will record, for example, for the workload pod or the workload app, we will record the MAC address of the veth device on the host for the pod, the ifindex and their IP information, the pod IP for the application, and for the ztunnel.
We also will record this information, so the eBPF program running in the kernel space will read the information in the map or array and execute the related redirection logic according to the information already stored in the map. So this is the control plane architecture, you can think of it that way. Then, for the data path, I mean the eBPF program running in the kernel space, this is the architecture for it. So basically we hook the TC program into four hook points.
So in this picture you can see there is an app pod, so it means acting as a client or acting as a server. So just the app pod, and the bottom part is the ztunnel pod. So they have the veth pair: one end is residing in the pod itself, the other end is residing on the host.
So this is the meaning of this diagram here. So for the app pod, we hook the TC program into the ingress and egress points, but both are on the veth on the host side. So in the ingress point, actually we rely on a special outbound MAC address. So when the traffic comes out from the application, we will get this packet and we will modify the source MAC of this packet to our special outbound MAC address and redirect it to the ztunnel.
Now then, on the lower left side, it comes into the ztunnel pod. So in the ztunnel pod there are two hook points. One is hooked inside the veth within the ztunnel pod, the other is hooked on the host side. So when the traffic of the packet comes into the ztunnel pod,
within the ztunnel pod, I mean, we will look up the connection. If this is a new connection, then we will leverage the TPROXY iptables rules to redirect to the ztunnel outbound port. So one thing to mention here is, for the ztunnel pod currently we still rely on iptables and, oh sorry, we still rely on iptables and TPROXY to redirect the traffic, but the Geneve tunnel has been removed in the ztunnel.
So this is the thing, and this is a future enhancement point we want to do. Also in this hook point, when there is an ingress packet, we will also look up the connection, and if this is the first time the packet is coming, meaning not found, we will TPROXY it to the inbound port of the ztunnel. So then, on the right side, it's the TC ingress hook point.
So this hook point is hooked to the veth on the host side. So as I mentioned, we keep a map in the kernel path to record all the pods that are managed by ambient and running on this node. So we will do a search to see whether the destination IP is within the range. If it is within the range, then we will redirect to the related pod. Otherwise it will just go through the normal traffic flow. So on the right upper side,
so this is the egress hook point. So we also rely on the special inbound MAC address, and then we will redirect it to the ztunnel.
So the first one, as I mentioned, within the ztunnel pod we still rely on TPROXY. So we plan to leverage eBPF for this part as well, but this might require a newer kernel version. So this is one direction. The other part is, currently ambient can only work on the kind cluster or some specific, very basic CNI config cluster. So we need to work with different CNIs to make sure the eBPF hook can work well.
For example, in the Calico part, they also hook some eBPF program in their CNI, so there might be some conflict, so we need to work with them to see how to make sure this approach can work well. So also for the other CNIs, they might also work, but they may also require some additional work. And then the other part is, you know, currently, as I said, we have two special inbound and outbound MAC addresses to distinguish the traffic flow direction.
So we have checked the kernel code in this part. So the kernel, when it generates the MAC address for the virtual ethernet, will use a random one as well. So in theory the conflict might be, the risk might be very low, but we still want to see if there are any other,
you know, new or better method to achieve this. So this is one thing we want to consider. And the last part is we have a TCP/IP bypass solution that works well against the original Istio sidecar mode. So the performance gain, if you utilize this solution, is around 10 percent, so maybe sometimes more than 10 percent. So we want to leverage this solution as well.
C
Yeah, so I have a number of extremely detailed questions, so I don't know how much time you want to spend on that, but maybe I can just dig into it. If it's getting too much, I can stop. So overall I think this is a reasonably good approach. Actually, let me start with high level stuff and then I'll let other people ask questions, and I'll get into very wonky technical questions. A couple of points just in terms of kind of broad direction.
The way I would see something like this is as a kind of reasonable default reference implementation. You mentioned trying to get it to work with Calico and other CNI vendors; it's great if we can get it to work there, but ultimately I would think people using other CNIs are gonna want those CNIs to support redirection to ztunnel natively, if for no other reason than there should be a way to kind of integrate.
Performance I think is important. It's probably a little early to overly focus on some of the more aggressive optimizations. I think just doing this in eBPF in the kind of lighter weight, more direct way that you're doing here than what's existing will perform better, and I'm much more concerned about something that's stable and works consistently well. So that's just a general thought, and then I have a bunch of extremely detailed technical questions, but I'm gonna.
C
Or feel free to demo. I understand the proposal. I have questions about some edge cases, but the basic proposal totally makes sense.
A
So let me try to see whether I can get it to work.
D
My interest is more on the control plane side of this, not necessarily the data plane, but the communication between CNI and ztunnel. And, as you know, I'm particularly interested in seeing Istio still running on VMs and other environments, not necessarily only on Kubernetes, and for that I think it's super important to not get tied into MAC addresses and a particular solution to communicate,
you know, the local pods, and maybe even for Kubernetes, to have a more seamless one, because pod creation and population are not very frequent events and not performance critical, and having, you know, gRPC or some other HTTP call between the CNI and ztunnel to communicate the information about the pods may be simpler than any eBPF, I don't know. But either way, I would like to have one solution that is independent of eBPF and can be run. Yeah.
C
A lot, and I actually put on the agenda something to talk about. I think there is a redirection strategy that I'm actually having Brian, I don't know if he's on the call, work on that is just simple iptables; it's possible that will work very, very cleanly for VMs and other cases. I'm also uncomfortable with the MAC address thing for different reasons, which we can get into later, but I do think that we're going to have a little bit of heterogeneity in how the redirection works depending on the context, but I agree that this would not be appropriate on a VM.
D
For example, it must be done because that's the only thing that Android supports to intercept packets. So again, I mean, we need to be flexible; I mean the interception may have multiple solutions. There is no question about this. My concern is really only about having the metadata, the metadata exchange, or CNI telling ztunnel, you know, the pod information or whatever is necessary, have an alternative that is based on HTTP or gRPC. Yeah, that's it.
E
Yeah, I would say, I think in general there's going to be multiple redirection solutions for different environments. Right now we need the basic one for if you just install Istio and, you know, you're on kind or whatever; then a vendor like Calico or Cilium may implement a better one that's specific to their CNI.
You may have one for VMs. Maybe we have one for Android. But on the metadata, though, that part's not quite clear, because whether it's ingress or egress is not a property of whether the pod is local on the node; it's a property of the direction of the traffic, right?
C
I think actually, well, first of all, if you're running in the host network namespace, you don't need that, because we can just redirect to the ingress or egress port. I would recommend we shelve this conversation about ingress versus egress versus, I actually think we want like a local pod bit, but I recommend we shelve that until next week, because I'm literally writing a very detailed doc on it and it might be a better basis for arguing about that, and I think it's kind of orthogonal to the proposal that's here.
A
So Costin and John, your suggestion is, currently we rely on the traffic flow information determined by ourselves, not the metadata from XDS, to define the traffic direction. So your suggestion is whether we can leverage XDS for this part. Is this right? No.
C
Okay, while we're on this, my only feedback would be I don't like using the MAC address for this, but I'm not, I've been wringing my hands on it, but I'm more or less convinced that some sort of tunnel header, like a Geneve header, is actually the right way to indicate this bit. But we can debate it. Maybe we should do the demo first.
A
In my system, the CNI has been removed totally, so anyway, as the prototype, we do the control plane part for the eBPF manually. So you can see there is no CNI. We attach the eBPF program and update the related map and the array manually, but in the future we will manage all the logic inside the CNI. So, and then you can see if I go to the worker node,
the request you can see here, and we can also see some more eBPF traces here.
Let's see it. You know, the data is now redirected to the app, and, you know, for the debugging purpose we have also put all the flow in the trace, so you can see underneath the eBPF is taking action here. So yeah, this is a quick demo of our current environment. So we can go ahead with the discussion now.
B
So, can you talk about the CNI? Is there any additional privilege or permission you have to give to istio-cni to run the eBPF code?
A
You know, currently istio-cni already runs in host network mode. So in theory I don't expect any more privilege required for istio-cni based on the current version, but as I said, all the control plane work for the eBPF has been done manually currently, so we will see, if we integrate all the logic into istio-cni, what's the change required. But in theory there should be no more privilege required.
A
Actually, I mean, I haven't touched more detail about the Merbridge implementation, so we just go ahead with the TC hook on our side. So no comparison has been done between the two approaches, but the one thing I got from the Merbridge part is they currently cannot work on the kind cluster, so I.
C
I know enough about the Merbridge proposal. What I can say: they're capturing traffic at the socket from the application, and my understanding of this proposal is it's capturing packets as they egress the pod in essentially the TC hook, which is kind of vaguely related to where iptables runs in the core kernel anyway. I think the difference is going to be: this proposal has the potential to be much more stable and robust.
In the long term, the Merbridge proposal, there will exist benchmarks for which it's faster, right, but it's a little bit more fragile and finicky, probably. I think I'm, you know, 50% confident on that, but that's the main difference: Merbridge is capturing at the socket in the application and shoving directly to ztunnel, so you skip the entire Linux networking stack, and this is still going through the Linux networking. So it's a bunch, maybe a smaller change, yeah.
B
And I noticed one of the key differences, the kernel requirement, because Merbridge has very high, much higher kernel requirements. To your point about, yeah, yeah. Thanks, Ethan.
C
Maybe some quick wonky technical points, or maybe it's a question. So you're capturing traffic as it egresses the pod veth, right?
So does the proposal work, suppose I have a non-ztunnel pod and a ztunneled pod on the same node, or actually a simpler case: suppose I have an endpoint in the internet sending traffic to a ztunneled pod, and that endpoint in the internet doesn't speak HBONE. So one of the requirements is the traffic that goes to the pod, since it should be captured by ambient, is redirected to ztunnel instead of being sent directly to the pod. Does the proposal handle that case? Am I making that clear?
A
Oh, so in our proposal we have a map, and this map records only the pod information managed by ambient. So if it's outside of the ambient scope, it will not be redirected.
C
Yeah, so that'd be a piece of feedback. I think it's possible with the approach you're taking, so it'd be like the next thing to work on: if I have a destination pod, a server pod, that's in ambient, all traffic to that server pod, whether it's coming from even random points on the internet, needs to be redirected to the ztunnel.
Does that make sense? And again, I'm next on the agenda. I'm writing a very detailed requirements doc that I've committed to finishing by Friday, so I'll send that out, which covers some of these more, like, less obvious edge cases, so it might be a good idea to kind of cross-reference. I'm familiar with that, but that's the biggest gap that I thought I noticed, and then the second one, I'm pretty uncomfortable with using the MAC address.
C
Yeah, so the only two viable options I've heard are using the MAC address, as you suggested, which I had not thought of before reading your doc, and it's clever, so I'll have to think more about it. The concern I have is, what if a pod on the node that's not part of the mesh learns that MAC address and sends traffic to it? Can it trick ztunnel into thinking.
A
You know, we just modify the source MAC address, so the destination MAC address, we don't touch it, so it should be okay. So the only thing we worried about is, you know, the special source MAC we selected conflicts with others, but after checking from a lot of, you know, information, we find the conflict risk is rare, but.
C
You could allocate a MAC that's not a, like, there's parts of the MAC address range that aren't used that you could use, so that I'm not so worried about. Could you add to the doc more description of the MAC address stuff, and I'll look at it out of band? I'm not convinced either way, but more detail would help.
B
Cool. John, you're up next.
E
Yeah, I was gonna say, instead of updating the doc, is it possible to open source the code? The code's much better than docs.
E
In my opinion, we want at least one general redirection mechanism in the Istio core. I mean, we have to have one, right? You have to be able to install Istio and it works. That could be this solution. I'd be open to that potentially; I mean, I can't say that it will be the solution until we see the code, obviously, and try it out and whatnot, but I have no reason against that.
B
So I guess my concern would be, you know, we want some solution to replace what we have, but on the condition it's better than what we have, right? So far what you have, it looks promising, I think. Maybe it makes more sense to open source it somewhere so people can play with it. Maybe it could be a branch, right, even though we're already a branch, and then we can evaluate on that, because right now you have a lot of manual steps.
A
Yeah, especially for the control part, so we need to add all those manual steps into the CNI. So maybe we can have an experimental branch. Then we can contribute the code there, and if all the parts are done, we can see the possibility to merge it back into the mainstream.
D
Have some directories in CNIs and some options? I'm pretty sure we have some BPF loading, and definitely it will evolve as a feature, so, you know, we had all kinds of experimental features; as long as we get rid of them if we find out we don't use them, I think it's fine too, rather than a branch.
C
And then I'll just give like a quick vote of confidence. I mean, there are details that need to get kind of more fleshed out before I think we should merge it, but I do think in general we're going to end up with a BPF and an iptables solution merged upstream, and I like this approach a lot, a lot better than the Merbridge approach.
E
Yeah, I agree, I prefer this approach over Merbridge. The other thing, though, it seems like most of the redirection issue is all about inbound versus outbound detection, maybe.
D
Kind of, I mean, I think it's important. I mean, it's the last data plane, wonderful, but let's keep any metadata or anything that is, you know, there is a space for Go as well for some.
E
Let me explain why I wanted to have two separate ports and have the redirection tell us whether it's ingress or egress, because I think you can look at the source and destination IP and try and derive which direction the traffic is. The issue is that if you ever get that decision wrong, it is one of the worst vulnerabilities that you can have in Istio, right? That is absolutely horrendous.
So doing it based on what we know about pods from XDS, it just feels a little bit potentially risky, whereas the CNI knows for sure whether it's ingress or egress, right? That's something very clear at the veth level, where the traffic is going, so it felt more reliable that way. If it ends up that, you know, it's causing all sorts of headaches and blowing up everything, then maybe we just drop that, determine it in ztunnel, and try and find ways to make sure that we don't mess up.
C
The concern is that it becomes an even bigger concern once we allow kind of raw packet forwarding: some random endpoint on the internet sends a packet to the ztunnel with a source IP of a pod that's on the node, and ztunnel forwards it as if it's that pod. I don't see how to get around that. We.
D
Are only talking about local IP addresses, which are also in a CIDR range, because each node gets assigned, you know, a specific CIDR range. So it's not even, that's in the local lookups and they cannot be forged, because you cannot, you know, they have private IPs and they are, you know, local to your host. You do not accept from the internet requests to your localhost.
F
And about the MAC address, did you look at looking at the skb cb field? I don't think it's scrubbed across namespaces.
B
Yeah, that's it! Thank you. All right, I think we are done with this topic. So thank you again, Iris, for presenting the idea, and also thank you for the great demo; it went very well. Next up we have a quick topic on the ambient board, so John and I have been putting together. You all know we have a ztunnel board, and thanks to many of you already jumping in to help out with the ztunnel work items on the board.
So if you click on the link, you should be able to see the ambient tracking board at the moment. So we'll probably still continue to populate more items, but you can see a lot of tasks in the backlog and also up next. So once you, you know, get your eyes on it, if you are interested in helping out with something that's not relevant to ztunnel, because I know at one point y'all mentioned ztunnel was a small project, and also some of you shared,
you know, you're new to Rust. So maybe the rest of ambient could be interesting, so definitely check out the board and sign up for things that are interesting. The other thing I want to share is, folks from Google and us are running a twice-a-week standup, so if you own an ambient work item, please assign it to you and then we'll invite you to the standup once you own a work item. John, you want to add anything? Yeah.
E
The other thing I will say is that on the ambient, especially ztunnel, we're kind of in a unique situation in the project that we have a bunch of people trying to work on a relatively small number of tasks.
If you are owning an issue and you get reprioritized to work on something else, or you realize that maybe you should have started with a smaller issue to get started and ramped up in Rust, or whatever the case is, please fail fast and let us know. There's definitely people that are willing to pick up any tasks that are dropped, so just make sure that we're not waiting on someone to work on something
that's never going to happen. And if it is the case that you feel like you're in over your head, let me know; there's plenty of, like, beginner ramp-up issues that we can give if you're interested in contributing but took on something that was harder than you expected.
B
Yeah, great point. In fact, we had a wonderful guy sign up for something and realize he's not the right person to do it. So there's no need to apologize. It's just, you know, inform us. Iris, go ahead.
Yeah, that's right, so I will make sure you guys sign up for the redirection task. I think there is a task for that, and then we should be able to invite whoever works on the task to the meeting.
A
Okay, thank you. So one thing is, you know, some of my team members are in different time zones, so it will be hard for them to attend the standup, so.
B
That's a great point. I don't think, okay, so we don't take notes. The reason is every note is in GitHub. So basically the way we work in that meeting is we have each owner provide an update and then we update GitHub. So you get the notes in GitHub already.
G
I have just a quick FYI and request for feedback. Codespaces have been enabled for the ztunnel project, so I'll give just a quick demo of how to get started. We won't follow through the whole thing. Yeah.
G
So you just click on Code and create a codespace. Billing for the Codespaces is totally up to you. GitHub gives free users 120 compute hours a month. If you want more than that, you can purchase more than that. This is actually remarkably slow; I'm working with GitHub to get prebuilds set up so that your experience of getting up and running with ztunnel and getting ztunnel built for the first time should be like a 30-second operation, as opposed to I.
But, oh, you guys can't see the other part of my screen. So what's happening since I clicked that button: Visual Studio Code has automatically opened and is working on connecting to a container on GitHub, and that's it. From there you can do your development, you can push commits, review PRs, etc. So I really would appreciate any feedback people have, any snags they hit along the way using this. You can also open it not in VS Code, if you want to use it, like, in IntelliJ or in the browser; that's also possible.
There will be one for Istio particularly, but for now there's just the GitHub Codespaces documentation, but it is pretty simple, just two clicks. I can't hear. Actually, I'll demonstrate opening it in the browser here, because that was something you all can see.
C
I'd like to have a really wonky conversation about redirection with John, which I would invite everyone else to leave, because it's going to be boring, but I figured we can have it in here in case there's interest. So is that okay?