From YouTube: Ambient Mesh WG Meeting 2023 01 18
B: Right, yeah, so I want to talk about the metrics. We have a label called connection security policy that can be either unknown or mutual TLS. I think this field is super important for ambient, because it's essentially the only way you can tell that ztunnel is actually doing anything. When you do it with ztunnel, it's transparent, and so your application doesn't change.
B: However, in the current implementation in Istio, not ambient, in general in Istio, we actually only say that it's mTLS on the server side; the client always says unknown, even if it's doing mTLS. The reason, which goes back, like, many years, but apparently is that on the client side, one is that, due to the implementation, we didn't actually know if we were doing mTLS or doing TLS to google.com, for example. That is kind of void now: we clearly know when we're doing HBONE and when we're not, and can set this true or false.
B: But the other argument is that as a client, you technically don't know if the server is verifying your TLS or not, because they could just have a function that says "return true", right, instead of actually checking the certificate. I think that argument's not really compelling enough to intentionally set unknown, because on the inverse side, we also don't know if the other side's verifying. Like, you can't really know, as either a client or server, that both sides are verifying the TLS, but it doesn't really matter, like, the...
B: We can document this as, like, a weird caveat that mutual TLS doesn't mean that both sides verified, but just that both sides used TLS.
B: It just seems very pedantic, and that it's not worth putting unknown, which then is saying, like, well, we can't be absolutely 100% sure they're verifying things, so we'll just treat this the same as if there wasn't any TLS at all.
C: Yeah, go ahead. Okay, thank you. A quick question. Thank you. Thanks for the issue. I actually ran into the same thing just a day ago. So a question for you, I guess I forgot to check, is: do we actually report the correct connection security policy on the server side? Is this a known issue, more related just to the client side, because we don't know whether the future TLS will be enforced, but...
B: Hard to expose that in BoringSSL, so we technically know, but we may not actually.
F: And I don't even know if it matters with HBONE, if it's, you know, TLS or something else, or... because in reality, what is the purpose really of this? I...
B: I think really what the user wants to know is: was my thing encrypted or not. The fact that we happened to put mutual TLS as a field, I don't think is ideal, because sure, maybe we don't know if it was mutual, but I don't think it's worth changing the name. I'd rather have a naming that's slightly imprecise, that we can explain for people that really care about the precise details, like, "that's not 100% accurate", than say unknown and just leave them to figure it out themselves, but...
B: Okay, so I start my cluster, it's all disabled, then I enroll ambient, and maybe I do a namespace, say my namespace. Right now I start seeing more and more mutual TLS pop up, and maybe once I'm done, everything's mutual TLS. That's still useful, right? It shows that we're migrating to mTLS. It shows that afterwards everything is encrypted.
F: It's another question, and a number of, you know, usages of HBONE as a metric. We support, you know, two other means. So if it's HBONE it's secure; if it's not this one, it may or may not be. I mean, we have it in Istio because we have this permissive mode and it was not clear what it is, but in HBONE there is no ambiguity.
C: Yeah, I think having HBONE as a value is also an alternative, a good sub-option, right. So then they can determine... it's much better than unknown, which is super confusing, yeah. So if we tell them it's HBONE, then they can say, oh, HBONE means mutual TLS. It has to be mTLS if the source and target both...
G: Yeah, go ahead. Yeah, so my point is: if for HBONE the server side is always only allowing mutual TLS, we can claim mutual TLS. If it also allows TLS, then maybe we probably just weakly say, you know, this is TLS, basically meaning encrypted, but not necessarily authenticating the client. But that depends on the implementation of HBONE. If it's really only mTLS at the server side, then it must be, because plaintext and TLS are not allowed.
F: Yeah, unfortunately you didn't see what they wanted to say, so I have to, so. We have discussions about adopting OpenTelemetry, and we have discussions about, you know, simplifying also the telemetry side of Istio, I mean to resolve the high cardinality and a lot of other issues. So mTLS, the mutual TLS, and what we have done in the past, I don't think it's relevant anymore, and should... I mean, for ambient.
F: We should be able to, you know, kind of cut some of the dimensions, because it is a cardinality issue, and maybe start adopting the OpenTelemetry naming. And so, if we want ambient, we'll have dashboards to modify a bit for ambient; if they do, they should modify to, you know, something that is more thin and simpler. Yeah.
I: Okay, yeah, so the accuracy now on both the server side and the client side is that it's using TLS, right, not mutual, yes.
B: Sure, yes, I'm in complete agreement that the naming's bad. The reason I'm suggesting we keep the naming is because I think it's good enough and it avoids an API change, and we can caveat in documentation the precise meaning of the word and what it entails from a client and server perspective.
F: Backward compatibility. I think I don't mind having this, but I think moving forward we should deprecate it and not recommend it, and kind of, if it does, just as a migration or in terms of dashboards. I mean, not remove it before its replacement is ready, but we seriously need to consider, you know, improving the telemetry story in... yeah, yeah.
B: The option, yeah, that goes away, you're right. If someone wants to make a new mode that, instead of istio_requests_total, it's OpenTelemetry HTTP requests with all their names or whatever, that you can opt into, that seems like a reasonable future path, but I don't think it should prevent...
F: But at once we need to start a discussion about switching to OpenTelemetry, because again, it's a standard. It's used in a lot of places, and when we switch, we should switch completely, and again maybe discuss using access logs for communities and all kinds of other discussions that we should... that are perfect for ambient. Because it's, you know, [inaudible] or not. Why.
I: Just for these metrics, can we say, because we don't really know mutual TLS, can we say just do not use the mutual TLS value, but only use TLS and plaintext and unknown?
E: Can't change the [inaudible] dimension. I don't think we'll have to be... I mean, the cardinality problem is the problem of the Prometheus and Grafana pipeline. But other pipelines don't suffer from this issue, so we cannot... we can easily change the Stackdriver option because it doesn't have the same issue.
C: Yeah, so I guess we're trying to think through, as a user, how would they tell if it's mTLS, because now we're saying, okay, you can check this mutual TLS, right, in the field, but that actually means it's TLS when they read the doc. So now the question is: how do they really check if it's mutual TLS?
B: That says... I mean, the control plane sends a cluster that says: HBONE, initiate TLS context, use TLS, telemetry says it was mTLS. If a user wants to lie and use an EnvoyFilter to remove that and add one that says, like... they can insert telemetry on their own too, if they're trying to do crazy things, right. It's like, telemetry's secured, and I can't go spin up a random pod that says I see a bunch of requests with mTLS.
C: Yeah, so I think Kuat is asking: is there any value on the metrics to indicate to users whether, in addition to mutual TLS or [inaudible], whether the user wants to know if it's classical mutual TLS versus HBONE.
F: And for HBONE, there is no such thing as classical TLS.
B: Okay, it's not really fully finished yet, but given we just happen to have the meeting today, I figured I would present it now and get some early feedback. So just for preamble, this has no user-facing impact necessarily, so don't be freaked out if you see obscure things that look weird. So today, a request between two ztunnels, we send to the pod IP on port 15008, and then we have some redirection logic that will actually bump that over to the server ztunnel, right.
B: We need to know what the intended destination is during the TLS handshake, so that we can serve the correct certificate. There's not many options for how we can convey that: either the destination IP, or some, I don't know, ALPN hack or something, or SNI. And we didn't use SNI primarily because, one, it doesn't allow IP addresses, which is obviously what we want to put in the SNI, as part of the RFC, and most libraries will actually reject it as well, last I checked. And the main reason that we were considering doing the SNI was to simplify the redirection.
B: So we didn't need this, you know, redirect from calls to the server to the ztunnel. That to me wasn't very convincing, because we still do need that redirect for plaintext requests to the server, so when the client doesn't have a ztunnel, so we can enforce policies, bump it to the waypoint, do whatever we need to do.
B: So that's why we did it that way at the time, but I think now some of the circumstances have changed a bit, so I think it's worth revisiting. I'll pause if there's any questions.
B: Okay, yeah, so the main two things that have changed are, one, I think we found a reasonable format to encode the info we want in the SNI, and the other is that we've also, I think, found some use cases where it could be useful. But you can scroll down to the design, Francis.
B: So I'll start with the format, which is part three of this. So we can receive either requests to services or to pods. For services, there's already kind of well-known names for each VIP.
B: So, you know, myservice.mynamespace.svc.cluster.local could be the SNI. Actually, now that I think about it, this may not even be... well, that would be relevant only for waypoints. A server-side ztunnel doesn't get requests to VIPs; it only gets requests to pod IPs. And then the direct workload was a more problematic one, but it turns out that Kubernetes actually does have a naming format for pods.
B: They happen to insert these in the cluster DNS. We don't technically care that it's DNS; we just want a format that's at least arguably standardized. And so that looks like the IP, dot, namespace.pod.cluster.local, where the "pod" is a constant, not the pod name. There's also IPv6, which is the same thing, basically; just all the dots or colons are replaced with dashes.
B: So that would be the format we would use. The kind of extra use case would be doing SNI routing at an east-west gateway. We could use this info to kind of do similar routing to what we do with Envoy today. It'd be slightly different because it would be aware of kind of the next hop for the request, and that's... I split that out into this other doc, which I worked on at the same time, but we can discuss that too. That's pretty much...
B: ...the main thing. I think I might have missed some important details here. Any questions or thoughts?
G: For the ones that are using the IP address, will this IP address suddenly change due to some, you know, IP address change? Am I making this, like, invalidated when you use that as part of the SNI name?
B: It is possible, but note that we're going from... before and after, we were still conveying the IP address; we're just conveying it in a different format now, so that doesn't really change at all with this proposal. Okay.
B: Identity already includes the namespace as part of it, so they should already have this information for workloads. For services, it's a bit different, but in order to resolve a service VIP to a concrete IP address, I already need info about that service. So to add just one string value for the hostname doesn't seem terribly onerous, right? They already need the VIP, ports and IPs under that VIP mapping.
B: So, if you go down to the very bottom, I address this, because I thought about this after you mentioned it last night. Did you scroll down, Francis? I forget why I didn't like it... see? Oh yeah, so for ztunnel and waypoints, this does work pretty well, because all we use the SNI for is deciding what certificate to serve, and so we can determine that based on the service account, and that's fine. And then, of course, we would...
B: Yeah, give me the foo service account, and I want to actually request bar. So that's no problem. The issue is that it would break the multi-network forwarding through SNI, but that doc is also super work-in-progress and I don't think anyone's looked at it other than me and Costin. So if we don't do what I'm proposing there, then this may become a viable option again, but for...
A: Yeah, what's the right... and a similar question required: what's the right level of specificity? Like, should the protocol specify that you use the IP or you use the service account, or should the protocol just specify that SNI is populated, and in our implementation we can kind of do what works well, that we...
F: And HBONE on the internet, you know, using certificates has been done for a very long time and there are very well-known practices. You know, IP cannot be used because the standard doesn't allow IP in SNI, unfortunately, and mangling it is kind of a hack that probably nobody else is doing. Normally it's either a service name or a hostname; actually, hostname is the most common. And for pods?
F: IP is not a very reliable identity. What ID is a reliable identity? So I really like this proposal, because it moves HBONE closer to the internet standards, where you actually use the hostname, which, you know, in the case of pods, is supposed to be pod name, dot, namespace, dot, whatever. And if it's a destination address to a service, it's a service ID, and then you can do some mappings and, you know, populate.
B: The reason that I didn't do that initially is, so, one, that we have a nice property that the current IP format is unique within a namespace... within a network. If we switch to ID, it's only unique within a cluster. And the second thing is that any client should have the IP and the namespace already anyways, but they would not necessarily have the name.
F: Using IPs, I mean, in SNI, is again... nobody does it. I like to avoid hacks and things that have to be [inaudible] only and are not the environment of these things. Hostname is universal; I don't think anyone would have a problem, or anyone will support it. There's...
B: No hostname is... it: hostname could be "foo", like literally "foo" with no qualifications. Every pod in the mesh could have the same hostname "foo". There's no standard; it has to be uniquely identifiable, and there's no standard uniquely identifiable hostname.
B: IP overlap is something that we solve by network, so an IP address is only relevant within a single network. When we traverse, we know which network we're going to and which network we're coming from.
D: Yeah, I was going to make, like... it seems like the key decision point here is how we want east-west gateways to work, yeah, and whether we want direct pod addressing through an east-west gateway or not.
D: Clearly, the east-west gateway, if you want direct pod addressing, right, service account isn't going to cut it, right, particularly if you want the east-west gateway to route, or the east-west... The other problem, by the way, with the east-west gateway, or in fact any trusted man-in-the-middle, right: the service account mechanism doesn't work for a trusted man-in-the-middle, right.
D: So, like, there's an admin gateway that's going to do packet interception, and it's going to be able to terminate mTLS in the handshake, and the client's going to trust it because it's in a whitelisted or [inaudible], right, for known trustable service accounts that have superpowers. So I think we can rule service account out for that reason. Then the second question is: what do we actually use, and does it have to be multi-network capable or not?
D: Most of the basic Kubernetes and CA infrastructure out there is going to want to issue... they're going to issue certificates to pods, and they're going to put the cluster-local pod ID into either the common name or a SAN, right. They may put the network in as an attribute in the certificate, but it's going to be pretty hard to persuade people to be fully multi-network in the CA infrastructure, right.
D: If you use IPv6, you could probably address your multi-network name collision problems, right, by partitioning your IPv6 namespace, even if they weren't physically reachable.
D: I think we could probably still make SNI work for that, but I think we need to have a little bit more detail and design, John. So in general, I think the pattern is right. I think it's just [inaudible], like, it's a naming convention, right. The mechanism that exists today for the hostname, right, for pods, is just a way of generating a unique pod ID, right, that's network-addressable but not necessarily stable, right.
B: The guarantee is that UID is unique within a cluster. I don't know if it's unique across clusters, though.
D: Well, so you can either put a requirement on: hey, if you're using multi-cluster infrastructure, you'd better make sure your UIDs, not UUIDs, are non-colliding, which you probably want for a variety of other reasons that have nothing to do with us, right, like telemetry and debugging and logging and those other things, right. Just, if you have multi-cluster Kubernetes and you're not using Istio today, how are you telling the difference between two pods?
J: Yeah, I mean, if you look at... I think, no, sorry, Costin put in chat about, you know, suffixing with a cluster name. I know that Kubernetes just removed cluster name from their spec, but that doesn't mean that... I mean, in this case, like, if you, as a user, are managing a fleet of Kubernetes clusters, right.
J: You can't guarantee the API server is going to give a UUID that's unique across all of those, but you can at least guarantee that you name those uniquely across, let's say, regions or whatever, you know, or else you're going to be in a whole department of trouble of your own. So I think that is a fair assumption to make across... if you're talking about a fleet rather than a single cluster, if you add the cluster name into the ID.
B: The one thing that's not unique is across time, so UID is guaranteed even across time, which may be more secure, but...
F: John, you might be [inaudible]. Your idea, I think, is a non-starter, because it's never used enough, I mean.
D: So it depends how they initialize it, right. That's what we need to know, all right, so it's a very implementation-detail-specific piece of information that we need. If, when you bootstrap the cluster, they generate, and make a good job of generating, a random number that's the bootstrap for the UUID, the odds of colliding in space across many, many clusters in a single mesh are vanishingly low.
D: If they're relying on UUIDs, like algorithmic, like probabilities, to make a stipulation, and we make the same stipulation for multi-cluster, because multi-cluster is just a bigger version of a single cluster, the only reason that it could happen... that it is more likely to occur in multi-cluster is if they did a bad job with bootstrap. But...
J: Okay, so what about virtual machines? So those are not... I mean, those have identities.
D: I mean, sure, yeah, like, we can use that for... but some people don't, right.
A: Is there a point of disagreement still, or... I can't tell if we've reached consensus and are still debating, or if there is still debate, what the debate is about. Like, what do we need to know to make progress? So.
D: So if they're not bootstrapping their UUID with a PRNG, yeah, right, they're doing it wrong, or something equivalent to a PRNG, right, or they have a guarantee that some system is coordinating the bootstrap so that there's no collision in... which step in the multi-cluster environment. Either of those two is fine.
C: That's it, but if we're adding namespace and cluster name with the [inaudible] method, though, because as long as it's unique within that cluster, then it should be okay, right? Even if I have two duplicate UIDs on different clusters, as long as I have unique cluster names.
B: Yeah, I have a question as well. One thing in the, like, domain fronting: SNI and the authority header is something that some load balancers reject. I know some people don't like it. I think the Gateway API has said you can't do this using the Gateway API.
B: Basically, my understanding is that in order to get around firewalls, people in, like, China would set their SNI to a bogus value all the time, and then the actual destination they want is in the host header, and they would use that as firewall circumvention. And then, I don't know how the history went, but somehow they convinced a bunch of people that this was a terrible thing and that those fields should always match. And I think Google load balancer, maybe... I think I definitely saw Azure load balancer, like, they actually reject this.
D: And this partly was too, right. This is what's causing the Great Firewall of China to block all QUIC traffic and often to block all ESNI traffic, but the internet community adopted ECH to help people get around the Great Wall of China. So there's an ongoing war there.
F: But on this topic, since they're having this discussion and controversy, we should also consider putting these names that we put in SNI into the list of SANs, as a URI SAN or a DNS SAN. And that will avoid much confusion and [inaudible], because I think what John mentioned is based on the fact that the certificate you're asking for is for one SNI, and then you get a different certificate.
B: ...doc that's about multi-network routing. That would be useful to get some early reviews on as well.
C: Okay, I think we're out of time. Next week we probably should have Mitch's agenda go first, because I feel bad that, Mitch, you were supposed to go to this, and somehow it...
A: ...wasn't until, yeah.
C: Got to be the first item next week, yeah.