►
From YouTube: Ambient Mesh WG Meeting 2022 12 14
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
I
mean
all
right.
Thank
you.
So
yeah
welcome
everyone
so
I.
First,
the
announcement
is
I.
Don't
believe
we
have
a
meeting
next
week
so
we'll
put
on
the
agenda.
A
Okay,
yeah
I'll,
put
on
the
meeting
minutes
and
I
think
we
only
have
one
agenda
on
the
the.
A
I'll
put
in
the
notes,
so
we
don't
have
any
meetings.
Yeah
next
up,
you'll
see
I'd
like
to
you
to
take
over
the
discussion
of
sea
tunnel
layer
for
policy
designs.
I
know:
there's
a
little
bit
of
disagreement,
so
you'll
see
go
ahead.
E
D
Yeah,
okay,
so
I
kind
of
summarized
the
open
issues
of
the
open
concerns
that
we
have
over
the
IDS
and
the
the
message
that
is
defined
in
this
design
document.
The
message
itself
is
I
mean
the
Photobucket
kind
of
a
living
live
in
photographer,
I'm,
updating
the
photographing,
based
on
the
feedback
that
I
get
from
from
the
people
over
here.
I
I
know
that
I
still
need
to
Target.
They
mean
concern
about
the
logic
of
all
and
end,
and
so
it
would
probably
be
updated
further.
D
In
order
to
pass
the
information
between
the
control,
plane
and
the
tunnel,
and
if
I
read
behind
between
the
lines
of
questions
comments
it,
there
is
also
a
hidden
question
whether
we
actually
want
the
custom
you
can
collect.
If
I
want,
whether
we
can
we,
we
actually
need
the
next
in
a
new
external
API.
For
that,
so
we
can
use
one
of
the
existing.
D
F
I
correct
question:
yeah
you're,
absolutely
correct,
I
mean
even
today
you
can
get
the
resources
from
from
D
tunnel
to
istio
D
with
the
existing
protocol.
I'm
not
saying
we
should
not
change
the
syntax
of
the
I
mean
we
can
change
the
actual
URLs
that
we
use
to
to
retrieve
it
to
be
something
different
and
put
the
filter.
So
it's
Network
compatible,
but
even
with
existence
you
ID
with
no
changes
whatsoever.
It
is
implementable
already,
so
you
can.
You
can
ask
for
giving
all
the
policies
rust
can
very
easily.
F
You
know,
process
existing
is
your
resistant
I,
don't
know
if,
if
you
can
show
how
the
different
Proto
will
be
easier
to
implement
in
Rust,
I
would
agree
with
a
different
Proto,
but
I
don't
really
see
how,
if
you
move
the
fields
a
bit
around,
you
make
it
easier
to
implement
the
harass
you
still
iterate
you'll
still
create
some
internal
Maps
you'll.
Still.
If,
if
you,
if
we
find
some
Rust
implementation
of
that,
it's
in
Broad
uses
tested
and
we
convert
from
hour
to
whatever
rust
already
provides.
D
D
F
Yeah,
it
is
just
different,
then,
what's
the
point
I
mean
we
are
just
inventing
a
new
API.
That
is
doing
pretty
much
the
same
thing
with
different
words
and
we
don't
really
gain
anything.
We
just
delay
the
process
because
we
need
to
implement
it
in
security.
We
need
to
implement
it
in
Rust.
We
need
to
keep
it
stable
and
it's
not
going
to
be
stable
because,
probably
iterates
since
it's
a
new
API
versus
something
that
is
stable,
Works
can
be
used
today
with
no
change
in
history
or
D.
Maybe
some
optimizations
later.
B
B
A
Time
we
discussed
this
was
a
challenge
because
we
don't
send
the
label,
so
you
have
to
redo
the
work
to
think
out
which
policy
of
sleep
policy
is
associated
with
which
workload
through
the
selector.
F
I
I'm
confused,
so
there
are
two
kinds
of
labels:
one
is
sending
the
labels
of
you
know
the
not
metadata
like
we
sent
today
and
I
think
we
have
those
we
don't
have
to
send
them
into
the
I
mean,
and
the
other
thing
is
a
workload
Proto
where
we
return
the
labels
for
the
destination.
We.
F
F
B
F
So
but
but
they
will
not
get,
it
will
not
get
the
labels
from
I
mean,
isn't
watching
the
post?
Don't
you
get
need
to
get
some
good
information
about
all
supports
running
on
the
Node
anyway,
foreign.
D
A
F
F
Okay,
so
let
me
rephrase
the
combination
of
whatever
runs
on
the
Node,
that
I'm
not
proposing
changes
to
the
workload
API,
how
to
get
labels
and
proposing
that
the
Z
tunnel
should
be
aware
of
more
information.
And
yes,
if
you
want
to
filter
it,
I'm.
Okay,
with
that
as
well
I
mean
to
have
history.
I
did
do
some
pre-filtering
and-
and
you
know,
return
a
slightly
different
format,
but
not
with
changing
the
entire
structure
of
the
API.
What
is
matched.
B
F
Makes
it
scalable
that's
another
option?
What
what
do
you
prefer?
The
problem
with
pre-filtering
an
ISD
I
mean
I
still
doing
some
label
matching.
Is
that
if
history
goes
out
for
a
while
or
we
have
any
problems,
then
a
new
pod
starts
on
on
the
Lord,
and
we
may
have
a
delay
where,
where
the
body
is
running,
but
we
don't
necessarily
know
the
what
the
policies,
because
this
study
couldn't
sell
them.
F
We
block
for
startup
and
at
this
Point's
IP
table
annotations
are
known,
so
we
know
the
labels
all
ready
to
to
before
we
start
but
estrd
may
be
delayed.
So
I
don't
think
we
block
until
it's
your
distance,
all
the
authorization
because
it
the
studio,
will
say
no
I,
don't
know
I
didn't
receive
yet
a
notification
on
the
phone
I
didn't
match
it.
I
I
will
not
yeah.
B
B
F
Okay,
I
need
to
think
about
it,
but
going
back
to
the
point,
are
you
are
you
getting
labels
for
the
local
workloads?
Is
it
a
problem
with
that?
Do
we
think.
B
We
don't
do
it
now,
we
could
do
it.
One
concern
that
I
have-
and
this
is
a
much
much
broader
concern
is
today
we
have
the
workload
of
resource
and
it
is
not
client
specific
right,
and
so
we
could.
We
actually
don't
do
this
today,
but
in
theory
we
could
take
that
pre-generate
all
the
serialized
protobufs
and
store
them
in
a
map
and
then
just
pipe
those
down
like
a
CDN
right
and
that
could
be
in
other
implementations,
even
more
like
a
CDN.
B
If
we
make
it
so
it's
client
aware,
then
we
have
to
go
regenerate
it.
Every
time.
F
B
F
Yeah,
no
I
I
think
I
think
that
we
should
I
I
agree
with
you
workload
and
we
we
may
need
different
variation
of
workload.
Protocol
I
mean
different
names.
Someone
mentioned
a
question
mark
I
mean
a
query,
parameter
or
a
different
URL
syntax
about
what
we
return
so
I'm,
trying
to
understand
what
what
what
is
easier
for
for
us
I
mean
to
have
this
mechanisms
to
return
labels
with
an
alternative
to
workload
or
workload
with
labels
or
some
other
protocol,
or
to
do
the
label
matching
history
as
a
general
rule.
F
B
Yeah
I
think
the
other
case
we
would
need
labels
is
when
we
add
Network
policy,
but
I
think
that
if
we
do
this,
we
should
use
the
same
Proto
for
obviously
policy
and
network
policy.
So
Z
tunnel
doesn't
even
need
to
care
that
they're
the
same
for
that.
They
are
different,
user-facing
ones
because
they
ultimately
are
representing
the
same
information.
B
G
Okay,
yeah,
so
label
information
will
be
set.
It's
just
a.
We
may
not
use
the
label
as
the
identifier
for
workloads
inside
the
RC
policy.
B
I
wouldn't
say:
label
info
will
be
sent
if
it's
more,
like
labels
can
configure
some
specific
properties
of
the
workload
like
version
and
version
is
sent,
but
that's
not
the
same
as
saying
labels
are
sent
because
we
don't
send
all
the
labels.
We
send
very
specific
ones
and
we're
technically
not
sending
the
label
we're
sending
something
that
can
be
configured
by
a
label,
but
it
can
also
be
configured
by
other
means.
C
I
think
I
I,
don't
necessarily
know
the
answer
either
way
on
this,
but
just
as
a
general
principle,
I
think
it's
a
good
idea
to
keep
Z
tunnel
as
simple
as
possible
and
have
as
few
kind
of
higher
layer
abstractions
leak
into
the
data
plane
as
possible,
particularly
when
you
consider
that,
ultimately,
we're
going
to
expect
alternative
implementations
we're
going
to
expect
cnis
that
build
the
tunnel-like
functionality
implementing
the
same
API,
the
thinner.
We
can
keep
that
and
the
more
we
can
keep
out
of
the
data
plane
in
terms
of
logic,
I.
B
Yeah,
like
one
example
where
I
think
is
kind
of
a
irritating,
is
that
these
two
API
has
like
from
Two
and
then
which
are
typed
and
then
when,
which
is
just
this
arbitrary
string
thing
that
can
match
anything
and
has
like
prefix
and
suffix
matches
and
all
this
craziness.
B
It
certainly
could
be
implemented
in
D
tunnel.
But
it's
kind
of
nice
to
not
have
to
worry
about
that
and
just
get
kind
of
a
sanitized
version
of
it.
That's
kind.
F
Of
minimal
so
John
I,
I
I,
don't
disagree
completely
with
you,
I
mean
if
we
have
to
implement
a
tour
policy,
but
if
we
decide
to
Environmental
Policy
I,
don't
think
we
have
too
many
choices
except
to
send
the
labels,
because
that
that
involves
source
and
destination
labels
and
I,
don't
think
there
is
any
other
way
to
to
use
it.
F
How
about
we
kind
of
split
the
baby
or,
however,
it's
called
we
Define
a
workload
with
labels,
it's
not
very
difficult
to
put
in
history
and
it
doesn't
have
any
cost
in
history,
and
we
also
Implement
filtering
on
sdod,
based
on
workloads
and
on
the
matter
of
protocol.
If
we
Implement
selection
in
sdod,
obviously
will
be
a
small
change
in
what
the
protocol
we
have
today,
but
we
can
still
reuse
the
rest
of
the
protocol.
So
the
when,
where
I
mean
all
the
structure
of
the
protocol
will
be
the
same.
F
F
Discussion
again,
basically
so
we'll
have
ability
to
get
labels
if
we
need
them
debugging,
Telemetry,
whatever
Network
policy.
If
someone
wants
to
implement
or
policies
that
will
be
the
only
way
I
think
we
agree
that
you
know
we
don't
have
the
same
luxury
with
network
policy
where
we
just
have
five
seems
that
we
need
version.
G
Yeah
I
think
I
agree
with
costly
label
will
be
very
valuable
in
many
places
like
Telemetry
I'm,
pretty
sure
we
will
need
to
send
labels
associated
with
the
workloads.
A
G
E
B
F
The
data
plane
no,
no,
no,
no,
no,
no!
So
for
a
VM
again
on
right
now
in
kubernetes,
let's
say
the
cni
layer
is
implementing
Network
policy
and
you
can
express
allow
from
pods
with
labels
X
and
deny
from
both
the
level.
If
we
run
zitana
on
a
VM
or
outside
kubernetes,
we
either
lose
Network
policy.
So
if
the
VMS
will
not
obey,
not
our
policy
or
implementator
policy
in
zitana
to
implement
Network
policies,
Eternal
will
need
to
support
arbitrary
level
because,
unfortunately,
Network
policy
is
based
on
arbitrary
labels
and
sourcing
destination.
Yeah.
A
F
For
for
Network
policy,
you
need
source
and
destination
labels.
Unfortunately,
so
you
need
to
get
both
so.
F
That's
fine,
it
doesn't
impact
the
protocol
in
client
it'll
be
just
a
slightly
different
resources
that
returns
same
information
plus
labels.
So
normally
we
don't
pay
any
cost,
but
if
someone
decides
to
implement
Network
or
something
that
requires
labels,
whatever
I
mean
Telemetry
extra
hour,
then
we
have
the
ability
to
to
get
it
relatively
easily.
I,
don't
think
it's
a
bad
sink
anyway,
it
doesn't
hurt
anyone.
A
F
G
F
G
F
F
Without
labels
I
mean,
but
if
you
need
Network
policy
or
need
to
implement
some
some
policies
that
requires
label,
we
have
it
there
for,
but
that's
a
different
discussion,
I
mean
I.
Think
we
agreed
now
that
that
history
will
do
selection
like
original
proposal.
It's
just
a
matter
of
how
do
we
express
the
rest
of
the
protocol?
Basically.
A
Okay,
maybe
not
Ethan,
did
you
also
had
a
hand
yeah.
C
I'll
just
say:
I,
don't
know
whose
decision
this
is,
but
stepping
back
to
me.
It
really
sounds
like
there's
not
an
immediate
use
case
for
labels,
I,
I,
I'd,
say
70
by
the
argument
that
we'll
need
it
when,
if
we
Implement
Network
policy,
I
want
to
get
this
thing
out
the
door
quickly,
so
removing
features
is
better,
so
I
I
would
like.
C
We
can
always
add
them
later
so
I
I
would
propose
that
we
file
a
bug
on
it,
put
it
in
the
backlog,
but
like
say
No
Labels,
at
least
in
the
alpha
release.
C
I
guess
my
meta
question
is:
how
do
we
like
make
a?
How
do
we
arrive
at
a
short-term
resolution
on
this?
Like?
Is
there
maybe
not,
maybe
not
unanimous
consensus,
but
is
there
a
majority
majority
consensus
on
this
Panther
I.
F
Don't
think
we
have
any
major
disagreement,
I
mean
I.
Think
most
of
us
understand
like
we
may
need
labels.
We
have
a
way
to
add
labels
and
it's
pretty
simple.
We
don't
have
to
do
it
now,
and
this
problem
is
not
blocked
necessarily
on
the
labels.
I
mean
so
only
issues
that
we
still
have
with
this
proposal
is.
If
we
do
I
mean
it's
it's
clear:
all
the
selection
is
your
D,
because
we
need
to
do
it
in
UF
optimization.
F
F
G
Yeah
I
think
for
the
work
of
the
selection,
I.
Think
most
of
us
already
arrived
at
Rough
consensus
right.
We
can
as
a
cost
interest
rate,
we
can
have
the
set
of
costs
selected
by
ECT
yeah
toward
basically
to
replace
the
label,
selection
or
label
selector
in
control
place,
and
the
other
thing
we
want
to
discuss
is
the
Outback
rules.
How
do
we
represent
it?
Do
we
want
to
I
think
there
are
two
two
options
like
that:
I
think
is
possible.
We
can
move
forward.
G
Why
is
directly
copy
the
control
plane
portal
just
remove
the
L7
properties
only
sent
to
The
L4
properties
and
the
other
possibility
which
I
can
see
which
I
mentioned
in
one
of
the
comments
is.
Maybe
we
can
consider
something
similar
to
what
is
implemented
in
my
Outback
protocol
today,
everyone
Outback
I'm,
not
saying
we
should
use
everything
in
my
iPad
because
the
currently
it
has
like
principal
permission
and
we
don't
need
this
distinguishing,
but
the
part
of
that
I
like
about
nyr
case.
It
has
unlimited
nested
and
then
all
combinations.
F
G
B
Mean
I
think
what
you
listed
as
the
pro
is
at
con
and
doing
more
than
we
want,
is
just
an
attack
surface
place
for
bugs
Etc
and
I.
Don't
agree
that
it's
efficient
in
implementation,
I
mean
I,
sent
you
a
link
to
the
example
of
a
simple
policy
that
becomes
for
like
300
lines
of
code.
It's
doing
regex's
to
do
simple.
B
B
What,
basically,
my
argument
is
that
we
should
have
the
most
efficient
simplest
form
over
the
wire
right.
If
that
ends
up
looking
like
Envoy,
that's
fine,
it's
not
going
to
be
the
same
as
Envoy
I
almost
guarantee,
but
it's
actually
very
simple.
This
is
not
subjective.
We
can
quantitatively
go
and
test
out
two
protos
and
see
how
efficient
they
are
right.
It's
a
very
simple
single
number
output.
So,
if,
if
we
want,
we
can
go
test
out
side
by
side
and
improve
it,
we
don't
need
to
you
know
kind
of
debate
over
it.
G
B
But
I
feel
like
we're
almost
agreeing,
because
we
were
saying
we
want
to
take
Envoy
and
strip
out
all
the
parts
we
need
to
get
an
efficient
representation
and
that's
exactly
what
I'm
saying
as
well.
I
guess.
So
my
only
thing
is
that
I
don't
care
at
all
about
sticking
anywhere
similar
to
Envoy
if
it's
not
the
most
efficient
I,
only
care
that
we
end
up
efficient,
but
if
it
looks
like
Envoy
without
the
bad
parts
of
it.
That's
perfectly
fine
with
me.
Okay,.
B
E
No
I
was
gonna
say
you
said
that
the
the
one
goal
is
that
is
the
efficiency
over
the
wire,
but
you
would
also
said
that
we
want
to
keep
the
code
in
the
Z
tunnel
as
simple
as
possible,
so
the
one
goal
cannot
be.
E
B
C
F
Even
if
they
are
conflicting,
yes,
so
one
one
one
one
point
here
is
we
we
go
down.
You
know
it's
a
rabbit
hole
basically
I
mean
we
will
keep
discussing
for
many
months.
What
is
the
most
efficient
wire
versus
whatever
versus
the
same
way?
F
What
is
bad
enough
way,
how
a
general
purpose
language
can
be
optimized,
and
then
we
have
to
because
employees,
basically
an
expression
language
that
is
evaluated
and
so
forth,
how
about
pragmatically
just
start
with
what
we
have
in
history
API,
because
that's
exactly
what
it's
a
minimum
thing
we
need
to
support,
so
anything
we
have
to.
It
will
be
extra.
F
That
is,
you
know,
effort
and
testing,
and
if
later
someone,
you
know
six
months
from
now,
somewhere
Heaven
Wasn't
representation
or
ebpf
translation
or
whatever
fancy
language
intermediary
language
they
want
to
Define
and
they
prove
that
it's
more
efficient
than
what
we
have
we
can
go
with
it.
We
can
swap
it
it's
implementation
detail,
but
to
get
started.
I,
don't
think
the
current
photos
that
we
have
in
istio
are
difficult
in
Rust
to
to
parse
and
create
some
data
structures
that
work
efficiently,
because
it's.
A
Yeah
I
would
say
the
only
challenging
I
have
is
so
folks
two
weeks
ago
we
will
discuss
this
topic
right
and
on
that
call
everybody
was
kind
of
prefer.
There
needs
to
be
some
internal
representation
of
authorization
policy
for
layer,
four
right,
so
that's
the
past
yossi
has
been
going
through
and
I
think
you
also
have
some
prototype.
That's
working
on
his
machine,
so
number
one
is
folks
already
made.
Some
progress
by
yossi
number
two
is
form
the
requirement
of
the
car
two
weeks
ago.
I
think
we
made
it
clear.
A
Whatever
internal
representative
we
want
to
come
up
with,
we
need
to
cover
not
only
the
SEO
RC
policy,
but
also
the
network
policy
for
potential
down
the
road,
which
is
why
another
argument
point
that
we
believe
the
internal
representation
is
needed
for
a
case,
because
the
like
istio
ABAC
couldn't
cover
the
network
policy.
F
Yeah,
that's
that's.
Nothing
is
wrong
here,
I
mean
everything
is
still
true.
We
do
want
at
some
point
to
have
an
internet
representation
that
can
represent
whatever
we
may.
We
I
think
we
don't
disagree
that
eventually
we
need
to
implement
our
policy,
but
it
will
be
a
different
proposal
and
you
know
maybe
we'll
send
Network
policy
on
the
wire
and
but
to
get
things
moving
and
to
not
get
bugged
into
discussion
about
what
is
the
most
efficient
and
future
proof
and
can
implement
it
or
policy
representation.
G
Yeah
I
think
that's
what
policy
can
be
the
next
goal.
It's
probably
not
the
one
we've
tried
to
optimize
in
the
first
implementation.
Natural
policy
actually
includes
what
causing
the
source
labels
Source
labels
can
be
either
can
be
used
to
identify
the
client,
and
it's
probably
not
the
goal
we
want
to
achieve
in
our
first
virgin
and
yeah
I.
Think
one
of
the
important
goals
in
Sea
tunnel.
We
should
try
to
optimize
for
implementation
efficiency.
G
That's
why
I
was
talking
about
the
existing.
My
back
like
you
can
handle
the
embedded
like
any
level
of
and
then
or
combination
very
easily
like
using
very
short
code.
Otherwise
you
have
to
duplicate
the
larger
click
in
several
levels.
If
you
need
two
levels,
three
levels,
you
basically
duplicate
the
same
logic
every
time
you
need
to
generate,
and
then
all
logic,
so
yeah,
of
course,
I'm
not
saying
I
already
yeah,
like
the
previous
discussion
with
John.
G
D
Is
suggestion
is
that
we
will
use
the
account
of
the
authorization
policy
as
a
vehicle
or
as
the
message
to
be
passed
on
the
on
the
wire,
and
we
will
clean
up
the
illness
and
pass
from
there.
I
mean
we
will
clean
up
the
entire
seven
policy.
We
don't
care
about
those,
and
we
will
also
replace
the
selectos
with
something
which
turns
the
attorney
cannot
understand
and
all
the
logic
that
we
need
is
already
there
I
mean
the
end,
the
laws
and
whatever
the
user
defines.
D
C
Can
we
turn
this
into
a
written
proposal
and
I
think
that
would
help
or
I
I'm
I'm
having
trouble
agreeing
to
something
because
I'm
having
trouble
holding
in
my
head?
What
we're
agreeing
to.
G
G
Yeah
yeah,
maybe
you
can
just
go
through
well,
when
you
are
ready,
you
can
show
us
the
examples.
How
do
you
plan
to
enforce
this
control
plane
rules
directly?
Let.
F
G
Yeah
I
actually
recommended
on
the
Outback
policy
rules
in
in
USA
stock
I
gave
one
example,
I
think
yeah
in
of
the
policy
of
the
current
control
plane
policy
I
think
it's
a
actually
in
the
country
proposal,
there's
only
one
level
of
nno,
so
it's
not
possible
to
implement
some
of
the
policy
we
already
supported
today.
G
Yeah
yeah
another
yeah
I.
Another
point
I
I
made
is
because
currently
we
we
still
we're
still
going
to
support
sidecar,
so
we're
going
to
have
some
logic
to
converge
to
the
myr
back,
so
the
logic
already
exists
today.
Maybe
we
can
have
some
shared
Logic
for
both
ambient
and
the
second
and
the
data
plane.
Implementation
can
also
be
yeah.
Actually,
the
animal
Outback
implementation
is
pretty
simple:
that's
what
I
can
see,
but
yeah,
but
maybe
yeah.
B
G
C
Okay,
so
taking
a
step
back
in
this
specific
meeting,
what
outcome
are
we
driving
to
so
I
think
there's
a
decision
that
needs
to
be
made.
I
can't
tell
if
that
decision
was
made
or
not.
So
what
was
the
what's
the
next
step
to
arriving
at
a
decision,
yeah.
A
C
A
We're
on
the
same
page,
so
I
think
one
of
the
big
decision
Point
as
Yoshi,
was
implementing
Leia
for
authorization
policies
for
Z
tunnel.
He
needs
to
decide
what
is
the
contract
between
the
control
plan
to
Zeta
mode
right,
so
one
proposal
on
the
table
was
there's
an
internal
representation
which
I
think
everyone
reviewed
two
weeks
ago
now
costing
is
more
feeling
strongly
about.
Why
don't?
Why
not
just
reuse
the
existing
RC
policy
from
istio
and
have
that
present
to
the
zetano
and
then
zetano
can
process
there
I
think.
A
That's
all
the
thing
we're
trying
to
think
out
and
it
looks
like
yossi
kind
of
agreed.
That's
the
easiest
way
to
get
started,
although
the
is
a
little
bit
of
challenging
of.
Would
that
work
for
Network
policy
down
the
road,
but
if
we're
okay
with
you
know,
just
supporting
the
what
istio
supports
right
now
worry
about
Network
policy
down
the
road
when
we
need
to
implement
it
might
be
a
reasonable
starting
point.
That's
what
you
know,
I
think
about
trying
to
decide.
A
C
G
H
G
B
Yeah
I
just
want
to
expand
on
that.
To
make
sure
that's
not
the
only
concern.
I'm
also
concerned
that
it's
not
going
to
be
safe
to
implement
correctly.
The
obviously
API
is
like
a
bunch
of
stuff
that
is
not
relevant
to
Z
tunnel
and
it's
complicated.
It
has
all
sorts
of
string
parsing.
That
needs
to
be
done
as
much
as
we
can
avoid
parsing
things
in
the
Z
tunnel.
B
There's
less
opportunity,
for
you
know,
cves,
it's
much
more
efficient,
et
cetera,
so
I'd
much
prefer
that
the
Z
tunnel
just
gets
a
minimum
representation
because
remember
if
Z
tunnel
gets
the
obviously
policy,
it's
going
to
need
to
process
that
into
some
other
form
internally,
so
that
I
can
use
it
against
requests.
I.
Imagine
that
for
each
request
it's
not
going
to
go
through
the
actual
original
authorization
policy,
as
is
and
like
try
and
compute
whether
it
matches
right
it's
going
to
have
to
convert
it
to
its
own
form,
anyways,
so
I'd.
B
Much
rather
have
most
of
that
conversion
be
done
by
that
control
plane
into
an
efficient
form.
That's
efficient
both
over
the
wire
use,
your
frizzy
tunnel
to
understand
I.
Don't
think
it
saves
us
much
time
by
using
the
current
one,
because
we're
still
going
after
convert
it.
It's
just
whether
or
not
it
becomes
a
Proto
or
not,
which
is
largely
an
internal
implementation.
Detail.
D
I
think
the
authorization
policy
that
John
the
attorney
repulses
will
not
have.
D
B
D
No
I
think
really
I
I
misunderstood
the
the
part,
because
I
thought
that
the
suggestion
was
that
the
the.
D
B
Still
parsing
to
be
done,
though,
all
the
fields
even
in
The
L4
Fields,
the
Aussie
policy,
represents
everything
as
a
string,
so
we
may
represent
a
cider
as
a
string
we
may
represent
IPS
as
a
string.
They
may
represent
a
prefix
of
the
string
right.
We
need
to
process
all
that
and
if
we're
saying
that
we're
stripping
out
all
the
L7
fields,
we're
either
just
stripping
them
out
from
the
actual
contents,
but
not
the
Proto,
in
which
case
z
tunnel
has
to
handle
those
in
some
way
right.
B
Does
it
just
ignore,
like
90
of
the
fields
and
pretend
they
don't
exist,
maybe,
but
it's
a
bit
suspicious
from
a
design
point
of
view.
If
we
actually
change
the
Proto
to
actually
remove
those,
then
we're
basically
making
our
own
Proto
and
we
might
as
well
optimize
it
more
than
just
stripping
out
fields.
F
Is
that
we
we
we
may
make
it
more
complicated
than
it
is
I,
don't
think
I'm
against
converting
strings
to
to
you,
know,
numbers
and
and
sending
them
in
a
more
efficient.
But
my
concern
was
about
changing
the
semantics
of
the
of
the
authorization
policy
and
creating
something
that
is
more
generic
and
more
complicated
than
than
what
we
have.
A
G
That's
that's
right,
yeah,
so
yeah
the
the
reason
I'm
talking
about
and
what
about
is
not
saying.
We
need
to
have
a
different
product
to
align
with
what
the
NY
has
it's,
basically
making
the
implementation
much
easier.
Basically,
the
the
mobile
portal
is
optimized
for
processing
this
embedded
and
then
all
logic.
That's
totally
designed
for
machine
to
consume,
to
to
easy
to
enforce
the
recursion
logic.
F
I
strongly
disagree
that
and
full
implementation
is,
is
sufficient.
I
mean
efficient
would
mean
to
use
three
and
and
all
kind
of
efficient
data
structures
to
to
map
the
cidrs.
There
are
a
lot
of
other
things
that
go
into
efficiency,
not
necessarily
writing
interpreters,
that
is
implementing
some
Android
and
other
things.
Recursively.
A
C
To
change
the
API
to
get
a
written
proposal,
because
I
now
I
I
can
sense
that
we're
actually
debating
about
different
things
like
I'm,
not
I'm,
not
sure
we're
on
the
same
page
about
even
what
what's
being
proposed.
So
I
I'd
like
for
someone
to
leave
this
meeting
with
may
I
to
do
that.
Probably
shouldn't
be
me
because
I
don't
think
I
agree
with
it.
B
It's
it's
quite
far
along
okay.
A
H
Yeah
so
Carson
it
sounds
like
they're.
Most
people
think
that
there
should
be
a
tailored
representation
right,
I,
think
right,
and
there
are
a
variety
of
reasons
for
that
right.
Even
even
if
we
ignore
the
selection
mechanism,
there
are
other
normalizations
of
the
data
that
need
to
occur
for
the
Z
tunnel
to
be
able
to
perform
its
work
like
when
we
talk
about
comparing
identities
right.
H
H
We
know
we're
going
to
have
representational
changes
anyway,
to
simplify
the
work
for
Z
tunnel
over
time
right,
particularly
normalizing,
identifiers,
right
IDs,
and
at
some
point
we
expect
the
Z
tunnel
to
do
things
that
are
not
currently
in
the
altitude
API,
either
Network
policy
or
egress
policy
right.
H
F
H
F
Yeah
no
I'm
perfectly
fine,
with
optimizing
I
mean
to
have
a
slightly
equivalent
functionality,
but
different
representation
or
optimal
hold
for
it.
I
mean
it's,
it's
clearly
easier
better
and
it's
not
changing
what
I'm
I
mean.
My
concern
was
having
an
expression.
Language
basically
sneaked
into
I
mean
an
ebpf
sneaked
into
into
this
proto-basically.
B
F
F
B
B
Absolutely
I
think
we
want
Z
tunnel
to
not
be
arbitrary.
We
want
it
to
be
the
least
generic
API,
oh
not
the
least
generic,
but
like
we
that's
kind
of
the
intent
of
the
workload
as
well
right,
we're
not
putting
labels
just
because
they're
there
and
we
can
we're
putting
the
fields
we
need
and
only
the
fields
we
need
to
implement
the
Z
channel.
So.
B
Yeah
I
was
going
to
agree,
I
was
going
to
say
the
it
seems
like
the
outstanding
concern
really
is
that
the
Proto,
as
this
maybe
can't
represent
all
the
current
states
of
the
API
but
I,
think
that's
that's
minor
issues,
not
fundamental
issues,
so
we'll
just
need
to
make
some
tweaks
to
the
Proto,
but
then
to
me
looks
good
to
me
once
we
do
that.
A
Okay,
cool
sounds
like
we
have
consensus
and
you'll
see.
Do
you
want
to
say
anything.
D
No,
there
is
one
more
question
that
actually
five
minutes
is
is
enough
to
discuss
that,
but
did
the
Thursday
stimulator
that
John
did
of
the
comparison?
Whether
we
will
have
the
references
in
the
workloads
of
the
or
vice
versa
and
I
know
that
in.
H
D
D
B
Yeah
I
mean
I
like
the
proposal,
that's
in
the
doc
right
now,
but
I
think
I'm
a
bit
biased
because
I
think
that
was
what
I've
suggested
so
I,
don't
think
my
opinion's
terribly
useful
beyond
that.
G
Yeah
sorry,
yeah,
yeah
I,
think
I
added
a
comment
yeah
just
to
show
an
example
saying
that
the
country
Proto
can
probably
cannot
be
used
to
express
order.
Existing
is
the
oscillation
policy.
B
G
H
It's
been
a
while
since
I
looked
at
the
talk
is
the
current.
The
adoptions
are
either
the
workload
refers
to
the
rules
by
reference,
the
rule
gets
embedded
in
the
workload
right.
So
it's
not
by
reference
or
there's
the
workload
reference.
Sorry,
the
rule
references,
the
workload
set
right.
Those
are
the
three
constructions.
B
I
think
we've
narrowed
it
down
and
refined
them
a
bit.
So
we
know
for
that
Global
or
namespace
rules.
There's
no
need
for
anything
to
be
in
the
workload
the.
So
the
question
is
for
workload,
selector
rules.
What
do
we
do
and
one
option
is
to
put
a
list
of
workloads
into
Aussie
policy
and
the
other
one
is
to
say
in
the
policy.
This
is
a
workload
selector
one
defer
to
the
workloads
and
then
put
the
list
of
workload
selector
rules
in
the
workload.
B
So
it's
a
bit
wonky
because
you
like
the
implementation
like
in
some
cases,
you
look
only
at
the
rule.
In
some
cases
you
look
at
both
the
reason
why
we
did
it
was.
We
did
some
simulation
of
in
terms
of
turn
of
things
updating
like,
because
policies
are
bigger
and
yeah.
It
ends
up
being
that
it's
a
bit
more
efficient
to
update
the
put
it
in
the
workloads
because
policies
don't
change
often,
but
workloads
do
change
often
so,
basically
anywhere.
H
H
A
B
E
F
A
F
One
one
more
point
on
what
the
living
was
saying
about:
it's
not
representing
the
full
power
of
istio
API
that
we
have
today.
We
need
to
identify
what
is
not
supported
for
sure,
but
we
could
as
well
have
a
discussion
if
we
want
to
support
the
full
power,
because
it's
an
L4
policy
there
are
user
is
aware
that
there
are
some
changes.
We
need
to
document
that
some
attributes
are
not
going
to
be
supported,
so
we
we
have
an
opportunity
to
simplify
as
well
and
to
reduce.
B
That
Institute
in
the
dark
there's
a
list
of
what
parts
like
what
attributes
are
supported,
which
is
obviously
the
outboard
part.
I,
think
the
thing
that
Lee
Min
was
worried,
isn't
representable
as
some
of
the
like
there's
a
bunch
of
like,
and
an
ores,
basically
and.
B
G
Actually,
for
the
principle,
the
only
thing
we
pause
is
only
when
we
need
to
support
the
namespace
level
policy.
Then
we.
F
B
A
B
A
Read
our
initial
launch
blog
I
think
we
had
Justin
will
know
for
sure
I
think
we
had
layer
for
routine
as
well
in
cicano
in
the
Lego
layout.