From YouTube: Ambient Mesh WG Meeting 2022 11 02
A: Yeah, so KubeCon was pretty great. It was cool to meet a whole bunch of you at the conference. A lot of people that I had only ever seen online or in pull requests I got to see in 3D, which was fantastic. This is the ambient meeting and, of course, ambient made a pretty big splash with talks at ServiceMeshCon and KubeCon on the ambient architecture, lots and lots of demos and labs being run on it. Lots of excitement, a decent amount of confusion too, as far as what it's all about, but with innovation that's often the case. I think that, as things move towards production-ready, we'll see a lot less of that.

B: Yeah, I think you captured it well. So definitely there's a lot of excitement around ambient, John. We are actually saying it at the same time, except you use voice. So that's cool. Yeah, and it's really nice to see everybody. It's nice. We had a lot... Istio meetup for the first time after COVID. The only sad part is I think I captured some virus at the conference, so I'll do less talking.

C: Well, this is a question from our side, so we want to know. Currently we have a Rust-based implementation for the tunnel. So what's the future plan from the community? Are we at a final, you know, recommended approach for the Layer 4 layer, or were there any other options also, like, you know, DPDK or something, some other things?

D: I would say that the tentative direction of the community so far has been around the Rust one that we're working on. We haven't, like, committed to, like, that's the one true way to do it, but we're exploring it and there seems to be general direction that that's going to work out to be kind of the standard option. Whether that will be, like, we just drop the Envoy one entirely, that's still to be determined. If there's other implementations other than the Rust one and the Envoy one, I think that's definitely something to explore, but right now no one has yet talked about them, except for you. So if you want to discuss it more, that would be awesome. Yeah, go ahead, Ethan.

E: Yeah, just one bit of color. I think to merge the Envoy implementation of ztunnel, it would need work to get ready for upstream, at least, and I don't know that we're going to do that work. So someone would need to contribute. I don't know if you agree with that or not, John.

D: Good enough, oh, oh, oh, oh, I see what you mean. Okay, okay, yeah, merge to.

D: Like, in my opinion, there's no need to have an Envoy one and a Rust one, because the Rust one is going to be better in every way. But I don't, you know, I don't want to say we're going to kill the other one yet, until it's actually better, because right now it's not yet complete. So.

F: But I mean, as I... My interest is also to support proxyless gRPC and other environments, so it will probably be necessary to have some support for the protocol in all languages supported by gRPC. And, presumably, you know, have some compatibility and make sure that multiple implementations... I mean, even if we support only the Rust implementation, we focus on the Rust implementation, it should be possible to interoperate with, you know, things like proxyless gRPC and other implementations on the same protocol, especially since it's a standard protocol.

E: There's a little bit of exploration of using the Rust ztunnel just for HBONE, or I'll say we're researching that, but ztunnel will never parse L7, so L7 is always going to be on the way.

B: Yeah, that's a good point. So I also have a processing... it's definitely to, oh boy, yeah. What information it could potentially be interesting to reuse, some of the similar code to handle HBONE connection. We could potentially reuse that code from ztunnel, I guess, as far as waypoint proxy goes on the way. Currently the waypoint proxy is per service account, right? So we've got actually a lot of users asking about per namespace versus per service account. Right now it's all implemented per service account at the moment.

E: We could do per namespace, it's just a trade-off. Now you've got a waypoint that's operating on behalf of multiple keys, so I would ask what the motivation for the ask is more than anything, but there's no, like, technical blocker.

A: But technically, if you came up with a data plane that was configured via xDS and did the same thing Envoy did with traffic, with all of the xDS that we send, there would be no reason that couldn't be swapped in. I think that's a pretty tall order for L7; I think it's much more achievable at L4, but it seems at least theoretically possible. So.

G: So I think there's obviously a contract between the ztunnel and the waypoint that other implementations could meet. As Mitch described, it gets easier for other waypoints to meet that, and I don't think xDS, by the way, is a requirement, Mitch, if those waypoints are sandwiched by a ztunnel implementation that is under the control of Istio.

G: So as long as an L7 proxy is sandwiched in a network where it acts... the network is acting on behalf of the identity, then whatever the waypoint does, right, will maintain the identity. The only thing it would have to do is, if it wanted to support delegation, right, it would have to do identity propagation at L7, right. But it could act as and talk as the identity simply by being embedded in an interface that had that identity, right.

F: And I want to reiterate, for proxyless gRPC, which we support in Istio open source, they will need to implement at least a subset, because it's L7. So if they want to keep doing proxyless, they will probably need to implement some of the features of the waypoint. So I don't think, you know, it will not be complete, but just like it's not completely still supported, but it will need some, you know, multiple language implementation of a subset of the protocol, at least with xDS support.

G: So I think this discussion really has a bearing on how do we want to compose waypoint with the ztunnel implementation. If we layer them, it's easier to swap Envoy with something else. If we embed, it's harder.

G: I don't know if we necessarily want to replace Envoy, but we might want to replace with a different controller of Envoy, right, or a different flavor of Envoy, right, or other vendors may provide their own implementations of Envoy, right, that are still meeting those requirements. And how would the control plane know?

G: That was, whatever was the Gateway controller would write those IPs in, and it would be up to the provider of the waypoint class to make sure that they functioned.

B: Okay, and then, which could use that information to render the workload and resources, whether it has the optional waypoint address, when sending from the istiod control plane to ztunnel.

G: Well, imagine we had two control planes, right, a ztunnel control plane and a waypoint control plane, and they have to interoperate. They were in two different, like, there were literally two different binaries. How would they communicate?

G: So that's one example of how, right, and maybe it's not the right one, but it's certainly an example and a pretty typical usage of the controller pattern to achieve the effect. The second question is: how much work is it, right, to be an alternate implementation of a waypoint? Today it would be very hard; if we sandwich, it would be a lot easier.

A: Yeah, for instance, the Solo API Gateway controller, right. Istio's said we're not going to implement API gateway features, but Solo has built some really cool stuff on top of Envoy for API gateways. You could have that API gateway work within the mesh without needing an additional Istio waypoint in order to serve it.

H: Like, if right now I have some filter that I will do anymore, right, and I wanted to support that, and this is something that Istio is not supporting today. What I'm going to do, I'm going to use EnvoyFilter resource, going to put whatever I want, send it directly to Envoy? Is that fair or not?

I: If I have my own, you know, proprietary waypoint implementation, which is controlled by my AWS Gateway API controller, which I understand users specify Gateway API object. It will reconcile into my underlying, whatever the data plane construct.

F: Will it be supported by the Istio community, or is it supported by the design and you need to implement some stuff? I mean, because the whole idea with the HBONE protocol and following standards was exactly to enable this kind of use cases. So vendors like Google, AWS can implement their own multi-tenant multi...

F: You know, custom solutions, including proxyless, and all the others, but that doesn't mean, though, Istio open source community will do the work or will support this. It just means that we follow a formal protocol, and vendors and other people who want to integrate with us, they do the work, with whatever languages and tools they need.

I: Okay, yeah, so this is the assumption I have made: if we implement HBONE, the ztunnel, and, you know, follow this spec, and we also implement the Gateway controller, we'll convert the Gateway object to whatever underlying configuration. But that's my question. Okay, so it's possible architecturally; it will work if Irani has DOD. On top of that, we'll write on top of the Gateway API and it will automatically configure, reconcile into all underlying VPC data plane configuration.

F: You don't actually need to use this uod or xDS or anything. I mean, that's what Louis said earlier. I mean, you can use whatever control plane you want. The main requirement is that on the data plane we have compatibility. I mean, it's the same headers and protocols, same discovery. In fact, even browsers today support very similar protocols, so priv's Chrome, they're based on the same mechanism, so we should be able to have complete interoperability and as many tools as necessary.

I: But I think the ideal is the user will use a common language to specify their desire, you know, and then we'll reconcile into whatever the underlying data plane configuration.

G: Yeah, I mean, it's user choice, right, Yuval, right? Like, if you choose to do something beyond the realms of Istio, right, we're just facilitating an integration, like, just like with the Solo API Gateway, right. Like, Istio knows nothing about what it does, like, we have no idea, right, if you integrate with it using the EnvoyFilter mechanism, but Istio has, like, no idea what's happening. It's up to the user and your contract with them for you to make that coherent. Same for any other product.

G: No, I'm not suggesting that we try and deliver that in, you know, in an alpha release or something like that. We should at least consider it and not lock ourselves out of that possibility, and pragmatically speaking, we should probably enable it. It's going to be useful.

A: If we can find a first implementer, we could work with them to set up conformance testing, for whatever conformance is needed there, right.

G: Yeah, I mean, if you look today, yeah, right, like if you want two things to interoperate, there has to be a contract between them. That's... in Kubernetes today, it is to write state back to status that then some other system takes a dependency on.

G: Now, I'm not suggesting that we go and chop Istio in half, right; I don't think that's practical, at least not in the short term, but the contract can still be maintained, even if we're still shipping a monolithic control plane for both ztunnel and waypoint.

G: And it probably behooves us to be a little cognizant of what other vendors are going to want, right. ztunnel is going to make, like, if you're Palo Alto, like, hardened mTLS, right, with all the best security best practice, is going to make your Palo Alto firewall look particularly useful, right, trying to find the C cell, and I just paid five million dollars for my Palo Alto firewall, but I want zero trust.

F: Should I start, you know, kind of, since we have this discussion and there are options being discussed, and truly have a doc and list those options and try to kind of standardize on, because we stand as a protocol, maybe if this standards on discovery, and, you know, I'm sure it'll be a bikeshedding; it will take a while to agree, but yeah.

G: I want to make sure, like, that... does this make sense to people, right? Is this... if everybody's vehemently against doing this, then, you know, we shouldn't do it, but if people think this makes sense, then, you know, people feel like they need some form of compositional control.

H: So implementation details... Basically, you suggested right now, correct me if I'm wrong, it's basically the way it's working right now: how to tie basically the ztunnel and the waypoint is basically done by whatever data or whatever, and now it is suggested, instead of it, let's make sure that in the control plane of Istio we are putting it in the status and taking it from the status, or...

G: Yeah, we'd need to define something, right: some form of contract.

F: Yeah, but I think it's... What was the most important decision here is if we want to support delegation, or we want to keep the current model, or we want to support both, or something like that, because delegation is super useful in a lot of cases where, you know, we trust something in front of it to do the authentication, and, you know, it does the sandwich. I mean, tunnel in front of it or some other gateway that is authenticated through other means, right now.

D: Yeah, I think it's fine. I mean, it's not to me a top priority in the short term, because there's no other waypoints right now, but we should, we...

B: Yeah, I agree with John. I mean, it's certainly not a high priority thing. One thing I do want us to also think through as part of the contract is what if, do you, the user, now deploy waypoint proxy using the Gateway API? Is Gateway API the status, the only way, as part of the contract?

H: That, just to me, is not a good use of our time, honestly. So, in my opinion, but let's do what other people think. But if the purpose is to make it as important as, for instance, the cook box or something like that, then it should be very, very clear what it's doing. It should be very, very small and low passes and very, very solid, because that becomes such an important piece of your infrastructure.

D: Just my opinion. Yeah, I definitely agree, and I guess what I was getting at is, like, if Iris or someone else wants to go implement a ztunnel in DPDK or whatever, but like that's, we could definitely add a spec for what it means to be a ztunnel. Obviously, if they... the non-formal spec is, like, just swap it out and make sure all the tests still pass, right, but we can make a more formal spec if it comes to that.

C: Okay, thank you for the clarification. You know, when we want to contribute to ambient, currently there are some bugs around, you know, the... if we use the Envoy implementation, there are some issues, and if we go to the Rust implementation, there are also some issues. So from the community perspective, for a contributor, if they need to contribute, which direction should they select, to make sure the Envoy version is workable or make the Rust version workable? So yeah, this is some question for us.

E: Yeah, I mean, so... we can't really dictate what the community does, but I'll tell you, Google is investing only really in the Rust implementation from an engineering perspective today. We're also working on publishing a roadmap of GitHub issues and all that sort of stuff; Steven's got it almost all the way there, but we're hoping to have that next week or so, to make it a little easier to contribute. So I think the Rust implementation is the correct bet if you're gonna fix bugs and contribute.

K: The employee... so this is a question: is there any issue or document or apply to researchers, so the...

L: I think we have a doc, and see if I could pull it up, that John wrote, some work that needed to be done still for ambient. See if we can pull that up. Work.

G: Yeah, on that area, Ethan, I think the working Envoy is pretty dependent on the sandwich, the sandwich question, right.

E: Here's the short summary: the xDS path in the L7 waypoint is more complicated than I would like it to be, and according to Kuat, who's our internal Envoy expert, if we did the sandwiching, it would make the xDS in the L7 waypoint dramatically simpler.

F: For sandwich there are some other benefits, you know, in simplification, other things, but I think the important thing that we need to discuss is how we are going to pass the information from ztunnel, and standardize it a bit, and that's kind of delegation effectively, because it's a way to try to pass certificate information and other stuff from the ztunnel to Envoy. Yes.

G: Is that identity information? Yes. And possibly... Kuat and I were discussing this earlier. The other advantage of sandwiching means that we have to formalize a contract between the ztunnel layer and the waypoint for propagation of identity for policy reasons. That contract could also be used by other things like gRPC or other user-level libraries that exist without the waypoint but sit on top of the ztunnel network for policy enforcement.

F: Because actually that's a regression in current ambient. In the initial, for example, an application can get information about the certificates, at least for HTTP, through to some others; in ambient right now we lack a way to do it. So sandwich would force us to define a clear interface between ztunnel and applications to get metadata, right.

G: Yeah, so the historical analog here is, when you run on a VM, you can call your metadata server and ask who am I. This is: I can ask the network who's my peer, all right, I have it... the network gives you back either an assertion or proof, right. We're likely to start with assertions; I'm not sure when we'll do proofs, but.

C: Nice, you just mentioned some sandwich things, so it's this, the contract between the ztunnel and then the waypoint. Can you share more details around this? To make sure we are clear.

E: Yes, I will follow up. I just want to set expectations. This is in, like, very early concept phase, so we're in the, like, we'd love to participate with people and figure out what to do here. It's not... I don't have, like, a design doc.

C: So back to the seven, just seeing there will be a document to describe the, at least at the concept level, right.

L: But we also probably even can simplify some of the standard Envoy sidecar deployments as well, because there's already logic, like, to sniff to determine whether it's mTLS encrypted or not. So all of that can also be stripped out. So there's a lot of simplification, I think, that can come with this, even for existing non-ambient.

I: The whole stack... I saw some conversation happen on the Slack that between the pod and the tunnel there is some quite complex wiring that has to be set up, like using Geneve tunnel or something. Would that be simplified or documented somewhere? It's kind of a mystery how does a pod... the life of the packet from pod to ztunnel.

E: Yeah, at a high level, this is really a function of what the CNI does. So the kind of the correct solution to this is the CNIs. Each CNI vendor needs to implement kind of native support for ztunnel. In the experimental launch we kind of hacked around it, because we didn't have kind of formal support from any particular CNI vendor. I don't think that will be kind of what the long-term production path for this will be, but I also don't think...

E: Istio can dictate how that redirection happens, because it's highly dependent on what the CNI is. For example, in Cilium they'll probably use BPF to redirect to ztunnel; in Calico they'll do something else based on iptables, etc. So that's kind of a separate project that we need to track: getting native support for this into various CNIs. Yeah, there's no documentation on the, like, series of hacks we did to get it to work.

E: I could talk about it or possibly write something down, but I don't think those hacks will persist in the long term. So I'm not...

L: Yeah, but both Solo and Isovalent have expressed interest in modifying Cilium so that we have a much cleaner way to get packets in and out of pods and into ztunnels. So, you know, in the future we should have alternatives that are much cleaner than the current kind of hacky Geneve tunnel way.

G: Yeah, I think we also probably want a less hacky but universal way, if we can get one, in Istio, right, that works with most of the CNI vendors out of the box, without necessarily having to take a hard dependency on them, right. Anything we like, there are still opportunities to dig in on that as well. Right.

E: Very much into the weeds with the sandwich, the tunnel sandwich stuff. Yuval, actually, you in particular, I would love to talk about this out of band, because you're going to have really interesting ideas on it. If you're free, I'll email you and we can schedule a time.

J: Yeah, yeah, then, tomorrow we have this company event, but anytime after.

G: The one you asked about SigV4: can you bring that up in the Slack channel, maybe reference some technical documentation about it? Sure.

G: I vaguely remember it, but I'm not familiar with the details.

I: So it's like, past associate... or service account associated to a token, and they can use that to use a SigV4 for it. It's a well-known algorithm. You can sign, and infrastructure, we can look at the signature. Our server can find out who's the caller, the account ID, all those kind of information associated with that user on AWS, and...

I: I think it's exactly... I'm not a crypto expert; I'll forward the information on that. It's basically a... it's a service account. You associate a service account to OIDC, and then you get a static token on the pod, and the application can call API to say: I want to assume this role. I will get a temporary key from AWS infrastructure and you sign your header, and then you get a long signature, and that signature is sent to infrastructure on the receiving...

I: Let's say waypoint would receive the TCP connect, including the SigV4 header, and then we'll just send the string through to our server. The server will come back to say: hey, this is the user, this is his role, her role, you know, the read role, and they will associate whatever the policy with that role. So everything just like any other AWS service, yeah.

G: It's a bearer token, but it has a centralized revocation controlled by the sounds of it.

G: Yeah, there's an interesting discussion to be had for ztunnel about whether, when one ztunnel originates streams, right, should we also have tokens in those streams, in addition to the identity being used at the channel level, to enable systems to support delegation in addition to channel identity. It's a quite complicated topic, so one we have to have with some more security folks here at Google too, but certainly whenever delegation is occurring, right, you need some of those capabilities if you want to maintain the security properties.

F: That will be a bigger topic and probably not necessarily ambient specific, because the entire Istio has similar problems and, you know, needs to integrate with other gateways and infrastructure. So maybe we can move it to the previous meeting and implement it. We can already implement it in Istio gateways and other things.
