Hello, we will give it about another minute and then we'll get started. Okay, double checking: is my microphone working? Yeah, we can hear you. Okay, I apologize about the noise in the background; I have a desktop that's crunching some things. Cool, so I will share the agenda out and we will get started. Great, so welcome to the next Network Service Mesh meeting. This particular meeting occurs at 8am Pacific time every Tuesday. So if you could please add yourself to the agenda, that would be fantastic. I'll see if I can make it easy to find the chat while you're working. So if you could add yourself there, that would be fantastic. And with that, we're going to get started. We also have a meeting every other week that is Asia friendly. It is currently set, according to my calendar, for 1am Pacific time on Tuesdays every other week, before the NSM meeting, and I believe we had one today. Actually, we were only three people on the meeting, and we are people that joined this evening too, so we decided to drop it for today. That's fair enough. We also participate in the telecom user group, which occurs every first Monday at 8am Pacific and every third Monday at 3am Pacific. The next one will be this coming Monday. We also participate in the CNCFC network, which occurs every first and third Thursday of the month. The links to access the calendar and the Zoom are in the agenda. We have a host of things that have been postponed and canceled due to COVID-19, though KubeCon has finally had some dates set. So if you were not aware of the new dates, these are the new proposed dates: August 13th through 16th. A recommendation from the CNCF, though, is that for any travel you book, make sure it's refundable in case they need to turn it into a virtual event, because we do not know what's going to happen within the next several months.
That being said, we do have a call-for-papers list of the things that were submitted. Not everything on this list will have made it in, but it is still useful for people where there's a topic you're interested in; even if it didn't make it in, I'm pretty sure you could reach out to the person and have a conversation. We also have NSM Con, which has now been set for August 13th. So we have extended the time for organizations to sponsor as well, and we'll start asking around more when we hit the lower end of the COVID-19 crisis. The schedules are currently posted, so you can go see what the schedule is. We also will have a postponed version of ONES North America, which I believe they said was going to be around September or October, and it's relatively close to ONES Europe. So just be aware that they're going to be very close together, assuming that they run it. And KubeCon and CloudNativeCon China has been canceled. The one in November in North America is still on; the call for papers opens in a few weeks. So we will announce those and remind people to have their papers ready. A little short note about Ed: Ed has been pulled into a Cisco-related meeting that he wasn't able to avoid. Just so people know, he's still very strongly committed to working with us; it's just unfortunate timing with the interesting set of events that have been going on recently. So he should be back next week, barring any other major things that pop up between now and then. We also have the social media community team. Do we have Ashley on? Hi everybody. So as far as social media updates go, the last week has been another slow week again, considering what's going on in the world at the moment.
So as far as Twitter goes, we've gained two followers, we've followed an additional four accounts and we have had a total of 13 tweets and retweets. Some of the posts have included the postponement update for KubeCon CloudNativeCon, now happening in August; reminders for the meetings that have happened and will be happening this week, as well as all CNCF weekly webinars. There's also the CNF testbed call, which is happening next week, Monday, April 6, so that's been promoted. As far as the Linux Foundation goes, we got some tweets out there regarding some online training courses and certifications that are currently discounted, as well as promoting a mentorship program that they will be running. Then just general retweets from VMware open source related to containers, as well as container bugs from Cisco. As far as LinkedIn goes, we have gained an additional four followers and we continue to promote the same original content that we tweet on Twitter. The plan moving forward will be to continue retweets, contribute a podcast, as well as now getting back to promoting NSM Con and KubeCon sponsorship, the prospectus, and just trying to get the word out there for that coming up in the summer. So that's it on the social media end of things for this week. Fantastic, thank you very much. So right now we have our heads down and we're working to produce some extra work so we can have a stronger release for the next KubeCon. As we get closer to those milestones, we will discuss what's going on and try to work out how we want to pitch this as we approach KubeCon. Thank you very much for the links that you sent. Before we start, is there anything anyone else wants to put on the agenda? We do have the operator live now; I recommend people go off and try it.
But if there's anything anyone wants to discuss, definitely feel free to bring it up. With that, I have a presentation. Sorry, a little bit of a cough that I've had for the past several weeks. I have a presentation on cloud native zero trust that I've been working on, and what I would like to do is share it and get a little bit of feedback from this group. It's still a work in progress, but it's at a point now where I can share it, and it should start to be a useful deck. So let's go ahead and get started on this. We start with cloud native zero trust as the topic, and we start with the definition of perimeter defense. Perimeter defense is an untrusted client connecting to a trusted server through a firewall or through a trusted system; in other words, you have a perimeter on the right side and you're defending things using the firewall or other techniques. There may also be network address translation, load balancers and so on, but generally it's in the shape of a firewall with something that is untrusted. There are different forms of perimeter defense that are more advanced. One example is the creation of a DMZ. With the DMZ, the internet goes through a firewall to a private network that has been sectioned off from both the internet and your internal network, and then the connection goes through another firewall to and from the corporate network. There are no direct connections between the internet and the corporate network, although in some scenarios, or many, most scenarios now I assume, there may be connections that go in the opposite direction, possibly to the DMZ. There are several variations of this.
One variation is you have a single firewall that then creates a DMZ for you and also firewalls off the corporate network and still provides you with the internet. So it's still this particular one, but instead of two devices defending you, it's one device that has access to three networks. The ingress is a variation of perimeter defense, and the way that it's typically implemented, you have a client which goes through an ingress, which acts as an L2/L3/L4 firewall to a degree. You usually don't have any advanced features in terms of these, but you can add things in with the ingress controller and control access to your service in a pod. There is another variation, and I'll fill this out. Another variation of this is you have two providers that you're trying to defend against, and you create a tunnel. That tunnel goes through an interesting network such as the internet; however, the details matter. From a details side, we want to make sure that we match our IP addresses properly, or that we put in the proper network address translation in these areas. We also have to specify access control lists in terms of what's allowed to connect to what on both sides, so this side has outbound rules for the system connecting from here to here. What ends up happening, though, when you want to allow a specific address to connect but not another, is that your access control has to become much more detailed. Or if you want to connect to more than one service that is in the other trust zone, again your access control lists start to grow larger. Simultaneously, on the opposite side, how do you establish trust in the client? The general answer at this level is that we're still dealing with something that's IP based. In this IP-based version, we're basically saying we're going to whitelist specific addresses.
We're going to expose other services, and there are multiple ways to do this; it's not uncommon to expose the IP address, typically on many systems, or to stick some type of application gateway in between. So this could be an F5 gateway or something similar, NGINX or some other similar thing that sits in the middle. There are also questions on how you differentiate between multiple nodes, in terms of service A and service B, if you have multiple services where you need to horizontally scale or shut them down. And finally, how do you populate or rotate your certificates to other trust zones? This one we'll get into more in a while, but this particular one is set based upon, like, think of this as a trust zone or a trust domain, and the same with this one, that it's a zone of trust. The answer on this is to set up VPNs so that you can connect them together and expose the routes. And as you add more systems you can create a mesh between the different VPNs themselves, but you have to be very careful, because with these IP addresses you have to do some form of IPAM, or some form of network addressing, or some kind of private network in the VPNs, in order to minimize the potential conflicts. A little aside: be very careful with L2 VPNs. With L2 VPNs you end up having to share your ARP tables around and synchronize them across multiple systems in order to perform ARP caching in an efficient way. This comes about because layer two is generally not routable. These problems tend to go away when you use layer three, because layer three is routable; on the more advanced side of this you end up with BGP sharing around routing tables using something like a VPN. So when you start to hook up multiple subnets together and combine them, what ends up happening is you have to de-conflict them.
So with two networks you only have to de-conflict one connection; with three networks, three connections; six and so on. So the more you add in, the more subnets you have to de-conflict, and you can model them based upon this formula. But what you have to be careful with is, in addition to reducing the conflicts, how do you also manage these? Who gets to type up these configs, or how do you integrate them together? This will become particularly difficult once we start to see more edge cases appear. With edge cases, think of it like you may have a system where your on-premise is owned by your company. The edge might be a system that's owned by an ISP, or it could be Equinix or some other system, and then you connect them to something like Amazon, which may be your system or it could be a partner's. So that means you then have to synchronize with all of your potential partners in working out these subnets. You also have to be a bit careful because of what happens if you don't plan appropriately for your growth, which is very easy to do. You often see things using NAT in terms of trying to reduce the complexity on this, which helps, but then you end up with a lot of complexity in managing the NAT system. And for many people, I know this is not the only answer, but when things start to break, you often see a lot of manual work going into managing the firewalls or managing the edge perimeters. So this becomes a manual process and you end up having to keep track of all of the details in your system in order to keep things scaling. So back to the original question: how does this end up improving security? Because we end up with runaway complexity. A lot of... I'll go ahead and remove this one. We also end up with potentially fragile configurations. And SDNs can help here, but there's still a lot of things to manage, and even more so when you're bringing in multiple companies.
And then trying to gain observability and debugging these systems can be, in practice, very difficult. And finally, the main problem with it, when talking about security, is that you're defending with the assumption that the attacker is attacking from the outside. In other words, our infrastructure is defending using 11th century techniques: your attackers will come from out here and you're defending the thing that you want to defend in here. The problem, though, is what if your attack actually starts from in here, or you have a malicious actor that has already gained access to the inside? That's where perimeter defense starts to fall down. So we want to move from perimeter defense to a zero trust environment, where we're no longer relying on trusted networks with a trusted tunnel between them. Instead, we're relying on untrusted networks. They can still be private; we're not saying that the private networks go away, but rather they become more like an onion in this scenario, multiple layers of defense. But your workloads will attest each other's workload, and you establish, or rather verify, each other's identity, and they will then establish a secure connection between them. And an attacker who is trying to connect with one of these attested workloads, even if they're in the untrusted network, does not gain access to any of the systems, even if they spoof the IP address. So the question is, how do we achieve this? We start by establishing a trust domain. At the top of each trust domain is a CA. Think of a trust domain like an organization; your organization may manage a CA. It gets rotated over time. You then attest the workloads. There may be other things you attest in between, such as a sub-organization, a cluster, a node or so on, but at the bottom of the tree, you want to attest the workloads. So the application gateway receives an identity, and in this scenario the API gateway receives an identity.
You want to establish policy for how these things connect with each other. This is one that I got from SPIFFE, so I'll make sure to cite this. In this scenario, we're pulling the source SPIFFE ID. You see this is very declarative: you're saying, what path do I want to allow? I want to allow pet slash owner using the GET request, and the ID must match the SPIFFE domain test slash friend and API for its identity. How do we get that ID? We specify that by saying one of the requesters has an exported client certificate from which we were able to extract that information and verify it. This example doesn't show it, but we're also able to validate the certificate that's passed through. So before we grab the client ID, we would validate the certificate to make sure that it's a valid certificate that is known by our infrastructure. If it is, and it respects this contract, then we allow the connection through. We can establish this type of API in a much more detailed way as well. So if there's a JWT, we can also include information about the JWT, in order to inspect the token and pull that information to scope the path even further. And I guess it would be a good idea to put an example of that in as well. So, establishing trust between organizations. If you have multiple CAs, organization one and organization two, you don't have to send all the certificates that have been generated; you only have to send the two CAs, or you only have to share the CA information with each other. If you share the CA information across both sides, that means organization one can attest organization two's workloads and organization two can attest organization one's workloads. Once you've established the trust between organizations, then in the SPIFFE IDs that you're setting up, in this one you say the destination SPIFFE ID is the storage API.
And in this one you're saying you are allowing connections from, and you can set your policy to allow things from, this specific workload. So in this scenario we can identify, even if we create the storage API and it ends up horizontally scaling up or down, that when we hit a storage API we're hitting the right workload, as long as the organization attested properly, regardless of how many there are. So we end up translating this pattern to NSM. In the pattern, every workload in this scenario, every pod, has its identity, and it could also have its associated policy that gets enforced through NSM. The network service endpoint itself has its identity, and we can enforce policy about what is allowed to connect to it. We also can wire in the intrusion detection system in this scenario; this is the Sarah's use case that we tend to use. So each of these has an identity in the management layer. These systems here don't have that identity themselves, but rather we're driving the identity through here. Once we establish the chain, and we are comfortable with the identities and the policy here, one key point with NSM is it's being developed so that you can check the whole chain itself. So you can check policy that's not just the policy for this connection; you can say what is the policy for the entire chain itself, and make sure that it follows an acceptable path. And when these things get connected, they get connected based upon the settings that are here, after they've been validated properly. So a key to this, though, is that as an operator you have to be mindful that just because this is encrypted, and the management is set up to verify each other's identity,
that doesn't mean that this here necessarily is, and so you have to make sure that the primitives that you expose at the lower levels respect the privacy that you need. A really good example is between the firewall and the intrusion detection system: you don't want there to be an attacker here, but what's good in this scenario is that NSM has the capability to pass context forward and back. So if you want to set up, let's say, WireGuard, which is being built into NSM as an example, so if you want these things to be WireGuard, then that means we can pass the parameters and synchronize them at this level. They then get injected into the systems and your link becomes secure. So part of this path is making sure that, if it's important for the data path to be secure, you negotiate those parameters at the top so that they can get injected into the systems themselves. So in a nutshell, that is what I wanted to show off, and I put in the links as to where people can learn more about the individual technologies. I definitely found a couple of holes that I need to solve for in giving this presentation, but I wanted to ask for feedback on what people thought and what I can improve on this. Not hearing anything, so either people are on mute, or if you're not comfortable talking in front of the group, definitely feel free to ping me in Slack directly, and I'll also take responses there as well. I'm going to continue working on this particular document; this is something that I was going to give at a meetup here in the San Francisco Bay Area. So I want to make sure that this presentation is ready to go for when they resume. And it is also going to become the basis for other talks I'm giving as well.
So, another thing that I would like suggestions on is ways to simplify it: not just what is missing, but ways to simplify it. And with that, I don't have anything else. Let me double check the agenda. Yeah, so there's still nothing else on the agenda. Is there anything that anyone would like to ask before we finish? Well, if there's nothing else, then we'll give you back around 25 minutes of your time, and thank you very much everyone. Thank you. Bye.

That's the mic. I don't hear it. It works really well. I don't hear it at all. Tariq, talk. I've taken over the whole meeting. Yes, that's our meeting. Do you want to talk about it? Can you tell Johan what you've done today? Do you want to make a call or something? I'm talking about the meeting that I've described, that you should be able to connect everything. Have you got it working? It actually looked like that. It was funny. What do you hear? I hear almost everything. Do you hear it? Yes, exactly. Do you hear it badly? I heard it well, but now I hear it less. Now also? Yes, it sounds like you're sitting on the other side of the wall. I'm talking about Tariq; I'm walking around at home. Yes. What is the meaning of this data? Do you have any data plans? Yes, exactly. Do you run both the VLAN and the VXLAN? Do you have anything that is a bit like an output? Yes, now it is. What I've tested now was a VLAN into this other NSN, and then a gang of VXLANs came out to the customers who are sitting on it. What do you do yourself? Just to get where it should work. Do you have a VLAN to the NSN? Do you have a VXLAN between all of us? And the VLANs are out? Yes, but the VLANs are out. So there will be nothing from this first NSN? No. That's right. What happens when you get an NSN that has a lot of VLANs out and then a VXLAN into the customer? Yes, exactly. So that's what we've been doing for half a year now? Yes, about that. Yes, exactly.
I know both Rush and Inutalio think that we should talk, but not Ed. The point is that it's more interesting to know about your company. Yes, that's good. Yes, it works. I'm going to call Lillorio and say that you have a team and you can.... Can you tell us about this next week? It's cool. Can you tell us that? When we have an NSE, as we call it, an NSE with inline data plane and an NSE with extant, which helps us get out. Can you tell us something about that? If I haven't even tested it, it would have been clear for half an hour. Two weeks? Yes, definitely. Kalman? It was actually when the big people in Hellen came. Yes. Now you have to call the police. You're doing so well, Johan. Yes, but Tarik is still there. Tarik is still there; he doesn't say anything. You have to talk, Tarik. Yes, Tarik. You have to be quiet, Tarik. It sounds like he's behind you, do you hear it? Do you hear the noise here? Or do I turn on the mic now? No, I turn on a lot of people who are talking. It's not here. It's your noise; it sounds like the whole of Johan is talking. If I turn up the mic when you hear it, maybe you hear it. First of all. What the hell, what the fuck are you talking about? What's the difference? What's wrong with the mic? Did you hear the noise? No, I turned up the sensitivity. Yes, it was just the noise. What's wrong with the mic? I have to sit and scream into the computer. How can you sit and talk? But now it sounds good. Yes, Tarik. Tarik, don't talk too much, you'll hear it. Yes, but... We'll hear it.